“Cyber defense of DoD systems is [my] highest cyber priority; if DoD systems are not dependable in the face of cyber warfare, all other DoD missions are at risk.”
– Secretary of Defense Ashton Carter, April 18, 2015
The Department of Defense recently issued the DoD-wide Cybersecurity Discipline Implementation Plan, which will hold leaders accountable for cybersecurity compliance.
Inspections and incidents across the DoD reveal a need to reinforce basic cybersecurity requirements identified in policies, directives, and orders, according to the Implementation Plan executive summary.
In agreement with the Secretary of Defense, the Deputy Secretary of Defense, and the Joint Chiefs of Staff, the DoD Chief Information Officer (CIO) identified key tasks needed to ensure those requirements are achieved. The DoD Cybersecurity Campaign reinforces the need to ensure commanders and supervisors at all levels, including the operational level, are accountable for key tasks, including those identified in the implementation plan.
The Campaign Plan does not relieve commanders and supervisors of their responsibility to comply with the other cybersecurity tasks identified in policies, directives, and orders; rather, it limits the risk any one commander or supervisor may assume in these key areas, in order to reduce the risk to all other DoD missions.
As part of the Campaign, the Implementation Plan is grouped into four Lines of Effort. The requirements within each Line of Effort represent a prioritization of all existing DoD cybersecurity requirements.
Each Line of Effort focuses on a different aspect of cybersecurity defense-in-depth that is being exploited by adversaries to gain access to DoD information networks. The four Lines of Effort are:
- Strong authentication - to degrade the adversaries' ability to maneuver on DoD information networks;
- Device hardening - to reduce internal and external attack vectors into DoD information networks;
- Reduce attack surface - to reduce external attack vectors into DoD information networks; and
- Alignment to cybersecurity / computer network defense service providers - to improve detection of and response to adversary activity.
In conjunction with this Implementation Plan, a DoD Cybersecurity Scorecard effort led by the DoD CIO tracks prioritized requirements within these same Lines of Effort. Although the Implementation Plan and the Scorecard are similar and support one another, they are two distinct reporting mechanisms with two distinct audiences. Commanders and supervisors at all levels will report their status against the requirements in this Implementation Plan via the Defense Readiness Reporting System (DRRS), allowing leadership to review compliance down to the tactical level.
In contrast, the Cybersecurity Scorecard is a means for the Secretary of Defense to understand cybersecurity compliance at the strategic level by reporting metrics at the service tier.
Securing DoD information networks to provide mission assurance requires leadership at all levels to implement cybersecurity discipline, enforce accountability, and manage the shared risk to all DoD missions. By including cybersecurity compliance in readiness reporting, this campaign forces awareness and accountability for these key tasks into the command chains and up to senior leadership, where resourcing decisions can be made to address compliance shortfalls.
The Cybersecurity Discipline Implementation Plan and Cybersecurity Scorecard efforts are critical to achieving the strategic goal of defending DoD information networks, securing DoD data, and mitigating risks to DoD missions as set forth in the 2015 DoD Cyber Strategy. The Lines of Effort and their associated tasks are to be linked to DoD Cyber Strategy implementation efforts whenever possible.
The Implementation Plan cautions that the marketplace has lowered the cost of computing resources, reducing the cost of entry and enabling the success of less sophisticated actors. This has resulted in steadily increasing levels of cybersecurity risk to the department’s networks and critical infrastructure. These threats and risks have been recognized by DoD for several years, and the department has responded with policies and procedures directing the implementation of cybersecurity practices for DoD IT.
The Implementation Plan was first issued in October, updated in February, and made available on the DoD CIO website in early March.