Outcomes, Not Programs, Will Define DOD’s Cybersecurity Record

Alonzo Clark/National Guard

The Defense Department is changing how it defines and defends its networks.

In 2019, the Defense Department embarked on two new cybersecurity programs: Automated Continuous Endpoint Monitoring, or ACEM, and Comply-to-Connect, or C2C. These programs are changing the way Defense defines and defends its networks. The outcome will be a vastly improved enterprise security posture as well as advanced automation that will let Defense redirect limited resources toward higher-order cybersecurity missions.

ACEM and C2C share the common goal of ensuring that the department knows what is connecting to and what is happening on its networks (in agency-speak, “domain awareness”). ACEM is intended to help solve the problem of detecting and profiling Windows-based devices, or endpoints, and account for the software on them. C2C will solve the problem of detecting, profiling and securing non-traditional categories of devices such as internet of things or networked operational technology, including, for example, industrial controllers. Firmly grounded in the National Institute of Standards and Technology’s Cybersecurity Framework and the Center for Internet Security top 20 critical controls, these two programs will give Defense the capability to monitor every single connecting device for its compliance with the department’s security policies and automatically enforce these policies to mitigate risk. 

Detecting devices on networks has proven to be exceedingly difficult for all federal departments and agencies. Utilizing a program similar to C2C, called Continuous Diagnostics and Mitigation, federal civilian agencies discovered, on average, 75% more devices on their networks than they previously knew about. Defense faces the same problem. A connected device that is unknown—an unmanaged device—is one that cannot receive patches and updates and therefore introduces major cyber risk to the enterprise. Unmanaged devices present an easy path for adversaries to access and exploit higher-value parts of the network, or to degrade, deny, disrupt or even destroy critical network components. 

Between 2016 and 2018, several events occurred that underscored Defense’s lack of cyber domain awareness. In February 2016, in what has become known as the “Eight Star Memo,” the commanders of U.S. Northern and Pacific Commands sent a letter to then-Secretary of Defense Ash Carter asking for more focus on “cybersecurity of DOD critical infrastructure Industrial Control Systems.” Following this, the Homeland Security Department issued a directive to all federal agencies to remove products manufactured by Kaspersky Lab.

In 2018, a scathing Government Accountability Office report highlighted the present reality that cyberattacks could “target any weapon subsystem that is dependent on software.” Also that year, in a discussion of Defense’s first-ever completed audit, then-Comptroller David Norquist stated: “Our single largest number of findings is IT security around our business systems;” only five of the 21 audits conducted received a “passing” result.

In the background of these alarm bells, however, several important things began. Congress, dissatisfied with the department’s inability to account for the hardware and software on its networks, directed leaders to develop an automated means to determine the security and license status of deployed software, resulting directly in the two programs described here. U.S. Cyber Command then outlined six categories of endpoints to help identify and account for previously overlooked parts of the domain.

The Navy and Marine Corps, which had been testing the C2C concept for some time, stepped forward and agreed to serve as “Pathfinders” for Defense’s planned enterprise C2C program. The anticipated outcomes for these services’ C2C deployments include: comprehensive network-based visibility, discovery and classification of devices; redundant manageability and control of devices; orchestration with mandated security and network management solutions; and continuous monitoring and automated remediation. These outcomes are game-changing because they have been neither achieved nor achievable at scale in the past. The Pathfinders will inform the enterprise deployment of C2C across Defense information networks.

Knowing what is on your networks and what is happening on your networks are truly the basics of cybersecurity. In this sense, ACEM and C2C are simple and unremarkable. Yet these programs implement cyber basics in a manner not seen before: comprehensively and continuously. They build upon existing cyber capabilities but pave the way toward future desired end-states: above all, awareness of the true cyber domain and the automation of routine cyber tasks. These outcomes, not a program of record or catchy acronym, will be the legacy of Defense’s current cyber leaders.

Katherine Gronberg is vice president for government affairs at Forescout.
