DoD SYSTEMS NEED CYBERSECURITY AND CYBER RESILIENCY TO ACHIEVE CYBER SURVIVABILITY
By Steve Pitcher
In 2015, the Deputy Secretary of Defense tasked the Joint Staff to improve requirements for weapon systems cybersecurity, which resulted in adding a Cyber Survivability Endorsement (CSE) to the Joint Capabilities Integration and Development System (JCIDS) Manual’s System Survivability Key Performance Parameter (SS KPP). The tasking was driven by the 2015 Director of Operational Test and Evaluation (DOT&E) annual report, which highlighted that the same high-risk vulnerabilities were being found in almost every tested system, and that these repeated vulnerabilities should have been fixed prior to operational test and evaluation (OT&E).
This situation arose because requirements documents did not include contractually binding cybersecurity and cyber resiliency threshold performance requirements and instead relied on compliance with Federal Information Security Management Act (FISMA), National Institute of Standards and Technology (NIST), Committee on National Security Systems (CNSS), and Department of Defense (DoD) guidance. Because the only cyber threshold requirement for legacy systems was enough cybersecurity compliance to obtain an Authorization to Operate (ATO), DOT&E repeatedly identified significant cyber risks that would require reengineering to mitigate or remediate. Unfortunately, the recommended remediation efforts were frequently too costly, or too performance-robbing, to yield operationally acceptable levels of performance and mission assurance.
A focus on cyber survivability ensures Warfighter systems are designed with sufficient cybersecurity and cyber resilience to prevent, mitigate, recover from, and adapt to cyber events by applying a risk-managed approach to building and maintaining systems, as stated in the 2021 JCIDS Manual. As illustrated in Figure 1, cyber resiliency and cyber survivability are closely related concepts, sharing similar technologies and practices; but cyber survivability holistically includes both cybersecurity requirements and cyber resiliency constructs.
Figure 1. The Holistic Relationship of Cyber Survivability to Cybersecurity and Cyber Resilience.
Although compliance with the DoD’s Risk Management Framework (RMF) remains compulsory, RMF compliance alone is not sufficient to achieve and maintain an operationally relevant cyber risk posture, or a resilient, survivable capability for mission assurance. JCIDS is transforming acquisition, with CSE guidance placing cybersecurity and cyber resiliency minimum viable requirements on equal footing with all other system performance requirements during cost, schedule, and performance risk trade-space decisions. Program Managers (PMs) can use Cyber Survivability Attribute (CSA) threshold requirements to justify resourcing specific technical controls from FISMA, NIST, and CNSS, but RMF guidance does not define how a linkage to the CSAs could be used to support a PM’s efforts in pursuit of cyber survivability. In addition, requirements for obtaining a continuous ATO (cATO) or implementing Zero Trust could also be contractually defined through the CSAs.
CSE provides exemplar language for 10 holistic CSAs to support a resource sponsor’s tailoring of cyber performance requirements associated with the 4 pillars of the SS KPP (prevent, mitigate, recover, and adapt). The Adapt pillar was added to proactively respond to cyber risks throughout a capability’s life cycle. All 10 CSAs must be considered early in a capability development effort to effectively understand the mission and resource risk implications for that capability. Selecting and tailoring a subset of the CSAs then defines the threshold performance requirements most critical to the capability’s survivability and its move, shoot, and communicate functions.
CSE targeted the inability of compliance-driven cybersecurity processes to build in sufficiently robust capabilities to prevent (resist/anticipate), mitigate (absorb/withstand), recover from, and adapt to the spectrum of cyber events, and it expresses those needs as plain-language requirements that a PM can understand. The Services have developed System Security Engineering (SSE) guidance to decompose that plain language into cybersecurity technical controls for fielding survivable capabilities, and they have begun developing test metrics to define a system’s Cyber Survivability Risk Posture (CSRP).
