Navy retools cyber policy
By Sean Lyngaas
May 20, 2016
Navy Secretary Ray Mabus has made significant additions to the service's cybersecurity policy by requiring the implementation of a layered approach to cyber defense and the establishment of a departmentwide program to tackle insider threats.
Navy organizations, including the Marine Corps, "shall implement a defense-in-depth/defense-in-breadth [cybersecurity] strategy to mitigate information security risks throughout the entire life cycle of a system or network," the memo states. It is dated May 2 but was released publicly this week.
Defense Department officials have long espoused a defense-in-depth approach to cybersecurity that mirrors the multiple barriers an assailant often faces in attacking a government building, for example. Mabus is trying to drive home the point by reminding commanders that they will be accountable for implementing defense-in-depth.
The memo acknowledges the perils of the Navy's far-flung IT footprint by requiring a program to prevent personnel from stealing Navy data. "The [Department of the Navy] shall establish an integrated set of policies and procedures to deter, detect and mitigate insider threats before damage is done to national security, personnel, resources and/or capabilities," the memo states.
The memo also updates acquisition strategy by calling on officials to make sure cybersecurity is considered at every phase of a system's development and implementation.
The memo also rebrands the DON Information Assurance Program as the DON Cybersecurity Program.
The Navy, including its CIO shop, has in recent years released several policy documents aimed at overhauling its approach to cybersecurity. In February, Mabus issued a memo that differentiates the IT and cybersecurity workforces for training purposes. Starting in 2014, the service undertook a comprehensive assessment of its cyber risk through Task Force Cyber Awakening.
Given that there is no shortage of cyber-related policy guidelines to follow, the memo asks officials to report any way the new policy might conflict with existing federal and DOD policies.
DON CIO Robert Foster issued his own memo this week that instructs DON officials on acquiring cloud computing services. The memo delegates approval authority to the deputy CIOs of the Navy and Marine Corps for the business case analyses officials must complete in order to buy cloud services.
That move is in keeping with DOD CIO Terry Halvorsen's push to decentralize the cloud acquisition process.
Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.
Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.