Email this Article Email   

CHIPS Articles: From Subs to Cyber — Insights into Navy’s Developing Cybersecurity Safety Effort

From Subs to Cyber — Insights into Navy’s Developing Cybersecurity Safety Effort
By Capt. Mark Elliott, Sudha Vyas and Ed Lazarski - January-March 2016
SAN DIEGO—The battlespace of modern and future combat is trending to cyberspace as a critical terrain and as a means to deliver weapons effects. The Navy’s Cooperative Strategy for 21st Century Seapower articulated the need to coordinate offensive and defensive cyber operations with its operations in other domains. Effective implementation of cybersecurity lays the foundation for effective cyber-defense operations.

To ensure critical warfighting capabilities can operate, fight and win in a contested cyber environment, the Navy is modeling a focused cybersecurity program on a well-established and rigorous submarine force program that has ensured watertight integrity and safety. The Navy’s former Chief of Naval Operations, Adm. Jonathan Greenert, directed CYBERSAFE to pattern its work on Naval Sea Systems Command’s (NAVSEA) Submarine Safety, commonly called SUBSAFE, program — a quality assurance program designed to maintain the safety of the Navy's nuclear submarine fleet.

CYBERSAFE is a major Navy initiative to protect the Navy’s ability to operate in cyberspace by focusing on mission assurance of critical warfighting components. The goal of CYBERSAFE is to provide “maximum reasonable assurance” to ensure naval forces can execute their missions. To achieve this goal, the Navy is instituting a holistic approach to cybersecurity by addressing the following issues: user behaviors; force operations; definition and institution of the Defense-in-Depth Functional Implementation Architecture (DFIA); cybersecurity requirements; and inheritable cybersecurity controls derived from the National Institute of Standards and Technology.

By creating a “culture of cybersecurity” and understanding of the warfighting impacts of cyber, this initiative will help position the Navy for 21st century warfighting challenges.

Achieving this goal will require support and commitment from all organizations at all levels. On the acquisition side, this effort is being coordinated among the Navy’s five systems commands (SYSCOMs): NAVSEA, Naval Air Systems Command (NAVAIR), Space and Naval Warfare Systems Command (SPAWAR), Naval Supply Systems Command (NAVSUP) and Naval Facilities Engineering Command (NAVFAC). They are developing processes that consistently identify and implement security controls for a subset of mission-critical Navy systems. Results of this effort will lead to an increase of secure Navy systems that provide survivability and resiliency of critical warfighting capabilities with solutions including material, software and operations.

This new cultural and technical paradigm is necessary due to the interconnected nature of today's Navy systems. Adversaries can exploit potential vulnerabilities within and/or between systems. CYBERSAFE material solutions will segment enclaves, such as weapons, machinery and C4I (command, control, communications, computers and intelligence), with new control points which will allow the fleet to maneuver in response to threats in a contested cyber environment.

As part of a complete Navy-wide approach, CYBERSAFE has three main facets: Cyber System Level, CYBERSAFE Grades and Cyber Conditions of Readiness. The SYSCOMs and acquisition commands are working on the first two elements. The fleet, in collaboration with the SYSCOMs, is working to solidify the operational aspects of Cyber Conditions of Readiness.

In FY16, the SYSCOMs and associated program executive offices will start evaluating all their systems to determine if they are CYBERSAFE Grade A (Mission Critical Systems), B (Mission Essential Systems) or C (Non-Mission Essential Systems). Once these grades are determined, appropriate security controls will be applied to the systems.

Security Control Overlays for Grades A and B — which are derived from Committee on National Security Systems Instruction and National Institute of Standards and Technology security controls — are being finalized by the Information Technology/Information Assurance Technical Authority Board (IT/IA TAB). Vulnerabilities will decrease as the SYSCOMs consistently apply these security controls and as the controls are engineered into Navy systems. In addition to implementing the security controls, continued close coordination, oversight and testing will be necessary to achieve success.

To ensure comprehensive protection, the Navy is moving forward with new policies and processes designed to protect critical systems from the various forms of cyber-attack. Moving in parallel with the development and implementation of CYBERSAFE is the Navy’s transition from the existing DoD Information Assurance Certification and Accreditation Process (DIACAP) to the Risk Management Framework (RMF); the IT/IA TAB is producing numerous standards and specifications for the SYSCOMs to implement as part of the Navy’s holistic DFIA enterprise cybersecurity architecture.

CYBERSAFE, RMF and DFIA each require the Navy’s technical and acquisition communities to identify and engineer cybersecurity standards, specifications and security controls into the system design earlier in the development process. As these three initiatives move forward together, efficiencies can be found through policies that identify and leverage both common security controls and inherited security controls.

As CYBERSAFE and the other initiatives mature, Navy leadership will be in a better position to assess the cyber risk of systems, enclaves, platforms and strike groups. A more complete picture of cyber vulnerabilities, assisted by the emerging Navy Cybersecurity Situational Awareness capability, will facilitate risk decisions to reduce known vulnerabilities, improve the Navy’s overall cybersecurity posture and increase our overall operational readiness.

The Navy conducted its first functional test of the CYBESAFE processes in November 2015 with Automated Digital Network System (ADNS) Increment III. SPAWAR’s CYBERSAFE Test Drive helped evaluate how existing engineering and change processes throughout the acquisition lifecycle can be used to implement new security controls. The remaining SYSCOMs will undergo their CYBERSAFE Test Drives between January and March 2016 to ensure they have the instituted an executable CYBERSAFE process across their area of responsibility.

