Inspections and incidents across the Department of Defense (DoD) reveal a need to reinforce basic cybersecurity requirements identified in policies, directives, and orders. In agreement with the Secretary of Defense, the Deputy Secretary of Defense, and the Joint Chiefs of Staff, the DoD Chief Information Officer (CIO) identified key tasks needed to ensure those requirements are achieved. The DoD Cybersecurity Campaign reinforces the need to ensure Commanders and Supervisors at all levels, including the operational level, are accountable for key tasks, including those identified in this Implementation Plan. The Campaign does not relieve a Commander’s and Supervisor’s responsibility for compliance with other cybersecurity tasks identified in policies, directives, and orders, but limits the risk assumed by one Commander or Supervisor in key areas in order to reduce the risk to all other DoD missions.
As part of the Campaign, this Implementation Plan is grouped into four Lines of Effort. The requirements within each Line of Effort represent a prioritization of all existing DoD cybersecurity requirements. Each Line of Effort focuses on a different aspect of cybersecurity defense-in-depth that is being exploited by our adversaries to gain access to DoD information networks. The four Lines of Effort are:
1. Strong authentication – to degrade the adversaries’ ability to maneuver on DoD information networks;
2. Device hardening – to reduce internal and external attack vectors into DoD information networks;
3. Reduce attack surface – to reduce external attack vectors into DoD information networks; and
4. Alignment to cybersecurity / computer network defense service providers – to improve detection of and response to adversary activity
In conjunction with this Implementation Plan, a DoD Cybersecurity Scorecard effort led by the DoD CIO includes prioritized requirements within these Lines of Effort. Although similar to and supportive of one another, they maintain two distinct reporting mechanisms with two distinct targets. Commanders and Supervisors at all levels will report their status with the requirements in this Implementation Plan via the Defense Readiness Reporting System (DRRS), allowing leadership to review compliance down to the tactical level. In contrast, the Cybersecurity Scorecard is a means for the Secretary of Defense to understand cybersecurity compliance at the strategic level by reporting metrics at the service tier.
Securing DoD information networks to provide mission assurance requires leadership at all levels to implement cybersecurity discipline, enforce accountability, and manage the shared risk to all DoD missions. By including cybersecurity compliance in readiness reporting, this campaign forces awareness and accountability for these key tasks into the command chains and up to senior leadership, where resourcing decisions can be made to address compliance shortfalls.
The Cybersecurity Discipline Implementation Plan and Cybersecurity Scorecard efforts are critical to achieving the strategic goal of Defending DoD information networks, securing DoD data, and mitigating risks to DoD missions as set forth in the 2015 DoD Cyber Strategy. The aforementioned line of efforts and associated tasks shall be linked to DoD Cyber Strategy implementation efforts whenever possible.
The DoD Cybersecurity Campaign, reinforced by the USCYBERCOM Orders, will begin as soon as possible. Reporting on cybersecurity readiness in the scorecard and DRRS will begin as soon as possible.