The Defense Department is a major target for cyberattacks, so the DOD is making cybersecurity an essential and basic part of its IT mission.
The top IT leaders within the Pentagon meet weekly with DOD CIO Terry Halvorsen to discuss how effectively the service branches and other DOD components are meeting the department’s own cybersecurity goals.
Additionally, the DOD is preparing to issue guidance that is designed to make cybersecurity an element of the department’s IT acquisition process from the beginning.
Maintaining and Measuring Basic Cybersecurity
Every Friday, the CIOs of the military service branches and other major DOD agencies meet with Halvorsen to discuss the data from the department's cybersecurity scorecard.
Marianne Bailey, the principal director in the office of the deputy defense CIO for cybersecurity, said no one at that meeting wants to draw negative attention, according to FedScoop. “No one wants to be an outlier, no one wants a bad grade,” Bailey said, speaking last week at the FedScoop Federal Cybersecurity Summit.
“He’s very assertive, proactive,” Bailey told FedScoop of Halvorsen. “He doesn't accept reasons why. [He says], ‘Just tell me how you're going to fix it.’”
Data from the cybersecurity scorecard, which measures progress on 10 key cybersecurity targets, is sent to Secretary of Defense Ashton Carter every month. Every three months, he and Halvorsen meet to review the progress, FedScoop notes.
“There is accountability from the very, very top, all the way down,” said Bailey, who said the regular meetings are “kind of unprecedented.”
The scorecard measures progress on targets set in the DOD’s Cybersecurity Discipline Implementation Plan, which was first announced in October 2015, amended in February and made public in May.
As online journal Defense Systems notes, the implementation plan is focused on four key areas: implementing strong authentication systems; hardening and securing endpoint devices; reducing the attack surface and points of potential intrusion; and coordinating cybersecurity and network monitoring with computer network defense service providers so that the DOD can mitigate cyberattacks and respond quickly to them.
The implementation plan is designed to simplify how the DOD approaches cybersecurity and to provide clear milestones and metrics for effectiveness. “We were getting a lot of complaints [from our cybersecurity workforce] that they were very inundated with all the things they were being barraged with to do,” Bailey said, according to FedScoop. “We had no way of measuring how we were doing.”
FedScoop reports: “The measures include requiring a PKI key for every login; having separate logins for system administrators used only when special admin privileges are required; and ensuring the department’s Host-Based Security System is installed on every endpoint.”
The DOD wants to get to a point where those types of basic cybersecurity measures become embedded within the Pentagon’s culture in the same way that proper storage of firearms is, especially through more regular cybersecurity training.
“I think we will get there,” Bailey said, “I don't think we’re there yet. You get trained on that firearm a ton of times. Training, refresher training, you have to stay qualified ... We’re trying to get there on cybersecurity.”
Changing the IT Acquisition Process
Meanwhile, the DOD wants to architect cybersecurity into its IT systems before they are purchased, so that those systems remain secure throughout their life cycle.
According to Federal News Radio, the Pentagon is preparing guidance to be released in the next two months that will give program managers more detailed instructions on systems security engineering.
Robert Gold, DOD’s director of engineering enterprise, told Federal News Radio that the guidance will give program managers “a more consistent set of approaches across all of our acquisition programs,” and will provide more information on how and where to engineer security features into programs.
“Ultimately this would eventually make its way into the development contract, but right now the specific guidance that we plan to publish is for program managers,” Gold said.
As Federal News Radio reports:
“Systems security engineering is the use of engineering and management principles and concepts to optimize security throughout all stages of a system life cycle. The objective is to eliminate or reduce vulnerabilities in the system. The guidance is part of a broader push within the Defense Department to make programs more cybersecure. As more programs are connected to the internet, DOD has seen the need to protect them from the increasing number of cyberattacks. Defense Undersecretary for Acquisition, Technology and Logistics Frank Kendall released a policy last year requiring program managers to conduct cybersecurity risk assessments and to assist program users in writing testable measures for cybersecurity.”