I have been working with leaders across the Department of the Navy (DON) to fundamentally transform our approach to cybersecurity by pivoting from a compliance mindset to a dynamic model rooted in the philosophy of readiness and currency, called “Cyber Ready”. I’m excited to announce that on August 4th, Secretary Del Toro released the Strategic Intent (STINT) memorandum as a guide to achieving Cyber Ready. Here’s why that is important:
- DON has historically treated cybersecurity as a compliance problem to be addressed through extensive lists of requirements, checklists, processes, audits and governance forums. We now have over a decade of data telling us the compliance model is insufficient: it doesn’t provide real-time visibility of our cybersecurity posture, it discounts the adversary’s point of view, and it is very labor-intensive.
- Under the Risk Management Framework, a system achieves an Authority to Operate (ATO) when the security controls it has implemented are assessed and an authorizing official accepts the resulting risk. With Cyber Ready, a system will still be required to implement a sufficient set of controls to attain its initial ATO, but it must then maintain that ATO through continuous monitoring and ongoing security assessments, including adversarial testing and evaluation of the preparedness of its operators and defenders.
- Our assertion is that an approach rooted in how the military views readiness is better than one rooted in compliance. Readiness is a wide-aperture look at the state of staffing, training, supply chain and logistics that commanding officers strive for every day. Cyber Ready applies that same mindset to the problem of cybersecurity, and is a better way to strengthen the Navy’s cybersecurity.
Thinking differently about the ATO
The ATO is the primary building block of our current compliance model, and it is the best place to start changing our approach to cybersecurity. Everything on DON networks must have an ATO, but the process to obtain one is lengthy, and an ATO is generally re-evaluated only every three years. Shifting to a Cyber Ready model means reducing the time to earn an initial ATO by taking a Minimum Viable Product (MVP) approach, then shifting effort from compliance to earning and re-earning the ATO on an ongoing basis, using the model of “currency” borrowed from the aviation community, where a qualification lapses unless it is exercised and re-demonstrated within a set interval. Cyber Currency will form the basis of an ongoing ATO and a footing for Cyber Ready.
From guidance to action
The Cyber Ready STINT Memorandum outlines the DON’s approach to implementing Cyber Ready. Specifically, it outlines several Lines of Effort (LOE) and directs the Navy and Marine Corps to identify lead personnel and supporting organizations for each LOE. The LOEs are:
- Cyber Metrics: Measure cybersecurity holistically with a risk and readiness mindset.
- Build on RMF Reform: Accelerate the ATO process with automation and leverage inheritance models to reduce the allocated control sets that programs are responsible and accountable for.
- Cyber Currency: Move to an ongoing ATO that is maintained through Cyber Currency.
- Adversarial Assessment and automated “purple teams”: Adopt a “trust but always verify” mindset, leveraging automated penetration testing, audits, and data from continuous monitoring.
- Data Analytics: Democratize insight by providing visibility into the Cyber Ready posture to those who need to know the risks they are assuming.
- Acquisition Changes: Provide programs the tools to develop systems that are “born” Cyber Ready and remain ready through Cyber Currency.
- Workforce: Deliver ongoing training to keep the acquisition and cyber workforce informed of the current processes and tools.
The Navy and Marine Corps will also conduct Cyber Ready pilots to discover and demonstrate innovative methods of accelerating the deployment of secure capabilities and to validate the Cyber Ready process. Approved pilots will demonstrate one or more of the following:
- Inheritance to achieve an ATO with a Minimum Viable Product approach that is based on Service-approved and allocated controls
- Measuring cybersecurity holistically with a risk and readiness mindset, evaluating whether the mitigations in place are sufficient to lower risk as designed, rather than whether they satisfy a compliance checklist
- Continuous monitoring (CONMON) with automated penetration testing
- Automation and streamlining of the Risk Management Framework process
- Visibility into the Cyber Ready posture for anyone who has a need to know
The Cyber Ready approach provides the ideal context for the continued rapid transition to DevSecOps development models. Cyber Ready both builds on DevSecOps and further enables it: the continuous testing and monitoring that keep an ATO current are the same practices a DevSecOps pipeline already exercises on every build. Together, Cyber Ready and DevSecOps can form the foundation for rapidly developing and deploying capability anywhere, from the enterprise to the tactical edge.
Cyber Ready promises significant improvements to the DON’s cybersecurity, but we expect challenges as we change the long-established way of authorizing systems. In the STINT memorandum, the Secretary acknowledged, “a complex, enterprise-wide change management effort like this will only succeed with the enthusiastic, fully committed support of many stakeholders, a well-developed, resourced and aggressively executed plan, effective oversight, and sustained senior leadership support.” He’s absolutely correct, and I’m excited because I’ve made the rounds and know that DON senior leaders get it and are ready to support.