In a perfect world, all IT systems would be fully protected from cyber threats. This means that the commercial products that make up these systems would inherently, or through additional protection, be secure against cyber attacks. Unfortunately, our world is not perfect. Our world is pretty vulnerable. In addition, security risk is compounded by connecting to the Internet, which was not built with security in mind. For the Department of Defense (DoD), the increased use of commercial products and information sharing has also increased the vulnerability of DoD systems. However, there are fundamental steps that can be taken to improve the security of mission-critical DoD systems.
The Challenge of Maintaining Cyber Security Accreditation
The process of testing an IT system against a set of standards is known as certification. The formal authorization of a system based on the certification is known as accreditation. An accreditation authority is responsible for accrediting a system with an acceptable level of risk, typically measured as low, medium, or high. The system owner is responsible for managing and maintaining the accepted risk level throughout the system’s life cycle. The DoD has had a Certification and Accreditation (C&A) Process in place for many years to protect the information stored and transmitted in DoD systems. Technological advances and increased connectivity combine to make it more challenging for system owners to maintain low risk levels and, hence, maintain their accreditations.
The DoD acquisition process has, for several years, focused on speed of capability delivery. The use of Commercial-off-the-Shelf (COTS) products in system development helps to bring increased capabilities to war-fighters more quickly through a process known as Rapid COTS Insertion. The transition to COTS-based systems has helped the DoD gain superiority in many capability areas. However, the reliance on COTS means these systems are inherently flawed from a security standpoint. Furthermore, security risk increases exponentially when these systems are interconnected over commercial networks allowing exposure to a host of malicious actors.
A Life-Cycle Approach to Improving Cyber Security
The solution to this pervasive problem is increasing the attention given to security considerations at program inception. Cyber defense needs to be baked-in rather than bolted-on. Typically, system development includes design, integration, test, production, deployment, and life-cycle support phases. Cyber security considerations must be integrated into every phase of the development process to address current and future security concerns. If system security features are an afterthought, integration complexity, delivery schedule and project costs will all be dramatically impacted. Security guidelines must be applied early in system development. The Defense Information Systems Agency (DISA) has developed the Security Technical Implementation Guidelines to provide guidance on securely configuring information systems and software. The National Institute of Standards and Technology (NIST) Special Publication 800-37 provides guidelines for implementing the Risk Management Framework.
Yet, even the best security strategies still have their challenges. For example, development teams must be careful when managing vulnerabilities during the integration and test phases since software stability is required. A system’s software build should be stable when that system undergoes final acceptance and pre-production testing.
COTS products and a focus on net centricity are the keys to the military’s rapid deployment of advanced capabilities to the war-fighter. Yet, this has made protecting these systems from exploitation a greater challenge. Unfortunately, there is no silver-bullet solution that ensures 100% protection—cyber security is a constant battle. However, a security strategy that is implemented throughout the system life cycle can reduce vulnerability to malicious software and ensure certification and accreditation. System owners must define and maintain an acceptable level of risk on a warfare system. This means that conscientious and constantly evolving cyber security measures must be continuously practiced if net-centric systems are to remain secure as new threats evolve.