DoD policy delegates cybersecurity compliance responsibilities to military leaders
The DoD's Cybersecurity Discipline Implementation Plan requires military leaders to take an active role in fortifying cyber defenses.
The U.S. Department of Defense (DoD) this month publicly disclosed its new Cybersecurity Discipline Implementation Plan, which assigns leaders across all military branches greater responsibility for fortifying operational systems against cyber intrusions.
The document, originally distributed in October 2015 and amended last month, consists of four “lines of effort” representing the most commonly exploited basic disciplines of cybersecurity. The four key tenets of the plan are strong authentication, device hardening, reducing attack surface, and aligning and integrating military IT systems with Computer Network Defense Service Providers.
The plan instructs commanders and supervisors at all levels to report their progress toward meeting DoD requirements via the Defense Readiness Reporting System (DRRS), allowing senior leadership to review compliance “down to the tactical level.” This process complements a separate DoD Cybersecurity Scorecard, which the Secretary of Defense uses to gauge cybersecurity compliance at a higher strategic level.
“The DoD Cybersecurity Campaign reinforces the need to ensure Commanders and Supervisors at all levels, including the operational level, are accountable for key tasks,” the DoD plan states.
In keeping with the DoD's emphasis on cybersecurity accountability, the Department of the Navy last month issued a notice that all users of its information systems must complete cybersecurity (CS) awareness training and demonstrate they are qualified to operate such systems responsibly. The notice advises that “The continuing failure of a civilian employee to meet required Cyber IT/CS qualifications may be grounds for reassignment or separation under adverse action procedures.”