In October 2018, Secretary of the Navy Richard V. Spencer asked a group of subject matter experts to review the Department of the Navy's cybersecurity posture. This group teamed with current operational military and civilian experts to compare the Navy's cybersecurity governance structures against best practices from both government and industry for alignment of authority, accountability, and responsibility.
The review board took a hard, unbiased look at how successful government and private sector organizations approach, apply, and govern cybersecurity and compared those findings to the current cybersecurity state of the DON and its supporting industrial base.
The report highlights the value of data and the need to modify the DON's business and data hygiene processes in order to protect data as a resource. This review also provides an assessment of the culture, people, governance, processes, and resources as they pertain to cybersecurity in the Department of the Navy.
In short, the Department found it is at severe risk of cyber-related attacks due to a lack of uniform top-down leadership, confusion and complexity over cybersecurity standards, and a general lack of understanding or appreciation from the workforce.
The DON is under attack due to its inability to agilely apply focused resources at an enterprise level.
Recommendations in the review specifically address policy, processes, and resources needed to enhance cyber defense and increase resiliency, as shown in Figure 1. These same factors are defined as critical paths, as shown in Figure 2, that will lead to a DON that is optimally focused, organized, and resourced to proactively respond to this existential threat to national security.
Cyber improvements will result in resilient, trustworthy information systems that are significantly more secure and will increase the department’s ability to protect, detect, react, and restore information systems, even when under attack from a capable cyber-adversary.
With urgency, the Department of the Navy Secretariat, along with the Chief of Naval Operations and the Commandant of the Marine Corps, will coordinate with the Department of Defense and Congress for the resources required to compete and win in the cyber domain.
Leadership has already initiated this process as part of a broader review of how best to organize the Department to address the overall challenges of information management, to include not only cybersecurity but also data strategy and readiness, business system rationalization, and artificial intelligence.
Link to SECNAV Cybersecurity Readiness Review
Link to SECNAV Cybersecurity Readiness Letter