Balancing Risks on DISA's Complex Network
Sometimes cybersecurity successes are measured in increments.
When operating one of the most complex and critical networks on the planet, risk is a given. That risk comes in two forms, technical and operational, and managing both is a matter of balance.
Roger Greenwell, Defense Information Systems Agency (DISA) risk management executive and authorizing official, is responsible for maintaining that balance on the Defense Information Systems Network (DISN), a global enterprise network that enables information superiority and critical communications. The DISN is the core of the Department of Defense Information Network, a worldwide conglomeration of military networks.
The DISN includes hundreds of systems and applications as well as the hotline connecting the White House and the Kremlin. It also provides terrestrial transport, gateways, multinational information sharing and other special services. It allows satellite communications, including Enhanced Mobile Satellite Services; the Unified Video Dissemination System-Airborne Intelligence, Surveillance and Reconnaissance; digital intermediate frequency and commercial satellite communications.
“DISA operates one of the largest backbone networks in the world. We operate enterprise computing centers. We provide command and control capabilities around the world,” Greenwell says.
But his responsibilities do not end there, says David Mihelcic, DISA’s retired chief technology officer. “Roger’s responsibilities expand to joint combat support and command and control systems, the Global Command and Control System and the Global Combat Support System. His responsibilities expand to the management systems that then command and control all of that infrastructure and all of those other systems,” states Mihelcic, who now runs his own consulting business known as DMMI.
As the authorizing official, he is responsible for making decisions that balance mission and business requirements with security, reviewing and approving all plans of action to reduce risk, authorizing connections to the network and validating all agency requirements for cross-domain solutions and Internet-facing applications.
“The first priority is assuring that the systems and networks and enclaves that we operate continue to do so with acceptable risk. It’s about knowing how the agency is doing in terms of maintaining the configuration and management of patches, addressing changes, understanding new products and functions that are being added to applications, making sure that as we continue to update systems, that we are maintaining an acceptable risk,” he says.
He also is the Defense Department authority for issuing cloud computing provisional authorizations. As the department continues to adopt commercial cloud capabilities, DISA helps cloud service providers and department mission owners work through the provisional authorization process, which saves time and money compared to conducting independent assessments. The department’s cloud assessment process leverages the Federal Risk and Authorization Management Program (FedRAMP), the governmentwide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.
“The other key priority for me, as the department embarks on this journey to the cloud, is ensuring that we’re looking at risk from all angles. Some people view cloud as magic, where you move to the cloud and all of your security capabilities are essentially provided by the cloud provider,” he offers. “What we’re trying to do is make sure we educate people on their responsibilities as we move to the cloud and ensure we take advantage of best practices and then assess and understand what those cloud providers bring forward.”
He predicts expanded use of provisional authorizations. “I think we’re going to see a lot more provisional authorizations coming forward in the months ahead. We do need to look at our cloud security requirements guide, and there’s some work continuing in that space,” he says.
Furthermore, Greenwell leads agency efforts in operating and assuring a reliable and secure enterprise. His responsibilities include driving agency compliance with the department’s cybersecurity scorecard reporting requirements. He also leads DISA’s efforts in developing departmentwide security requirements guides, security technical implementation guides (STIGs) and content used by standards-based tools for automating the process for assessing compliance with the standards. Additionally, he is charged with leading other key cybersecurity-related initiatives such as incident response, penetration testing and architecture analysis for critical systems.
“We are focused on articulating the standards, evaluating controls and informing the risk management function overall and then balancing that risk with the operational mission requirements as we look across the cyber domain,” he explains. “We’re bringing all that together in a blended way, looking at technical risks, along with operational risk and creating that effective balance of ensuring we can continue to maintain capabilities.”
His is a job in which accomplishments—however crucial and far-reaching they may be—are noted in increments. “For me, accomplishments are a continual emphasis on everything we do. Accomplishments are like little milestones along the way. Things that stick for me are things like what we’ve been able to do with our [STIGs] for the department,” Greenwell states.
The STIGs are a critical piece of the overall cybersecurity puzzle. “We provide the standards that the department uses in order to be able to secure systems. We provide the analysis and tracking of compliance for circuits, the use of ports and protocols, the use of cloud computing and cross-domain systems throughout the enterprise … as we look at how to secure our boundaries.”