As CYBERSAFE is implemented; it will drive Navy programs to add cybersecurity controls to legacy systems while also requiring these security controls to be incorporated early into a system’s design. This acquisition focus, combined with an emerging emphasis to develop a Navy-wide culture of cybersecurity awareness will position Navy leadership to make cybersecurity risk decisions that will result in improved operational readiness.

Capt. Elliott, Ms. Vyas and Mr. Lazarski are the CYBERSAFE Directors for OPNAV, SPAWAR and PEO C4I , respectively.

SAN DIEGO (Nov. 4, 2015) Space and Naval Warfare Systems Command (SPAWAR) Resource Manager Gretchen Kozub, left, and SPAWAR CYBERSAFE Program Director Sudha Vyas review steps in the CYBERSAFE program during a pilot of the program at SPAWAR headquarters. An OPNAV CYBERSAFE team supported by 17 individuals from 10 organizations conducted the pilot with SPAWAR personnel to ensure the organization has the processes and personnel in place to execute the CYBERSAFE program.  U.S. Navy photo by Rick Naystatt
SAN DIEGO (Nov. 4, 2015) Space and Naval Warfare Systems Command (SPAWAR) Resource Manager Gretchen Kozub, left, and SPAWAR CYBERSAFE Program Director Sudha Vyas review steps in the CYBERSAFE program during a pilot of the program at SPAWAR headquarters. An OPNAV CYBERSAFE team supported by 17 individuals from 10 organizations conducted the pilot with SPAWAR personnel to ensure the organization has the processes and personnel in place to execute the CYBERSAFE program. U.S. Navy photo by Rick Naystatt

SAN DIEGO (Nov. 4, 2015) Space and Naval Warfare Systems Command (SPAWAR) and OPNVAV CYBERSAFE team members participate in the initial pilot of the CYBERSAFE program at SPAWAR headquarters. Pictured from left to right are: Capt. Mark Elliott, OPNAV N2/N6 CYBERSAFE Program Director; Ed Lazarski, SPAWAR Office of the Chief Engineer and Director of Cybersecurity for PEO C4I; Sudha Vyas, SPAWAR CYBERSAFE Program Director and Lt. Cmdr. Evan Williams, SPAWAR Deputy Program Manager (Engineering) for Automated Digital Network System (ADNS). U.S. Navy photo by Rick Naystatt
SAN DIEGO (Nov. 4, 2015) Space and Naval Warfare Systems Command (SPAWAR) and OPNVAV CYBERSAFE team members participate in the initial pilot of the CYBERSAFE program at SPAWAR headquarters. Pictured from left to right are: Capt. Mark Elliott, OPNAV N2/N6 CYBERSAFE Program Director; Ed Lazarski, SPAWAR Office of the Chief Engineer and Director of Cybersecurity for PEO C4I; Sudha Vyas, SPAWAR CYBERSAFE Program Director and Lt. Cmdr. Evan Williams, SPAWAR Deputy Program Manager (Engineering) for Automated Digital Network System (ADNS). U.S. Navy photo by Rick Naystatt

SAN DIEGO (Nov. 4, 2015) Lt. Cmdr. Evan Williams, Space and Naval Warfare Systems Command (SPAWAR) Deputy Program Manager (Engineering) for Automated Digital Network System (ADNS) discusses elements of the CYBERSAFE process with Capt. Mark Elliott, OPNAV N2/N6 CYBERSAFE Program Director and Ed Lazarski, SPAWAR Office of the Chief Engineer and Director of Cybersecurity for PEO C4I.  Elliot's CYBERSAFE team visited SPAWAR to perform a pilot of the CYBERSAFE program to ensure the systems command has the processes and personnel in place to execute the CYBERSAFE program.   U.S. Navy photo by Rick Naystatt
SAN DIEGO (Nov. 4, 2015) Lt. Cmdr. Evan Williams, Space and Naval Warfare Systems Command (SPAWAR) Deputy Program Manager (Engineering) for Automated Digital Network System (ADNS) discusses elements of the CYBERSAFE process with Capt. Mark Elliott, OPNAV N2/N6 CYBERSAFE Program Director and Ed Lazarski, SPAWAR Office of the Chief Engineer and Director of Cybersecurity for PEO C4I. Elliot's CYBERSAFE team visited SPAWAR to perform a pilot of the CYBERSAFE program to ensure the systems command has the processes and personnel in place to execute the CYBERSAFE program. U.S. Navy photo by Rick Naystatt

SAN DIEGO (Nov. 4, 2015) Space and Naval Warfare Systems Command (SPAWAR) and OPNVAV CYBERSAFE team members participate in the initial pilot of the CYBERSAFE program at SPAWAR headquarters. The OPNAV CYBERSAFE team, supported by 17 individuals from 10 organizations conducted the pilot to ensure organizations have the processes and personnel in place to execute the CYBERSAFE program.  U.S. Navy photo by Rick Naystatt
SAN DIEGO (Nov. 4, 2015) Space and Naval Warfare Systems Command (SPAWAR) and OPNVAV CYBERSAFE team members participate in the initial pilot of the CYBERSAFE program at SPAWAR headquarters. The OPNAV CYBERSAFE team, supported by 17 individuals from 10 organizations conducted the pilot to ensure organizations have the processes and personnel in place to execute the CYBERSAFE program. U.S. Navy photo by Rick Naystatt
Related CHIPS Articles
Related DON CIO News
Related DON CIO Policy

CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988
Hyperlink Disclaimer