FedInsights by Forescout

Rise of IoT, OT, other non-traditional devices requires a new approach to cybersecurity

Back in April 2019, the Homeland Security Department issued a binding operational directive (BOD) requiring agencies to patch critical vulnerabilities within 15 days. That halved the 30-day window set by the previous BOD from 2015.

Patching of networks and systems has been a huge problem for agencies for much of the last 25 years. Back in 2004, the Government Accountability Office found agencies struggled with risk assessments and testing all patches before deployment.

This is why something as basic as the concept of comply-to-connect is such an easy concept to get behind.

Comply-to-connect (C2C) requires new devices to meet security requirements before they’re allowed access to the network. An automated process scans, analyzes and ensures the device is patched and up to date.

The Marine Corps has led this effort and now the Defense Information Systems Agency (DISA) is planning to expand it in the coming year. The Marine Corps issued a policy last May explaining how C2C will work. DISA issued a request for information in June seeking a platform that would give real-time visibility of all IP endpoints, network infrastructure and internet of things devices.

Dean Hullings, the global defense solutions strategist for Forescout Technologies, said the goals of the comply-to-connect program were to close the gaps between existing security tools and make existing security processes more efficient for network administrators.

The Marine Corps and Navy comply-to-connect pilots were pathfinder efforts to establish what the framework looks like and which tools work together best to provide that automation and effectiveness.

Hullings said the Army, the Air Force, the Fourth Estate and many others are moving toward C2C and the Defense Department’s chief information officer is working on a memo detailing how the initiative will work on an enterprise level.

“The proliferation of devices that are connected in society today is also driving that same connectivity and reliance across DoD operations. As you get more complex, so does the need for having greater security and tools that work together to provide a wider solution,” said Hullings on the Innovation in Government show sponsored by Carahsoft. “Let’s not forget that our adversaries have a vote too. The sophistication of what they are doing with their cyber attacks at the same time with the complexity of all of these devices being connected really brings about a new capability, a new program and a new framework that C2C is going to be delivering.”

Hullings said one reason DoD has recognized comply-to-connect as a key cog in its cyber protection machine is the basic challenge of keeping laptops, desktops and other devices secure. He said the size and scale of DoD make it even more difficult to ensure devices aren’t infected with malware, which gives hackers a way onto the network from which they can move laterally looking for more valuable data.

“If you look at a lot of the recent breaches, they hit an internet of things device or some non-traditional device that is now connected to networks. That connection was made for efficiency of those operations, like a security camera that is now IP connected. All it takes is getting into the network and then the lateral movement,” he said. “So you have to have an understanding of everything that is connected to the network and you have to be able to continuously monitor all of those devices connected to the network in order to stop those breaches from happening. Certainly, that is what C2C has attempted to achieve in delivering their capabilities and then integrating all of those tools together to stop that lateral movement, to make sure that a device that is supposed to be a security camera or a printer is acting and operating like only a security camera or printer and not reaching out to other databases or other services on the network they shouldn’t have any need to access.”

Hullings said comply-to-connect becomes even more important with the rise of operational technology (OT), whose sensors are connected through the network. He said OT doesn’t normally have endpoint “agents,” the software that reports a device’s cyber hygiene level back to the network tools.

“If a vulnerability assessment scanner would interrogate one of these endpoints, you’d overload that operating system and you’d actually crash that device,” he said. “You are trying to apply security so the endpoint continues to work, but in doing so you are actually making the endpoint stop working, so you are defeating your own purposes. So you have to have newer, modernized ways of looking at the solution that is provided to secure these devices, yet not impact how they are operating. That is what C2C is delivering: agentless solutions that can use other methodologies of understanding what that device is and use policy-based security to wrap a barrier around those devices that is different than wrapping the same level of security around a traditional endpoint.”
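The two C2C ideas the article describes, a connect-time gate that checks a device is patched and up to date, and agentless, policy-based monitoring that confirms a camera or printer only behaves like a camera or printer, as an added illustration that is not Forescout's, DISA's or the Marine Corps' code. Device classes, behaviour profiles, zone names, flow records and the patch-age threshold are all constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed per-class profiles of legitimate outbound behaviour (not a DoD/DISA policy):
# the set of (destination_zone, dst_port) pairs each device class actually needs.
PROFILES = {
    "camera": {("vms", 554), ("ntp", 123)},         # RTSP to the video server, time sync
    "printer": {("printsrv", 9100), ("ntp", 123)},  # raw print spooling, time sync
}

@dataclass
class Device:
    name: str
    cls: str                                 # "workstation", "camera", "printer", ...
    has_agent: bool                          # True for endpoints that can report hygiene
    days_since_patch: Optional[int] = None   # None for agentless devices
    av_running: bool = False

@dataclass
class Flow:
    src: str        # device name
    dst_zone: str   # constructed network zone label
    dst_port: int

def admit(dev: Device, max_patch_age: int = 15) -> tuple:
    """Connect-time gate. Agent-capable endpoints must prove patch level and
    protection; agentless OT/IoT devices are admitted only when a behavioural
    profile exists to restrict them. max_patch_age is a constructed threshold."""
    if dev.has_agent:
        if dev.days_since_patch is None or dev.days_since_patch > max_patch_age:
            return False, "patch level out of date"
        if not dev.av_running:
            return False, "endpoint protection not running"
        return True, "compliant endpoint"
    if dev.cls in PROFILES:
        return True, f"agentless {dev.cls}: restricted to profile"
    return False, "unknown agentless device: quarantine"

def profile_violations(dev: Device, flows: list) -> list:
    """Continuous monitoring: return flows from an agentless device that fall
    outside its class profile, e.g. a camera talking to a database port."""
    allowed = PROFILES.get(dev.cls, set())
    return [f for f in flows if f.src == dev.name
            and (f.dst_zone, f.dst_port) not in allowed]
```

A flow returned by profile_violations is the signal to isolate the device rather than a reason to scan it, which is the point of the agentless approach.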

Hullings said the good news for DoD is Congress appropriated funds to expand the comply-to-connect program enterprisewide. DISA created a program management office to help spread the program across the military.

“The program office will be developing those enterprisewide policies, testing them, making sure they don’t impact other organizations, any network or subnetworks, and working with the services and agencies to ensure their rollout is seamless,” he said. “They are also providing the training for the administrators in the field. I was a squadron commander and the last thing I wanted to hear was a mandate to install and implement something new, and then put it on my back to go figure out how to get my people trained.”

Featured speakers

  • Col. Dean Hullings (retired)

    Global Defense Solutions Strategist, Forescout Technologies

  • Jason Miller

    Executive Editor, Federal News Network
