The Navy’s new chief information officer said Wednesday the department must hold its middle-tier industry partners to more stringent supply chain security standards, as he looks to improve the service’s lagging cyber posture.

Aaron Weis, who has served in the new role for six weeks, told attendees at an AFCEA event the department has to better protect its information and cited the Pentagon’s planned rollout of the Cybersecurity Maturity Model Certification (CMMC) contracting standards as a key step to ensuring suppliers’ digital security.


“We have to be able to lean into our defense industrial base and partner with them to really secure our information that lives in the supply chain of the Department of the Navy,” Weis said. “We are losing our information. Not through the ‘Tier 1’s,’ they’re very mature. The Lockheed Martins and Raytheons of the world have really talented security people who work with them. But when you get down to tier two and three of that supply chain, we’re not where we need to be.”

Following the release of a report in March that detailed the Navy’s sub-par cyber posture, senior department leadership elected to stand up a CIO position to manage the improvement of the service’s security practices.

Weis, who most recently served as a senior adviser to the Pentagon CIO, noted that the March report “did not paint a flattering picture” and said his improvement plan is based around modernizing the service’s IT infrastructure and utilizing his experience leading digital security efforts during his time in the commercial sector.

“Our infrastructure is about 10 to 15 years behind where industry is at. And I say that coming out of twice-over being a Fortune 500 CIO. What I see coming into the Department of the Navy, we had those meetings in 2004 back in industry,” Weis said. “So we have a whole host of work coming around modernization of our infrastructure, networks, identity management, becoming cloud-ready.”

Weis compared the implementation of CMMC to the standards he used while in the automobile industry, where suppliers are responsible for accrediting their supply chain to avoid bringing in products with potential vulnerabilities. 

“CMMC is basically asking individual tier two or tier three suppliers to go accredit themselves and then to get that accreditation validated by a third party. That is exactly how it happens in other industries,” Weis said. “We need to set the expectation, and maybe the obligation, that [prime contractors] are going to expect the same from their supply chain.”

The Pentagon is planning to release final details of CMMC in January before rolling out the new standards in all RFIs in June 2020 and all RFPs before next fall (Defense Daily, Nov. 4).