Department of Defense Officials Report on Cyber Risk-Based Decisions
In a new report, Navy, Air Force and Defense Information Systems Agency (DISA) leaders provide insights into managing cyber risk and protecting critical infrastructure. Here is a quick summary.
A recent survey of senior Department of Defense (DoD) cyber officials revealed a consistent focus on delivering accurate and actionable cyber risk information to support “operationally informed risk decisions.”
The Federal News Network (FNN) published the results of this survey in a report titled “Cyber Technologies in DoD: Protecting Core Infrastructure.” Respondents included: Bill Marion, the former Air Force deputy chief information officer; Chris Cleary, the Navy’s first chief information security officer; and Roger Greenwell, the Defense Information Systems Agency’s (DISA) risk management executive and chief information officer.
Below, we highlight a few of the most salient quotes that speak to the way these teams are adapting their security approach in response to the rapidly evolving threat landscape.
Streamlining implementation of the Risk Management Framework (RMF)
To start, each of the respondents addressed organization-specific measures they’ve taken in implementing the Risk Management Framework (RMF), the NIST-developed process, adopted by the DoD, that standardizes how federal IT systems are categorized, secured, authorized to operate and continuously monitored.
Recalling the Air Force’s strategic goal of achieving “cybersecurity that works,” Marion outlined his team’s “risk-informed approach” designed “to empower our senior cybersecurity officials to fuse operational requirements, system forensics and threats to inform risk assessment and tolerance over the system life cycle.”
The Navy, according to Cleary, is pursuing an “RMF reform initiative, which focuses on streamlining the existing RMF implementation process.” This sets out four separate lines of effort that “have spawned improvement initiatives across the spectrum of RMF steps and tasks.” He pointed to automation of the RMF as an emerging area with the potential to deliver significant improvements.
Greenwell pointed to the commercial cloud environment, and the capabilities that it offers, as a primary focus area for DISA as they look to manage the migration of applications to that environment. He cited as a priority the ability of mission partners to better “see and leverage the information within the enterprise assessment and authorization tools for their risk management decisions.”
When it comes to RMF reform, the Army and the National Institute of Standards and Technology (NIST), publisher of the RMF, are thinking along the same lines as these DoD leaders. The FNN report includes a section on the Army’s “Project Sentinel,” which is an effort to “fix RMF authorization bottlenecks.”
The FNN report also provides a summary of NIST plans in support of RMF implementation improvements, including details on the next update to Special Publication 800-53, the catalog of security and privacy controls from which RMF control selection draws. NIST plans to publish that update, revision 5, later this year. According to the report, revision 5 will include a pivot to online delivery that will allow authorizing officials to select only the controls that apply to the specific cyber problem set they need to solve, in contrast to current practice, which requires working through a static, 480-page list of security controls.
Prioritizing risk in policy and investment decisions
In an environment of limited resources, setting priorities is essential in achieving objectives. With that in mind, the respondents unanimously cited effective cyber risk management as a top priority to be considered in developing policy and making investments. Marion cited a “paradigm shift from compliance to a predetermined set of controls, to now making operationally-informed risk decisions” as a major achievement for the Air Force.
Addressing the Navy’s cyber investment strategy, Cleary talked about prioritizing ashore, afloat, and air networks “based on the priorities laid out in the National Defense Strategy and based on cost effectiveness” with the aim of “provid[ing] mission assurance in a cyber-contested environment across critical warfare areas.”
Greenwell sounded a similar note for DISA risk prioritization, focusing on the need to “optimize our investments and bring more powerful capabilities to the warfighter.” He emphasized that DISA was “continuously reviewing the threats, the advancing capabilities of our adversaries and the evolution of technology to prioritize our investments.”
Protecting the expanding attack surface
These cyber leaders were unanimous in their focus on the increasing connectivity of devices, such as weapon systems and industrial controllers, that were never previously reachable from outside their own networks. This rapidly expanding attack surface is a key factor driving cyber risk prioritization decisions.
Marion, for example, noted that “as the landscape gets more interconnected and complex, the drive for innovation can create potential seams, which introduce additional risk vectors.” He pointed to studies chartered by the National Defense Authorization Act as having provided “extremely valuable insights on the risks to our weapon systems and industrial control systems (ICS).”
Similarly, the US Cyberspace Solarium Commission report included a recommendation that Congress should direct the DoD to conduct a vulnerability assessment of all segments of the nuclear command, control, and communications enterprise and National Leadership Command Capabilities, and to continually assess weapon system cyber vulnerabilities.
Marty Edwards, a former federal cyber official and currently Tenable’s vice president of operational technology (OT) security, applauded this increased focus on the expanded attack surface, noting that “the ability for DoD to view and take action across the board on all devices within their vast array of networks is critical.” He added, “Systems that directly support mission operations are very often closely linked or depend upon ICS and/or OT - and that makes them far more critical to the mission owner in my eyes than most enterprise IT-centric systems."
Report cyber risk, not cyber vulnerabilities
For much of the 21st century, vulnerability management has largely been a CVSS-driven process: identify known vulnerabilities, patch them and report patching progress to organizational decision-makers. A CVSS base score, however, measures the technical severity of a flaw in isolation; it says nothing about whether a working exploit exists, whether attackers are actually using it, or how important the affected asset is to the mission. One point that came through this survey loud and clear is that senior cyber leaders are no longer only interested in knowing the status of cyber vulnerabilities – they want to understand the cyber risk associated with each vulnerability, in order to make well-informed decisions about how to establish priorities and best protect their most critical assets.
At Tenable, we understand the critical need to deliver actionable cyber risk information to decision-makers, which is why we’ve moved far beyond traditional vulnerability management. The Tenable Risk-Based Vulnerability Management Solution delivers comprehensive, continuous visibility and informs technical and business decisions, enabling you to:
- Assess all your assets for vulnerabilities and misconfigurations continuously
- Measure the vulnerability’s risk to your business using threat intelligence and asset criticality
- Predict which vulnerabilities present the most risk to your organization, so you know what to focus on first
- Deliver risk-based information to decision-makers
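The list above describes risk-based prioritization in general terms. The Python below is an added example, not code from the FNN report or from Tenable’s product, and the weighting it uses is an illustrative model chosen for this example, not Tenable’s VPR or any published standard. It scores a handful of constructed findings by CVSS severity, threat intelligence (public exploit, exploitation in the wild) and asset context (mission criticality, network exposure), then shows how the resulting order differs from a CVSS-only sort and how the scores roll up into the kind of tiered summary a decision-maker would act on.

```python
"""Risk-based vulnerability prioritization: an illustrative model.

The weights below are assumptions for this example, not a vendor
algorithm or a published standard. SAMPLE_FINDINGS is constructed data,
not real scan output.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str                 # identifier as reported by the scanner
    cvss: float              # CVSS base score, 0.0 to 10.0
    exploit_public: bool     # a working exploit is publicly available
    exploited_in_wild: bool  # exploitation observed by threat intelligence
    asset_criticality: int   # 1 (lab box) to 5 (mission-critical, e.g. ICS)
    exposed: bool            # reachable from untrusted networks


def threat_factor(f: Finding) -> float:
    """Threat intelligence weight: what attackers can and do use."""
    if f.exploited_in_wild:
        return 1.0
    if f.exploit_public:
        return 0.7
    return 0.3  # no known exploit: still patch, but later


def context_factor(f: Finding) -> float:
    """Asset context weight: how much the mission depends on this host."""
    exposure = 1.0 if f.exposed else 0.6
    return (f.asset_criticality / 5) * exposure


def risk_score(f: Finding) -> float:
    """0..100 risk score = severity x threat x asset context (assumed weights)."""
    severity = f.cvss / 10
    return round(100 * severity * threat_factor(f) * context_factor(f), 2)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Remediation order under the risk model, highest risk first."""
    return sorted(findings, key=risk_score, reverse=True)


def cvss_order(findings: List[Finding]) -> List[Finding]:
    """The traditional order: highest CVSS base score first."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def tier(score: float) -> str:
    """Map a score to an action tier a decision-maker can budget against."""
    if score >= 50:
        return "act now"
    if score >= 25:
        return "this cycle"
    if score >= 10:
        return "scheduled"
    return "accept/monitor"


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per tier: the risk-based view, not a CVSS histogram."""
    counts: Dict[str, int] = {}
    for f in findings:
        t = tier(risk_score(f))
        counts[t] = counts.get(t, 0) + 1
    return counts


# Constructed sample findings (hostnames and CVE ids are placeholders).
SAMPLE_FINDINGS = [
    Finding("hmi-01", "CVE-0000-0001", 7.5, True, True, 5, True),      # ICS HMI
    Finding("dev-lab-07", "CVE-0000-0002", 9.8, False, False, 1, False),
    Finding("web-portal", "CVE-0000-0003", 9.1, True, False, 4, True),
    Finding("file-srv-02", "CVE-0000-0004", 8.8, True, True, 3, False),
    Finding("hr-laptop", "CVE-0000-0005", 6.5, True, False, 2, False),
]

if __name__ == "__main__":
    print("CVSS-only order :", [f.asset for f in cvss_order(SAMPLE_FINDINGS)])
    print("Risk-based order:", [(f.asset, risk_score(f)) for f in prioritize(SAMPLE_FINDINGS)])
    print("Summary for leadership:", summarize(SAMPLE_FINDINGS))
```

Run stand-alone, the script shows the CVSS-9.8 finding on the isolated lab host dropping to the bottom of the queue while the CVSS-7.5 flaw on the exposed, mission-critical HMI that is being exploited in the wild moves to the top. The multiplicative form is deliberate: a finding has to be severe, usable by an adversary and on something that matters before it competes for scarce patching effort. In practice the threat and context inputs would come from a threat intelligence feed and an asset inventory rather than hard-coded flags, and the weights should be tuned against the organization’s own incident history.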
Tenable’s Risk-Based Vulnerability Management Solution is built upon a five-step Cyber Exposure Lifecycle, which helps you continuously improve your security program. Applying the solution via this lifecycle will help you gain complete visibility into your attack surface and prioritize your remediation efforts based on the 3% of vulnerabilities that pose the greatest risk to your organization – reducing your cyber risk over time.
To learn more about how DoD officials are managing cyber risk, check out the full report from Federal News Network.