Navy IT Strategy Head on Cybersecurity: ‘We’re Doing It Wrong’


By Kerry Burgott

  • Private sector CIOs briefed on Navy cybersecurity initiative
  • Continual assessment more effective than recurring certification

Bloomberg Government subscribers get the stories like this first. Act now and gain unlimited access to everything you need to know. Learn more.

A shift in the Navy’s cybersecurity approach from one of compliance to one of what Chief Information Officer Aaron Weis likens to the overall military theory of readiness will be a long-term transformation, and it will be “wicked hard.”

The mindset Weis is promoting is “currency,” or continual assessment of an IT product’s security status, instead of a certification that could end up stale by the end of its three-year period because of evolutions in technology and in adversaries’ capabilities.

CIOs at “top” defense vendors were briefed Tuesday morning on the status of Cyber Ready, Weis told the audience at WEST 2023, a conference co-hosted by AFCEA International and the US Naval Institute, Tuesday afternoon. Cyber Ready is the Navy initiative to replace the existing three-year Authority to Operate, or ATO, compliance certification cycle.

If the goal is for the Department of the Navy and its partners in the private sector to protect the Navy’s information and confirm acquisitions are secure enough to be used among all other IT, “we’re doing it wrong” by relying on ATO checklists, Weis said.

Managing the ATO process costs more than a billion dollars each year, frustrates department officials as well as industry participants, and results in “some of the worst cybersecurity I have ever seen in 32 years” in the field, he said.

In a memo released in August 2022, the Navy announced seven lines of effort in transforming the ATO system: cyber metrics, risk management reform, cyber currency, adversarial assessment, data analytics, acquisition changes, and workforce.

Cyber Ready has tested pilot programs for both the Navy and the Marine Corps and that has addressed enterprise information technology and tactical acquisitions. Weis did not have a definite timeline for implementing Cyber Ready across all programs.

To contact the reporter on this story: Kerry Burgott from San Diego at kburgott@bloombergindustry.com

To contact the editor responsible for this story: Amanda H. Allen at aallen@bloombergindustry.com

Stay informed with more news like this – from the largest team of reporters on Capitol Hill – subscribe to Bloomberg Government today. Learn more.