The Defense Information Systems Agency (DISA), the National Security Agency (NSA), and Department of Defense Chief Information Officer (DoD CIO) are working with U.S. Cyber Command, the combatant commands, services, and agencies to evolve DoD’s cybersecurity architecture and create an implementation roadmap for the DoD Information Network Infrastructure.
The effort is known as NSCSAR (pronounced like the auto racing association with a similar acronym), which stands for Non-secure Internet Protocol Router Network (NIPRNET) and Secret Internet Protocol Router Network (SIPRNET) Cybersecurity Architecture Review.
“NSCSAR is trying to answer three questions,” said Pete Dinsmore, DISA’s risk technology executive. “Which cybersecurity solution do we need, how much is enough, and where can we take risk?”
“It is a framework for reasoning about cybersecurity from the end point to the Internet and incorporating everything in-between,” he said.
The analysis is enabled by comparing the current set of cybersecurity capabilities against a threat framework, which details the tactics and techniques used by adversaries. Capabilities are scored based on the level of effectiveness in mitigating the adversary.
Dinsmore emphasized the outside-looking-in approach of the framework.
“We’re taking an adversary perspective, looking at our defenses the way an adversary does and saying ‘Where can we mitigate the adversary and where are we having difficulties?’”
Ultimately, NSCSAR is intended to inform and influence decision-making bodies within the budget, portfolio management, and DODIN architectural domains. NSCSAR routinely releases recommendation, affirmation, and observation reports to stakeholders.
Dinsmore noted that the reports pointedly include affirmations.
“Affirmations are saying that a choice we made is doing what we need it to do. Too many times reports like this come out and say, ‘Here’s what you need to do,’ but they never say what not to touch [or what should stay the same]. As a result, you end up trying to implement a recommendation and undoing something that, otherwise, was doing a good job,” he explained.
NSCSAR is being implemented as an agile process on the spin concept. Every 90 days, a new spin cycle begins. With each new spin, NSCSAR is reassessing the environment to determine what facets need to be changed.
“Every 90 days were taking a new look; adding capabilities, adding questions, adding ability for analysis, and adding new threats. This allows us to be reactive [in a timely manner] rather than saying ‘We’ll be back to you in a year with a new report,” said Dinsmore.
NSCSAR completed its first spin in April, with the second spin scheduled to be completed June 30.
Finally, Dinsmore noted the importance of NSCSAR to help guide resource decisions.
“At the end of the day the budgets available for cybersecurity capabilities are either stagnant or decreasing. And we need to figure out how to best use our dollars,” he said.