He touts DISA’s cooperation with industry on the development of the STIGs as one of those accomplishments. In previous years, the agency developed the STIGs internally without working with industry at all. “We’ve now been able to reach out and partner with industry, leveraging those vendors’ expertise. We’re able to effectively produce a lot more STIGs much faster,” he reports.
By working closely with industry, the agency also is able to develop STIGs for a wider range of technologies. “We’re able to cover a broader breadth of products and capabilities because many vendors now express an interest in wanting to make sure their product is configured properly,” Greenwell notes. “They’re actually reaching out to us and asking how they can participate in the STIG development process. That’s foundational to one of the key things we do in making sure everybody can configure systems properly.”
Greenwell touts the efficiencies gained through a close collaboration with industry. “The efficiency derived from this process often allows the STIGs to be released nearly simultaneously with new vendor product releases and facilitates the agility needed to quickly adapt to changing priorities. The needs of the warfighter and the overarching Defense Department policies are at the core of this process,” he says.
The incremental but significant accomplishments include a transition from the Department of Defense Information Assurance Certification and Accreditation Process, commonly referred to as DIACAP, to the Risk Management Framework, which integrates security and risk management activities into information system development. “We did so in an incremental fashion, focusing on priority controls and addressing the lower-priority controls over time, ensuring we’re focusing on the most important things as we bring operational systems on the network,” he says. “Our focus now is making sure we’re maximizing the use of our tools, such as continuous-monitoring tools providing actual system status details.”
The transition to the Risk Management Framework aids in determining which controls are necessary in a given system environment. “You can’t eliminate risk. Ultimately, you need to understand what a system environment is really intended to do and what controls are necessary,” he explains. “The risk with operating a public-facing website and the risk associated with a command and control system are two very different things. I wouldn’t put the same level of security controls in that public-facing website as I would put on a command and control system.”
Greenwell touts the benefits of automation to the risk management mission. “It’s one of the most critical pieces of risk management. The only way we’re going to be able to get efficiencies is to take advantage of automation,” he asserts. “Automation is critical to being able to maintain an acceptable risk to security.”
In addition to enhancing security, automation also allows the department to more rapidly field systems. “We’re getting the capability more secure in the process, but more importantly, we’re actually getting capabilities out to the warfighters quicker.”
Mihelcic describes automation as critical to a concept known as continuous integration or continuous deployment, which he says is the gold standard in industry but not yet widely practiced in the Defense Department. “That is an approach where developers are building code, and every time they complete a module, they check that code in. That code is checked for functionality and security properties. It’s compiled. It’s tested in an automated fashion, and then it’s deployed to operations,” Mihelcic explains.
The result, says the retired chief technology officer, is that software is both more secure and more rapidly deployed. “Security isn’t an afterthought. It’s integrated with that process, and it can happen in real time. It won’t delay the deployment of that software,” Mihelcic states. “Industry delivers updates to their systems multiple times a day, but with Defense Department systems, it can take months or even years to deliver updates. We’ve got to get out of that Defense Department model of operations and move to the industry model where we can deliver new capabilities every day and do that securely.”
He cites the Defense Collaboration Services (DCS), which provides a stand-alone chat service with an in-browser web conferencing service and includes audio, webcam, white boarding, presentation sharing, desktop sharing and polling, among other features, according to a DISA website. By leveraging the milCloud virtual data center environment, DCS increases operational efficiencies by consolidating administrative, hardware and software resources for a scalable and secure, globally accessible solution. DCS reached full operational capability in 2015.
“One of the areas where we’ve been able to take advantage of a lot of our automation is around DCS. They’ve certainly implemented a great level of automation in their development processes and how they actually maintain the infrastructure in their environment,” Greenwell says.
He indicates the agency’s use of automation will continue to grow. “This is a continuing focus area for the agency. Automation is definitely not where I want to see it. We’re working very closely within our innovation directorate and also across our operations directorate in terms of how we bring automation into play with the patch management, configuration management, how we maintain and manage the network.”
Software-defined networking also is “a lot of what we’re working to implement now,” he notes. “We refer to a concept of software-defined everything.”