Aaron Weis was named Special Assistant to the Secretary of the Navy for Information Management and Department of the Navy Chief Information Officer effective September 29, 2019. He is responsible for information management, digital, data and cyber strategy. In this role, he is also responsible for reviewing the Department of the Navy budget proposal for Information Technology and National Security System expenditures and investments, and certifying whether it adequately addresses concerns from enterprise efficiency and cybersecurity perspectives.
Mr. Weis is supported by two three-star DON deputy CIOs aligned to the Services. Vice Adm. Matthew Kohler, Deputy Chief of Naval Operations for Information Warfare (OPNAV N2N6)/Director of Naval Intelligence, is dual-hatted as the DON Deputy CIO for the Navy. Lt. Gen. Lori Reynolds, Deputy Commandant for Information / Commander, U.S. Marine Corps Forces Strategic Command, is dual-hatted as DON Deputy CIO for the Marine Corps.
Four subordinate directorates report directly to Mr. Weis: a Chief Technology Officer (CTO) to design a fully integrated digital mission capability platform; a Chief Data Officer (CDO) to harness the power of raw data; a Chief Digital Innovation Officer (CDIO) to leverage emerging technology and deliver transformative capabilities; and a Chief Information Security Officer (CISO) to protect data and information regardless of where it resides.
The Secretary of the Navy Cybersecurity Readiness Review underscored the need for strong cybersecurity and the need to organize around information as a strategic asset and warfighting capability. The empowered CIO is chartered with developing and implementing an overall vision and strategy to guide the department over the next five years to modernize DON technology and bring transformative capabilities to Sailors, Marines, and civilians.
CHIPS senior editor Sharon Anderson interviewed Mr. Weis in early February.
CHIPS: I understand that you will be issuing the DON’s Information strategy and vision shortly. Can you discuss the major focus areas of the plan?
Weis: We just released the DON Information Superiority Vision, after Acting Secretary of the Navy Modly released a SECNAV Vector on the topic of information management this past Friday.
It will speak to three main themes that address the challenges we have today in our need to provide decision-ready information to Sailors and Marines that will increase their lethality as a force. It will increase the capability they have at their fingertips. It will address the challenges that were articulated in the Cyber Readiness Review. Those challenges are many, but the DON Information Superiority Vision will be the outline of how we begin to resolve them.
The three broad themes address the need to modernize the Department of Navy’s infrastructure, specifically in three areas around our networks, our ability to use cloud computing and how we manage identities.
The second broad theme is innovation. The need to drive innovation at speed across the Navy and Marine Corps and to create the repeatable process for how we can harvest and drive focus on the problems that need to be solved.
If modernization is about our infrastructure gaining parity, then innovation is how we move beyond that and drive competitive advantage.
The third broad theme, the third line of effort (LOE) is ‘defend.’ We are specifically not using the ‘cybersecurity’ word for that because cyber has become an overused word. It’s an important word, but it has become broadly used and it has taken on so many different meanings that at times it can become a meaningless word. We are using the word defend. In a nutshell, it is the need for the Department of the Navy to be able to defend our information wherever it is, whether it is stored, whether it is in transit across our networks or in the supply chain, the Defense Industrial Base.
We have to improve our ability to defend and our ability to retain the information we have. Because today we are very much not performing where we need to be — that was one of the main points of the Cybersecurity Readiness Review.
It’s not a long document, but it outlines a broad vision for how we need to start getting after these problems. The follow-on to this vision will be a number of strategy implementation plans that will be centered on innovation and defend.
CHIPS: Can you talk about any short-term accomplishments you have achieved since becoming the DON CIO?
Weis: When we first stood up the office in the beginning of October, we did have a goal set around quick-wins. Like many things in the department, some of them are harder than you would expect because there are other limiting factors. One of the areas we have had an immediate impact in coordination with 10th Fleet, is our Interim Authority to Operate problem. Today we have systems that have had an Interim Authority to Operate for years.
