DoD to unite IT, building control systems along same cyber lines

Thursday - 8/22/2013, 5:55am EDT

Jason Miller reports.


The Defense Department is expanding the number and types of devices that are covered under its cybersecurity regulations.

DoD's Chief Information Officer Teri Takai is expected to issue the new regulations in October.

Daryl Haegley, the program manager for business enterprise integration in the office of the deputy undersecretary of Defense for installations and the environment, said Wednesday that DoD is updating the 8500 series guidance as part of the evolution of its cyber directives. In the 1990s, DoD initially focused on communications security, or ComSec. It then moved to information assurance, and now it is full-on cybersecurity.

With that full-on cybersecurity approach, DoD will tell its agencies and services to focus not just on email or business systems, but on anything that is connected to the network.

"It says specifically that all information services and platform IT need cybersecurity considerations. So now it makes on par the industrial control system world and the information service world," Haegley said at a panel discussion sponsored by Government Executive magazine in Washington. "They define IT here, information services — your email, the things that travel on servers, laptops and smartphones and those sort of things — information security for that. Then platform IT or operational technology or industrial control systems, those networks also have their own category and they also will need the cybersecurity evaluations."

Industrial control systems (ICS) are those that run the water, air conditioning, heating, electrical, telecommunications and other facilities or physical security systems.

New risk management framework

Haegley said DoD also is updating regulations that would align the Pentagon more closely with the civilian government on risk management, which would be a significant change. The National Institute of Standards and Technology recently updated its special publication 800-37 to address cyber risk management.

"Essentially what the CIO and DoD also helped them understand, the old DIACAP process — the certification process that was long and it took a number of years sometimes to get things through. Then once you had a stamp, you were good for three years. You had to check back in in three years," he said. "That is not keeping pace with what we need for good security practice. DoD is now going to adopt this risk management framework and apply that to its information security and ICS security requirements. In the instruction, it essentially mirrors a lot that is already in that special publication, but there are some nuances."

DoD created the DoD Information Assurance Certification and Accreditation Process (DIACAP) in 2007.

Haegley said he couldn't discuss the specific differences between DoD's new risk management framework and the NIST publication because the document still is in draft form.

A third major change in these new upcoming directives is around reciprocity of certifications. Haegley said DoD will tell the military services and agencies to trust each other when approving products or services that meet the new standards.

Reciprocity has been a huge stumbling block for the entire government. Each agency spends tens of millions of dollars redoing cybersecurity accreditations and authorizations. This redundant and wasteful effort is the reason the Office of Management and Budget introduced and mandated the FedRAMP cloud cybersecurity approval process.

Moderate level of change

Haegley said the updated cyber regulations will be a significant change in some regards, but just a typical update in others. He said the DoD CIO's office has been collaborating across the department on the creation of the updated policy, so no one should really be surprised by what is in it.

"It does state that there are cybersecurity implications to anything that is connected. The major change is that it includes platform IT or industrial control systems and that connectivity needs cybersecurity as part of its evaluation. That has not been part of it before," he said. "But all the other standards of certification requirements, periodicity, skill sets and a lot of roles of what the organizations will do has not really changed that much."

Haegley said one Navy organization, for example, already is designing systems and putting out requirements saying the new technologies must meet the new risk management framework.

DoD faces a major challenge to apply cybersecurity rules and procedures to industrial control systems.

DoD found it has more than 2.5 million unique industrial control systems across the services and agencies.

Haegley said some ICS are managed by vendors, while others are managed by DoD. Some are more than 20 years old and have been retrofitted to communicate with the network, while others are newer and have that electronic communications ability built in.