The Defense Department recently issued a military-wide cybersecurity discipline implementation plan, a document that aims to hold leaders accountable for cybersecurity up and down the chain of command and report progress and setbacks.
The plan was originally issued in October but updated in February and made public on the DoD CIO site in early March. It shares some similarities with the Pentagon's other large-scale cyber assessment tool, the department's strategic cybersecurity scorecard that reports service-level compliance directly to the Defense secretary. The difference between the two is that the discipline implementation plan targets tactical-level compliance, and each has different reporting mechanisms – the discipline plan routes users to the Defense Readiness Reporting System to report their status with the requirements.
The new plan centers on four lines of effort, which actually correspond with the cybersecurity scorecard. They include:
- Strong authentication to degrade the adversaries' ability to maneuver on DoD information networks;
- Device hardening to reduce internal and external attack vectors into DoD information networks;
- Reduce attack surface to reduce external attack vectors into DoD information networks; and
- Alignment to cybersecurity/computer network defense service providers to improve detection of and response to adversary activity
"The requirements within each line of effort represent a prioritization of all existing DoD cybersecurity requirements. Each line of effort focuses on a different aspect of cybersecurity defense-in-depth that is being exploited by our adversaries to gain access to DoD information networks," the document states. "Securing DoD information networks to provide mission assurance requires leadership at all levels to implement cybersecurity discipline, enforce accountability, and manage the shared risk to all DoD missions … this campaign forces awareness and accountability for these key tasks into the command chains and up to senior leadership, where resourcing decisions can be made to address compliance shortfalls."
Each of the four lines of effort includes a thorough explanation of the goal, followed by multiple tasks and questions designed to assess compliance, vulnerability and progress. An appendix further details prioritizes tasks from the discipline implementation and from previously issued DoD cybersecurity campaign guidance, and weights DoD's cybersecurity objectives.
"Work on these tasks can proceed in parallel; these lists guide the application of limited resources to the most critical tasks for securing and defending segments of the network across the Department," the document notes. "Of primary importance is implementing a healthy cybersecurity culture across all ranks, one that ingrains a self-correcting discipline similar to the nuclear enterprise or other critical, highly reliable organizations. If we fail to change the culture, we will fail to secure the enterprise regardless of any defenses installed otherwise."
Despite the use of the term 'discipline' in its title though, one thing the new plan seems to lack, at least in the unclassified version: consequences for failing to meet goals or maintain security. It's not immediately clear what might happen to people who fall short of requirements or fall to cyberattacks.