Is the DoD the gold standard for the federal government in cybersecurity? I took this question to several government agencies in the hope of speaking to cyber SMEs and getting a definitive answer. Initially, I was just looking for a yes or no. What I found was both scary and hopeful, so please embark on this interview quest with me as we speak to two industry leaders and try to get to the bottom of this question.
Public Affairs offices within the DoD
Approaching several Public Affairs offices within the DoD related to cyber programs, I got a mix of answers. Some were more promising than others…and some, well, frightening. One DoD agency in particular was initially excited for the opportunity to answer a question that would be shared with the public; in the end, however, it turned down the opportunity, saying, “We are unable to address conflicts or potential differences in policy between USG authorities. We are not positioned to provide comment on behalf of the entirety of DOD/OSD, as indicated by your topic of discussion.” As I am sure you can imagine, this answer had me scratching my head. If you don’t know this, there are only seven federal cyber centers in the USG. To make the cut of the seven, a Federal Cyber Center must meet the definition in National Security Presidential Directive 54/Homeland Security Presidential Directive 23. If one of the seven doesn’t feel qualified to answer that question, who is?
Input from DoD Industry Leader
I reached out to Angelique “Q” Napoleon, a Cyber Solutions Engineer and Senior Advisor at General Dynamics Information Technology, and one of the three finalists (winner to be announced soon) for Woman Hacker of the Year 2022. Q and her team work to provide solutions and build on the existing relationships within the USG. When speaking with her, I asked why she thought I was unable to get one of the federal cyber centers to answer my question.
She said, “First of all, I am not surprised to hear no one is interested in going on the record to make a comment. A lot of these agencies are struggling with manpower and staying financially afloat, not that it is the exact reason not to comment, but some of these agencies are afraid to make any waves. Don’t get me wrong, they are good at what they do, but some of them are vulnerable and trying to stay alive and relevant. Who would want to answer that question when they are battling for existence? So many agencies are standing up their own version of Defense Industrial Base (DIB) programs, so the internal competition is in full play.”
The Pentagon is getting 8% of the DoD budget to invest in cybersecurity initiatives. On March 28, the Biden administration’s fiscal year 2023 budget showed an increase of $800 million (the 8%). I dug a little deeper and saw only U.S. Cyber Command mentioned as a potential destination for the money. How is that possible when there are seven dedicated federal cyber centers? Does it make sense to keep splitting the budget, or potentially to stand up new cyber centers, rather than investing in and growing the ones that exist? It’s hard enough to identify solid missions and figure out internal and external stakeholders, let alone pick a lane and stick to it.
“Q” said, “I have worked for DoD for over 26 years. In addition, I have done commercial work as well. I am confident in saying that the DoD is the gold standard when it comes to policy. DoD has a lot of rules and regulations and some of the best policies in software assurance. Commercial entities abide in order to maintain their state and federal regulations…that is their driving force. National security is a game for keeps. Commercial entities care about employees, lawsuits and profit margins, as they should. GDIT is among the largest cleared defense contractors and strives to follow DoD best practices and implement them at every level. They are a great company and follow suit with DoD regulations. As someone who has been in this game for a while and has seen what bad and good cybersecurity posture can do, I am glad to be a part of a team that focuses on being the absolute best. The DoD’s sole objective is supporting the warfighter, and those companies (primarily the DIB) are dedicated to supporting that same mission.”
Exploring those federal rules and regulations brings us to CMMC, whose direct impacts only the DIB will see. “Q” adds, “DoD needs to revisit a lot of their insider threat and telework policies. With a lot of these major policy updates paused due to the last 3 years of COVID impact, it’s time to really explore if any damage was done due to the stop work from COVID.”
Input from DIB Leader
I spoke to Kemal Piskin, CISO for LinQuest Corporation, which is part of the DIB, to help find the answer to the gold standard question.
“At LinQuest, we provide innovative and high-quality technologies, solutions, and services to national security and industry customers focused on the convergence of C4ISR, information, and cyber systems. With that in mind, we primarily do work for the DoD, so we are completely in tune with what is happening in DoD and what their latest requirements list says. When we talk about NIST 800-171, it’s essentially a checklist referencing a set of controls and policies we need to adhere to, to maintain our DoD contracts and qualify for new ones. With this checklist, there is no guidance specifically relating to how to meet these controls and policies; however, DoD is becoming more prescriptive in that manner. For example, FIPS 140-2 is listed as a requirement, but it may make more sense to take a less specific and more risk-based approach that ensures time such as “using modern cryptography.” Providing very specific parameters increases compliance costs and reduces flexibility while at the same time not taking risk factors into consideration. Do I think the DoD is the gold standard in cyber security within the federal government? I think it’s not an apples-to-apples comparison with other federal agencies, so it’s really difficult to say. But I will say this: DoD has made great strides in trying to improve protecting critical information and giving our warfighters the edge. I believe by shifting to a more risk-based approach we can take things to the next level. CMMC certification is also a good step in validating who is actually protecting information and who is not.”
Piskin brought up a lot of interesting points and even referenced other NIST areas that are making major headway within the ITIL framework as organizations set out to manage IT systems. I was able to infer from his tone while discussing this topic that he, like so many others, is looking for avenues inside the DoD that will provide guidance on these checklists and ultimately help the DoD achieve the gold standard.
- “Hearing on NSPD-54/HSPD-23 and the Comprehensive National Cyber Security Initiative”. Senate.gov. Retrieved 7 January 2011.
- “Cybersecurity Policy” (PDF). Federation of American Scientists (FAS). National Security Presidential Directive (NSPD) 54 / Homeland Security Presidential Directive (HSPD) 23. 8 January 2008. p. 15.