How Grades Motivate Better Cyber Practices at DOD

From NextGov:

Nobody in the Defense Department is getting away with poor cybersecurity practices anymore.

Speaking Aug. 11 at an event hosted by Nextgov, one of the Pentagon’s top cybersecurity officials explained the “back to basics” approach of its Cybersecurity Implementation Discipline Plan. Released last October, the plan measures the military services’ progress adhering to 10 cybersecurity challenges.

The plan’s greatest value thus far is accountability, according to Marianne Bailey, DOD’s principal director and deputy chief information officer of cybersecurity.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

“We decided to do a scorecard, and that has been pretty incredible, because nobody—I don’t care how many stars you have on your shoulder—nobody likes a bad grade,” she said.

Bailey said the increased accountability runs up the DOD chain of command. Department and service CIOs meet “every single Friday” before DOD CIO Terry Halvorsen to review their scores in all 10 areas.

If users in one military branch are logging into a network without public key infrastructure, Bailey said the branch CIO will have to explain why.

Defense Secretary Ash Carter also makes cybersecurity a priority, holding monthly briefings and inviting service and branch CIOs to meet with him.

“Probably 98 percent of [vulnerabilities] were due to something simple and trivial that somebody knew they should have done but wasn’t implemented,” Bailey said. “There were formal military orders to go out and do this stuff, it’s not like anybody should have been surprised by it. But obviously, it didn’t get prioritized high enough with other mission things to do.”

The thrust of the directives under the plan was already mandated by other military orders, Bailey said, but accountability seems to make the difference.

“I’ve watched a culture change and that’s probably been the biggest thing,” she added.

Continue Reading