U.S. Navy CIO on Navy Modernization and IT Cybersecurity (English)

2020-06-03 智邦网

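Compiled by Zhiyuan

According to a June 2, 2020 report by C4ISRNET, Navy Chief Information Officer Aaron Weis, who joined the U.S. Department of the Navy last December, has given his views on the many shortfalls in the Navy's IT infrastructure and cybersecurity posture.

Last year, the Navy released a cybersecurity readiness report that identified glaring shortfalls and vulnerabilities. Since Aaron Weis took over IT operations, the Navy has narrowed its IT focus to three lines of effort: modernize, innovate and defend.

In an interview with C4ISRNET, he shared the following:

A series of advances have been made since he became Navy CIO.

• From a "defend" perspective: change the Navy's view of defense and its culture, improve situational awareness, and, for risk assessment, take a complete re-look at the "risk management framework" (RMF);

Treat security as a state of readiness rather than a state of compliance; refine and retune the RMF to be more responsive to the current state, and produce a more consistent indicator of risk management.

• Emphasize "modernization": launch a Navy personnel identity program that provides identity credentials for ubiquitous access and is closely tied to a zero-trust architecture.

An identity management pilot has been launched in conjunction with the Navy Enterprise Resource Planning (ERP) program. The ERP system was successfully moved to the cloud last year, and the Navy is now implementing an identity management and access solution that integrates with the Navy ERP cloud solution.

Use software-defined networking to improve information sharing between sailors and Marines.

Build a collaboration system around Office 365 with the accompanying zero-trust mechanisms, operated in coordination with the network systems.

This work will proceed together with the NGEN-R request for proposals, bringing on a new service provider. Under that request for proposals, the Navy awarded a $7 billion IT contract to Leidos last year, but the award is currently under protest by GDIT. The plan is to complete this work this year, with some adjustments to the schedule.

Logistics is a priority area; the "log IT systems" effort is under way, integrating several hundred IT systems across the Navy and Marine Corps.

Log IT investment accounts for nearly 8%-9% of all IT investment.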

What progress has the Navy made on IT modernization?

Since joining the Department of the Navy in September last year, Navy Chief Information Officer Aaron Weis has been outspoken about numerous shortfalls in the service’s IT infrastructure and cybersecurity posture.

In his current role, he plays a major role in correcting gaps identified by a Navy cybersecurity readiness report last year that found glaring holes in the service’s cyber posture. Since taking over the IT reins, the service has narrowed its IT focus down to three lines of effort: modernize, innovate and defend.

In an interview with C4ISRNET, Weis discussed the progress the sea service has made on its cybersecurity posture and IT environment since he became CIO, as well as new pilot programs and how the Navy is spending funds on information technology.

What progress has the Navy made since you took over as CIO?

I think the progress is in a couple of areas. One is from a “defend” perspective — really highlighting that we’re going to have to change our perspective on defend and the cultural perspective. I talk a lot about moving from this culture of security by compliance to a culture where we have security as a constant state of readiness, where we’re always assessing our own readiness from a cybersecurity perspective.

Just the raising in awareness of that has helped spark a number of efforts. One of which is the Navy has undertaken a complete re-look at the RMF [risk management framework] for how we assess risk. The RMF, I think traditionally there’s an amount of just check boxes and forms that have to be filled out and managed. And there’s a recipe that you go through to get to RMF. The intent is right. And the outcome is intended to be that we’re managing risk. The downside is it takes a really long time and what comes out of it is not a current snapshot of risk.

How has that changed?

So the Navy now has taken a wholesale re-look at the RMF process. They’re looking at security as a state of readiness versus a state of compliance. They’re refining and retuning RMF to be more responsive to reflect current state and to be able to be a more consistent indicator of risk management versus the one and done.

What other successes can you point to?

I think another that comes out of that defend idea is we have really highlighted the need for modernization. Identity is a critical element of being able to defend. Traditionally, as somebody matures in their career in the Navy, you might acquire seven or more identities as you move on to a ship and then back to an ashore duty station, and maybe you’re on a different ship. So your identity morphs. It makes it very difficult for us to offer consistency and to be able to secure you. One of the foundations of zero trust is that we know who you are — that we can say that with authority. So we’ve been able to launch an identity program.

We’ve got some strong pilots right now that are being run to prove out technology, but we’re also launching an identity program around the ability to offer ubiquitous access and have that dovetail with a zero-trust architecture. So that has been launched.

What’s an example of an identity pilot you’re working on?

We’ve got an identity management pilot that we’re doing in conjunction with Navy Enterprise Resource Planning, or ERP. The Navy’s ERP system is an SAP ERP system that was moved to the cloud last year very successfully, and we are now working to implement an identity management and access solution that integrates with that Navy ERP cloud-based solution. And we are using that pilot to prove out a suite of tools that we hope to be able to fan out and expand use of beyond just that single system.

At AFCEA West in March, you mentioned that you wanted to use software-defined networking to improve information sharing between sailors and Marines. What progress have you made on that?

We have a team that we assembled who’s working through several aspects of the modernize [line of effort]. Network and network architecture is one of them. Another strong effort is the collaboration tools around Office 365 and zero-trust elements that go with that. They have been working in conjunction with the cyber component. So what we are seeing now and what we expect to see more of are proposed architectures that we can put in place for some targeted pilots that we want to take some specific enclaves within the network and use those as areas to try out some of the software-defined networking and the other architectural concepts that we’re putting in place.

The idea is that we would launch those efforts to intercept the new service provider that we would onboard in conjunction with the NGEN-R request for proposals — [a $7 billion IT contract awarded last year by the Navy to Leidos, but currently under protest by GDIT] — where we have a new service provider and we’re bringing to them the “should be” architecture. The plan was that that presented an ideal opportunity to intersect that trajectory and skate to where the puck is going.

With NGEN-R potentially being delayed through some protests, we will continue to look at where we can prove that out even ahead of a potential future partner coming onboard. But those are concepts that we’re working through; the team has continued to have a cadence around that. That has spanned through the COVID-19 crisis; they haven’t stopped that work through the telework and COVID-19 crisis.

Is there a timetable for starting those pilots?

We’re adjusting based on when we expect to see a new partner come onboard and for when we want to do those things on our own ahead of that. So I think we’re having to do some readjustment between the protest work and then as well as the COVID-19 work that may intercept some of that. We’re just assessing our timeline. I would like to see it done this year. I would like to see us be in some pilots here in the second half of calendar year 2020.

Editor’s note: Weis declined to provide an example of specific pilots because they aren’t finalized.

You also mentioned in recent months that you think the Navy needs to spend smarter. What are some areas that you’re looking at in this budget cycle that have been under-prioritized in the past?

When you run some benchmarks, we probably are spending at an appropriate amount consistent with others who have mission-critical activities in the IT space. And I use the financial industry as a good benchmark in terms of criticality of their IT infrastructure. So although we may be spending at a world-class level, we’re not necessarily always getting the world-class outcomes and output. So we’re looking at where do we want to be able to lean in and shape.

One of the first areas that we’re doing right now is the logistics — the log IT systems. That’s a portfolio that spans several hundred systems across the Navy and Marine Corps. We’re working together with the business process owners and the business side of this to look at how do we optimize log IT. How do we reduce the number of systems around an aligned business process and, along the way, shape that funding to potentially optimize our spend in log IT? And then how do we free that up or reinvest in some of the network modernization and defend activities that we feel need more prioritization?

And that’s happening now. That log IT work and assessment is happening. There’s already system consolidation that’s happening. The log IT portfolio is one that probably approaches 8 to 9 percent of the total IT spend at this point. So that’s an area where we feel like it’s a large line item and we’ll benefit from the combination of business process work together with system work.

