
Tenable Blog


Department of Defense Officials Report on Cyber Risk-Based Decisions

In a new report, Navy, Air Force and Defense Information Security Agency (DISA) leaders provide insights into managing cyber risk and protecting critical infrastructure. Here is a quick summary. 

A recent survey of senior Department of Defense (DoD) cyber officials revealed a consistent focus on delivering accurate and actionable cyber risk information to support “operationally informed risk decisions.”

The Federal News Network (FNN) published the results of this survey in a report titled “Cyber Technologies in DoD: Protecting Core Infrastructure.” Respondents included Bill Marion, the former Air Force deputy chief information officer; Chris Cleary, the Navy’s first chief information security officer; and Roger Greenwell, risk management executive and chief information officer at the Defense Information Security Agency (DISA).

Below, we highlight a few of the most salient quotes that speak to the way these teams are adapting their security approach in response to the rapidly evolving threat landscape.

Streamlining implementation of the Risk Management Framework (RMF)

To start, each of the respondents addressed service-specific measures they’ve taken in implementing the Risk Management Framework (RMF), a set of criteria developed by the DoD to standardize how all federal IT systems are architected, secured and monitored. 

Recalling the Air Force’s strategic goal of achieving “cybersecurity that works,” Marion outlined his team’s “risk-informed approach” designed “to empower our senior cybersecurity officials to fuse operational requirements, system forensics and threats to inform risk assessment and tolerance over the system life cycle.”

The Navy, according to Cleary, is pursuing an “RMF reform initiative, which focuses on streamlining the existing RMF implementation process.” This sets out four separate lines of effort that “have spawned improvement initiatives across the spectrum of RMF steps and tasks.” He pointed to automation of the RMF as an emerging area with the potential to deliver significant improvements. 

Greenwell pointed to the commercial cloud environment, and the capabilities that it offers, as a primary focus area for DISA as they look to manage the migration of applications to that environment. He cited as a priority the ability of mission partners to better “see and leverage the information within the enterprise assessment and authorization tools for their risk management decisions.” 

When it comes to RMF reform, the Army and the National Institute of Standards and Technology (NIST), publisher of the RMF, are thinking along the same lines as these DoD leaders. The FNN report includes a section on the Army’s “Project Sentinel,” which is an effort to “fix RMF authorization bottlenecks.”

The FNN report also provides a summary of NIST plans in support of RMF implementation improvements, including details on the next update to Special Publication 800-53, the document that provides the foundation of the RMF. NIST plans to publish that update, revision 5, later this year. Among other upgrades, revision 5 will include a pivot to online delivery that will allow authorizing officials to select only the controls that apply to the specific cyber problem set they need to solve, in contrast to current practice that requires working through a static, 480-page list of security controls.

Prioritizing risk in policy and investment decisions

In an environment of limited resources, setting priorities is essential in achieving objectives. With that in mind, the respondents unanimously cited effective cyber risk management as a top priority to be considered in developing policy and making investments. Marion cited a “paradigm shift from compliance to a predetermined set of controls, to now making operationally-informed risk decisions” as a major achievement for the Air Force.

Addressing the Navy’s cyber investment strategy, Cleary talked about prioritizing ashore, afloat, and air networks “based on the priorities laid out in the National Defense Strategy and based on cost effectiveness” with the aim of “provid[ing] mission assurance in a cyber-contested environment across critical warfare areas.”

Greenwell sounded a similar note for DISA risk prioritization, focusing on the need to “optimize our investments and bring more powerful capabilities to the warfighter.” He emphasized that DISA was “continuously reviewing the threats, the advancing capabilities of our adversaries and the evolution of technology to prioritize our investments.”

Protecting the expanding attack surface

These cyber leaders were unanimous in their focus on the increasing connectivity of devices never previously exposed to outside intervention. This rapidly expanding attack surface is a key factor driving cyber risk prioritization decisions.

Marion, for example, noted that “as the landscape gets more interconnected and complex, the drive for innovation can create potential seams, which introduce additional risk vectors.” He pointed to studies chartered by the Defense Authorization Act as having provided “extremely valuable insights on the risks to our weapon systems and industrial control systems (ICS).”

Similarly, the US Cyberspace Solarium Commission report included a recommendation that Congress should direct the DoD to conduct a vulnerability assessment of all segments of the nuclear command, control, and communications enterprise and National Leadership Command Capabilities, and to continually assess weapon system cyber vulnerabilities.

Marty Edwards, a former federal cyber official and currently Tenable’s vice president of operational technology (OT) security, applauded this increased focus on the expanded attack surface, noting that “the ability for DoD to view and take action across the board on all devices within their vast array of networks is critical.” He added, “Systems that directly support mission operations are very often closely linked or depend upon ICS and/or OT - and that makes them far more critical to the mission owner in my eyes than most enterprise IT-centric systems.”

Report cyber risk, not cyber vulnerabilities 

For much of the 21st century, vulnerability management has been largely a CVSS-driven process of identifying known vulnerabilities, patching those vulnerabilities and reporting progress on that patching to organizational decision-makers. One point that came through this survey loud and clear is that senior cyber leaders are no longer only interested in knowing the status of cyber vulnerabilities – they want to understand the cyber risk associated with each vulnerability, in order to make well-informed decisions about how to establish priorities and best protect their most critical assets.

At Tenable, we understand the critical need to deliver actionable cyber risk information to decision-makers, which is why we’ve moved far beyond traditional vulnerability management. The Tenable Risk-Based Vulnerability Management Solution delivers comprehensive, continuous visibility and informs technical and business decisions, enabling you to:

  • Assess all your assets for vulnerabilities and misconfigurations continuously 
  • Measure the vulnerability’s risk to your business using threat intelligence and asset criticality 
  • Predict which vulnerabilities present the most risk to your organization, so you know what to focus on first 
  • Deliver risk-based information to decision-makers

Tenable’s Risk-Based Vulnerability Management Solution is built upon a five-step Cyber Exposure Lifecycle, which helps you continuously improve your security program. Applying the solution via this lifecycle will help you gain complete visibility into your attack surface and prioritize your remediation efforts based on the 3% of vulnerabilities that pose the greatest risk to your organization – reducing your cyber risk over time. 
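To make the contrast between CVSS-driven patching and risk-based prioritization concrete, here is an added example (not Tenable’s product logic and not any DoD process) that ranks the same constructed set of findings first by CVSS alone and then by a hypothetical risk score that folds in threat intelligence and asset criticality. The weights, asset classes and placeholder vulnerability IDs are assumptions made for illustration.

```python
"""Illustrative comparison: CVSS-only ranking vs. risk-based ranking."""
from dataclasses import dataclass

# Hypothetical asset-criticality weights (assumed, not a published scale):
# a controller on a mission-support ICS network outranks a workstation
# even when both carry the same CVSS score.
ASSET_CRITICALITY = {
    "ics-controller": 1.0,
    "mission-app-server": 0.8,
    "workstation": 0.3,
}


@dataclass(frozen=True)
class Finding:
    host: str
    asset_class: str
    vuln_id: str          # placeholder IDs, not real advisories
    cvss: float           # CVSS base score, 0-10
    exploit_public: bool  # threat intel: working exploit seen in the wild


def threat_factor(f: Finding) -> float:
    """Threat-intelligence multiplier: a public exploit doubles the weight."""
    return 1.0 if f.exploit_public else 0.5


def risk_score(f: Finding) -> float:
    """Risk = severity x threat likelihood x asset criticality (0-10 scale)."""
    return round(f.cvss * threat_factor(f) * ASSET_CRITICALITY[f.asset_class], 2)


def rank_by_cvss(findings):
    """The traditional ordering: highest base score first."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_risk(findings):
    """The risk-informed ordering a decision-maker would act on first."""
    return [f.vuln_id for f in sorted(findings, key=risk_score, reverse=True)]


# Constructed sample findings for this example.
SAMPLE = [
    Finding("ws-17", "workstation", "VULN-1", 9.8, False),
    Finding("plc-gw-2", "ics-controller", "VULN-2", 7.5, True),
    Finding("app-3", "mission-app-server", "VULN-3", 8.1, True),
    Finding("ws-22", "workstation", "VULN-4", 6.5, True),
]

if __name__ == "__main__":
    print("CVSS order:", rank_by_cvss(SAMPLE))
    print("Risk order:", rank_by_risk(SAMPLE))
```

The critical-rated workstation finding tops the CVSS list but drops to last once an absent public exploit and low asset criticality are weighed, while the exploited ICS controller finding moves to the front.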

To learn more about how DoD officials are managing cyber risk, check out the full report from Federal News Network.
