Pentagon shifting to new model for assessing network readiness
Following a series of pilot efforts, the Pentagon’s main network defense command is rolling out a new model for measuring the readiness of the network.
Beginning March 1, Joint Force Headquarters-Department of Defense Information Network (JFHQ-DODIN) will establish the Cyber Operational Readiness Assessment (CORA) program, marking a shift from compliance to operational readiness.
Over the past few years, JFHQ-DODIN, a subordinate headquarters under U.S. Cyber Command responsible for protecting and defending the Pentagon’s network globally, has tweaked its readiness program, the Command Cyber Readiness Inspection (CCRI) program, opting now for CORA.
“We really believe that this is something that’s going to be revolutionary when it comes to assessing the command as well as the Department of Defense and being able to harden the overall DODIN,” John Porter, director of DODIN readiness and security inspections, told reporters during a media briefing Feb. 27.
Officials explained that the shift to the new model allows organizations to be more flexible, agile and responsive to threats in a highly dynamic yet unpredictable environment.
CORA “enables commanders and directors to make the right decision when applying resources to increase the security posture of their network. It allows us to iterate and change on a dime to figure out what is important now,” Nicholas DePatto, inspections branch chief, told reporters. “As everyone understands, technology changes so frequently, so fast, it’s hard for everyone else to keep up. A vulnerability that we are not even aware about today, right now, is probably being exploited in the wild. With the flexibility of CORA, we’re able to shift and adapt and overcome to start focusing on those unknown or newly discovered vulnerabilities for what is important to JFHQ-DODIN because of intel and threat reporting.”
CORA is also risk-informed for defensive cyber operations-internal defense measures, specific actions taken on the network in response to either intelligence, a threat or an incident.
“The cyber operational readiness assessment, aka CORA, has become a more agile process, encouraging and enabling adjustments based on current threats. We began this evolution by developing key indicators of risk from the risk-based metrics to assure alignment with Joint Force Headquarters-DODIN’s cybersecurity priorities and to direct focus onto the most critical areas of remediation,” Porter said. “This, in turn, allows organizations to focus their mitigation efforts on risk and exposure to common adversaries [tactics, techniques and procedures]. Focusing on these essential remediation points allows DOD components to concentrate limited resources and staffing on correcting high-risk areas or areas that matter most.”
Officials explained it is a living inspection that can flex to operational needs and adapt to emerging needs given the unpredictability of potential future vulnerabilities.
“We know that the department long term needs to get to continuous holistic assessment of terrain … We need to use capabilities current, future and emerging to get it that. However, we don’t know if those capabilities are correct. We don’t know if our investments are making us the right dividend,” said Charles Wille, deputy director of DODIN readiness and security inspections. “CORA is really not only to get at risk today, but also to help us understand as we roll out more and more automation and capabilities, is that capability, what we know to be true, and what we think to be true, do those things line up.”