Tenable Blog

Department of Defense Officials Report on Cyber Risk-Based Decisions

In a new report, Navy, Air Force and Defense Information Security Agency (DISA) leaders provide insights into managing cyber risk and protecting critical infrastructure. Here is a quick summary.

A recent survey of senior Department of Defense (DoD) cyber officials revealed a consistent focus on delivering accurate and actionable cyber risk information to support “operationally informed risk decisions.”

The Federal News Network (FNN) published the results of this survey in a report titled “Cyber Technologies in DoD: Protecting Core Infrastructure.” Respondents included: Bill Marion, the former Air Force deputy chief information officer; Chris Cleary, the Navy’s first chief information security officer; and Roger Greenwell, risk management executive and chief information officer at the Defense Information Security Agency (DISA).

Below, we highlight a few of the most salient quotes that speak to the way these teams are adapting their security approach in response to the rapidly evolving threat landscape.

Streamlining implementation of the Risk Management Framework (RMF)

To start, each of the respondents addressed service-specific measures they’ve taken in implementing the Risk Management Framework (RMF), a set of criteria developed by the DoD to standardize how all federal IT systems are architected, secured and monitored.

Recalling the Air Force’s strategic goal of achieving “cybersecurity that works,” Marion outlined his team’s “risk-informed approach” designed “to empower our senior cybersecurity officials to fuse operational requirements, system forensics and threats to inform risk assessment and tolerance over the system life cycle.”

The Navy, according to Cleary, is pursuing an “RMF reform initiative, which focuses on streamlining the existing RMF implementation process.” The initiative sets out four separate lines of effort that “have spawned improvement initiatives across the spectrum of RMF steps and tasks.” He pointed to automation of the RMF as an emerging area with the potential to deliver significant improvements.

Greenwell pointed to the commercial cloud environment, and the capabilities that it offers, as a primary focus area for DISA as they look to manage the migration of applications to that environment. He cited as a priority the ability of mission partners to better “see and leverage the information within the enterprise assessment and authorization tools for their risk management decisions.”

When it comes to RMF reform, the Army and the National Institute of Standards and Technology (NIST), publisher of the RMF, are thinking along the same lines as these DoD leaders. The FNN report includes a section on the Army’s “Project Sentinel,” which is an effort to “fix RMF authorization bottlenecks.”

The FNN report also provides a summary of NIST plans in support of RMF implementation improvements, including details on the next update to Special Publication 800-53, the document that provides the foundation of the RMF. NIST plans to publish that update, revision 5, later this year. Among other upgrades, revision 5 will include a pivot to online delivery that will allow authorizing officials to select only the controls that apply to the specific cyber problem set they need to solve, in contrast to the current practice of working through a static, 480-page list of security controls.

Prioritizing risk in policy and investment decisions

In an environment of limited resources, setting priorities is essential to achieving objectives. With that in mind, the respondents unanimously cited effective cyber risk management as a top priority to be considered in developing policy and making investments. Marion cited a “paradigm shift from compliance to a predetermined set of controls, to now making operationally-informed risk decisions” as a major achievement for the Air Force.

Addressing the Navy’s cyber investment strategy, Cleary talked about prioritizing ashore, afloat, and air networks “based on the priorities laid out in the National Defense Strategy and based on cost effectiveness” with the aim of “provid[ing] mission assurance in a cyber-contested environment across critical warfare areas.”

Greenwell sounded a similar note for DISA risk prioritization, focusing on the need to “optimize our investments and bring more powerful capabilities to the warfighter.” He emphasized that DISA was “continuously reviewing the threats, the advancing capabilities of our adversaries and the evolution of technology to prioritize our investments.”

Protecting the expanding attack surface

These cyber leaders were unanimous in their focus on the increasing connectivity of devices never previously exposed to outside intervention. This rapidly expanding attack surface is a key factor driving cyber risk prioritization decisions.

Marion, for example, noted that “as the landscape gets more interconnected and complex, the drive for innovation can create potential seams, which introduce additional risk vectors.” He pointed to studies chartered by the Defense Authorization Act as having provided “extremely valuable insights on the risks to our weapon systems and industrial control systems (ICS).”

Similarly, the US Cyberspace Solarium Commission report included a recommendation that Congress should direct the DoD to conduct a vulnerability assessment of all segments of the nuclear command, control, and communications enterprise and National Leadership Command Capabilities, and to continually assess weapon system cyber vulnerabilities.

Marty Edwards, a former federal cyber official and currently Tenable’s vice president of operational technology (OT) security, applauded this increased focus on the expanded attack surface, noting that “the ability for DoD to view and take action across the board on all devices within their vast array of networks is critical.” He added, “Systems that directly support mission operations are very often closely linked or depend upon ICS and/or OT - and that makes them far more critical to the mission owner in my eyes than most enterprise IT-centric systems.”

Report cyber risk, not cyber vulnerabilities

For much of the 21st century, vulnerability management has been largely a CVSS-driven process of identifying known vulnerabilities, patching those vulnerabilities and reporting progress on that patching to organizational decision-makers. One point that came through this survey loud and clear is that senior cyber leaders are no longer only interested in knowing the status of cyber vulnerabilities – they want to understand the cyber risk associated with each vulnerability, in order to make well-informed decisions about how to establish priorities and best protect their most critical assets.

At Tenable, we understand the critical need to deliver actionable cyber risk information to decision-makers, which is why we’ve moved far beyond traditional vulnerability management. The Tenable Risk-Based Vulnerability Management Solution delivers comprehensive, continuous visibility and informs technical and business decisions, enabling you to:

  • Assess all your assets for vulnerabilities and misconfigurations continuously
  • Measure the vulnerability’s risk to your business using threat intelligence and asset criticality
  • Predict which vulnerabilities present the most risk to your organization, so you know what to focus on first
  • Deliver risk-based information to decision-makers

Tenable’s Risk-Based Vulnerability Management Solution is built upon a five-step Cyber Exposure Lifecycle, which helps you continuously improve your security program. Applying the solution via this lifecycle will help you gain complete visibility into your attack surface and prioritize your remediation efforts based on the 3% of vulnerabilities that pose the greatest risk to your organization – reducing your cyber risk over time.

To learn more about how DoD officials are managing cyber risk, check out the full report from Federal News Network.