The Blog

DoD issues cyber-risk memo for weapons-buying

Relevant links are at the bottom of this post.

The Defense Department’s acquisition chief is targeting the integration of cybersecurity into military acquisition, recently issuing new guidance that revises existing policies and emphasizes information assurance and systems resiliency.

The new guidance, issued by Under Secretary of Defense for Acquisition, Technology and Logistics Frank Kendall, underscores previous efforts aimed at maintaining technological superiority and shoring up cybersecurity in military weapons systems, including the most recent iteration of Better Buying Power.

“A vital aspect of maintaining U.S. technological superiority and military readiness is ensuring the cybersecurity of our information technology systems, weapon systems and networks. Program managers must assume that the system they field, including their external interfaces, will be under attack,” Kendall wrote in an Oct. 30 memo prefacing the new guidance. “To be cost-effective, cybersecurity must be addressed early within acquisition and be thoughtfully integrated with systems engineering, test and evaluation and other acquisition processes throughout the system lifecycle.”

This guidebook is based on a set of key tenets that outline concepts and principles critical to cyber risk management in acquisition programs. According to the guidebook, those tenets include:

• Cybersecurity is risk-based, mission-driven, and addressed early and continually.

• Cybersecurity requirements are treated like other system requirements.

• System security architecture and data flows are developed early, and are continuously updated throughout the system lifecycle as the system and environment (including threats) change, to maintain the desired security posture based on risk assessments and mitigations.

• Cybersecurity is implemented to increase a system’s capability to protect, detect, react, and restore, even when under attack from an adversary.

• A modular, open systems approach is used to implement system and security architectures that support the rapid evolution of countermeasures to emerging threats and vulnerabilities.

• Cybersecurity risk assessments are conducted early and often, and integrated with other risk management activities.

• As the system matures and security controls are selected, implemented, assessed, and monitored, the PM collaborates with the authorizing official, the individual responsible for ensuring the cybersecurity risk posture of the system is managed and maintained during operations, to ensure the continued alignment of cybersecurity in the technical baselines, system security architecture, data flows, and design.

• Reciprocity is used where possible through sharing and reuse of test and evaluation products, i.e., “test once and use by all.”

Earlier this year, Kendall noted the importance of cybersecurity and the incorporation of cyber risk management into DoD acquisition programs and weapons systems and highlighted efforts to do so.

“We put out some guidance through the [Defense Federal Acquisition Regulations] last year, tightening up our requirements on industry. In fact, there were no requirements on industry for protection of unclassified technical data, and we were losing a lot of it through cyber theft,” Kendall said at a Pentagon press briefing in April unveiling Better Buying Power 3.0.