An influx of money from the CARES Act helped the Department of the Navy (DON) make major strides in modernizing its networks. Now, leaders say, it’s time to focus on bolstering those networks’ cybersecurity, including with a major pivot from compliance-driven approaches to a new philosophy called “Cyber Ready,” which focuses instead on continuous monitoring and ongoing risk assessments.
The idea of keeping constant tabs on a system’s cyber health certainly isn’t new — indeed, it’s central to the National Institute of Standards and Technology Risk Management Framework DoD already uses to authorize systems on its networks, as a theoretical matter anyway.
But Navy IT leaders think they’ve hit on a new framing that will help with the cultural changes needed to actually, finally, move away from checklist-based, single-point-in-time security approvals.
Aaron Weis, the Navy Department’s CIO, said describing the problem in terms of “readiness,” akin to the way the military measures its servicemembers and weapons systems’ ability to execute missions on a day-to-day basis, has found a good deal of resonance in the Navy and Marine Corps.
“The whole approach is that we measure readiness in a very holistic way, and it’s something that you dynamically manage,” he said this week at the Navy Department’s annual IT conference in San Diego. “It’s taking the way that we measure ourselves in a very complete way and bringing that to the topic of cybersecurity, and my sense is we’ve really hit on a message that resonates — an approach that can bear fruit — and we’ve gotten really favorable engagement on this idea.”
Exactly what “Cyber Ready” looks like in practice is still to be determined. The concept has only been under discussion since October, and the DON plans to test it with a handful of pilot projects in the coming year before drawing any broad policy conclusions.
But Weis said a key objective is to move away from the current practice of granting systems an Authority to Operate (ATO) once every three years. That approach, he said, incentivizes “bad behavior.”
“One of the things that we’re saying as part of Cyber Ready is that the idea of a three-year ATO is wrongheaded — you fill out a giant spreadsheet and do 10,000 pushups and then you get an ATO that’s good for three years,” he said. “People get that ATO and they go, ‘Yeah, job done.’ And then what happens? Over the next three years, that system hasn’t evolved or been updated. It’s no longer secured, and it ends up as a high-risk escalation that ends up on my desk. We need to get to this idea that you’re always earning your ATO. There are a lot of snazzy phrases for that, like continuous ATO, but the idea is you’re always earning and re-earning your ATO every day.”
And Navy IT leaders think their technology developers are hungry for changes along these lines.
Jane Rathbun, the deputy assistant secretary of the Navy for information warfare and enterprise services, said the acquisition community is often frustrated by the process of building new systems and only turning them over to cybersecurity officials for review and approval once they’re ready to deploy.
She said developers would actually prefer to have the CISO community embedded in their programs from the start.
“They also see a need for common platforms so that they can abstract the actual capability from the IT infrastructure, so that that can be prepared and ATO’d — and not repeated every time we want to add real capability to the Navy and to the Marine Corps,” she said. “They want inheritance. If we’ve gotten Marine Corps approval on some platform or solution that we now want to use in the Navy, we’re all one big happy family. We don’t need to be doing things twice … They do agree that they must comply with cybersecurity, and they want to do that. That’s never been the problem, it’s just about how we get there.”
Cyber Ready also dovetails with an effort the Navy has already had underway for the past two years to streamline its implementation of the Risk Management Framework. Since then, the Navy has reduced the number of security controls it considers “critical” from about 600 to just 72.
And Rear Adm. Susan BryerJoyner, the Navy’s chief information security officer, said her service is looking for ways to automate security checks for many of those remaining controls.
“We also have a commercial solutions opening for the tools that allow us to automate the workflows associated with the compliance checks, because there will still be compliance checks,” she said. “This is not the ticket to say nobody ever has to scan or patch again. This is the ticket that says we’re going to figure out a better way of understanding how well you’re scanning and patching. And on a near-real-time basis, we’re going to identify the vulnerabilities the Fleet Cyber Command commander needs to know about to order a network maneuver when we have unacceptable risk on the network.”
The new approach is also likely to lean heavily on automated approaches to red-teaming and penetration testing, according to Renata Spinks, the Marine Corps’ CISO.
While there’s definitely no intention to eliminate human red teams, the sea services do need ways to test their defenses against real-world threats on a much more ongoing basis, she said. And the frequency of those checks will often be determined by how much risk the DON is willing to accept for a particular system or segment of the network.
“If we use real-time information from the people who are closest to the network, our policy should align to what’s been proven. We shouldn’t set policy and try to make people retrofit their systems with some grand new idea, because that policy is going to be reversed,” she said. “Pen testing will not only tell me how ready you are, but it will also teach me the new things that the adversary is doing. What are some of the things that maybe we’ve become complacent about? Or, do passwords need to be 16 characters? Maybe that’s no longer effective. We need to know how to be ready for the next thing, not if it occurs, but when it occurs.”