Program Executive Office Command, Control, Communications, Computers, Intelligence and Space Systems (PEO C4I and Space Systems) is making continuous adjustments as it strives to build more cyber-secure systems that will meet the Navy’s maturing cyber requirements and standards, while also adjusting to ever-evolving threats. Numerous initiatives within the PEO’s 11 program offices are incorporating processes that will integrate the necessary Cybersecurity Technical Authority (CS TA) Standards into the development phase and will also automate cyber hygiene processes to increase cyber resiliency and help ensure technologies remain safe from a cyber-attack.
One of the primary ways programs are positioning themselves to enhance their cybersecurity is through the implementation of the Risk Management Framework (RMF), which has been adopted by the Department of Defense (DoD) to assess the implementation of security controls and then authorize Navy systems to operate and connect to the DoD Information Network (DoDIN). With a determination to complete the transition to RMF by December 2020 as directed by Operation Triton Bastion, program offices are documenting the NIST SP 800-53 security controls and control enhancements their programs have implemented. These controls can be effectively satisfied by other systems through a security control inheritance process, and then system owners can focus on addressing any remaining security controls that have not yet been implemented.
Foundational to this approach are the PEO’s infrastructure programs, which will provide a modern architecture that supports improved cybersecurity. The three primary cybersecurity infrastructure programs are the Consolidated Afloat Networks and Enterprise Services (CANES), the Shore Tactical Assured Command and Control (STACC) and the Computer Network Defense (CND) programs. By leveraging these architectures, the remaining C4I programs can employ emerging agile software development processes that support Navy goals to deploy capabilities faster. Access to cloud capabilities—supplemented with the cyber analytic initiatives within the Information Assurance and Cyber Security Program Office (PMW 130)—will also support improved cyber capabilities across all programs.
Concurrently, PEO program managers have been making great strides to implement cyber hygiene requirements across 300 systems to improve the automation of the scanning, patching and vulnerability management processes. Automation is an effective way to ensure security patches are up to date while reducing burdens on the fleet’s system administrators. This focus on automation is already paying dividends. Metrics show that a majority of C4I programs are consistently issuing patches within the 21-day standard for the highest-priority vulnerabilities. This accomplishment results from a commitment to maintaining a high security posture while continuing to transition to more automated processes that reduce cycle-time and lessen the burden on fleet operators.
Program managers are also leveraging a variety of sources to identify cyber concerns that need to be addressed. The Navy’s Security Control Assessor provides early feedback through the RMF process, and the program offices receive additional feedback from Naval Information Warfare Systems Command’s (NAVWAR’s) Chief Information Security Officer, who monitors programs’ compliance with Fleet Cyber Command’s (FCC’s) “Top 20 Vulnerabilities.” Program managers also work with the Fleet Readiness Directorate (FRD) Cybersecurity Readiness Office to monitor the status of patching and scanning in the fleet. FCC’s Office of Compliance and Assessment provides additional feedback as it conducts cyber inspections at sites Navywide.
In addition to the above sources of cyber vulnerability information available to a program manager, NAVWAR Office of the Chief Engineer cybersecurity experts provide more tools and processes to support the development process, such as secure code reviews, penetration testing, cyber risk assessments and implementation of a Cybersecurity Figure of Merit (CFOM). CFOM is a NAVWAR initiative to provide a quantitative measurement of a system’s cybersecurity properties. Agile software development processes and Model-Based Systems Engineering (MBSE) initiatives are also being implemented at NAVWAR and being leveraged to improve the cybersecurity of systems in the fleet.
Effective cybersecurity requires programs to address cyber concerns early while leveraging a variety of tools and information provided by the PEO, NAVWAR and FCC. Throughout PEO C4I and Space Systems’ program offices and fielded systems, there is a concerted focus on providing the fleet with cyber-secure systems that are resilient in a cyber-contested environment. While meeting all the evolving mandates is challenging, program managers have been adapting to this increasing cybersecurity demand by adjusting resources and increasing prioritization in the development and modernization process with the goal of providing the fleet with the most cyber-secure capability possible.
Program Executive Office Command, Control, Communications, Computers, Intelligence and Space Systems (PEO C4I and Space Systems) provides integrated communication and information technology systems that enable information warfare and command and control of maritime forces. It acquires, fields and supports systems that extend across Navy, joint and coalition platforms.
Ed Lazarski is the Director, Cybersecurity in PEO Command, Control, Communications, Computers, Intelligence and Space Systems, in Naval Information Warfare Systems Command (NAVWAR) Office of the Chief Engineer.