The Defense Information Systems Agency is coordinating with the DoD CIO office, the National Security Agency and the military services in a sweeping review of cyber capabilities that could steer Defense Department operations in cyberspace going forward.
Officials at DISA are in the midst of a week-long deep dive on the future of the military's joint regional security stacks, a "summit" coming on the heels of a classified report by DISA, DoD CIO and NSA on their current cyber portfolio, as well as ongoing, monthly reports to the Pentagon chief on the current DoD information security picture.
The three initiatives are part of a broader DoD focus on gauging current and future capabilities, threats and requirements. The goal is a clearer, department-wide cyber operational picture, DISA officials indicated at a Jan. 12 breakfast held by AFCEA DC in Arlington, Virginia.
"What in cybersecurity is providing us the best protection it can for the cost? What are we going to stop, from a legacy sensor or something else people are hugging onto…so that [we] can go buy some innovative capabilities?" said John Hickey, DISA CIO and risk management executive. "We're looking at this from a threat base, we're looking at the current tools we have, then we're going to lay out a plan that says, these are the things providing best defense, these are the things we need to do in the future."
DISA officials aren’t the only ones evaluating IT and cybersecurity efficacy – even Defense Secretary Ash Carter is keeping an eye on it, in the same way past secretaries regularly monitored reports on traditional defense programs, they said. The monthly scorecards inform the defense secretary of ongoing progress – or lack thereof, such as who may be running outdated, unsupported versions of software that may presenting security vulnerabilities, the officials said.
Even as the DISA leaders addressed the Arlington audience, at their Fort Meade, Maryland headquarters officials at the Fort Meade, Maryland headquarters were convening as part of a week-long meeting to map out what’s next for JRSS, one of DoD’s leading efforts in coordinating enterprise-wide military network security.
"We're focusing on a couple areas: defining, refining what JRSS 1.5 and 2.0 will look like, and the discussion of the operational construct of how JRSS will be operated," said Alfred Rivera, director of DISA's development and business center. "The whole [concept of operations] of how we, as the operator of the JRSS stack, are interoperating, working with the other network operation centers, the 24th Air Force, Army Cyber…understanding our roles and relationships with respect to managing that regional construct that supports those posts, camps and stations."
Those meetings come just as leaders wrapped up a classified assessment by DISA, the DoD CIO and the NSANational Security Agency that evaluated enterprise cybersecurity tools across the military. While the DISA officials declined to elaborate on the study given the classified nature, Hickey described it as thorough and said that "we’re looking at the existing tools – whether that’s a sensor at the boundary or it’s an endpoint or it’s a web content-filtering capability…we look at these different tools and say, ‘What is the threat that they’re defeating, and what is the value of that threat?’"
And as budgets remain flat or declining across DoD, it's likely that some legacy systems and programs could see the ax as the Pentagon increasingly focuses on cyber. At DISA, that sharpening focus comes as agency officials evaluate lessons learned over the past year since the agency's major reorganization.
"We have our program managers looking across whole portfolio saying, 'Where does it make sense to cut, to not only consolidate but look at economies of all these tools we have so that the war fighter, the [network operations] guy, the cybersecurity guy [all] have a common framework of tools…and can do their jobs," Rivera said. "It really is a prioritization of what has continued to grow as we build this infrastructure, and now taking a step back and saying, 'How do we pull this together as one ubiquitous capability?"