The U.S. Navy and our partners in industry work together to provide the capabilities we need to fight and win. Our Defense Industrial Base (DIB) partners play an integral role in our ability to defend the nation by developing and maintaining warfighting and warfighting support capabilities.
However, our dependency on DIB partners makes them an inviting target for adversaries who have repeatedly stolen critical information on our capabilities and systems from Navy contractors with greater ease and lower risk to themselves than traditional espionage. This unprecedented set of challenges threatens our ability to be ready for the 'fight tonight' in this era of renewed great power competition. Loss of this critical information puts Navy investments at risk and erodes the lethality and survivability of our forces.
Consequently, the Navy has partnered with the Department of Defense (DoD), law enforcement and industry to ensure Navy data that is stored on DIB networks is better defended.
In 2018, the Department of the Navy established a steering committee chaired by senior leaders to address issues that jeopardize Navy data handled by our industry partners.
The Assistant Secretary of the Navy for Research, Development and Acquisition enacted DIB policy through two memos. The first directed program managers to develop system security plans based on requirements in the Defense Federal Acquisition Regulation Supplement and National Institute of Standards and Technology publications. This memo established a Naval Criminal Investigative Service task force focused on improving industry outreach and better monitoring DIB networks; it also established a DIB incident notification process for the Navy. The second memo spelled out the Navy’s authority to reduce or suspend payments to contractors for contracts that are noncompliant with cybersecurity standards.
When the Secretary of Defense established the Protecting Critical Technology Task Force to integrate Department-wide DIB cybersecurity efforts, the Navy provided four full-time representatives to support the task force.
The Navy continues to encourage companies to participate in the DoD DIB Cybersecurity Program (DIBNet), a voluntary public-private partnership established to allow DoD and industry to share cyber threat information, mitigation and remediation strategies.
DoD is developing a Cybersecurity Maturity Model Certification (CMMC), which is a framework for assessing and enhancing the cybersecurity posture of the DIB. Various levels of maturity are built into the model so small businesses can affordably achieve the requisite levels of cybersecurity. This certification adds the verification component missing from existing regulations. Certified, independent third-party organizations will conduct audits of DIB partners using the CMMC, which will help the Navy better understand the cybersecurity risks associated with its DIB partners.
More work remains to better protect Navy data stored on DIB networks, but the Navy is committed to making the improvements needed to safeguard the intellectual property that affects our warfighting capability.
Mr. Andrej Stare is a cybersecurity analyst and the DIB and DoD Metrics Lead in the Navy Cyber Security Division, Office of the Deputy Chief of Naval Operations for Information Warfare (N2N6G).
Editor’s Note: The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) established a new website (https://www.acq.osd.mil/cmmc/index.html) in June dedicated to the development of the Cybersecurity Maturity Model Certification (CMMC) in recognition that security is foundational to acquisition and should not be traded along with cost, schedule, and performance. The Department is committed to working with the Defense Industrial Base (DIB) sector to enhance the protection of controlled unclassified information (CUI) within the supply chain.