After a horrifying independent review of the Navy’s current cybersecurity posture, the Navy asked Congress to approve a new position of Assistant Secretary of the Navy to handle cyber. This comes after the Navy eliminated the role of CIO last year.
Congress turned them down, so now they are going around Congress to create a Special Assistant to the Secretary for Information Management/Chief Information Officer, which does not require Congressional approval. They are also going to assign about 15-20 people to a team to work on the task. Since there is no new money for this, many of these people will be getting additional jobs. That, of course, will make them less effective, but at least the Navy is trying.
The Navy will also be hiring four senior leaders to run directorates inside this new office: a chief technology officer, a chief data officer, a chief digital strategy officer and a chief information security officer. Congress has authorized special pay in certain areas like this at the rate of 1.5 times that of the Vice President of the US or about $300,000 a year per person. They hope to attract folks from industry with numbers like this.
Their objective is to improve security across the Defense Industrial Base in light of the threat from China (and others). A key priority is to get second-, third- and fourth-tier suppliers to implement strict cybersecurity regulations, specifically NIST SP 800-171.
Many contractors have ignored the requirements of 800-171, in part because of the cost and in part because the DoD has not been enforcing it. In combination with the new proposed third-party cybersecurity certification requirement (CMMC) that the DoD is talking about implementing next year, contractors who ignore these requirements may effectively eliminate themselves from getting any DoD contracts. A good strategy would be to step up your cybersecurity program in advance of these new rules going into effect, because it will take a while to get your program up to speed.
Source: Federal Computer Weekly.