GEOINT — The Department of Defense has rolled out new cybersecurity guidance aimed at addressing what Chief Information Officer John Sherman characterized as slow and duplicative processes that hinder technology and software innovation.
The plan, laid out in a document signed last week by Deputy Secretary of Defense Kathleen Hicks and released Wednesday, revolves around enforcing the concept of “reciprocity,” which essentially means that if one office certifies a system as cyber-secure, other offices can accept that certification instead of starting the process over.
Sherman announced the new guidance Wednesday in his keynote address at the annual GEOINT Symposium in Orlando, Fla., telling the audience: “Direct reciprocity is the default within the Department of Defense.”
Sherman explained that the measure would “remove the need for people to check each other's homework over and over again” unless officials have a “good reason” to do so.
“We are going to default to reciprocity and start dynamite through this,” he added.
The move comes after a number of complaints surfaced from within the department and from industry leaders over the Authority to Operate (ATO) process. ATO procedures are viewed as problematic because they are not only time-consuming and bureaucratic, but can also become redundant, as different organizations often have their own Authorizing Officials (AOs), each of whom must grant an ATO before software can be implemented.
AOs often apply different standards, so a software company going through this process has to do things a little differently each time, and the process is slowed down further even when the office next door may already have permission to use the same software.
“We've heard you loud and clear on this within the Pentagon. I'm not saying this will solve everything, but it will help a little bit,” Sherman said.
Sherman said the initiative is focused on reducing delays, but acknowledged that the process can be more complex and may require additional steps. He said his office stands ready to assist.
“I think there's a second major aspect to this: If any authorized employee feels that they are being interfered with in any way, they will work with the chief information security officer to report directly to my office. We'll be able to do that,” Sherman said.
In addition to saving time, reciprocity also saves money by allowing federal agencies to reuse internal and external findings from other organizations, reducing the cost of approving IT systems that run on different networks.
“This is from the deputy commissioner that reciprocity should be the default. It should be the first choice, rather than doing all the due diligence all over again,” Sherman said in an interview with DefenseScoop on Wednesday.
The guidance released Wednesday, officially titled “Resolving Interactions between Risk Management Framework and Cybersecurity,” states that “the Department will implement a Risk Management Framework (RMF) in accordance with Department of Defense Directive 8510.01 to build, operate, and maintain cyber-secure and survivable capabilities.”
Sherman told DefenseScoop that while the RMF is a guide for the Department of Defense, the CIO plans to provide similar direction to the broader intelligence community.
“This is like the next hill to climb later, because of the different classifications and where those pieces of evidence are kept, top secret or secret versus, say, unclassified databases. Because it's different,” he told the media.
Teresa Hitchens in Orlando contributed to this report.