For years, they have been on Interim ATOs and every six months they just get a renewal. The reality is they have never gotten an ATO. It’s bad practice. Vice Admiral (Timothy "T.J.") White has talked about this in terms of ‘the normalization of deviation.’ That’s a term that is also used in critical areas, like aviation, where you can reach a point where the deviation just becomes normal or accepted.
Working together with VADM White, we increased the focus on Interim ATOs and it has had a positive effect, such that we have more rigor. Because of that initial pressure and focus, we are now seeing changed behavior and Interim ATOs are being addressed before they even make it to this office which is great. That is real cultural change. We have a very tight partnership with N2N6 and 10th Fleet.
There are some other small quick-wins that will be important from a quality-of-life perspective. We are trying to remove some of the pain points in the user experience. One of the things we started doing here at the headquarters level, and we made available to others, is leveraging SSDs (solid-state drives) which radically improve the performance of the computers we are using every day.
The SSDs are options now on the [NMCI] order sheet. There are folks who are retrofitting existing machines here and it does make a dramatic difference. You can shorten the boot-up time from minutes to seconds.
The second quick-win that is really close to me is optimizing our mobile experience. We have asked for some simple things like the ability to respect the biometrics such that if you have biometrics, you may not have to enter a second password every time you want to check your email. This is something that the Marine Corps, the Air Force and the Army are already doing so the Navy ought to be able to leverage what others have done.
Those are the main ones; there have been a few others on a smaller level. We are always looking at where we can make improvements.
CHIPS: The SECNAV Cybersecurity Readiness Review (CRR) revealed gaps in the department’s security. Can you discuss any immediate steps you have taken to ensure the cybersecurity of the DON’s information and networks?
Weis: We have started acting on some of the observations in the Cyber Readiness Review, and while they are not necessarily quick-wins, there are things we are going to do over the next couple of months. We are going to have activities initiated from Chris Cleary’s office, as the CISO. He is working with the Navy and Marine Corps in creating a culture of readiness with respect to cybersecurity.
Today we have a culture in cybersecurity that is largely compliance based, a checklist culture. It’s not a bad thing, but we have to move to the next level where we are viewing cybersecurity as a state of readiness – that we are always ready and always secure. Chris has been working on a couple of things that will help reinforce that thinking, sort of a self-assessment of a state of readiness in a couple of different ways.
Another focus area from the Cybersecurity Readiness Review is around the structural aspects [of the department], so part of that was the restructuring of the DON CIO office as well as the standing up of the office of the Chief Information Security Officer.
Another area we will be leaning in soon is in respect to the defense industrial base (DIB). We know the DoD undersecretary of defense for acquisition and sustainment, with Katie Arrington, DoD's chief information security officer for acquisition, leading the effort, has released CMMC Version 1 (Cybersecurity Maturity Model Certification), the guide for the Defense Industrial Base. This is one of the tools we want to leverage in our conversation with the Tier 1 contractors as well as Tier 2s and 3s.
The CMMC is not the only solution; it is one arrow in our quiver in how we want to engage the DIB. We have to do that in conjunction with our partners in the acquisition community, with the RDA (Assistant Secretary of the Navy for Research, Development & Acquisition).
Those are areas where we have taken immediate steps. We are working on other areas from the Review and you will see those in the next few months.
CHIPS: Your response segues well to the next question. We read every day that the nation’s intellectual property is being stolen from U.S. defense contractors, universities and business alliances. How will you be working to ensure that when the DON partners with industry and academia, the department’s data is secure?
Weis: There are DoD efforts that are already underway and the first thing we want to do is understand what those efforts are so we can plug-in and leverage them. At the DoD, there is the PCTIF, which is the DoD’s Protecting Critical Technology Task Force, led by Air Force Maj. Gen. Thomas Murphy, where we are engaging. Within the Department of the Navy, we have the DIB ESC (Executive Steering Committee) which is a similar work group just from a DON level. As we work with those existing groups, the critical partner in this, as I mentioned earlier, has to be the acquisition community. They are at the front edge engaging with the DIB every day. ASN James Geurts and I are aligned on the need to secure the DIB.
