Improving the Cybersecurity of U.S. Air Force Military Systems Throughout Their Life Cycles

Abstract

The governance structure for cybersecurity defined by the laws and policies at the federal, DoD, and Air Force levels is voluminous and complicated. Even summarizing this body of oversight would require a document of considerable length. We do not attempt a comprehensive review, but instead describe this governance structure in light of the principal issues raised in Chapter One. We first highlight key facets of legislation and federal and DoD policy, including some relevant history, to identify the stakeholders, requirements, and constraints within which Air Force cybersecurity must operate. The second part of the chapter outlines cybersecurity practice within the Air Force, paying particular attention to roles and responsibilities and feedback. One important aspect of the laws and policies is that they change frequently relative to the duration of the life cycle of a military system. In practice, this frequent reworking of the governance structure for cybersecurity means that military systems often fall under multiple governance structures over the course of their life cycles. As we document in this chapter, cybersecurity governance has changed significantly every several years, whereas many weapon systems have service lives in the decades. Indeed, some systems predate most of the modern governance structures and, while in sustainment, have to varying degrees been managed under multiple cybersecurity frameworks. These temporal changes therefore present a challenge to assessing the success or shortcomings of laws and policies, because many of the laws and policies have not been in effect long enough to correlate with specific outcomes.

Document Details

Document Type

Technical Report

Publication Date

Jan 01, 2015

Accession Number

ADA623202

Entities

Tags