Presented by FedTech
In addition to measuring the effectiveness of cybersecurity measures on a running scorecard, the Pentagon is looking to build security into its acquisition process from the start.
The Defense Department is a major target for cyberattacks, so to the DOD is making cybersecurity an essential and basic part of its IT mission.
The top IT leaders within the Pentagon meet weekly with DOD CIO Terry Halvorsen to discuss how effectively the service branches and other DOD components are meeting the department’s own cybersecurity goals.
Additionally, the DOD is preparing to issue guidance that is designed to make cybersecurity an element of the department’s IT acquisition process from the beginning.
Maintaining and Measuring Basic Cybersecurity
Every Friday, the CIOs of the military service branches and other major DOD agencies meet with Halvorsen to discuss the data from the department's cybersecurity scorecard.
Marianne Bailey, the principal director in the office of the deputy defense CIO for cybersecurity, said no one at that meeting wants to draw negative attention, according to FedScoop. “No one wants to be an outlier, no one wants a bad grade,” Bailey said, speaking last week at the FedScoop Federal Cybersecurity Summit.
“He’s very assertive, proactive,” Bailey told FedScoop of Halvorsen. “He doesn't accept reasons why. [He says], ‘Just tell me how you're going to fix it.’ ”
Data from the cybersecurity scorecard, which measures progress on 10 key cybersecurity targets, is sent to Secretary of Defense Ashton Carter every month. Every three months, he and Halvorsen meet to review the progress, FedScoop notes.
“There is accountability from the very, very top, all the way down,” said Bailey, who said the regular meetings are “kind of unprecedented.”
The scorecard measures progress on targets set in the DOD’s Cybersecurity Discipline Implementation Plan, which was first announced in October 2015, amended in February and made public in May.
As online journal Defense Systems notes, the implementation plan is focused on four key areas: implementing strong authentication systems; hardening and securing endpoint devices; reducing the attack surface and points of potential intrusion; and coordinating cybersecurity and network monitoring with computer network defense service providers so that the DOD can mitigate cyberattacks and respond quickly to them.
The implementation plan is designed to simplify how the DOD approaches cybersecurity and to provide clear milestones and metrics for effectiveness. “We were getting a lot of complaints [from our cybersecurity workforce] that they were very inundated with all the things they were being barraged with to do,” Bailey said, according to FedScoop. “We had no way of measuring how we were doing.”
FedScoop reports: “The measures include requiring a PKI key for every login; having separate logins for system administrators used only when special admin privileges are required; and ensuring the department’s Host-Based Security System is installed on every endpoint.”
The DOD wants to get to a point where those types of basic cybersecurity measures become embedded within the Pentagon’s culture and proper storage of firearms, especially through more regular cybersecurity training.
“I think we will get there,” Bailey said, “I don't think we’re there yet. You get trained on that firearm a ton of times. Training, refresher training, you have to stay qualified ... We’re trying to get there on cybersecurity.”
Changing the IT Acquisition Process
Meanwhile, DOD wants to architect cybersecurity into its IT systems before they are purchased so that its systems can be secured into the future.
According to Federal News Radio, the Pentagon is preparing guidance to be released in the next two months that will give program managers more detailed instructions on systems security engineering.
Robert Gold, DOD’s director of engineering enterprise, told Federal News Radio that the guidance will give program managers “a more consistent set of approaches across all of our acquisition programs,” and will provide more information on how and where to engineer security features into programs.
“Ultimately this would eventually make its way into the development contract, but right now the specific guidance that we plan to publish is for program managers,” Gold said.
As Federal News Radio reports:
This content is made possible by FedTech. The editorial staff of Nextgov was not involved in its preparation.