Mitigating Risk to DOD Information Networks by Improving Network Security in Third-Party Information Networks
Abstract
Poorly defended third-party information networks can act as an attack vector for cyber attackers to successfully breach larger and more robustly defended information networks. Therefore, third-party networks connecting to Department of Defense (DOD) information networks may pose a significant risk to the DOD. The DOD has attempted to alleviate this risk to its networks by requiring covered defense contractors to meet certain network security standards and by initiating a cyber threat information sharing program: the DOD Defense Industrial Base (DIB) Cyber Security/Information Assurance (CS/IA) Program. However, these DOD actions are not aggressive enough to adequately mitigate this risk to DOD networks. To adequately address this problem, an expanded and more aggressive incentive-based program is required. Existing federal government incentive-based programs were analyzed as potential exemplars from which to build a new incentive-based network security program. The Department of Homeland Security's (DHS's) Safety Act Program was ultimately chosen as the primary exemplar. Using this model, an Enhanced DOD CS/IA Program was designed to offer the DOD a system that can influence the improvement of third-party network security through a structure of synchronized network security controls and incentives. By implementing the proposed DOD Enhanced CS/IA Program to improve the network security of third-party networks that connect to DOD networks, the DOD can better mitigate the risk of cyber attacks to its own networks.
Document Details
- Document Type: Technical Report
- Publication Date: Jun 01, 2016
- Accession Number: AD1026676
Entities
People
- Michael J. Kansteiner
Organizations
- Naval Postgraduate School