DISA Cyber Program Focuses on Operational Risk
The U.S. Defense Information Systems Agency, or DISA, launched a new cyber assessment program, known as a Command Cyber Operational Readiness Inspection (CCORI), that provides the Defense Department and federal agencies a greater understanding of the operational risk their missions face because of their cybersecurity posture, according to an agency statement.
The new program modifies the Command Cyber Readiness Inspection (CCRI) and provides a more threat-focused, mission-based assessment. “Commanders at sites where CCORIs are held will be able to understand that being ‘compliant’ does not necessarily mean their site is ‘secure,’” Jimaye Sones, director of the DOD Information Networks (DODIN) readiness and security inspections directorate, says in a statement. “They will understand what impact the vulnerabilities found in a traditional CCRI have, in terms of the threat to their mission, if an adversary takes advantage of the vulnerabilities.” The directorate, aligned within DISA, conducts assessments under the authority of the Joint Force Headquarters–DODIN and Cyber Command.
CCORIs assess operational risk across three levels of effort: mission, threat and vulnerabilities. Mission analysis is introduced gradually across the four phases of the operations order: site selection, scoping/pre-inspection, inspection and post-inspection.
“Once a site is selected, the team scopes the assessment based on the unit’s mission,” Sones says. “A threat element simulates a contested work environment using specific software tools across internal and external attack vectors of the network, while also conducting a standard, compliance-based CCRI against the highest priority vulnerabilities.”
The task renders an operational risk maturity model, determined by a National Institute of Standards and Technology (NIST) Cybersecurity Framework maturity level, Sones says.
DISA led three pilots between April and February to develop and test new processes using the CCORI methodology, leading to further refinement and maturation of operational assessment processes. While DISA moves forward with the CCORIs, the agency will continue planning traditional CCRIs and cybersecurity service provider and public key infrastructure audits at other DODIN sites. “All of the federal agencies and combatant commands operating on the DODIN will benefit from this program aimed at providing mission assurance,” Sones says.