cybersecurity (vs148/


Navy CIO talks innovation and CMMC's future impact

Aaron Weis, the Navy's newly appointed CIO, expects the Defense Department's new unified cybersecurity certification to help bring government's tech standard closer to industry's.

"There's not a single silver bullet," Weis said during a panel talk at AFCEA DC's Navy luncheon Nov. 13. "But I think you can lead by well-placed examples. You can lean on the Tier 1 providers, lean on the Tier 2s, Tier 3s to look at things culturally. And there are a number of ways that [the Navy] can go out and really put a pin on where things need to change.

The DOD's planned Cybersecurity Maturity Model Certification (CMMC) program could help and has the "right perspective," Weis said.

"I'm a believer in that model. CMMC is basically saying that -- it's asking individual Tier 2 or Tier 3 suppliers to go accredit themselves and then get that accreditation validated by a third party. And that is exactly how it happens in other industries," he said.

That method more closely mirrors how commercial industries regulate themselves, such as automotive sector where plants must be certified before car manufacturers use them, Weis said drawing on his experience working for Honeywell and Sensata.

"They're not going to pay for you to get certified, you're going to do that on your own because you want to do that work. And that's kind of a ticket to entry," Weis said. "It's bringing that sort of industry-driven model to how we ask suppliers in the supply chain to accredit themselves."

CMMC is still in the draft phases and is open for public comment, but it has already raised concerns about how certification costs could disproportionately affect small businesses and startups.

Weis said CMMC would need to be used in conjunction with other efforts, including additional obligations for the larger Tier 1 suppliers, but ultimately the onus is on the Defense Department to set the stakes.

"I think the job starts with us. So we as the Department of Navy ought to expect that from the suppliers that we have relationships with. And then likewise, we need to set the expectation and maybe the obligation that they're going to expect the same from their suppliers."

DOD plans to roll out the final versions of CMMC next year with the requirements becoming part of requests for proposal by the fall of 2020.

This article first appeared on FCW, a partner site of Defense Systems. 

About the Author

Lauren C. Williams is senior editor for FCW and Defense Systems, covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at [email protected], or follow her on Twitter @lalaurenista.

Click here for previous articles by Wiliams.

Defense Systems Update

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.