The Army Cyber Command is changing its information assurance accreditation methods by increasing automation and training additional compliance teams.
The Army Cyber Command is rethinking how it conducts cybersecurity assessments, audits and certifications, says an official with the command. In the next few years, the command hopes to put in place a more streamlined method for running assessments, training inspection teams and creating a centralized repository for inspection data. This new process will also mesh with Defense Department-wide efforts by the U.S. Cyber Command to conduct in-depth security and risk analysis of department computer networks.
Over the next several years, Army Cyber plans to codify the methodology behind its information assurance and computer network defense inspections, said Greg Weaver, compliance division chief at Army Cyber, said March 20 at the AFCEA Belvoir Industry Days conference in Oxon Hill, Md.
These processes include meeting government guidelines requiring the command’s personnel to be trained, certified and task organized to conduct inspections, Weaver said. Army Cyber is the Army’s computer network defense service provider, but he said that the organization needs to build out its technology and capabilities to conduct better information assurance assessments. “The capability exists to do better reporting of our enterprise from an assessment standpoint,” he said.
Army Cyber has laid out a plan to provide more efficient assessments and to create a data repository to store this information, but much of the process is still tentative and subject to change, Weaver said.
A key constraint facing Army Cyber that there is no centralized authority to store assessment data. An archive is necessary because it provides the command’s analysts with a place where they can access the information needed to brief superiors about threats and vulnerabilities in Army networks, Weaver said.
A standardized checklist does exist in the Army CIO's office, Weaver said. But command’s primary goal is to have organizations manage their own maintenance lists so that commanders can work through their information assurance checklists before Army Cyber inspectors arrive, he said.
The accreditation process also needs more automation because much of it is now done manually, Weaver said. At some point, he added that technology must mesh data across Army organizations to prevent them from asking the same questions over again. Army agencies use the same checklist, but Weaver noted that they often answer those questions differently, which throws off compliance data. The service must improve how its component organizations define and answer cyber assessment questions, he said.
One concept Army Cyber is considering is to create “command teams” designed to hold individual commands responsible for network security. Assessments are an annual process, and ideally organizations will work on their own monthly assessments to prevent lots of work during the annual check. However, not all commands follow this advice. “It’s a maintenance cycle,” he said, noting that commanders will be held accountable for yearly information assurance assessments and inspections.
To achieve the inspections within budget, the command will leverage existing certification/accreditation processes. The new process will allow organizations to access the data repository to validate an organization’s IA process. This also allows ARCYBER to see what risks are accepted by an organization, Weaver said. By collecting data in this manner, the command can make decisions based on facts, rather than estimates, to support fundamental assessment results, he said.
Army Cyber's efforts to streamline its accreditation methods also allow it to support larger departmentwide efforts such as the Command Cyber Readiness Inspection (CCRI) process. This pilot effort is a series of Cyber Command-directed inspections that will cover the entire DOD and look at every individual organization's and command’s networks in depth. These deep assessments will look at all aspects of an organization’s cybersecurity policies, processes and systems down to the lowest tactical level, Weaver said. The deep inspections will not happen often, but he predicted that initial results “will be ugly” for most organizations.
This process, which is managed by the Defense Information Systems Agency, will allow visibility into all Defense Department areas, Weaver said. The CCRI will assess organizations’ cyber defenses and use red and blue teams to locate network vulnerabilities, Weaver said. Army Cyber will participate in the CCRI in fiscal 2013. To do so, Army Cyber plans to establish five teams to support this process. However, they are currently unfunded, he said. One possibility is to tap National Guard or Army reserve units for this activity, he said.