The Defense Department’s top weapons buyer and top technology officer gave direction to program managers on inserting a cybersecurity risk management system into program lifecycle plans.
The guidebook emphasizes a risk-based approach that treats cybersecurity like any other system requirement. This is the first version of the cybersecurity risk management framework (RMF) guidebook. It will be updated as lessons learned are identified, the memo stated.
“A vital aspect of maintaining U.S. technological superiority and military readiness is ensuring cybersecurity of our information technology systems, weapons systems and networks,” stated an Oct. 30 memo signed by Frank Kendall, the undersecretary of Defense for acquisition, technology and logistics, and Terry Halvorsen, the DoD chief information officer. “Program managers must assume that the system they field, including their external interfaces, will be under cyber attack.”
The guidebook explains concepts and activities for the implementation of the risk management framework into development, operational testing, fielding and sustainment of systems.
Program managers need to understand, plan for and integrate cybersecurity into their programs in a cost-effective manner. They also must coordinate requirements generation, systems security engineering, ongoing risk assessments, program protection planning and test and evaluation.
DoD wants program managers to create a cybersecurity strategy as well. The strategy should reflect the program’s long-term approach and implementation of cybersecurity throughout the initiative’s lifecycle.
“The cybersecurity strategy should be used as a tool for PMs, [authorizing officials], cybersecurity, and acquisition oversight authorities to plan for, document, assess, mitigate and manage risks as the program matures,” the guidebook stated.
The RMF is the common information security framework for the federal government and its contractors.
DoD began its transition to the RMF in March 2014. DoD required the establishment and use of an integrated enterprisewide decision structure for cybersecurity risk management and a three-tiered risk management approach.
That three-tiered approach addresses risk from an organizational to a tactical perspective. The organizational strategy includes methods to assess cybersecurity risks, evaluate the significance and types of risks and the mitigation measures of the risk.
The tactical tier addresses risk management from the information system perspective and is guided by the higher levels. The decisions at the higher tiers impact the selection and deployment of safeguards and measures at the tactical level and therefore the tactical tier has a greater level of autonomy in each agency.
The RMF governance structure for DoD runs from the DoD CIO at the top tier down to the program’s authorizing official at the tactical level.
Cybersecurity has become a bigger priority over the years as technology becomes more and more essential to weapons systems.
Cyber has become so important that the Marine Corps said it would be sacrificing its capacity to invest more heavily in its cyber capabilities.
DoD announced last year that it was doubling down on its technological investments to stay ahead of its adversaries. The Defense Innovation Initiative will invest heavily in cyber, space and other areas throughout the coming years.