Navy looking at cloud as GFE to reduce CMMC burden

Jane Rathbun, the Department of the Navy’s CIO, said tools from NSA and NCIS along with a new initiative could help small firms meet CMMC requirements.

When it comes to meeting the mandates the Defense Department outlined in its Cybersecurity Maturity Model Certification regulation, the Department of the Navy isn’t letting small businesses twist in the wind.

The DON’s chief information officer’s office is using current tools and developing new capabilities to ease the burden of CMMC on small firms. The current efforts include encouraging small firms to enroll with the National Security Agency’s Cybersecurity Collaboration Center as well as the Naval Criminal Investigative Service, both of which work directly with small and mid-sized businesses with DoD contracts to improve their cybersecurity. So far, there are 640 DON vendors taking advantage of NSA’s tools and information through the center.

But Jane Rathbun, the Department of the Navy’s CIO, said a new initiative under consideration could make the adherence to CMMC even less burdensome.


“Something I’ve been thinking about since before I became the CIO and I was the deputy assistant secretary for information warfare in acquisition, is this improving collaboration environments for our commercial partners with our programs, and trying to solve some real world problems about how to transition or transfer data between the contractor and the program office,” Rathbun said on Ask the CIO. “The thought there was, and still is, and something we’re working on with the acquisition arm, is how would we actually go about creating commercial cloud environments, what we call within those cloud environments mission enclaves, where both the contractor and the program office can enter an agreement about how they’ll operate collectively in a common cloud mission enclave, to store work, do work, to communicate and collaborate, and in an effort to really have better collaboration, but also to have better cybersecurity.”

The common cloud environment could be considered government furnished equipment (GFE) that is secured by the government, and it would eliminate some of the investments small businesses would have to make.

Rathbun said this idea remains in the planning stages for fiscal 2025, but she would like to launch a pilot this year. She said the DON is in talks with several companies that are interested in testing out this cloud-as-GFE approach.

“We [met] with our aviation counterparts to talk through how we would do this in more detail,” she said. “Technically, it’s not impossible to do. It is just it’s a policy and a both sides feeling comfortable about how proprietary data would be protected in a shared ecosystem.”

More help for small firms

The timing of the DON’s potential pilot comes as the Defense Department made a key piece of the CMMC program official on Dec. 16. The Pentagon is also finalizing a proposed CMMC acquisition rule. DoD expects to issue that regulation next year, at which point the department can start including CMMC requirements in contracts.

Concerns about the impact of CMMC on small businesses remain high across the federal sector.

Rep. Scott Fitzgerald (R-Wis.) is planning on introducing the “Small Business Cybersecurity Act of 2024,” which would allow companies with 50 or fewer employees to claim a tax credit of up to $50,000 for CMMC costs.

Companies with fewer than 50 employees are numerous in the defense industry, especially among those further down the supply chain. In 2020, National Defense Magazine surveyed 450 small businesses and found 70% had fewer than 50 employees and 55% had less than $5 million in annual revenue.

DoD estimates that approximately 76,000 companies will need to get an audit from a CMMC third-party assessment organization (C3PAO).

While the CMMC pilot is in the works, there are several other DON initiatives that are saving money and securing networks and systems.

Navy takes Flank Speed to sea

For instance, Rathbun said the Navy’s Office 365 instance, known as Flank Speed, in October met all 91 target zero trust activities. The Navy completed that milestone three years ahead of the DoD CIO’s 2027 deadline. The Navy also achieved 60 of the 61 advanced zero trust activities.

“We feel really good about the Flank Speed platform, from a capability perspective and from a customer experience and operational resiliency perspective. The experience is far superior to the previous solution set that we refer to as NMCI,” Rathbun said. “We are getting ready to launch several initiatives, or have started working them, what we call Nautilus, which is the next phase of Flank Speed, which will be key capabilities that really take advantage of the cloud environment that we’re in things like, instead of shipping you a computer or configuring the computer before it comes to you, we’ll just ship you a computer. You’ll click a web address and you will download your image, which is more the way a modern industry works on delivering end user devices. We have put in a pretty robust virtual private network capability through our Flank Speed ecosystem.”

Rathbun said the Navy is pushing Flank Speed to the tactical edge.

She said the DON is piloting a hyper-converged infrastructure coupled with low Earth orbit satellite capabilities aboard a ship that gives users access to Flank Speed.

“We have piloted it on some ships. The ships have been able to link into conversations in the Pentagon via their Flank Speed connectivity. It’s really been a game changer. The clarity is incredible,” Rathbun said. “Now we’re in the process of figuring out how could the HCI stack support the ship, while the ship is not connected to the cloud and the infrastructure, if they’re standalone and working in a low bandwidth or disconnected environment? Can this hyper converged infrastructure maintain itself and support internal communications while not connected? Much of our what’s on Flank Speed is especially on the communications and collaborations path, is software-as-a-service. So SaaS is continuously being updated and patched. But if you’re not disconnected, can we give a quality of service without getting a significant degrading of that service, and so that’s what we’re testing right now.”

30 systems decommissioned

A second initiative called Cattle Drive, which began in 2020 and aims to eliminate redundant systems and applications across the Department of the Navy, has retired or decommissioned about 30 systems and applications since 2022.

Rathbun said her big focus over the four years is to retire another 47 systems, with six of those planned for 2025.

“I also want to move to data analytics to a service construct. So how many data analytics capabilities do we have across the department? How much are we spending? How do we drive to a more holistic platform approach to data analytics? We will be doing that and leveraging our Jupiter platform in doing so, and that will have a big Cattle Drive component,” she said.

The DON is tracking savings from Cattle Drive, and Rathbun has set up a process where organizations that decommission systems can keep the funding.

“If it’s a logistics system, we tell the logistics community, ‘hey, you decommission this system and you take the money that you were using to sustain that system and put it to something that is a higher priority for you,’” she said. “We do collect the information on what that cost of avoidance or cost savings is.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