It’s a multi-prong effort. Some of it will be engaging the Tier 1s, the largest defense contractors — those at the top who win contracts; they have a lot of capability and maturity in the cyber space. We want to leverage the Tier 1s to lean in to the supply chain below them. While that has not always been a focus for the Tier 1s, we are working to leverage the Tier 1s as our partners in how we reach Tier 2 suppliers and beyond. We are working through positive influence and engagement with the Tier 1s.
As I mentioned before, there are some tools available, like CMMC, that we want to bring to bear. CMMC has the potential to be a huge positive [effort]. It comes from this idea of self-accreditation. Some of my background is in the automotive industry and the chemical industry. Both of those have well-proven and understood concepts, for example, a supply chain company can accredit themselves as being capable and qualified to produce in the automotive sector. There is a specific self-accreditation standard called TS96149, or for short, we just say TS. This is something everyone in the automotive industry does if you want to play in that supply chain.
The CMMC is inspired by that concept, although we are going to have to recognize this is new ground for the Defense Industrial Base. It’s likely going to take some growth and maturation as we help them along the CMMC path. In the long-term, we will leverage what other industries have done.
The other area where we can lean in with the DIB is taking a cue from what is being done in the SAP (Special Access Programs) space. That is an area that is equally, if not more important, to secure. Within SAP there are some small companies looking to create a secure environment, host it in a cloud provided by the government and be able to do email and day-to-day work — a productivity and storage solution. Obviously, it would be CMMC compliant. It would be a way for a small business, that doesn’t necessarily have the resources to upscale their own IT infrastructure, to potentially leverage a secure infrastructure that we might make available to them.
The challenge here is, as with all things, who is going to pay for it. It’s not as if somebody has a cloud-based environment ready to go for all these companies and funds programmed. This is where we are going to need a collaborative discussion with the acquisition community, RDA, as well as with the Tier 1s, because it’s in the Tier 1s’ best interest to secure these suppliers.
It might be that we resource this as a collaborative effort. There is a lot more dialogue needed, but those are some formative thoughts on how we might get after the DIB security challenge.
CHIPS: In your “empowered” role, you will be reviewing the DON’s budget proposal for IT and National Security System expenditures and investments. Are you consulting with the CTO Jane Rathbun to align investments based on your lines of effort: modernize, innovate and defend?
Weis: Jane Rathbun works directly with this office. As part of this stand up, Jane will wear two hats. Her current hat is the DASN for Information Warfare and Enterprise Services, formerly DASN C4I. She adds another hat in the CIO office as CTO. In her role as CTO, she is a critical bridge into the acquisition community. The goodness that comes from that is we have a tight alignment in what we are doing from a CIO perspective.
In this case, you give a good example. The DON requirement to have both of us reviewing and certifying system expenditures and investments and the ability for it to flow through that single link in the CTO’s office, who is also the DASN for RDA, has been a huge boon for us. In fact that streamlining has been a huge advantage, not just for the CIO, it’s also working very well for the acquisition community.
There are some growing pains as Jane learns how to split herself in two and we make sure that she has the support that she needs. ASN Geurts and I have seen that as productive and especially in your example. It’s an area where we are breaking new ground in how we work laterally across organizations and try to do it seamlessly.
CHIPS: When I interviewed DON CDIO Mike Galbraith, he shared two of his biggest challenges are time and the need to move as quickly as possible, and the need for cultural change in the DON. Have you encountered any challenges in moving the DON CIO’s charter forward, and if so, how have you overcome them?
Weis: The Navy and Marine Corps have a strong culture of independence, problem solving, and self-sufficiency. That’s borne by the mission they have. If you are the commanding officer of a ship, you have to be self-sufficient and be able to decide and act and be comfortable operating in that environment. That culture has permeated the Navy and the same is true of the Marine Corps — that culture of fierce self-sufficiency, to be able to decide and act to accomplish the mission. These are some of the qualities that I have the highest respect for in both the Navy and Marine Corps.
