CHIPS Articles: Capt. Danelle Barrett, Chief of Staff Navy Information Dominance Forces

Capt. Barrett explains NAVIDFOR efforts on behalf of Task Force Cyber Awakening and the fleet
By CHIPS Magazine - October-December 2014
Capt. Danelle Barrett is an Information Dominance Corps Officer and has been an Information Professional Officer for 25 years.

Q: I understand that you are working on the Fleet Readiness Council Cyber Security Plan of Action and Milestone for near-term fixes to address cybersecurity shortfalls together with U.S. Fleet Cyber Command, the type commanders, fleet commanders and systems commands on action items that can get accomplished within the next 12 months. Have the issues and any near-term fixes already been identified?

A: Many near-term fixes have been identified and are being implemented or will be within the 12-month window. I’ll give you a few examples. At NAVIDFOR we promulgated a Cybersecurity Readiness Manual (CSRM) that provides deckplate level advice on technical procedures to implement to improve the Navy’s cybersecurity posture. The best practices included in the manual were culled by our team using feedback from over two years’ worth of training and assist visits, Fleet Cyber Command Cyber Security Inspections, INSURV inspections, post-deployment feedback from deploying strike groups, etc.

This is not a one-time effort; we are updating that manual every quarter and including additional information from new feedback we receive. We are trying to ensure that we codify those best practices and keep iteratively improving that guidance to Navy cybersecurity personnel to improve their readiness.

In August, we also updated the Commanding Officer’s Cybersecurity Handbook which provides guidance and oversight for command leadership (commanders, commanding officers, officers in charge, and cybersecurity management personnel) on the implementation and improvement of a command's cybersecurity program. We are working with NAVSUBFOR on combining their CYBER-1 Handbook of similar guidance into one document that will be released at the end of January 2015.

We are also working with the systems commands and getting great support from SPAWAR, NAVAIR, and NAVSEA to ensure that those best practices that need to be included in the Navy’s formal 3-M Preventive Maintenance system are included.

To that end the SYSCOMs have developed new Maintenance Requirement Cards for two systems, the Host Based Security System (HBSS) and the Windows Server Update Services (WSUS), and we expect those released to the fleet by 31 December 2014. Also, on the process side, Fleet Cyber Command is simplifying the cybersecurity orders issuing process to reduce the type and complexity of operational orders which can currently be confusing for the fleet to discern priorities. They are also implementing a “One Stop Shop” on their portal and on their Collaboration at Sea page to find all orders and their references — so lots of great synergy across many commands on many fronts to streamline guidance and direction.

Q: Are the participants responsible for identifying the near-term fixes under their responsibility? Can you describe how they will work together?

A: The short answer is yes, but the long answer is that many of the tasks are complex, requiring close collaboration and coordination across many stakeholders. The initial goals were set by IDFOR in working with the other stakeholders (primarily fleet commanders, SYSCOMs/PEOs, platform type commanders (TYCOMS), Fleet Cyber Command and Task Force Cyber Awakening (TFCA)). Due dates were set by IDFOR and were intentionally aggressive to ensure that we would get implemented solutions/outcomes by the 12-month point. We can’t just get together to admire the problems, we have to fix them.

What’s important to realize is that there were pockets of great work on many of these initiatives already started, but they were uncoordinated across all the stakeholders — or they had hit roadblocks of institutional resistance/institutional inertia. That’s where applying the Readiness Kill Chain process and bringing the Cybersecurity POA&M progress to the two four-star fleet commanders once a month at the Fleet Commander’s Readiness Council helps to keep everyone honest and initiatives on track.

Some of the tasks led to additional work being added to the POA&M as did other initiatives in the fleet like the INSURV report on “Achieving Better Onboard Network Security” — which resulted in several new short-term action items being added in August to the Cybersecurity POA&M effort for us to track and implement.

We also found that some of the action items had many tentacles that required more time to sort through. So to provide an example of where we had to modify some tasks, our original task to ensure all SYSCOMs and PEOs registered their programs in the Vulnerability Remediation Asset Manager (VRAM) system by the end of September so that everyone would have shared situational awareness on everything connected in Navy to the Department of Defense Information Systems (DODINS) uncovered questions about non-POR (program of record) systems, Combat Systems and Hull, Mechanical and Electrical (HM&E) systems as well. The task was revised to include those, and other systems that are not continuously connected to the DODINS so we could capture the whole scope. A 90-day extension was given but the task will still be completed well within the 12-month point.

Q: Will you be looking at programs of record, warfare systems, processes and naval networks?

A: Yes to all of those. Some tasks are process focused (i.e., reducing the number and type of operational orders to make direction to the fleet clearer, having a “One Stop Shop” with FLTCYBERCOM for the orders and a “One Stop Shop” identified by SPAWAR for all SYSCOM/PEOs patches and vulnerability remedies), others are focused on material solutions, training, and manpower for POR and non-POR systems. Tasks run the gamut.

Q: Do you anticipate that fixes can be accomplished in conjunction with scheduled modernization efforts and maintenance with existing funds?

A: Yes, where we have scheduled modernization, we are not looking to duplicate those improvements, i.e., the tools and capabilities that come with Consolidated Afloat Networks and Enterprise Services (CANES) upgrades, also understanding the complexities of ships' availabilities and funding spread out over the Future Years Defense Program (FYDP).

In some cases, existing funding will need to be reprioritized within a POR or additional funding set aside for emergent fixes. Our budget and acquisition processes are currently not agile enough to be responsive in the way we need them to be. For example, we are advocating that there be execution year funding set aside to quickly be allocated to addressing the most pressing cybersecurity concerns that emerge. Sort of like the aviation and surface enterprises do with execution year funding for steaming/flying days, Navy would have flexibility to allocate cyber “steaming days” in the same manner. This is one of the tough tasks that Task Force Cyber Awakening, the CNO N2/N6 (Deputy Chief of Naval Operations for Information Dominance) effort to work the larger systemic and governance issues, is helping with.

Q: Will you be reporting your progress directly to OPNAV N2/N6 as part of Task Force Cyber Awakening?

A: We closely collaborate on a daily basis with TFCA, and one of our key NAVIDFOR personnel, Cmdr. Damian Blossey, is our permanent representative to the TFCA effort. His full-time focus is TFCA, and he ensures that our two groups stay linked. We also have several others at the Action Officer level who do the same. It’s important that our efforts are aligned and stakeholders are not double-tasked, or receive duplicative or confusing tasking.

Our two groups coordinate closely, particularly when a task seems to be more appropriate with the other group, for example, a few of the tasks we started with like determining how execution year funds would be applied to fix emergent problems were really more TFCA/Echelon I appropriate so were passed to them and removed from our POA&M.

Our reporting for this effort is to the fleet commanders via the FCRC (Fleet Commanders’ Readiness Council), and our charter is primarily fleet-focused and short-term, again — what actionable cybersecurity efforts we can make a reality in a 12-month window. I suspect that we will continue beyond the initial 12 months but with new tasks. Any task we take on needs to be finished with the fleet seeing the outcome and improvement within that 12-month timeframe.

Capt. Danelle Barrett, Chief of Staff Navy Information Dominance Forces (COMNAVIDFOR)
CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988