Mark Compton became the NAVWAR Command Information Security Officer (CISO) in September 2018, where he works to drive cyber resilience through situational awareness, incident response, IT policy support, and development of a cyber workforce in support of information warfare.
From 2014 to 2018 he was the Deputy Program Manager for the Navy’s Command and Control Systems Program Office (PMW 150), providing operational and tactical command and control capabilities that include targeting support, chemical-biological warnings, and logistics support for the Navy, Marine Corps, joint and coalition warfighters.
Q: We heard from you earlier this year when NAVWAR hosted the first Systems Command (SYSCOM) CISO Forum. How are the SYSCOMs continuing this work together, or are there additional initiatives, that are advancing the DON CIO's Modernize, Innovate and Defend objectives from his Information Superiority Vision?
Mark Compton: As you’ll recall, we held that first SYSCOM CISO Forum the day after the Department of Navy (DON) IT Conference in early March. It was the end of that next week that we entered the new reality of operating in a COVID-19 environment, so the DON CISO and the CISOs from each SYSCOM were pretty busy over the ensuing months focusing on how we collectively continued to protect our networks, systems, applications and information while operating in a dramatically increased telework environment.
But despite the fast pace, we knew it was more important than ever to continue the collaboration of our first forum, focusing on the “Defend” component of the DON Information Superiority Vision. In the first week in July, we held our second SYSCOM CISO Forum, but this time over DoD Commercial Virtual Remote (CVR) Teams. Again, Mr. Chris Cleary, DON CISO, laid the foundation for discussion with the lines of effort supporting the “Defend” objective. During this half-day, we spent time discussing needed reforms in the Risk Management Framework (RMF) process and the role of quantitative cyber risk analysis in assessing risk to mission.
And not surprisingly, we discussed the challenges the SYSCOMs faced and our lessons learned in our first months of COVID-19 operations. A lot of that discussion centered on collaborative tools, especially CVR Teams, their information security implications, and the reinforcing of our cybersecurity culture in a telework environment. We are planning our next forum to coincide with the DON IT Conference this November.
Finally, the SYSCOM CISOs continued our collaboration by bringing our Cyber Planning and Response Center (CPRC) teams together this September to conduct a Table Top Exercise (TTX) focused on cross-SYSCOM coordination and communications in the event of a cybersecurity incident. The Naval Sea Systems Command CPRC afloat manager highlighted the ever-increasing need to share information across the SYSCOMs in a timely manner given the interconnected relationships of our systems. We are able to uncover the unknowns in a cyber incident much more efficiently when we communicate fluidly across our incident response teams. This was the first cross-SYSCOM TTX, and based on the enthusiastic discussion and feedback, it won’t be our last.
Q: What are some of your key focus areas and top initiatives?
Mark Compton: Our program executive offices (PEO), program offices, Naval Information Warfare Centers (NIWC), chief engineer’s office and office of the CIO have been laser-focused on transitioning our systems from the DoD Information Assurance Certification and Accreditation Process (DIACAP) to RMF, in order to meet the directive from Fleet Cyber Command. This puts us in compliance with more recent federal directives, strengthens our cybersecurity posture, and shifts from compliance checks to a more risk-based approach. As of 1 October we have transitioned 94 percent of our systems and will be at 100 percent by the end of the calendar year.
We’ve also been eliminating high-risk vulnerabilities in our systems, especially our legacy systems, reducing the number in the High-Risk Escalation (HRE) Process by about 60 percent this year with the goal of zero systems in HRE. With the near completion of DIACAP to RMF, the road is paved for us to go to the next level and introduce fundamental RMF reform, culminating in continuous monitoring and authorization of our systems. Our chief engineer’s office and office of the CIO, in collaboration with DON CIO, are leading an initiative for revolutionary change in the way we continuously protect the systems we deliver to the fleet.
Our CPRC also supports the NAVWAR strategic objective to “drive cyber resiliency”, led by our chief engineer, with other members from PEO C4I and Space Systems and the Fleet Readiness Directorate. Our particular focus is on reducing cyber vulnerabilities in the fleet by driving up information assurance vulnerability system patch compliance, and driving down time to patch availability, thus decreasing the window of vulnerability. We’ve made great improvements since we began tracking and exposing the metrics two years ago to NAVWAR senior leadership, program managers and cybersecurity action officers. Making patches available is only a leading part of the story, as our PEOs and program offices are also striving to decrease the time to patch by automating the patching process, where we’ve nearly tripled this capability in our systems over the past few years.
