Naval Information Warfare Systems Command (NAVWAR) completed an enterprise-wide cybersecurity health ‘scorecard’ during fiscal year 2019. The scorecard reviewed 188 information technology (IT) systems to identify and address cybersecurity challenges and to help leaders make informed investment decisions in today’s increasingly complex security environment.
NAVWAR’s Office of the Chief Engineer developed the scorecard, known as Cybersecurity Figure of Merit (CFOM), to provide a data-driven approach to inform program offices of their systems’ cybersecurity health. A figure of merit is a term used across industries that assigns a numerical quantity based on one or more characteristics of a system that represents a measure of efficiency or effectiveness.
CFOM is both a data-collection and an analytical process. It uses a commercial off-the-shelf data visualization tool to generate a score that captures the cybersecurity health of a system, based on 41 questions answered by the program office. CFOM also integrates data from the Enterprise Mission Assurance Support Service (eMASS), a web-based, government-off-the-shelf solution, to support advanced filtering.
Using that data, NAVWAR’s Cybersecurity Technical Authority (CS TA) team provides recommendations for improving cybersecurity health aligned to the five National Institute of Standards and Technology (NIST) Cybersecurity Framework functions: identify, protect, detect, respond and recover. In addition to the NIST categories, the CFOM assessment also includes questions about sustainment that focus on lifecycle sustainment costs, personnel, end-of-life hardware and software, and updated documentation.
The Secretary of the Navy, Richard V. Spencer, highlighted the need for this type of cybersecurity situational awareness in the Cybersecurity Readiness Review, released in March 2019. The review identifies best practices in government and private-sector organizations that are able to contend with cybersecurity threats, and names cybersecurity dashboards and scorecards as imperative tools for predicting and monitoring system performance.
“We are in a great power competition across all the domains of warfare, including cyber and perhaps especially cyber,” said NAVWAR Commander Rear Adm. Christian Becker. “It’s imperative that we are using data in a smart way to continually evolve to maintain the competitive advantage.”
CFOM data is captured in aggregations and analytic storyboards and supports views at multiple scales, from a single system to the entire enterprise. With advanced filtering, the CFOM tool helps leadership narrow the aperture and identify the most critical systems in need of attention.
Much as FICO scores provide an independent assessment to the credit industry, CFOM scores are intended to provide an equivalent independent assessment to the Navy’s acquisition, operational and technical communities. In this case, the NAVWAR CS TA team is the independent assessor, providing a cybersecurity assessment and report for a particular system or system of systems. The results will inform the executive sponsor responsible for the program at acquisition milestone and gate reviews, help program managers make investment decisions throughout the lifecycle of a system, provide a return-on-investment tool for resource sponsors during programming and budgeting, and offer a high-level cybersecurity health assessment to commanding officers and Navy leadership.
The process for generating a CFOM report is straightforward. The program office answers the CFOM questionnaire for a specific system; the NAVWAR CS TA team then reviews the questionnaire and meets with program office representatives to validate the answers. From there, the finalized questionnaire generates an overall score as well as an individual score out of 100 for each NIST framework function category. The CS TA develops and issues a CFOM report that details the results and provides recommendations. Complete CFOM assessments and reviews will be conducted in conjunction with system engineering technical reviews.
As a pilot case for CFOM, the Tactical Networks Program Office (PMW 160) evaluated four variants of the Navy’s Consolidated Afloat Networks and Enterprise Services (CANES), demonstrating increased situational awareness of the system’s cybersecurity health. Feedback from the pilot also allowed the CFOM team to make the adjustments needed for a more accurate and impactful CFOM report.
"Cybersecurity Figure of Merit is a powerful tool to assess the impact of your cybersecurity investment," said Capt. Kurt Rothenhaus, PMW 160 program manager. "For the CANES program we were able to use the tool to articulate to our senior stakeholders how resourcing areas of the network would improve the cybersecurity resiliency in a measurable and consistent manner."
After incorporating the feedback from the CANES pilot, the CFOM team assessed the systems across the NAVWAR enterprise, an effort that took approximately 60 days.
“While we continue to hone and improve the CFOM tool, it serves as a significant first step in providing enterprise cybersecurity metrics to improve cybersecurity posture and to better understand the current cybersecurity health of IT systems,” said Brian Marsh, NAVWAR assistant chief engineer.
In the future, the NAVWAR CFOM team will explore expanding to other Navy systems commands, so that they can use this data-driven approach to inform cybersecurity tasks and budgetary decisions and to enhance their perspective on risk.
Naval Information Warfare Systems Command (NAVWAR) identifies, develops, delivers and sustains information warfighting capabilities and services that enable naval, joint, coalition and other national missions operating in warfighting domains from seabed to space. NAVWAR consists of more than 11,000 active duty military and civil service professionals located around the world.