Since joining the Department of the Navy in September last year, Navy Chief Information Officer Aaron Weis has been outspoken about numerous shortfalls in the service’s IT infrastructure and cybersecurity posture.
In his current role, he plays a major role in correcting gaps identified by a Navy cybersecurity readiness report last year that found glaring holes in the service’s cyber posture. Since taking over the IT reigns, the service has narrowed its IT focus down to three lines of effort: modernize, innovate and defend.
In an interview with C4ISRNET, Weis discussed the progress the sea service has made on its cybersecurity posture and IT environment since he became CIO, as well as new pilot programs and how the Navy is spending funds on information technology.
What progress has the Navy made since you took over as CIO?
I think the progress is in a couple of areas. One is from a “defend” perspective — really highlighting that we’re going to have to change our perspective on defend and the cultural perspective. I talk a lot about moving from this culture of security by compliance to a culture where we have security as a constant state of readiness, where we’re always assessing our own readiness from a cybersecurity perspective.
Just the raising in awareness of that has helped spark a number of efforts. One of which is the Navy has undertaken a complete re-look at the RMF [risk management framework] for how we assess risk. The RMF, I think traditionally there’s an amount of just check boxes and forms that have to be filled out and managed. And there’s a recipe that you go through to get to RMF. The intent is right. And the outcome is intended to be that we’re managing risk. The downside is it takes a really long time and what comes out of it is not a current snapshot of risk.
How has that changed?
So the Navy now has taken a wholesale re-look at the RMF process. They’re looking at security as a state of readiness versus a state of compliance. They’re refining and retuning RMF to be more responsive to reflect current state and to be able to be a more consistent indicator of risk management versus the one and done.
What other successes can you point to?
I think another that comes out of that defend idea is we have really highlighted the need for modernization. Identity is a critical element of being able to defend. Traditionally, as somebody matures in their career in the Navy, you might acquire seven or more identities as you move on to a ship and then back to an ashore duty station, and maybe you’re on a different ship. So your identity morphs. It makes it very difficult for us to offer consistency and to be able to secure you. One of the foundations of zero trust is that we know who you are — that we can say that with authority. So we’ve been able to launch an identity program.
We’ve got some strong pilots right now that are being run to prove out technology, but we’re also launching an identity program around the ability to offer ubiquitous access and have that dovetail with a zero-trust architecture. So that has been launched.
What’s an example of an identity pilot you’re working on?
We’ve got a identity management pilot that we’re doing in conjunction with Navy Enterprise Resource Planning, or ERP. The Navy’s ERP system is an SAP ERP system that was moved to the cloud last year very successfully, and we are now working to implement an identity management and access solution that integrates with that Navy ERP cloud-based solution. And we are using that pilot to prove out a suite of tools that we hope to be able to fan out and expand use of beyond just that single system.
At AFCEA West in March, you mentioned that you wanted to use software-defined networking to improve information sharing between sailors and Marines. What progress have you made on that?
We have a team that we assembled who’s working through several aspects of the modernize [line of effort]. Network and network architecture is one of them. Another strong effort is the collaboration tools around Office 365 and zero-trust elements that go with that. They have been working in conjunction with the cyber component. So what we are seeing now and what we expect to see more of are proposed architectures that we can put in place for some targeted pilots that we want to take some specific enclaves within the network and use those as areas to try out some of the software-defined networking and the other architectural concepts that we’re putting in place.
The idea is that we would launch those efforts to intercept the new service provider that we would onboard in conjunction with the NGEN-R request for proposals — [a $7 billion IT contract awarded last year by the Navy to Leidos, but currently under protest by GDIT] — where we have a new service provider and we’re bringing to them the “should be” architecture. The plan was that that presented an ideal opportunity to intersect that trajectory and skate to where the puck is going.
With NGEN-R potentially being delayed through some protests, we will continue to look at where we can prove that out even ahead of a potential future partner coming onboard. But those are concepts that we’re working through; the team has continued to have a cadence around that. That has spanned through the COVID-19 crisis; they haven’t stopped that work through the telework and COVID-19 crisis.
Is there a timetable for starting those pilots?
We’re adjusting based on when we expect to see a new partner come onboard and for when we want to do those things on our own ahead of that. So I think we’re having to do some readjustment between the protest work and then as well as the COVID-19 work that may intercept some of that. We’re just assessing our timeline. I would like to see it done this year. I would like to see us be in some pilots here in the second half of calendar year 2020.
Editor’s note: Weis declined to provide an example of specific pilots because they aren’t finalized.
You also mentioned in recent months that you think the Navy needs to spend smarter. What are some areas that you’re looking at in this budget cycle that have been under-prioritized in the past?
When you run some benchmarks, we probably are spending at an appropriate amount consistent with others who have mission-critical activities in the IT space. And I use the financial industry as a good benchmark in terms of criticality of their IT infrastructure. So although we may be spending at a world-class level, we’re not necessarily always getting the world-class outcomes and output. So we’re looking at where do we want to be able to lean in and shape.
One of the first areas that we’re doing right now is the logistics — the log IT systems. That’s a portfolio that spans several hundred systems across the Navy and Marine Corps. We’re working together with the business process owners and the business side of this to look at how do we optimize log IT. How do we reduce the number of systems around an aligned business process and, along the way, shape that funding to potentially optimize our spend in log IT? And then how do we free that up or reinvest in some of the network modernization and defend activities that we feel needs more prioritization?
And that’s happening now. That log IT work and assessment is happening. There’s already system consolidation that’s happening. The log IT portfolio is one that probably approaches 8 to 9 percent of the total IT spend at this point. So that’s an area where we feel like it’s a large line item and we’ll benefit from the combination of business process work together with system work.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.