The Pentagon is looking to overcome a resource-constrained environment by certifying commercial companies to conduct cybersecurity assessments of Department of Defense systems under a program directed by Congress.
The Strategic Cybersecurity Program was part of the fiscal 2018 annual defense policy bill, which meant it was signed in 2017. It directs the Pentagon to establish a program and assign personnel to improve the cybersecurity of offensive cyber systems, long-range strike systems, nuclear deterrent systems, national security systems and critical infrastructure of DoD.
However, there are just too many systems and too little resources available.
The program’s director, Patrick Arvidson, special assistant to the Office of the National Manager for National Security Systems at the National Security Agency, asserted there are likely over 4,500 systems and only nine certified NSA red teams across the various combatant commands.
“There’s no way that I can do an assessment of that many systems and I don’t even know what that term means yet,” he told an audience of mostly contractors Dec. 6 at the Charleston Defense Contractors Association Defense Summit.
When asked by the deputy secretary of defense what his plan is, Arvidson replied that he would certify commercial companies, acknowledging that he still has some work to do to figure out what exactly how to do it.
This approach has the added benefit, he said, of inspecting the defense industrial base. The 2018 DoD cyber strategy asserts that DoD assets must be prepared to defend non-DoD-owned defense critical infrastructure and defense industrial base networks and systems, somewhat of a departure from years past.
The deputy secretary of defense says industry needs to take responsibility for their own information security.
“Our focus working with DIB entities is to protect sensitive DoD information whose loss, either individually or in aggregate, could result in an erosion of Joint Force military advantage,” the strategy states.
Arvidson said the deputy secretary gave him a year to work on the plan. The working group has been stood up. The next steps include figuring out in the second quarter what gaps exist and figuring out in the third quarter how much it will cost.
“If Congress agrees with the plan in how much it’s going to cost, I’m going to certify all of you,” he told the audience. These companies will then offer their services to do assessments to a level that DoD decrees they should be in order to get a handle around what’s wrong with DoD systems and how they’re going to be fixed, Arvidson added.