DoD wants to build cybersecurity into programs with new policy

The Defense Department is doubling down on its effort to build cybersecurity into the acquisition cycle as a means of better protecting defense programs of the future.

DoD is preparing guidance to be released in the next two months that will give program managers more detailed direction on systems security engineering.

The guidance will give program managers “a more consistent set of approaches across all of our acquisition programs,” Robert Gold, DoD’s director of engineering enterprise, told Federal News Radio on Sept. 7.

Gold described the guidance as a more detailed way of explaining how and where to engineer security features into programs.

“Ultimately this would eventually make its way into the development contract, but right now the specific guidance that we plan to publish is for program managers,” Gold said.

Systems security engineering is the use of engineering and management principles and concepts to optimize security throughout all stages of a system life cycle. The objective is to eliminate or reduce vulnerabilities in the system.

The guidance is part of a broader push within the Defense Department to make programs more cybersecure.

As more programs are connected to the internet, DoD has seen the need to protect them from the increasing number of cyber attacks.

Defense Undersecretary for Acquisition, Technology and Logistics Frank Kendall released a policy last year requiring program managers to conduct cybersecurity risk assessments and to assist program users in writing testable measures for cybersecurity.

“Cybersecurity is a pervasive problem for the department,” Kendall said last year. “It is a source of risk for our programs from inception all the way through retirement, and it includes the industrial base that supports us and their databases and their information. It includes what we hold in government. It includes the logistics support information, the sustainment information, the design information, the tactical information. Everything associated with the product is a potential point of attack. We are under attack in the cyber world, and we’ve got to do a better job. All of our managers need to be much more conscious of this and be much more attentive about best practices that let us stay ahead of the threat.”

The Navy has especially taken cybersecurity and hacking prevention to heart. In 2014 it launched its Cyber Awakening initiative after being hacked by Iran.

The service did a top-to-bottom scrub and reallocated roughly $300 million in existing funding to remediate cyber problems on its networks, within its weapons platforms and in the industrial control systems that keep the lights on aboard its bases. The Navy also used the Cyber Awakening to make tradeoffs between roughly 300 competing cyber spending priorities between now and fiscal 2021.

Last fall the Navy made Cyber Awakening a permanent office and put the CYBERSAFE program within it.

CYBERSAFE includes major cyber hygiene components through which the Navy hopes to influence individual sailors’ behavior, but for now, it is highly focused on ensuring cybersecurity is a key priority in Navy procurement plans. So CYBERSAFE offices are also being set up at the Naval Sea Systems Command, the Naval Air Systems Command and the Space and Naval Warfare Systems Command.

While those acquisition commands will be in charge of certifying the equipment they’re procuring as “CYBERSAFE,” the central Navy Cybersecurity division will try to ensure they’re doing so with a coherent and common set of guidelines.