Navy CIO talks innovation, cybersecurity and CMMC

cybersecurity (vs148/ 

Aaron Weis, the Navy's newly appointed CIO, expects the Defense Department's new unified cybersecurity certification to help bring government's tech standard closer to industry's.

"There's not a single silver bullet," Weis said during a panel talk at AFCEA DC's Navy luncheon Nov. 13. "But I think you can lead by well-placed examples. You can lean on the Tier 1 providers, lean on the Tier 2s, Tier 3s to look at things culturally. And there are a number of ways that [the Navy] can go out and really put a pin on where things need to change.

The DOD's planned Cybersecurity Maturity Model Certification (CMMC) program could help and has the "right perspective," Weis said.

"I'm a believer in that model. CMMC is basically saying that -- it's asking individual Tier 2 or Tier 3 suppliers to go accredit themselves and then get that accreditation validated by a third party. And that is exactly how it happens in other industries," he said.

That method more closely mirrors how commercial industries regulate themselves, such as automotive sector where plants must be certified before car manufacturers use them, Weis said drawing on his experience working for Honeywell and Sensata.

"They're not going to pay for you to get certified, you're going to do that on your own because you want to do that work. And that's kind of a ticket to entry," Weis said. "It's bringing that sort of industry-driven model to how we ask suppliers in the supply chain to accredit themselves."

CMMC is still in the draft phases and is open for public comment, but it has already raised concerns about how certification costs could disproportionately affect small businesses and startups.

Weis said CMMC would need to be used in conjunction with other efforts, including additional obligations for the larger Tier 1 suppliers, but ultimately the onus is on the Defense Department to set the stakes.

"I think the job starts with us. So we as the Department of Navy ought to expect that from the suppliers that we have relationships with. And then likewise, we need to set the expectation and maybe the obligation that they're going to expect the same from their suppliers."

DOD plans to roll out the final versions of CMMC next year with the requirements becoming part of requests for proposal by the fall of 2020.

About the Author

Lauren C. Williams is senior editor for FCW and Defense Systems, covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at [email protected], or follow her on Twitter @lalaurenista.

Click here for previous articles by Wiliams.


  • Workforce
    Shutterstock image 1658927440 By Deliris masks in office coronavirus covid19

    White House orders federal contractors vaccinated by Dec. 8

    New COVID-19 guidance directs federal contractors and subcontractors to make sure their employees are vaccinated — the latest in a series of new vaccine requirements the White House has been rolling out in recent weeks.

  • FCW Perspectives
    remote workers (elenabsl/

    Post-pandemic IT leadership

    The rush to maximum telework did more than showcase the importance of IT -- it also forced them to rethink their own operations.

Stay Connected