With increasing frequency, we read about computer networks being hacked — in both the public and private sectors. You may have been affected by one of the latest incidents on your own home network, the attack that brought several popular websites, including Amazon, Twitter and Netflix, to a standstill for hours. Though it did not affect our DON network, it is a compelling reminder that cyber intrusions are increasing in number and nature.
As the DON Chief Information Officer, I am not on the operational side of defending the network; that is U.S. Fleet Cyber Command/10th Fleet’s role. However, the DON CIO has a significant role in the security of our networks. Department of the Navy Cybersecurity Policy (SECNAV Instruction 5239.3C, May 2, 2016) describes the DON CIO’s responsibilities as the official designated to manage the DON’s Cybersecurity program. One of DON CIO’s core goals is to optimize operations and enhance mission effectiveness by assessing and shaping cybersecurity strategy, policy, doctrine, and resourcing to enhance the security of the network and information environment.
For example, I signed the Acceptable Use of DON Information Technology memo in February 2016 to specify clearly the acceptable use of DON IT resources and to remind users that everyone is responsible for the security of the department’s IT resources. This memo was a coordinated effort between the DON CIO and the Deputy Under Secretary of the Navy for Policy (DUSN(P)) as part of our partnership for the protection of national security information and information systems.
The DON CIO also coordinated with DUSN(P) on an ALNAV that provides interim policy for the acceptable use of wireless-enabled personal portable electronic devices (PPEDs) in DON spaces (ALNAV 019/16, "Acceptable Use of Authorized Personal Electronic Devices in Specific Department of the Navy Spaces," March 25, 2016).
We are also working diligently with organizations across the DON to transition from the current certification and accreditation model to the Risk Management Framework (RMF) process. The RMF is a risk-based cybersecurity approach emphasizing continuous monitoring and diagnostics, and risk mitigation. In one of our early efforts to support this transition, the DON CIO collaborated with Navy and Marine Corps cybersecurity stakeholders to develop information types and impact levels to assist in categorizing the information processed on DON IT systems (DON Information Type Baselines for Risk Management Framework Categorization of Information Technology, February 10, 2016).
The DON CIO actively supports the DoD-wide effort to achieve cyberspace workforce excellence by recruiting, training, and retaining a diverse cadre of civilian and military personnel. The DON Cyberspace Information Technology and Cybersecurity Workforce Management and Qualification policy (SECNAV Instruction 5239.20A), published earlier this year, and the corresponding SECNAV Manual 5239.2 provide top-level guidance for a new and improved DON cyber IT and Cybersecurity Workforce Program. This program addresses cyber IT and cybersecurity workforce education, training and credentialing, and establishes a career development and advancement framework for DON civilian cyber personnel. Transition to this qualification program will be a team effort between the DON CIO, Navy, and Marine Corps.
These are just a few initiatives in which the DON CIO is engaged to improve cybersecurity processes and compliance. A common theme is our collaboration and partnering with DoD and other DON organizations to share and leverage ideas and successful tactics.
Policy and processes require a knowledgeable and vigilant workforce. Everyone who uses a DON keyboard, tablet or phone should know what our policies are and must understand what constitutes safe, and unsafe, practice. Ensuring you are current in relevant training is important to maintaining a strong “cyber IQ.” DoD and DON training courses in Cyber Awareness, Privacy, and Operational Security, to name a few, are important building blocks for preserving a secure IT environment.
Each of us has a critical role in protecting our information and systems and in strengthening our cybersecurity posture.