Air Force closes in on new directive for IT governance

Lisa Disbrow, President Obama's choice for the post of Undersecretary of the Air Force, updated a Senate panel on the Air Force's IT plans at her nomination hearing.

The candidate for a top job at the Air Force updated senators on the department's IT plans at her nomination hearing.

Air Force officials are drafting a directive that would update the role of the CIO, more clearly aligning it within the service's broader organizational structure, according to a spokesman.  

The Air Force instruction will cover the CIO's "governance roles and responsibilities; identification of key players, policies, and procedures; and the definition of strategic organizational structures detailing where the CIO governing bodies fall within the larger Air Force governing structure," Air Force spokesman Ed Gulick said in a statement to FCW. "We are formalizing a governance charter, which will inform these updated policies."

The directive is the latest effort by the Air Force to provide organizational clarity on IT security.

Air Force Chief of Staff Gen. Mark Welsh in March initiated Task Force Cyber Secure, an approximately yearlong project to assess the service's IT security vulnerabilities, from its main networks to far-flung assets. In scope and intention, the Air Force's task force mirrors one unveiled by the Navy in November 2014.

Lisa Disbrow, whom President Barack Obama has nominated to be undersecretary of the Air Force, alluded to the new CIO-related directive in submitted testimony before a Dec. 15 Senate Armed Services Committee confirmation hearing.

"The department will soon publish an updated set of policies for how we govern and operate enterprise IT/cyberspace capabilities," Disbrow said in her testimony.

"We are undertaking a nascent effort to align the Air Force IT governance and requirements processes with the Defense Enterprise Service Management Framework," which will use best IT practices in the commercial sector to support mission work, she added.

Disbrow's testimony also referred to "significant challenges" posed by legacy systems to the nuclear command, control and communication system (NC3). Commercial solutions sometimes introduce cyber vulnerabilities to the NC3, she added.

Striking a balance between government and commercial solutions – "and having the patience and resources to fund potential solutions" – are therefore the most pressing NC3 challenges, Disbrow said.

The challenge of addressing cyber vulnerabilities in weapons systems is a steep one for the Air Force. The service's Space Command, for example, spent $3 billion on cybersecurity last fiscal year, but not a penny defending against software vulnerabilities in weapons systems that Pentagon officials have said are at great risk. (NC3 is under the purview of the Air Force Global Strike Command, not the Space Command.)

Testimony covered Navy, Army cyber challenges

Testifying alongside Disbrow were Patrick J. Murphy and Janine Davidson, the nominees to be undersecretary of the Army and undersecretary of the Navy, respectively. Their submitted testimonies also offered clues to how they would tackle those services' substantial cybersecurity and IT challenges.

Murphy, a former Pennsylvania congressman, said in testimony that the service must "continue to streamline the IT and cyber acquisition process" to stay ahead of threats, "which requires current and cutting edge technologies."

Davidson, a Council on Foreign Relations scholar, noted in her testimony that IT advances are changing the relationship between people and technology, to the point that there is "vast potential to change the balance of manned and unmanned platforms in combat aircraft and across all platforms."

Separately in the hearing, the committee advanced the nomination of Marcel Lettre to be undersecretary of Defense for intelligence. Lettre, who is currently serving as acting undersecretary, plays a key role in inter-departmental cybersecurity discussions.

Lettre's nomination now heads to the full Senate for approval. Sen. John McCain (R-Ariz.), the committee's chairman, later told reporters he was confident the full Senate could find time to vote on Lettre's nomination, despite the clock ticking on the 2015 legislative calendar.