The Department is over-optimized for exceptional performance at the expense of providing timely decisions, policies, and capabilities to the warfighter. Our response will be to prioritize speed of delivery, continuous adaptation, and frequent modular updates. We must not accept cumbersome approval chains … or overly risk-averse thinking that impedes change. —2018 National Defense Strategy
I always enjoy the last few minutes of competitive sports. Football is my favorite, but my kids are getting me into Champions League soccer as well. The offense is cranking, poised to make the big play. The defense is playing a bend-but-don’t break strategy. If you’re not at the edge of your seat or glued to the TV, you’re not a fan.
Like the offense in a two-minute drill, the Department of Defense has been racing to win at cybersecurity for a number of years. There is palpable tension between leaders wanting to build a “rapidly innovating joint force” that brings the best capabilities to bear and the need to be compliant with various security regulations. It’s like having the perfect play called, but the referee won’t let you snap the ball as you watch precious seconds tick off the clock.
I should mention that I have a bias against compliance regimes (e.g. RMF, NIST, CNSS, etc.). Not because any of them are bad per se, but because the cybersecurity policy landscape is a mess. While these are manageable from the perspective of a single government organization that has learned where it fits in the milieu, it is untenable from an industry perspective that must go through a different and arduous process for nearly every government customer. A common industry refrain is “stay away from government business” because of the complexity and empty calories required. My bias is compounded by the fact that some cybersecurity personnel assert their systems are compliant and therefore they must be secure. Any red team member will tell you compliance simply does not equate to security.
The Compliance Spin Cycle
The basic premise of the policy frameworks is sound, and when implemented correctly they help get systems to a baseline level of security. However, there are at least two significant issues that arise along the way. First, there are usually hundreds of hours of work to document that a system meets the controls set out in a policy. The same type of work is duplicated across separate but overlapping policies (e.g. FIPS 199, NIST 800-53, CJCSM 6510.02, etc.) and then repeated in other organizations (e.g. Air Combat Command, Space and Naval Warfare Systems Command, Department of Justice, etc.). Instead of doing the work once and having the results widely adopted by other organizations, hundreds of hours multiply into tens of thousands of hours of repetitive work to satisfy the requirements of the policy du jour. Second, most systems are deployed to complex environments that security frameworks cannot anticipate, nor prescribe foolproof solutions for. In these environments, compliance with all prescribed controls does not bring additional security.
Teamwork Makes the Dream Work—Radical Reciprocity
Will innovation continue to be shackled by the weight of current regulation, or will leadership select another approach? An important way to increase government acquisition speed and improve cybersecurity is to streamline the policies required to meet a baseline of security. If policy names are an indication, something like FIPS 200 (Minimum Security Requirements for Federal Information Systems) would work to initially qualify innovative solutions. Further, compliance verification technology should be used to prove security against a baseline of security controls rather than doing hundreds of hours of documentation. This verification should be available at nominal cost and completed in days, not weeks or months. Finally, leaders should make compliance reciprocity mandatory and trust the results of their cybersecurity colleagues. For example, why shouldn’t the Navy accept a Department of Justice Authority to Operate, or the DoD accept the Department of Homeland Security’s approved product list, by default? As an encouraging sign, the draft revision of the risk management framework places special emphasis on both reciprocity and transparency.
Innovation in the national-security environment is traditionally a complex process, even more so as we innovate in the cyber domain. As new innovations spring up, the Secretary’s guidance is clear: innovation is required to build a more lethal force, and the military must use new methods to evaluate and field innovative capabilities. The cybersecurity operational portfolio must include an empirical assessment of the current and future performance of the systems. Importantly, as new capabilities come online, the military must not hesitate to retire the old ones.
These approaches will be a catalyst to speed cyber innovation and make it possible for cyber innovators to develop unique, sophisticated, agile, and modular tools that help enable the military cybersecurity innovation industry. Coming back to the sports analogy, it’s time for the referees to let the players play so we can get out there and win one for the home team.
This article was originally posted on the USNI blog: https://blog.usni.org/posts/2019/10/17/security-innovators-dilemma-a-view-from-industry-and-a-need-for-smarter-compliance