The department aims to clarify what beyond desktops qualifies as an endpoint.
The office of the Defense Department’s chief information officer is working on a document to clarify references in policy to various endpoints, according to an update on the department’s cybersecurity efforts provided this week at a meeting of the Software Supply Chain Assurance Forum.
The forum—co-led by Defense, the National Institute of Standards and Technology, the Homeland Security Department and the General Services Administration and attended by public and private sector representatives—meets quarterly under the Chatham House Rule, which doesn’t allow speakers or their specific affiliation to be identified.
Clarifying key terminology could have a significant impact on policy in an environment where priority, and funding, is generally given to the IT “behemoth,” as one official termed information technology, but where less cited operational technology, or OT, is “not entirely distinct.”
It’s great to have strategies, the official said, “but there’s always this challenge of going up against big IT, and the amount of money and resources that have been focused in that area.”
“I know that there’s a document being drafted right now by the DOD CIO that’s talking about endpoint management,” one public official said, asking “What’s an endpoint?”
“Right now, in the big picture, I’ve seen a lot of documents that refer to endpoints, to being everything that’s connected,” the official said. “But we’re still struggling on making sure we have the right solutions on all of our main desktops. So when we’re talking endpoints right now, and the solutions we’re focused on right now, it’s still at the desktop level.”
That could suggest a neglect of endpoints in industrial control systems that are central to critical infrastructure like electric utilities or water treatment facilities—and seen as high-profile targets for foreign adversaries.
Industrial control systems is one of many terms, including the “industrial internet of things” and “platform operational technology,” that have been used to refer to such technologies. They were developed before the internet and often still run on Windows XP and other outdated software.
“The terminology discussion is much needed,” the official said, “so that’s part of what we’re going to get to next in terms of how we clarify some taxonomy in this area.”