Cyber Resiliency & Cybersecurity Policy
Abstract
FY 2023 Accomplishments:

Assessments: Conduct Cyber Risk Assessments in support of CCMDs:

Combatant Commands Mission Level Cyber Risk Assessments (MLCRA):
- Completed a year-long campaign of learning with the capstone being Mission Resilience II in support of USSPACECOM. Emphasis and focus were placed on the command-and-control capabilities and the cyber risk to the mission sets served by the system. The process identified several cyber risks to mission operations of the system. Results informed the 2023 Weapon System and DCI Cyber Hardening IAPR, USSPACECOM Integrated Priorities, and Strategic Cybersecurity Program 4-star level briefings.

Deep Cyber Resiliency Assessments (DCRAs):
- Completed six DCRAs for mission partners across the DoD, including a high-priority special request from a Combatant Command (CCMD). Mission partners include Army Materiel Command, NASA, USTRANSCOM, USSTRATCOM, and USINDOPACOM.
- DCRA continues to provide mitigation strategies based on mission analytics for DoD and OGA partners to prioritize critical cyber risk to mission elements in policy and priority risks.
- DCRA efforts continue to develop tools and assessment capabilities to map and quantify non-kinetic effects to weapon platforms, weapon systems, and critical infrastructure.

CCMD Mission Analytics (CCMA):
- Developed a methodology to measure and weigh combatant commands' mission interdependencies and to define risk to mission from kinetic and non-kinetic fires.
- Defined the scope of the risk-to-mission effort to steady-state and combat operations dependencies and how these dependencies change when moving between these postures.
- Established working relationships with nine of 11 Combatant Commands (CCMDs) and developed initial risk-to-mission dependency weightings for 14 of 55 relationship threats, with a plan to be at 30 by the end of calendar year 2023.
- Prioritized this effort by functional-to-geographic command relationships first and functional-to-functional command relationships second.
- Integrated and tested provisional results into the Mission Level Cyber Risk Assessment (MR-II), with complete concurrence that the results were valid and relevant.
- Provided risk-to-mission insight to Deep Cyber Resiliency Assessments to elevate tactical-level cyber results to their relevant operational-level mission impacts.

Cyber Risk Mitigation:
- In coordination with the Services, National Security Agency, DoD CIO, Joint Staff, USTRANSCOM, USEUCOM, USINDOPACOM, USCYBERCOM, Air Force Cyber Resiliency Office for Weapons Systems (CROWS), OUSD(I&S), and USSTRATCOM, refined the requirements and desired functionality for the Cyber Risk Mitigation Tool (CRMT).
- Based on these requirements, the CRMT team refined visualizations to include dynamic scorecards, tree charts based on National Institute of Standards and Technology (NIST) vulnerability family, visualization of risk against operational and contingency plans (OPLAN/CONPLAN), mission and system decomposition, the interrelationship of systems and vulnerabilities via link diagram, potential mitigations based on available budget, and dynamic Sankey charts showing the relationship of missions, systems, planning, and organizations.
- Updated the SIPRNet-based version of the CRMT, which focuses on the status of Service cybersecurity assessments covering priority weapon systems and critical infrastructure, to automatically import data from systems of record.
- Successfully advocated to place additional ADVANA dashboards in the JWICS tool to show in-depth analytics on cyber vulnerabilities and mitigations.
- Advocated for and provided initial funding to put ADVANA on JWICS to enable the CRMT to provide in-depth analytics on cyber vulnerabilities and mitigations while ensuring data security.
- The SIPRNet version of the tool is projected to reach full operational capability in September 2023, and the JWICS version is projected to reach initial operational capability in December 2023.
- The CRMT Data Analysis Team developed high-impact cybersecurity scorecards in support of the Weapon System and Defense Critical Infrastructure (DCI) IAPR.

