SAN DIEGO—The battlespace of modern and future combat is trending to cyberspace as a critical terrain and as a means to deliver weapons effects. The Navy’s Cooperative Strategy for 21st Century Seapower articulated the need to coordinate offensive and defensive cyber operations with its operations in other domains. Effective implementation of cybersecurity lays the foundation for effective cyber-defense operations.
To ensure critical warfighting capabilities can operate, fight and win in a contested cyber environment, the Navy is modeling a focused cybersecurity program on a well-established and rigorous submarine force program that has ensured watertight integrity and safety. The Navy’s former Chief of Naval Operations, Adm. Jonathan Greenert, directed CYBERSAFE to pattern its work on Naval Sea Systems Command’s (NAVSEA) Submarine Safety, commonly called SUBSAFE, program — a quality assurance program designed to maintain the safety of the Navy's nuclear submarine fleet.
CYBERSAFE is a major Navy initiative to protect the Navy’s ability to operate in cyberspace by focusing on mission assurance of critical warfighting components. The goal of
CYBERSAFE is to provide “maximum reasonable assurance” to ensure naval forces can execute their missions. To achieve this goal, the Navy is instituting a holistic approach to cybersecurity by addressing the following issues: user behaviors; force operations; definition and institution of the Defense-in-Depth Functional Implementation Architecture (DFIA); cybersecurity requirements; and inheritable cybersecurity controls derived from the National Institute of Standards and Technology.
By creating a “culture of cybersecurity” and understanding of the warfighting impacts of cyber, this initiative will help position the Navy for 21st century warfighting challenges.
Achieving this goal will require support and commitment from all organizations at all levels. On the acquisition side, this effort is being coordinated among the Navy’s five systems commands (SYSCOMs): NAVSEA, Naval Air Systems Command (NAVAIR), Space and Naval Warfare Systems Command (SPAWAR), Naval Supply Systems Command (NAVSUP) and Naval Facilities Engineering Command (NAVFAC). They are developing processes that consistently identify and implement security controls for a subset of mission-critical Navy systems. Results of this effort will lead to an increase of secure Navy systems that provide survivability and resiliency of critical warfighting capabilities with solutions including material, software and operations.
This new cultural and technical paradigm is necessary due to the interconnected nature of today's Navy systems. Adversaries can exploit potential vulnerabilities within and/or between systems. CYBERSAFE material solutions will segment enclaves, such as weapons, machinery and C4I (command, control, communications, computers and intelligence), with new control points which will allow the fleet to maneuver in response to threats in a contested cyber environment.
As part of a complete Navy-wide approach, CYBERSAFE has three main facets: Cyber System Level, CYBERSAFE Grades and Cyber Conditions of Readiness. The SYSCOMs and acquisition commands are working on the first two elements. The fleet, in collaboration with the SYSCOMs, is working to solidify the operational aspects of Cyber Conditions of Readiness.
In FY16, the SYSCOMs and associated program executive offices will start evaluating all their systems to determine if they are CYBERSAFE Grade A (Mission Critical Systems), B (Mission Essential Systems) or C (Non-Mission Essential Systems). Once these grades are determined, appropriate security controls will be applied to the systems.
Security Control Overlays for Grades A and B — which are derived from Committee on National Security Systems Instruction and National Institute of Standards and Technology security controls — are being finalized by the Information Technology/Information Assurance Technical Authority Board (IT/IA TAB). Vulnerabilities will decrease as the SYSCOMs consistently apply these security controls and as the controls are engineered into Navy systems. In addition to implementing the security controls, continued close coordination, oversight and testing will be necessary to achieve success.
To ensure comprehensive protection, the Navy is moving forward with new policies and processes designed to protect critical systems from the various forms of cyber-attack. Moving in parallel with the development and implementation of CYBERSAFE is the Navy’s transition from the existing DoD Information Assurance Certification and Accreditation Process (DIACAP) to the Risk Management Framework (RMF); the IT/IA TAB is producing numerous standards and specifications for the SYSCOMs to implement as part of the Navy’s holistic DFIA enterprise cybersecurity architecture.
CYBERSAFE, RMF and DFIA each require the Navy’s technical and acquisition communities to identify and engineer cybersecurity standards, specifications and security controls into the system design earlier in the development process. As these three initiatives move forward together, efficiencies can be found through policies that identify and leverage both common security controls and inherited security controls.
As CYBERSAFE and the other initiatives mature, Navy leadership will be in a better position to assess the cyber risk of systems, enclaves, platforms and strike groups. A more complete picture of cyber vulnerabilities, assisted by the emerging Navy Cybersecurity Situational Awareness capability, will facilitate risk decisions to reduce known vulnerabilities, improve the Navy’s overall cybersecurity posture and increase our overall operational readiness.
The Navy conducted its first functional test of the CYBESAFE processes in November 2015 with Automated Digital Network System (ADNS) Increment III. SPAWAR’s CYBERSAFE Test Drive helped evaluate how existing engineering and change processes throughout the acquisition lifecycle can be used to implement new security controls. The remaining SYSCOMs will undergo their CYBERSAFE Test Drives between January and March 2016 to ensure they have the instituted an executable CYBERSAFE process across their area of responsibility.
As CYBERSAFE is implemented; it will drive Navy programs to add cybersecurity controls to legacy systems while also requiring these security controls to be incorporated early into a system’s design. This acquisition focus, combined with an emerging emphasis to develop a Navy-wide culture of cybersecurity awareness will position Navy leadership to make cybersecurity risk decisions that will result in improved operational readiness.
Capt. Elliott, Ms. Vyas and Mr. Lazarski are the CYBERSAFE Directors for OPNAV, SPAWAR and PEO C4I , respectively.