I think that awesome culture, overlaid with the complexity that we have across the Navy and Marine Corps, presents a unique challenge in how we maneuver within that complexity when we want to change direction in terms of defend and modernization. We do have to change direction to have that impact we need.
The complexity of these very large organizations with their culture of self-sufficiency is something we are going to have to work through. I don’t think we would ever want to change this culture, which is 200 years in the making; it has served them very, very well. We have to learn how to harness that culture to be able to effect change in an extremely complex environment. We have 700,000 Sailors and Marines deployed around the world, spread across the highly matrixed organizations of System Commands, Type Commands, across the fleet, lower echelon commands and activities, OPNAV, in functional areas … at a scale that is massive.
If I had to pick my biggest challenge, it would be how do we drive change through the complexity of our organization.
We will always have time as a factor. At a personal level, time will always be a challenge. There are never enough hours in the day to get through all the email that comes in … but that’s something I have learned over my years of working in the DoD. You have to do personal time management and focus on what is most important, which is supporting Sailors and Marines.
CHIPS: Can you discuss how you work with the deputy CIOs Vice Adm. Kohler and Lt. Gen. Reynolds to implement the cybersecurity mandates and vision that Acting Secretary of the Navy Modly has said are necessary to ensure the readiness and lethality of Sailors and Marines?
Weis: We are working together as a unified team. LtGen Reynolds and VADM Kohler, like many of us, have multiple hats. VADM Kohler is the N2N6, and LtGen Reynolds is the Deputy Commandant for Information, within their respective service. They also have another hat they wear called the DON Deputy CIO. There are areas and things they are focused on which they need to execute for their service which are not always things on the front burner from a DON perspective and that’s perfectly OK. That is why the services have their own CIO. In those areas where we are driving naval activities, we need to bring capability to the combined force.
The Commandant and CNO have talked about the need for a return to naval capability, in response to activities we see in the Western Pacific. For those areas that speak directly to the broad LOEs in the vision, we are moving together. Going back to my previous statement of the complexity of a large organization, LtGen Reynolds and VADM Kohler and their staff and the DON CIO staff are on a daily basis working together side-by-side to get after modernization and innovation.
Certainly, as the DON CIO is re-stood up, especially in its empowered role, in the way (former) Secretary Spencer envisioned and Acting Secretary Modly is driving, we are learning how this partnership works as a unified team. Looking at the first few months, it’s been largely successful. I look forward to continuing those relationships and strengthening them moving forward.
CHIPS: Is there anything else you would like to discuss?
Weis: We do have an upcoming DON CIO conference series, one on the West Coast March 2-3 in San Diego and one on the East Coast May 11-13, in Norfolk.
We are re-tooling the conference in a couple ways. One, we are using it to drive that vision strategy across those three LOEs, and secondly, back to your previous question, we want to more broadly bring together the Navy and Marine Corps. We are coming together in a common forum and it gives me the opportunity to more broadly engage at the Echelon IIs and beyond with those CIOs to drive alignment, communication and collaboration. I am really looking forward to meeting the people that make it happen.
CHIPS: You talked about meeting the Echelon II CIOs, would the conferences be of interest to the average IT user?
Weis: Yes. There will be separate tracks focused around the LOEs as well as some other areas that are of particular interest to the Marine Corps and Navy. The Marine Corps has a broad sub-track about RMF and working groups to address training. We will have cloud sessions, an identity management session. The network modernization team that we just kicked off on Feb. 4 will be talking about what they are doing, and we will have some other sessions on emerging technology that fall under the innovation bucket. We want to make the vision strategy broadly accessible.
We will also present the DON IM/IT Excellence Awards. The conferences are a great place to showcase what has been done and recognize people for their efforts.