Jumping the Hurdles: Security, Accreditation, and Funding

From AFCEAWiki

There are many hurdles to deploying new capability to the warfighter, even more for IT-related systems. When technology baselines change every 12-18 months and cyber-time is measured in days, not Fiscal Years, our acquisition processes more often get in the way than facilitate improvement and maintenance.

As the rest of the world becomes more cyber-aware, so do our adversaries. Unfortunately, security policy-makers have adopted the physical "double fence" approach to security. This virtual Maginot Line is well-intended: We need to know who we can trust to do what, and so we accredit both the person and the systems. However, the processes are risk-averse, knowing our own lack of agility will prevent us from responding quickly to intrusions. This barrier model means that if you can ever get in, there are fewer restrictions on what you're assumed to be able to do. So they've made it harder to qualify for doors through the wall.

The consequence is that it takes more than a single cyber cycle to get past the door. We can sometimes see two or three generations waiting to get in. At times, a user simply declares digital bankruptcy and quits the process altogether, leaving great ideas in the ash can.

Part of the problem on both sides of the fence is money. There's not enough to do it right the first time, so it takes even more to rework and retest. It's become a vicious cycle, and there are few palatable or politically acceptable solutions at hand.
