The Defense Department is putting the finishing touches on a major update to the key collection of documents that govern cybersecurity policy for the entire military. Among other objectives, DoD wants the revised policy to do two things: bring the Pentagon’s processes more in tune with those used by other federal agencies and drive decisions regarding cyber into the early phases of the acquisition process for military systems.
The series of documents, referred to collectively as DoD Instruction 8500, makes up what the department calls the capstone policy for its entire cybersecurity program, and the overhaul will be released “very soon,” said Dominic Cussatt, the deputy director for cybersecurity policy in the Office of the DoD Chief Information Officer. He said the updated version will lean much more heavily on standards that various interagency efforts are creating.
DoD is taking a “pyramid” approach to cyber policy making. Where procedures and best practices are applicable to the whole government, it’s working with the National Institute of Standards and Technology to help write them and incorporate them by reference into its own policies. In the narrower area of systems that handle national security information, it’s working with the Committee on National Security Systems to do the same.
The goal, Cussatt said, is to write DoD-specific cybersecurity policies only in areas that truly are military-specific.
“Historically, DoD has published very proprietary policy. We wrote policy for our constituency and really focused on our needs and our mission,” he told attendees at AFCEA’s recent cybersecurity symposium in Baltimore, Md. “But we’ve started to find that we have more in common than not with our federal partners in terms of the challenges we face. So we all agreed that NIST was a great place to define the minimum baseline policy requirements that the whole government would use. They already had a great body of knowledge out there and we worked with them to update it and incorporate some of the DoD policies into it. So anything that we can do that’s appropriate for the whole federal government, we’re doing it there and not restating it in DoD policy.”
The department also is using the policy update and the interagency process to try to promulgate a common lexicon across the military services and across government. Agreeing on a single set of definitions for technical terms is something DoD hasn’t been particularly good at up until now, said Mark Nehmer, the division chief for risk management at U.S. Cyber Command.
“If I’m in the Army, I can’t speak to somebody in the Navy and expect them to understand what I’m saying. God forbid we should ever try and talk to the Marines, because nobody ever understands them,” he said. “The idea is, by doing this this way, we train everybody to the same standards, we train everybody with the same language, we train everybody with the same certifications and the same endgame in mind. That way, if there’s a problem in the Pacific, I can take forces from anywhere on the globe and electronically marshal them to help the folks there execute their mission. We can only do that if we all speak the same things, if we all understand what we do and how we do it.”
Cussatt said the new policy also will include language that provides for reciprocity in cybersecurity testing of systems. In certain cases, DoD will accept the testing another agency has already done on a given system as sufficient, rather than repeating it.
“That way we’re not double-testing, over-testing and re-testing, we can just interconnect as quickly as possible,” he said.
DoD also will loosen its own tight leash on the catalog of security controls that systems have to meet in order to operate on its networks. It will rely instead on the governmentwide standards published by NIST, standards that DoD itself helped to write.
“One of the biggest things the 8500 rewrite will do is to sunset our own proprietary catalog of security controls, which used to be 8500.02,” he said. “We’ve worked with NIST to rewrite their Special Publication 800-53, and we’ve ensured that everything that was in our 8500 is incorporated in the new NIST catalog. Their latest revision was just published in April, so it’s ready to go. When our new revision of 8500 hits the street, we’ve now got the catalog ready to go to pick it up and run with it.”
Also, DoD will jettison the information assurance process it’s used for several years in order to accredit systems for military use, known as DIACAP. There, too, it will turn to NIST, relying on the agency’s governmentwide Risk Management Framework.
“All of our partners in the intelligence community and in the civilian agencies are already in the process of moving to the RMF or they’re already there,” Cussatt said. “So this document gets what used to be our [certification and accreditation] process established within the department, and it’s now going to be the same as what everyone else is doing. It also provides some clarity on what types of IT have to go through this RMF process, because it’s very involved. It’s labor-intensive and resource-intensive. We want to make sure people understand what they’re supposed to be running through that process, and not running the piece-parts through it when they don’t need to. Cybersecurity will apply to all of the IT, but the RMF process will only be done on broader collections of IT.”
Cussatt said the policy also will update and reemphasize language telling acquisition managers to undertake cybersecurity considerations at the earliest possible phase of the planning of a new military system. He said DoD also is writing educational materials for acquisition professionals to support the policy.
“One of them is a cybersecurity guidebook for program managers, and it’s going to talk specifically about how cyber is interwoven into DoD’s acquisition lifecycle, and telling people exactly what they should be doing at each milestone,” he said.