The CSE Implementation Guide (CSEIG) is purposely not prescriptive on how to determine a CSRP, but it provides information that allows the Services and Agencies to mature their own processes. These Agency and Service efforts—including the Office of the Under Secretary of Defense for Acquisition & Sustainment Deep Cyber Resiliency assessment, Army Cyber Operations Rapid Assessment-Platform, Air Force Measures of Performance Report, Air Force SSE Cyber Guidebook, Naval Air System Command’s SSE Process Guide, DoD Cybersecurity Test & Evaluation Guidebook, DoD Cyber Table Top Guide, MITRE’s work with the Air Force Research Laboratory’s CSA Tool, and the System Engineering Research Center’s Cyberattack Resilient Systems Report—are not, on their own, sufficient to define a measurable CSRP for the DoD. However, they all contribute to maturing the measurement of cyber resiliency and survivability, and their contributions toward a CSRP metric for cyber risk posture are planned for inclusion in CSEIG version 4.
CSE does not identify any new cybersecurity requirements. The CSE process helps requirement sponsors better understand the cyber risks to the capability’s mission-critical functions and provides exemplar performance requirements to state those cybersecurity and cyber resiliency requirements as a set of cyber survivability threshold performance requirements. These requirements are identified early enough in the acquisition process to inform engineering decisions and enable programs to include them during operational risk trade-space decisions for fielding a survivable minimum viable capability.
Requirement sponsors and PMs need to make defensible operational risk trade-space decisions. CSE associates cyber technical controls with the CSAs to help them identify the controls that will be most beneficial for that system’s survivability and its move, shoot, and communicate functions. Operational forces need systems that meet mission requirements and are survivable in their intended operating environment. The Warfighter needs and deserves cyber survivable capabilities, and, as noted above, the CSE framework supports creation of threshold performance requirements to prevent, mitigate, recover from, and adapt to cyber events by applying a risk-managed approach to building and maintaining systems.
Even though CSE is only mandatory for capability developments that are subject to the JCIDS process, the Services have seen enough resource and mission risk benefit to justify including cyber survivability requirements in capabilities using all acquisition pathways. CSE is particularly well suited to the higher technology readiness levels associated with rapid acquisition capabilities. Conversely, if alternative acquisition pathways, such as Middle Tier of Acquisition and Joint Urgent Operational Needs, do not effectively consider cyber survivability threshold performance requirements, they are at risk of not providing a survivable operational capability. Programs on all acquisition pathways should therefore consider, and sufficiently apply, the concepts outlined in the CSEIG to field survivable DoD capabilities.
CSE can reduce total life cycle costs (acquisition and sustainment) and improve mission assurance. This may seem counterintuitive, because retrofitting cybersecurity into legacy weapon systems has, at times, proven costly in both money and system performance. However, those outcomes were driven by the need to repeat the design and testing phases for flawed capabilities. When included in system design decisions, and made contractually binding, CSE’s cyber threshold performance requirements have the potential to support the acquisition of capabilities with acceptable levels of cyber resiliency and survivability, as well as sufficient operational performance.
ABOUT THE AUTHOR
Mr. Steve Pitcher is the Senior Cyber Survivability Analyst for the Joint Staff J6; Command, Control, Communications, Computers/Cyber (C4/Cyber) Directorate. He previously completed a 20-year career in the Air Force and then served as a civilian in the Missile Defense Agency before joining the Joint Staff in 2006. As part of the Joint Staff, he has focused on developing approaches to support coalition interoperability, data service, and hybrid mission planning and execution, and, more recently, has worked to define and promote properly articulated cyber survivability performance requirements to support system acquisition and to balance cyber security and cyber resiliency requirements with other functional requirements during operational risk trade-space decisions. Mr. Pitcher holds a B.S. in computer science and math from the University of Puget Sound and an M.B.A. from Embry-Riddle Aeronautical University. He is also a graduate of the Air Command and Staff College and Air War College and is a Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH).