Navy retools cyber policy

The new policy signed by Navy Secretary Ray Mabus sets up a program for preventing insider threats, among other actions.


Navy Secretary Ray Mabus has made significant additions to the service's cybersecurity policy by requiring the implementation of a layered approach to cyber defense and the establishment of a departmentwide program to tackle insider threats.

Navy organizations, including the Marine Corps, "shall implement a defense-in-depth/defense-in-breadth [cybersecurity] strategy to mitigate information security risks throughout the entire life cycle of a system or network," the memo states. It is dated May 2 but was released publicly this week.

Defense Department officials have long espoused a defense-in-depth approach to cybersecurity, one that mirrors, for example, the multiple barriers an assailant often faces in attacking a government building. Mabus is trying to drive home the point by reminding commanders that they will be accountable for implementing defense-in-depth.

The memo acknowledges the perils of the Navy's far-flung IT footprint by requiring a program to prevent personnel from stealing Navy data. "The [Department of the Navy] shall establish an integrated set of policies and procedures to deter, detect and mitigate insider threats before damage is done to national security, personnel, resources and/or capabilities," the memo states.

The memo also updates acquisition strategy by calling on officials to make sure cybersecurity is considered at every phase of a system's development and implementation.

The memo also rebrands the DON Information Assurance Program as the DON Cybersecurity Program.

The Navy, including its CIO shop, has in recent years released several policy documents aimed at overhauling its approach to cybersecurity. In February, Mabus issued a memo that differentiates the IT and cybersecurity workforces for training purposes. Starting in 2014, the service undertook a comprehensive assessment of its cyber risk through Task Force Cyber Awakening.

Given that there is no shortage of cyber-related policy guidelines to follow, the memo asks officials to report any way the new policy might conflict with existing federal and DOD policies. 

DON CIO Robert Foster issued his own memo this week that instructs DON officials on acquiring cloud computing services. The memo delegates approval authority to the deputy CIOs of the Navy and Marine Corps for the business case analyses officials must complete in order to buy cloud services.

That move is in keeping with DOD CIO Terry Halvorsen's push to decentralize the cloud acquisition process.