U.S. Navy cyber experts are transforming security in their focus areas not only through new technologies, but also — and perhaps more comprehensively — through an entirely new approach to development. Cybersecurity no longer will be layered on at the end of a system’s development, but built into every step in the development process, providing greater protection for data and users.
This change in approach means much more than adjustments to technology. Cybersecurity is a high priority and an emerging requirement. As such, it competes with other program requirements, so program managers have to examine financial obstacles along with technical ones. They also have to weigh operational risk reduction when incorporating cybersecurity requirements that may affect the implementation of other programmatic requirements necessary for other valid mission capabilities.
The Program Executive Office Command, Control, Communications, Computers and Intelligence (PEO C4I) foundation for this new approach, especially on afloat platforms, is the Consolidated Afloat Networks and Enterprise Services (CANES) program managed by the Navy’s Tactical Networks Program Office (PMW 160). Additional key pieces to the new approach — used by CANES and other programs — are the Risk Management Framework (RMF), CYBERSAFE and the Information Assurance Technical Authority (IA TA) standards for cybersecurity. (You can read more about CYBERSAFE by going to this CHIPS article: www.doncio.navy.mil/CHIPS/ArticleDetails.aspx?id=7374.)
CANES, which is being implemented on ships and submarines across the Navy, replaces five legacy shipboard networks, enabling a greater networking capability while also providing enhanced cybersecurity. From the system’s inception, instituting security controls has been a key concern of developers, and their approach to cybersecurity has several distinct features.
It involves a certification and accreditation process based on National Institute of Standards and Technology (NIST) standards as well as regular reviews by senior certification authorities. CANES involves a continuum of cybersecurity testing starting at the first stages of development and continuing throughout the application lifecycle. It has implemented additional automation for software patching requirements, and CANES is automating the network scanning and vulnerability management process to remove this burden from the Sailors in the fleet.
However, the focus on cybersecurity is larger than any one program or effort. It’s an enterprise-wide attempt across the entire Defense Department and the larger federal government to standardize security in the increasingly connected world, which is why RMF, CYBERSAFE and IA TA are so important.
The Risk Management Framework offers a unified information security framework that spans the entire federal government so that everyone is working to meet a consistent set of security controls. CYBERSAFE is a Navy initiative that aims to provide the maximum reasonable assurance that naval forces will have the cybersecurity in place to execute the mission. In keeping with the idea that cybersecurity needs to be a part of everything, not a separate entity, CYBERSAFE takes a holistic approach that ranges from user behaviors to inheritable security controls derived from NIST.
“As a leader for Navy cyber acquisition, PEO C4I has a large role to play in the implementation of CYBERSAFE,” Ed Lazarski, PEO C4I’s director of cybersecurity, explains. “The pilot test of CYBERSAFE was a PEO C4I program. Now, we’re working to ensure that future systems are developed with cybersecurity as a major focus.”
The Navy’s IA TA cybersecurity standards and protections come into play to make the overarching approach to cybersecurity a reality. These standards provide a defense-in-depth segment-and-protect approach to improving cybersecurity at the system-of-systems level, and PEO C4I is working to implement these standards as early as possible throughout the enterprise.
For any of these activities and programs to work, all pieces of the C4I, surveillance and reconnaissance development and implementation processes must fit and follow the same rules, including adopting contract language that is consistent across all programs and funding profiles to support these emerging security enhancements. As the Navy and other services enter into agreements with their industry partners, they have to make clear the cybersecurity requirements and expectations so each piece of technology fits securely into a larger enterprise.
John Pope, PEO C4I executive director, explains, “The C4I systems that PEO C4I delivers connect our deployed ships and submarines to the shore. The C4I, combat and ship systems on these platforms rely on PEO C4I to provide high-capacity, cyber-hardened connections to the shore. To enable this, cybersecurity is now addressed upfront in C4I system requirements definition, design, production and test. As we budget for new systems and upgrades to deployed systems, the required cybersecurity components are now front and center in our planning.”
The result of all these efforts is a culture of cybersecurity across the Navy and all its partners that will help position the sea service to meet 21st century warfighting challenges.