New DISA Program Assesses Operational Risk
As DISA knows, a network that complies with standards still is not necessarily secure.
As the Defense Information Systems Agency (DISA) knows, a network that complies with standards is not necessarily secure. DISA’s new evaluation program, the Command Cyber Operational Readiness Inspection (CCORI), is designed to go beyond standards compliance. Its goal is to give site commanders and federal agencies an understanding of the operational risks to their missions.
The new program modifies the Command Cyber Readiness Inspection (CCRI) to provide a more threat-focused, mission-based assessment. It will help agencies “understand what impact the vulnerabilities found in a traditional CCRI have, in terms of the threat to their mission, if an adversary takes advantage of the vulnerabilities,” says Jimaye Sones, director of the Department of Defense Information Network (DODIN) readiness and security inspections directorate.
It isn’t just DISA that is aware of the need for information about operational risks. Many site commanders have indicated the CCRIs miss the larger picture.
During a recent inspection, for example, a CCRI flagged a comma missing from the login banner on some devices. Under DISA standards that is a Category 1 finding, the most severe rating. The site commander wanted findings like that put in the context of network access and mission: which of them are actually exposed to the outside world, and what an adversary who exploited them could do to his ability to accomplish the mission. That is what the revamped inspections, the CCORIs, are designed to determine.
To understand the impact vulnerabilities can have on a mission, you need to understand your network and identify the parts that need the most protection. As Maj. Gen. Loretta Reynolds, USMC, commander of Marine Forces Cyber Command at Fort Meade, Maryland, said at the AFCEA USMC IT Day in April at Marine Corps Base Quantico: “We will probably not be able to defend the entire network. But we absolutely better know which parts we have to defend.”
To know which portions to protect, you need to know exactly what your network looks like and how everything is connected to it. System managers must be able to answer a critical question: how many ways can system A reach or connect to system B? It sounds simple, but the answer can be baffling. Even in small and medium-sized networks, never mind large and global ones such as the DODIN, producing that answer quickly enough to be useful is well beyond what a person can do by hand. Getting it in near real time requires automation. Managers must be able to model and assess the network, identify mission systems and rank their criticality, and then evaluate every possible path from one system to another, so that the vulnerabilities found along those paths can be analyzed and the risk they pose to the systems requiring protection can be determined.
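The path question above, worked as a small reachability model. This is an added example, not code from the article, from RedSeal or from DISA’s inspection tooling: the topology, the ports each filtering device permits, the findings and the criticality scores are all constructed for illustration, and the host names are hypothetical. The model answers “how many ways can A reach B on a given port,” then lets an adversary pivot through any host whose network-facing finding is reachable, and ranks findings by mission criticality times the number of paths to them. The missing-comma banner finding from earlier in the article is included as a Category 1 finding with no listening service, so that its operational risk can be compared with findings an adversary can actually reach.

```python
"""Network-path and exposure model: how many ways can system A reach system B,
and which findings does that reachability put at risk? Added example; topology,
filters, findings and criticality values are constructed (hypothetical names)."""
from collections import defaultdict

ANY = "any"  # sentinel: the device filtering this hop passes every port

# Constructed topology: (from, to, ports the filtering device permits on that hop).
EDGES = [
    ("internet", "edge-fw", ANY),
    ("edge-fw", "web-dmz", {443}),
    ("edge-fw", "vpn-gw", {443, 1194}),
    ("web-dmz", "core-sw", {8080, 1433}),
    ("vpn-gw", "core-sw", ANY),
    ("core-sw", "app-srv", {8080}),
    ("core-sw", "db-srv", {1433}),
    ("core-sw", "mgmt-host", {22, 1433}),
    ("mgmt-host", "db-srv", {22, 1433}),
]

# Constructed scanner findings: (host, listening port or None, category, description).
# A port of None means the finding is not a network service at all (the banner case).
FINDINGS = [
    ("web-dmz", 443, "CAT II", "web plugin with known remote code execution"),
    ("db-srv", 1433, "CAT I", "unpatched database service"),
    ("app-srv", 8080, "CAT II", "outdated application framework"),
    ("mgmt-host", 22, "CAT I", "SSH permits password authentication"),
    ("db-srv", None, "CAT I", "login banner missing a comma"),
]

# Mission criticality per host, 1 (low) to 5 (mission-essential); constructed values.
CRITICALITY = {"db-srv": 5, "app-srv": 4, "mgmt-host": 3, "web-dmz": 2}


def build_graph(edges):
    """Adjacency list: node -> [(next_hop, permitted_ports)]."""
    graph = defaultdict(list)
    for src, dst, ports in edges:
        graph[src].append((dst, ports))
    return graph


def permits(ports, port):
    return ports == ANY or port in ports


def find_paths(graph, src, dst, port):
    """Every loop-free path src -> dst on which each filtering hop permits `port`."""
    paths = []

    def dfs(node, path):
        if node == dst:
            paths.append(list(path))
            return
        for nxt, ports in graph[node]:
            if nxt in path or not permits(ports, port):
                continue
            path.append(nxt)
            dfs(nxt, path)
            path.pop()

    dfs(src, [src])
    return paths


def count_paths(graph, src, dst, port):
    """The article's question: how many ways can A reach B on this port?"""
    return len(find_paths(graph, src, dst, port))


def attacker_footholds(graph, source, findings):
    """Hosts an adversary starting at `source` can compromise, iterated to a fixed
    point: a host whose network-facing finding is reachable from any current
    foothold becomes a new foothold from which further connections originate."""
    footholds = {source}
    changed = True
    while changed:
        changed = False
        for host, port, _cat, _desc in findings:
            if port is None or host in footholds:
                continue
            if any(find_paths(graph, f, host, port) for f in footholds):
                footholds.add(host)
                changed = True
    return footholds


def rank_operational_risk(graph, source, findings, criticality):
    """Score each finding by host criticality x number of adversary paths to it,
    so a finding that is severe by category but unreachable scores zero."""
    footholds = attacker_footholds(graph, source, findings)
    ranked = []
    for host, port, cat, desc in findings:
        paths = [] if port is None else [
            p for f in footholds if f != host for p in find_paths(graph, f, host, port)
        ]
        ranked.append({"host": host, "port": port, "category": cat,
                       "description": desc, "paths": len(paths),
                       "risk": criticality.get(host, 1) * len(paths)})
    ranked.sort(key=lambda r: r["risk"], reverse=True)
    return ranked


if __name__ == "__main__":
    g = build_graph(EDGES)
    print("paths vpn-gw -> db-srv on 1433:", count_paths(g, "vpn-gw", "db-srv", 1433))
    for r in rank_operational_risk(g, "internet", FINDINGS, CRITICALITY):
        print(f"risk={r['risk']:>2} paths={r['paths']} {r['category']:<6} "
              f"{r['host']:<10} {r['description']}")
```

Run from the internet node, the Category 2 web plugin is the only finding reachable directly, but compromising that host opens two paths to the database server, which therefore ranks first; the Category 1 banner finding ranks last because no network path leads to it. In practice the edge list would be derived from parsed device configurations (access lists, routes, NAT) rather than written by hand, which is exactly the automation the paragraph above calls for.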
When an adversary is detected, an automatically generated network model lets operators and assessment teams quickly identify the IT systems and network segments that must be protected. Such a model is similar to the sand tables militaries have used for centuries to depict terrain such as mountains, rivers, forests and valleys. In a network, the “terrain” is the firewalls, routers, switches and load balancers. A network model lets people visualize a complex environment easily and make tactical decisions quickly.
While DISA moves forward with CCORIs, the agency will continue to schedule traditional CCRIs, as well as cybersecurity service provider and public key infrastructure audits, at other DODIN sites. Whether the inspection is a CCORI or a CCRI, there is a need for a tool that automatically and accurately maps the network and puts vulnerabilities into the context of network access.
J. Wayne Lloyd is the federal chief technology officer at RedSeal.