The Department of the Navy released new guidance with the goal of expanding the number and types of cybersecurity workers.
The idea behind the policy is to accept more certifications and qualifications from sailors, seamen and civilians instead of the one-size-fits-all approach of yesteryear.
Rob Foster, the Department of the Navy’s chief information officer, said the DoN has about 23,000 cyber professionals helping to secure its networks, and the guidance updates the requirements, the training and the necessity of their efforts.
Foster said the training piece around cybersecurity and cyberspace has been in the works for the better part of three years.
Jennifer Harper, the Navy CIO’s cyber IT and cybersecurity workforce program lead, said the new guidance differs from the old guidance because the number and type of certifications and qualifications have increased.
“It no longer relies solely on certifications like the DoD 8570. Training, especially military training, is now an integral part of the program as well as academic degrees, commercial certifications, credentialing programs and on-the-job training,” Harper said on the Ask the CIO program. “The new guidance allows the DoN to map the degrees, the training and certifications to foundational cyberspace, IT and cybersecurity specialty areas as laid out in the National Initiative for Cybersecurity Education (NICE) framework.”
Harper said the previous focus only on the DoD 8570 limited who was or could be qualified to be a cyber worker.
“This way if you have a degree in cybersecurity that could count. Or if you had military training in the past, that could count,” she said. “It’s no longer just pigeon-holed into just certifications.”
Foster said the Department of the Navy, like every agency and private sector organization, is facing a supply and demand challenge as it relates to cyber workers. He said expanding the certifications, training and degrees accepted increases the number of qualified cyber workers.
“Looking at their capabilities, qualities and not just looking at one or two aspects, but looking at multiple aspects as it relates to the NICE framework, and then doing an assessment to say they are qualified to operate in that position description,” Foster said. “We have a significant demand with a supply that is very hard to get whether that be qualified personnel on the outside with the credentials as they currently stand, the hiring process, which is somewhat lengthy, and the other piece of the puzzle would be hiring a contractor to do that, which in some cases could be a cost prohibitive factor. So the opportunity to get people inside the workforce, not just retool, but also be qualified for the tools they already have, document that in a framework that allows them to be able to function in that position description leads to a better capable workforce from the resources we have today.”
Those position descriptions are among the biggest changes brought forward in the policy.
Harper said the new position descriptions and specialty codes are based on the NICE framework.
She said current cyber workers may not see much or any difference with the new guidance.
“Their jobs will remain the same. This will be an easier qualification program because it’s not just certifications. Now they can use their college degrees, they can use military training and other credentialing programs,” Harper said. “While it’s a big change, and I know change is hard, but moving forward this will actually be an easier program to follow.”
Another big change, Harper said, is that the DoN will more easily be able to track cyber workers’ education and training as well as give sailors, seamen and civilians a roadmap to improve their cyber skillsets.
Aside from the cyber workforce, Foster also discussed moving to the cloud, big data and, of course, cybersecurity from the technical perspective.
He said the DoN has been focused on migrating to the cloud for the last few years through pilots.
“Last month, there was some application training for the application owners on the migration. That training seminar was very well received by the application owners because as you can imagine the hosting and infrastructure is probably the easier part. The migration of the application is where the money is and that’s pretty much where the security and complexities lie,” he said. “A group of folks to include those that I call the functionalist that own the application and data thereof, as well as the technologist because it’s a marriage that has to take place. You can’t move someone’s data without them knowing what’s going to happen, where it’s going to be located and security associated with it and the functionality.”
He said another training session will occur in September by the Navy’s Program Executive Office-Enterprise Information Systems (PEO-EIS).
The Navy Department issued a request for proposals earlier this summer and now is reviewing the bids. Foster said he expects a final decision later this year.
Foster said what’s important about the move to the cloud is how you structure the relationship between the application owner, the technologist and the commercial or government service provider.
“The lines of demarcation need to be very clear. The roles and responsibilities of those players need to be identified and there should be some contract language that supports some level of a service level agreement or liquidated damages or whatever you want to call it because the Navy can never relinquish the responsibility of the data, but if they transition the responsibility for somebody to host, what does that mean? How is that operated? What is the command and control? That is where the rubber hits the road and that is where we have to earn our money.”
Foster also issued a memo around “acceptable use” in order to reemphasize three main points: everyone in the Navy is responsible for cybersecurity; employees are not supposed to visit inappropriate websites or install non-authorized applications; and they should not forward government email to personal accounts.
“It’s a reemphasis that says we are trying to reduce our threat surface and have good cyber hygiene,” he said.
Shortly after that memo, the Navy also announced it would hold commanders more accountable for cybersecurity. The memo made it clear that military members and civilians can be reassigned or dismissed from government service altogether if they don’t stay current on their cyber defense training.
Foster said the DoN needs better and more data analytics tools, and needs to improve its platforms to support mobile computing.