Enhanced Cyber Security for DoD Acquisition Projects

The US Defense Department is doubling down on its effort to build cybersecurity into the acquisition cycle as a means of better protecting defense programs of the future.

DoD is preparing guidance to be released in the next two months that will give program managers more detailed direction on systems security engineering.

The guidance will give program managers “a more consistent set of approaches across all of our acquisition programs,” Robert Gold, DoD’s director of engineering enterprise, told Federal News Radio.

The guidance is part of a broader push within the Defense Department to make programs more cybersecure.

As more programs are connected to the internet, DoD has seen the need to protect them from the increasing number of cyber attacks.

Defense Undersecretary for Acquisition, Technology and Logistics Frank Kendall released a policy last year requiring program managers to conduct cybersecurity risk assessments and to assist program users in writing testable measures for cybersecurity.

“Cybersecurity is a pervasive problem for the department,” Kendall said last year. “It is a source of risk for our programs from inception all the way through retirement, and it includes the industrial base that supports us and their databases and their information. Everything associated with the product is a potential point of attack.”

The Navy in particular has taken cybersecurity and hacking prevention to heart. In 2014 it launched its Cyber Awakening initiative after being hacked by Iran.

The service did a top-to-bottom scrub and reallocated roughly $300 million in existing funding to remediate cyber problems on its networks, within its weapons platforms and in the industrial control systems that keep the lights on aboard its bases. Last fall the Navy made Cyber Awakening a permanent office and put the CYBERSAFE program within it.

CYBERSAFE includes major cyber hygiene components through which the Navy hopes to influence individual sailors’ behavior, but for now, it is highly focused on ensuring cybersecurity is a key priority in Navy procurement plans.

While those acquisition commands will be in charge of certifying the equipment they’re procuring as “CYBERSAFE,” the central Navy Cybersecurity division will try to ensure they’re doing so with a coherent and common set of guidelines.