Hardly anyone questions the need for Department of Defense cybersecurity compliance requirements, but a growing number of defense community IT experts say striving to meet mandated cybersecurity benchmarks often wastes scarce funds and could get in the way of the intended security goals.

"Compliance is good, but there are systems and subsystems that we can't necessarily [make] compliant ... so we have to find other ways we can make the system secure as a system," VADM Ted Branch, deputy chief of naval operations for information dominance, said at November's C4ISR & Networks CyberCon conference. "I could just recommend that we spend the Navy into oblivion and update every system, but the fact of the matter is that's not practical or affordable."

Compliance trade-offs

Compliance does not always equate to strong cybersecurity. Compliance is often based on requirements that are outdated or have little relevance to zero-day attacks and other modern-day adversary tactics, said Judson Walker, systems engineering director for Brocade.

"Many compliancy standards are oriented toward point products that do not address a true end-to-end cybersecurity strategy," he said.

Point products are implemented and managed as individual security components. "This can lead into a layered approach where [adopters] continually invest in higher priced hardware implementations," Walker said.

To create a true end-to-end security strategy, DoD could bring together multiple point products so they can be managed collectively via a set of unified security policies. "This is where software overlays provide a great complement to bring these point products together and to provide the ability to adjust without having to throw more hardware at the problem," he said.

Compliance mandates are often the result of a compromise between cost, ease of use and security. However, security may be traded away to meet budget or ease-of-use constraints, said Dave Archer, cryptography and multiparty computation research lead for security software company Galois.

"Security mandates are based on expectations about adversary capabilities, yet adversaries rarely limit themselves to the defenders' expectations," he said. Therefore, even well-conceived security mandates that are fully complied with can fail to provide security. Mandates can also fall behind the times, leaving compliant systems vulnerable.

Sometimes, ad hoc exceptions are made for systems that can't meet security mandates, but that's not a smart move. "The problem with this approach is that security mandates often form a web of protection," Archer said. "Removing threads from that web without reconsidering the whole security picture often results in nonobvious vulnerabilities."

When systems simply can't meet existing security mandates, Archer advises developing new mandates from the ground up. "NIST offers a process for security assessment that flows from an understanding of adversarial capabilities, types and sensitivities of data or controls to be protected, and available budget," Archer said. "Following this process, you can identify potential security risks specific to the system and then develop practices to secure the system against those risks becoming vulnerabilities."

Regardless of compliance mandates, a cybersecurity strategy needs to include active and passive threat management, vulnerability management, network/system monitoring and incident response plans, said Eric Basu, CEO of Sentek Global, an IT infrastructure management software developer. "A company should also take an aggressive approach to testing by hiring outside firms to conduct penetration tests and vulnerability assessments," he said. "It's important to have an outside opinion versus having your IT staff do the test, since the same vulnerabilities that they are missing now they'll likely miss during the test."

Rob Carey, Vencore's Navy and Marine Corps programs vice president and former DoD deputy CIO, is skeptical about cybersecurity mandates in general. "If compliance equaled adequate cybersecurity, you would see a trend line of attacks going down, or successful attacks going down," he said. "To this point, there is no evidence that the actions that the government has taken are causing, or blunting a larger number of attacks, whether they be sophisticated or whether they be softball phishing attacks."

Carey declared that he's a huge believer in moving more toward an effects-based cybersecurity strategy. "So when I take an action, I know exactly what it does at the resulting end state," he said. "Today, it is so nebulous that we can't see a result — I've got a risk balance, but I don't have the effects balance."

How mandates help and hurt

Security mandates are a double-edged sword. "Some sort of compliance is required, since organizations will otherwise ignore information security," Basu said. "But continuously changing [mandates] and increasingly onerous requirements actually forces organizations to put resources that could otherwise be spent upon 'real' security to trying to comply with an obscure regulation and repeated audits."

According to Archer, there are three times when mandates need to be revisited:

  • Changes in the value or type of assets being protected.
  • Changes in the adversary model, such as increased interest or capability.
  • Changes in the IT infrastructure.

"None of these — except perhaps the last — imply a fixed timeline for change, so it's hard to set a specific minimum period for security re-assessment," he said. "We suggest frequent review, perhaps once per calendar quarter, of changes in those three salient reasons that might motivate reassessment, rather than setting a specific periodicity for reassessment."

Compliance remains one of the most common purchasing drivers, said Mav Turner, director of product strategy for SolarWinds, a company that supplies management and security compliance technologies to government agencies. "Unfortunately, this can be at the cost of tools or solutions that might actually improve security," he added.

Turner noted that simply meeting compliance mandates can create a false sense of security. "Extra cybersecurity measures are always required beyond basic compliance," he said. "Compliance is just the starting place for an agency's cybersecurity posture."

Bill Hargenrader, a senior lead technologist with consulting firm Booz Allen Hamilton, said cybersecurity is more than just checking the box on a compliance audit, and the DoD is showing increasing flexibility in how mandates are met. "One thing they are doing right is publishing a road map to a safer cyberspace and giving the military services the autonomy to go above and beyond this road map," he said. "They are giving the go-ahead for them to implement solutions that can surpass cyber milestones faster, and allowing the services to hone in on what matters most to that organization."

Hargenrader noted that cyber compliance also includes the management of people, processes, technology and workflows. "With more and more attacks, and more activities for cyber managers to track as well as more cyber tools to integrate, cyber professionals are caught in a risky juggling act," he said. "It's critical to consider tools that help IT security managers perform their functions efficiently, considering the dispersed nature of the workforce and IT assets."