Another focus area of ours is the protection of our controlled unclassified information (CUI). It was a priority to get clear guidance to our teleworking folks during the COVID-19 pandemic on what types of CUI are, and are not, allowed in CVR Teams conversations and documentation. I think the DON CIO and OPNAV N2N6 did a good job in clarifying the requirements, and in providing job aids that inform the workforce of which authorized Navy telework capabilities can be used for different types of CUI and different levels of classified information. We have recently made a big push to develop and deliver CUI training to our workforce and contractor support personnel, and I see a lot of evidence in recent briefs and documentation that our team is making good progress in implementing these procedures.
We’re also focusing on preparing the NAVWAR Enterprise for a Command Cyber Operational Readiness Inspection (CCORI). It looks like we are going to be the first SYSCOM to be inspected under this relatively new construct that takes a mission-based, threat-focused, operational risk approach rather than the more traditional Command Cyber Readiness Inspection (CCRI) that is a compliance-based approach. At NAVWAR, our mission is to rapidly deliver cyber warfighting capability from seabed to space, so we know the fleet expects us to perform exceptionally well not only in this inspection, but also in what we do every day, in everything, to deliver and support that capability.
Q: You mentioned the CPRC a couple of times. What is the primary function of the NAVWAR Cyber Planning and Response Center?
Mark Compton: The NAVWAR CPRC's primary function is to serve as NAVWAR’s central cyber incident response coordination point for U.S. Fleet Cyber Command. While our CPRC is centered in our Command Information Security Office, its membership is a federation of over 40 cybersecurity leads and action officers from across the NAVWAR Enterprise, including three PEOs, NIWC Pacific and Atlantic, 20 program offices, the Chief Engineer’s Office, the Fleet Readiness Directorate and the Office of the CIO. The scope encompasses several hundred networks, systems and applications that provide information warfare capability to the fleet.
Q: What unique advantage does NAVWAR bring to the Navy's cybersecurity posture with the use of the Cyber Planning and Response Center?
Mark Compton: Besides coordinating cyber incident response, our CPRC also serves as a coordinating body for executing defensive cyber measures from U.S. Fleet Cyber Command, all of which enhance the cyber resiliency of the information warfare capabilities we deliver to the fleet. This directly supports warfighting commanders in maintaining cyber readiness in accordance with CNO's FRAGO 01/2019: A Design for Maintaining Maritime Superiority.
Q: As we kick off a new fiscal year, and make our way to the end of calendar year 2020, what other cybersecurity related initiatives and trends will you be focusing on?
Mark Compton: As the NAVWAR CISO, this year I intend to continue increasing my outreach to support collaborative efforts in cybersecurity to include the cross-SYSCOM initiatives that I already mentioned and the Cybersecurity Working Group that supports the cross-SYSCOM Information Technology/Cyber Security Technical Authority Board (IT/CS TAB). There is so much great work going on in the IT/CS TAB, from Zero Trust Networks Next Generation Architecture, to DevSecOps (Development, Security and Operations), to CYBERSAFE, to Model Based Systems Engineering, and everything in between. All of these initiatives contribute to accelerating, streamlining and securing the information warfighting capabilities we deliver to fleet.
Along with John Armantrout, cybersecurity program manager (PMW 130), I’m also serving as NAVWAR advisor to the San Diego Cyber Center of Excellence Board of Directors. This is a non-profit dedicated to cyber innovation and increasing the cyber technical talent in the San Diego region. Partnerships like this and others with business and academia help enable our recruiting, developing and strengthening a technologically savvy, knowledge seeking and solution-driven cyber workforce that is so essential to our mission success.
I will also be working closely with our contracts, small business, acquisition, and program management competencies supporting implementation of the Cybersecurity Maturity Model Certification (CMMC) framework. We will be assisting program managers and system owners in assessing the CMMC security level requirements for their systems, and working with industry, particularly small businesses, to understand and meet the CMMC requirements as they are implemented.
Most importantly, I’ll be continuing to focus on promoting a cybersecurity culture where every member of our NAVWAR workforce remembers that every day, in everything they do, they are the defenders of the information that drives our nation’s competitive advantage.
Mr. Compton was interviewed by Kara McDermott, who provides contractor support to NAVWAR Public Affairs and Corporate Communications.