Cybersecurity for Weapon Systems and Defense Critical Infrastructure (DCI):
- Developed and coordinated the Strategic Cybersecurity Program Directive-Type Memorandum for issuance.
- Supported multiple OUSD(A&S) Integrated Acquisition Portfolio Reviews with cybersecurity contributions as a factor in determining overall acquisition risk, including the conduct of an IAPR focused solely on cyber hardening of weapon systems and defense critical infrastructure, which was conducted in collaboration with multiple Combatant Commands.
- Established a Competitive Acquisition Pathfinder aligned with cybersecurity for a priority DoD mission area.
- Developed a Cyber Risk Mitigation Plan (CRMP) in support of identified installation cyber risks.
- Supported Cyber Supply Chain Risk Management initiatives across the Department, including support to implementation of the Section 889/1656 prohibitions on covered information and communication technologies for programs in acquisition and sustainment.
- Began development and establishment of a standardized risk calculus for reporting control systems in relation to critical infrastructure; a control systems and critical infrastructure common lexicon, taxonomy, and ontology; and an assessment reporting template of minimum required data for control systems and critical infrastructure.
- Initiated planning for Installation Critical Infrastructure (ICI) cybersecurity engagement with NATO and supported ICI cybersecurity engagement with Poland.

Weapon System Cyber Security - Cybersecurity Supply Chain Risk Management (C-SCRM):
- Initiated a study of DIB cybersecurity in collaboration with DoD CIO.
- Collaborated with DoD CIO and other DoD stakeholders in the development of the initial DoD DIB Cybersecurity Strategy.
- Initiated planning for Weapon System C-SCRM pilots.

Capability Portfolio Management for Cyber Capabilities:
- Conducted follow-on mission analysis to the USD(A&S)-chaired Cyberspace Operations Enterprise Integrated Acquisition Portfolio Review (IAPR) meeting on June 28, 2022, which highlighted the need for a dedicated and enduring joint cyberspace operations capabilities System of Systems (SoS) Systems Engineering & Integration (SE&I) lead organization. Developed an Acquisition Decision Memorandum which formalized USCYBERCOM's authorities and responsibilities in this area.
- In coordination with USCYBERCOM, developed options for a PEO JWCA organization at USCYBERCOM.

Cybersecurity Maturity Model Certification (CMMC):
- Completed formal review and coordination of the 32 Code of Federal Regulations (CFR) proposed rule text on the Cybersecurity Maturity Model Certification (CMMC) 2.0 program with the DoD Office of General Counsel (OGC) and the Small Business Administration. Submitted the proposed rule to the Office of Information and Regulatory Affairs (OIRA) in the Office of Management and Budget (OMB) in July 2023 to support their mandatory review requirement.
- Completed and submitted the Initial Regulatory Flexibility Analysis (IRFA), the Regulatory Impact Analysis (RIA), and the Paperwork Reduction Act (PRA) documentation to OMB/OIRA in July 2023.
- Developed updates to the CMMC Enterprise Mission Assurance Support Service (eMASS) to support the DCMA-developed NIST SP 800-171 scoring algorithm and POA&Ms for CMMC Level 2. Updated the data standard to reflect changes in CMMC 2.0, including the change from five levels to three; changes in assessor types; assessment scoring for security requirement objectives; conditional and final assessment certificates; and assessing against the NIST standard instead of the CMMC 1.0 model.
- Developed CMMC program adoption and effectiveness metrics. Developed a tool to map attack TTPs to CMMC security requirements.
- Partnered with OUSD(A&S) to conduct a study related to securing the DIB and provided resources to support a pilot for DIB Cybersecurity Services for small businesses that is being led by the OUSD(A&S) Office of Small Business Programs.
- Supported a supply chain illumination for a key weapon system. The effort focused on identifying manufacturers, direct suppliers, and indirect suppliers to the program. The illumination identified potential fragile nodes within the supply chain that could hamper or halt production of the weapon, including but not limited to foreign exposure, financial and operational health, and raw or refined materials bottlenecks.
Document Details
- Document Type
- Accomplishment
- Publication Date
- Oct 01, 2025
- Source ID
- 8f745fc2c9b292f20948258e8c154c5b