Federal Chief Information Officers were mandated by the Clinger-Cohen Act of 1996 to address information management and information technology (IM/IT) at the enterprise level.
The Secretary of the Navy established the office of the Department of the Navy Chief Information Officer in 1997 to provide top-level advocacy in the development and use of IM/IT and to create a unified IM/IT vision for the department. The DON CIO develops strategies, policies, architectures, standards and guidance, and provides process transformation support for the entire Department of the Navy. Additionally, the DON CIO ensures that the development and acquisition of IT systems are interoperable and consistent with the department's objectives and vision.
Rob Foster was selected as the DON CIO effective June 2015.
Q: Shortly after you arrived as DON CIO, the Office of Personnel Management (OPM) announced unprecedented compromises to its government employee personal databases, including an incident affecting current, former, and prospective federal employees, military members, and contractors. What is the DON doing to help personnel and to alleviate the potential problems caused by this data breach?
A: Secretary Mabus immediately initiated an all-hands-on-deck effort, engaging senior leadership from several Secretariat organizations to ensure that the DON community would be kept fully informed of the latest breach incident news and to establish and communicate avenues of mitigation and protection.
We established a link on the DON CIO website that takes you directly to the SECNAV’s OPM breach information site. The SECNAV website provides updated information regarding the nature and extent of personal information compromised, the notification process, and actions that should be taken to minimize personnel risk.
Specific links are available for frequently asked questions and a toolkit offering comprehensive resources for assistance, including credit monitoring and identity theft protection and official guidance for Sailors, Marines, and DON civilians. The ability to ask a question about the data breach is also provided. A link to the OPM Cybersecurity Resource Center is available for those who want to sign up for services because they have received a notification letter from OPM or for those who seek additional information because they believe they may be impacted but have not received notification.
Those who have not yet received a notice should not assume they are not affected. This was an unparalleled breach of information involving a great number of people, and the notification process will take considerable time to complete. I encourage all DON personnel to stay vigilant and informed, and take advantage of the tools provided within these sites to protect your private information.
Q: The Department is transitioning from the BlackBerry smartphones to Apple and Android devices. What prompted this change and when will users actually be able to obtain the new devices?
A: Two factors converged that led to the transition from BlackBerry to Apple and Android smartphones. The server supporting the BlackBerry devices needed to be upgraded, and the functionality and software of the Apple and Android devices made them a good choice for supporting the DON’s needs. So we decided that following industry best practices in the smartphone area would serve the DON well.
The transition was at first limited to a relatively small pool of users in the Norfolk and San Diego areas. After evaluating usage by this small population, the capacity was increased to support more than 25,000 devices, and we are currently rolling them out to all CONUS users. Users who have BlackBerrys will be receiving the new iPhones by January 2016.
Q: In your first CHIPS column as DON CIO, you wrote that you have been meeting with stakeholders to understand their objectives so that you can formulate a DON IT Strategic Plan that helps enable and deliver the outcomes outlined in the FY14-16 DON Transformation Plan. Can you discuss your efforts so far in this regard?
A: Since that column ran, I have had the opportunity to meet with many stakeholders throughout the Department of the Navy (DON), Department of Defense (DoD), and the Military Department CIOs. While I have not yet had a chance to meet with everyone that I would like to, some distinct patterns have emerged. To address the issues that are surfacing from these discussions, we need to adopt practices that have proven effective in both industry and in other government organizations.
I think that we can make progress by just changing our approach in some areas. What I propose are not original concepts; they have already proven effective elsewhere. Here are a few examples:
- Light Governance: By this, I mean delegating authority to an appropriate level (with commensurate accountability) — giving the freedom to take necessary action, but holding those with authority accountable for results.
- As Needed Infrastructure: This is the concept that we should only pay for the infrastructure we need and only for the time we’ll need it. One example is the adoption of cloud computing. We must keep pressing to get the necessary work done to be able to make more extensive use of commercial opportunities such as cloud. Similarly, we can also improve in sharing the services and IT commodities we use across the enterprise to ensure we get the most out of each dollar we spend.
- Balanced Industry Outreach: Industry has the ability to experiment, research, and develop new technology using funds generated by profits. The DON has R&D labs and encourages innovation, but we are by necessity more fiscally conservative with taxpayer dollars. A balanced approach means we look to industry because they have solved many of the challenges we face, while realizing we do not have to be first adopters of every new idea industry pushes to market.
These are three areas that have come to light as I’ve met with stakeholders, and I am sure they will be integrated into the DON IM/IT Strategic Plan. The strategic plan development work has begun and I expect it to be completed in mid-January 2016.
Q: You also wrote in your column that the DON CIO will be actively engaged in Secretary of the Navy Mabus’ effort to spur innovation. Mr. Mabus seeks not only to improve warfighting capabilities but also to strengthen the DON’s business processes and to innovate across all areas. How will the DON CIO team contribute to SECNAV’s objectives?
A: While innovation is everybody’s business, a key role that DON CIO can play is in helping to create an environment that is conducive to innovation and process improvement. Having responsibility for DON IT policy, we will examine current and future policy we develop to ensure it is not unnecessarily burdensome, and does not needlessly impede experimentation and innovation.
We will also look for creative ways to enable innovation and improve current processes at all levels while adhering to policy. The DON Information Enterprise includes a range of functions and services. Some of our functions are executed by process steps that are worth deconstructing and examining to ensure they are necessary and effective.
DUSN Management led a Navy-Marine Corps team that recently completed a study of the IT procurement request (ITPR) process. I appreciate the efforts of this team that worked together over several months. They developed viable courses of action that will ease the burden of getting IT purchases approved while still adhering to policy. I plan to institute some of the changes they recommended in the coming weeks.
With our range of functions and services, there are different levels of risk that we can assume in each. The key is to thoroughly assess risk versus return as we experiment or pilot innovative technologies that can lead to improved capabilities.
Q: The development of cyber workforce personnel across all cyber mission areas continues to be a major effort within DoD and the DON. How is DON CIO working with DoD, the Navy and the Marine Corps to support this effort?
A: DON CIO is partnering with DoD and Navy and Marine Corps Cyberspace Workforce organizations to support the development and operation of Cyber Mission Teams to support the U.S. Cyber Command’s Cyber Mission Force (CMF). DoD began to build a CMF in 2012 to carry out DoD’s cyber missions. The CMF will include nearly 6,200 military, civilian, and contractor support personnel from across the military departments and defense components.
DON CIO also works closely with key DoD leadership in the DoD Principal Cyber Advisor (PCA) office and supporting DoD offices to address total workforce requirements. Specific efforts include ensuring viable career paths for military cyber personnel; incorporating Reservists into the Cyber Forces; improving the recruitment, retention and development of our civilian Cyberspace Workforce; and transitioning to improved training, education, and qualification for all members of that workforce.
We will continue to work closely with the Navy and Marine Corps and find new and innovative ways of meeting our cyber training, tactics, and exercise needs. This will ensure that we have the cyber capabilities needed to meet DON missions with a ready and capable workforce.
Q: Spear phishing continues to be a successful method of infiltrating government and industry networks. DoD and industry cyber/IT leaders have said that we must find more effective ways of educating the workforce. Do you have any recommendations to improve cybersecurity training for DON system users?
A: The Department currently mandates that all personnel complete DoD cybersecurity awareness training before being granted access to DON networks, and take refresher training annually. We have also made available to DON users such specific audience training as DISA’s Mission Assurance for Senior Leaders and System Administrator courses.
Recently, DON CIO supported DoD CIO’s proposal to improve user training with short videos on issues like spear phishing and by providing information that spells out, in terms the general user population can understand, what threats such as “Heartbleed” and “Stuxnet” really are. We also proposed DoD CIO establish realistic training that demonstrates for users what these threats look like and the damage they can do when people fail to follow the proper precautions.
We are also looking at what other agencies are doing and investigating interactive training that would provide users with the ability to take appropriate actions to counter threat activities like phishing and actually see the results of their actions on their screens. Additionally, with the growth of “free” public wireless available, we believe that training is needed that specifically addresses the connection of personal and government computing devices to free public wireless.
DON CIO has joined with multiple DON organizations to develop policy detailing the processes and training required for continuing access to DON networks and information that goes beyond the DoD Cybersecurity Awareness course. New requirements include training on information classification, privacy, personally identifiable information (PII), and DON Operations Security.
In general, DON CIO is working with other DoD Components and the DoD CIO to increase users’ awareness of their responsibilities regarding access to and use of government information and information systems. DoD has stated that people must be held accountable for their actions regarding cybersecurity. We will work to ensure that our personnel understand what they are accountable for, and what they need to do to responsibly use DON information technology tools.
DON CIO website: www.doncio.navy.mil/