The Department of Defense’s (DoD) organization responsible for protecting and defending its network globally is adopting a three-part approach to improve cyber readiness and cybersecurity tactics across the department, a senior DoD official said this week.
During the DAFITC 2023 conference, Lt. Gen. Robert Skinner, commander of the Joint Force Headquarters-Department of Defense Information Network (JFHQ-DoDIN) and the director of the Defense Information Systems Agency, explained that JFHQ-DoDIN is piloting the third iteration of the Command Cyber Readiness Inspections (CCRI) to improve how it protects the department’s network globally against malicious activity.
JFHQ-DoDIN – a subordinate headquarters under the U.S. Cyber Command (Cyber Com) – must raise the bar to ensure Pentagon officials can move past worrying over “easy intrusions,” which Skinner classified as rudimentary cyberattack tactics.
“It’s a daily effort to get readiness at a higher state [and] as we operate and maneuver the domain, how do we make it more effective and efficient for them to be more compliant, which leads to readiness?” Skinner said.
The focus of CCRI 3.0 is inspecting risk on forward-facing devices and terrain because, according to Skinner, that’s the easiest way for adversaries to gain access to the department’s network.
Part one of this iteration is for officials across all the services and agencies to ask themselves how they control access and elevated privilege, how “elevated privilege” is granted and managed, and who are the system administrators.
Leaders also need to assess incident response processes and assess “how at risk they are and if they need to do something as an enterprise to mitigate or drive down that risk,” Skinner said.
Part two focuses on training to improve the overall readiness and security of the DoDIN.
In this phase, JFHQ-DoDIN will look at training standards for system administrators with elevated privileges. By cultivating training standards, the department can holistically observe the DoDIN, shifting from a force posture standpoint to a force training readiness.
“Here’s the standards, here’s how we’re going to assess against those standards based on readiness and then understand the risks. So, you got the risk of the terrain and risk of the force to support that terrain and [then] protect that terrain and secure that terrain all together,” Skinner said.
In addition, Cyber Com, which for a long time has focused on the training of the cyber workforce, is pivoting its attention to cybersecurity service providers (CSSPs), local defenders, and maintainers of a network.
Two months ago, the department launched a joint mission essential task for CSSPs. In the next few months, roughly 30 CSSPs across the DoD will closely assess their respective readiness levels, Skinner said.
Part three of CCRI 3.0 is maneuvering the cyber domain.
Skinner explained that – unlike the sea, land, air, and space domains – the cyber domain is manmade and in a split second can be altered. JFHQ-DoDIN is looking at a few pilots within the maneuverability portfolio, including one on the cyber boundary and security-as-a-service for the boundary. According to Skinner, the security-as-a-service pilot makes maneuvering the cyber domain less complex.
Skinner said he expects CCRI 3.0 to be rolled out to all the services and defense agencies in the next quarter.