‘We’re Doing It Wrong’: The Navy’s Plan for Better Cybersecurity

CIO Aaron Weis’ take on a continuous ATO process includes moving to a currency mindset.

The Chief Petty Officer Mess assembles aboard Commander, U.S. 7th Fleet's flagship, USS Blue Ridge (LCC 19), in celebration of the Navy Chief's 128th Birthday. As the U.S. Navy's largest forward-deployed fleet, 7th Fleet employs 50-70 ships and submarines across the Western Pacific and Indian oceans. U.S. 7th Fleet routinely operates and interacts with 35 maritime nations while conducting missions to preserve and protect a free and open Indo-Pacific Region. Photo Credit: U.S. Navy photo by Mass Communication Specialist 2nd Class Reymundo A. Villegas III/Released

Department of the Navy CIO Aaron Weis wants to adopt a “readiness” approach to cybersecurity to combat future cyberattacks and limit waste of cybersecurity funding and resources, he said at the AFCEA West naval conference hosted by AFCEA International and the U.S. Naval Institute in San Diego this week.

Weis synthesized cybersecurity perspectives from across the service and Defense Department, and drilled down into the prevailing narrative of DOD cybersecurity needing a seismic cultural shift to maintain a competitive edge in modern warfare.

Weis’ preferred approach requires a cultural and mindset shift for sailors to see cybersecurity as a military problem of readiness and currency as opposed to a compliance checklist. Weis’ comments dovetail with ongoing conversations across DOD regarding the cultural shift toward a zero trust approach to cybersecurity, which defense cyber leaders repeatedly say is necessary to implement the Joint All-Domain Command-and-Control (JADC2) initiative.

“The way we approach the problem of cybersecurity is wrong,” Weis said during a session at AFCEA West. “We’re doing it wrong. We approach cybersecurity as a compliance problem, with endless checklists, RMF (risk management framework), eMASS (enterprise mission assurance support service), tools, checkers checking the checkers, years and billions of dollars. But I can tell you we have 15 years of track record that says it’s not working. We continue to get our lunch money stolen and get locked out of our own lockers. What is the definition of insanity? Doing the same thing over and over again and expecting a different result.”

Approaching cybersecurity as a “problem of readiness … on an ongoing basis” is more sustainable and effective than adhering to cybersecurity compliance checklists, he added.

“Readiness is something that commanding officers sort of live and breathe by,” Weis said, “and those mean different things for a strike group commander. It’s readiness to deploy in three months, right? If you’re in special forces, it’s fight tonight. It is a dynamic scale; you exist as a commanding officer in your unit every day on a continuum of readiness and you manage that.”

Developing Cyber Readiness

Ensuring cyber readiness entails asking a number of questions, such as: do we have the right people, are they trained and qualified, do we have enough of them, do we have the right equipment? Weis said sailors and department civilians need to be so confident about cybersecurity they can “do it with their eyes closed.”

Weis also criticized the way cyber professionals rely on the authorization to operate (ATO) certification system used across DOD, which evaluates IT and OT systems to ensure cybersecurity compliance before use. Last year the Pentagon issued a memo calling on defense cyber leaders to move toward a continuous ATO (cATO) model, where IT and OT systems are evaluated on a rolling basis as opposed to a one-and-done check every three years, in an effort to catch software vulnerabilities sooner.

The current ATO system costs DOD $1.1 billion to sustain, Weis said, and does little to improve cybersecurity.

“I could tell you things that we can’t talk about here that have led to programs of national importance that were horrific in cybersecurity,” he said. “Some of the worst cybersecurity I have ever seen in my 32 years of doing this, and when confronted, a program office says, ‘But I have an ATO.’”

Instead, Weis wants cyber leaders to view ATOs from a “currency” perspective, similar to how a pilot must maintain currency with Federal Aviation Administration (FAA) requirements in order to maintain an active and unrestricted pilot license.

“I believe that currency mindset is a better one to bring to the concept of ATO,” he said. “Maybe you were once secure, maybe some time during all those push-ups and the eMASS loads and the RMF checks and the checkers checking the checkers in the past year and a half, you might have been secure at one point, but the world moved on. Software evolved, the adversary have all changed tactics. Odds are, you’re probably not secure even at the time you got the ATO. You can get an ATO and it is yours if you can keep it, and so putting in place this idea that you must attain cyber currency for your given application or program is a critical one.”

Coordinating Cyber Efforts Across the Navy

Department of the Navy Acting CISO Tony Plater also describes moving from a compliance mindset.

“It’s not enough to say we implemented all the cybersecurity requirements; we must move to a state of readiness. That means testing those requirements, understanding from an adversarial perspective the tactics, procedures and techniques, how our networks actually respond,” Plater said at GovCIO Media & Research’s October CyberScape event.

Weis’ and Plater’s comments also echo U.S. Coast Guard Deputy CIO Brian Campo’s ATO talking points in a recent CyberCast interview with GovCIO Media & Research. Campo said the Coast Guard is moving away from the traditional three-year ATO model toward “mini ATO reviews on every single deployment, looking at things that help us get capabilities out quicker, like certification to field, which is sort of an interim for an ATO and then looking at connection agreements, all those sorts of things that give us more security capability in less time but with the same risk cluster.”

Weis is working with Department of the Navy CTO Jane Rathbun to build cybersecurity requirements into new programs for a “born cyber” approach, i.e., DevSecOps. To support these efforts, the Navy’s software factory, Black Pearl, is developing common DevSecOps standards and language to streamline in-house software development and software procurement from federal contractors.

“Importantly, it also means that we are adjusting the roles: more accountability for cyber and ATO needs to be placed within the acquisition side of the house and less into the checker checking side of the house,” Weis said.

Rathbun also highlighted the Navy’s concept of cyber readiness during a cybersecurity event with GovCIO Media & Research last year, describing it as a cultural shift encompassing all teams along the product development lifecycle.

“We are pivoting from the concept of cybersecurity to the concept of cyber readiness, where it’s a continuum where every day you earn your right to operate because your capability is cybersecure and you’ve done the things you need to do,” she said during the event last year. “In the Navy, we have a CISO office, acquisition organization and CIO organization, and everyone has to work together to articulate that North Star of the operating culture we want to create and then take that and define the policies, process changes, role changes and articulate this to industry as our strategic partner.”
