A New Perspective Aids Cyber Inspections Amid Mission Risk
The JFHQ-DODIN adds new factors from the U.S. Cyber Command.
The Defense Department is employing a new design for its Next Generation (NEXTGEN) cybersecurity inspection that links the inspection to an organization’s operational mission. In an era of persistent engagement in cyberspace, the goal of these new mission-based, threat-focused cyber inspections is to contribute to increasing the security and resilience of the Department of Defense Information Network (DODIN). These inspections simultaneously give commanders and directors a deeper understanding of their cyberspace operating environment and associated risks to their mission.
The Command Cyber Operational Readiness Inspection (CCORI) initiative builds on the Command Cyber Readiness Inspection (CCRI) program. The DODIN Readiness and Security Inspections (DRSI) directorate of Joint Force Headquarters–DODIN (JFHQ–DODIN), a subordinate command to the U.S. Cyber Command (USCYBERCOM), conducts both. The CCORI inspection integrates three sources into a single cybersecurity inspection methodology: the National Institute of Standards and Technology (NIST) Cybersecurity Framework, as adopted by Executive Order 13800, Strengthening the Cybersecurity of the Federal Networks and Critical Infrastructure; NIST Special Publication 800-53, Security Controls for Information Systems; and the Office of the Director of National Intelligence (ODNI) Cyber Threat Framework.
Additional factors used to customize in-depth inspections are the organization’s mission, mission-essential cyber terrain, network and system interdependencies, cyber-related priorities and operations, and the support received from the cybersecurity service provider.
Prior to using the new framework to build the operational evaluations, CCRIs were conducted using Defense Department-created checklist standards. A CCRI examines vulnerabilities on an asset or device on a mission owner’s network, with heavy emphasis on compliance with technical requirements. CCRIs produce a cyber hygiene or vulnerabilities score for assets on an inspected entity’s network. They do not consider mission analysis, threat indicators of compromise, or measures of performance or effectiveness.
In contrast, the CCORI incorporates these aspects and covers not only the mission owners but also their cybersecurity service providers. A CCORI takes place in phases. Highlighted actions include a mission analysis, a cyber hygiene assessment, threat emulation and application of cybersecurity measures of effectiveness and measures of performance. In addition, CCORI findings are reported to the inspected mission owner and the commanders of JFHQ-DODIN and USCYBERCOM.
“The bottom line is the CCORI raises the bar for all of us. Each inspection is a microcosm of effectiveness of security controls for the DODIN, a global and joint area of operations. Ideally, all entities and cyber terrain will operate at the same high standard,” says Dr. James Matlock III, DRSI director. “JFHQ–DODIN cybersecurity inspections contribute to the effectiveness of mission owners and their assigned cybersecurity service provider at the tactical level. CCORIs also contribute to cybersecurity policy, doctrine and future defensive cyberspace operations capability acquisitions,” he adds.
The JFHQ–DODIN assists organizations in determining threats and vulnerabilities to their networks and the processes that impact their mission objectives. It is a significantly advanced and mature approach to readiness, one that moves far beyond evaluating against a checklist to evaluating an organization’s ability to conduct its mission, defend its mission space and, in turn, defend the DODIN.
The shift from the uniquely information assurance compliance-based CCRI to the operationally focused CCORI directly supports the 2018 National Defense Strategy and 2018 DoD Cyber Strategy. “Compliance is of course important, but it is only one part of the equation. Compliance is how a mission owner hardens their cybersecurity posture, but the past several years have proven that compliance by itself is not sufficient,” Matlock explains.
The NEXTGEN CCORI is intrinsic to USCYBERCOM’s responsibility and authority for the operational risk associated with the DODIN, and it reflects an overarching shift to ensuring the DODIN is ready for all kinetic and non-kinetic engagement. Likewise, grounding NEXTGEN inspections in NIST’s Cybersecurity Framework enables the JFHQ–DODIN commander to share defensive cyberspace operations (DCO) information with the defense industrial base and other federal organizations such as the Department of Homeland Security in a manner that contributes to USCYBERCOM’s defend-the-whole-of-government and defend-the-nation missions.
“We approach the CCORI inspections as independent, objective fact finders,” Matlock states. “Our inspections’ objective is to evaluate and strengthen the effectiveness of inspected mission owners and their assigned CSSPs in order to have a secure and ready cybersecurity environment for all entities conducting their missions on the DODIN.”
The JFHQ–DODIN sets the standard for the conduct of DODIN inspections. DRSI and JFHQ–DODIN work closely with service cyber components to train and certify their personnel, as well as with the Defense Security Service, to build a cadre of qualified teams. Increasing the number of Defense Department teams conducting CCORI inspections in turn will increase the persistent security posture of the DODIN and all its component parts.
John K. Porter III is the deputy director, DODIN Readiness and Security Inspections Directorate, JFHQ–DODIN.
The work undertaken by JFHQ–DODIN will be among the topics discussed at TechNet Cyber 2019, being held at the Baltimore Convention Center May 14-16.