DIB Cybersecurity Strategy: Allison's Version
Image credit: Kaboompics via Pexels.com

At the risk of sounding like I'm re-selling a Taylor Swift album, I felt moved to provide my version of a meaningful Defense Industrial Base Cybersecurity Strategy... you know, if I were in charge.

As Andy Sauer and I reminded each other during today's "The DIB Dive" livestream, neither of us is in charge, and perhaps that's a good thing. I mean, it's lonely at the top, right?

The United States Department of Defense released its 2024 DIB Cybersecurity Strategy in March, and while there were parts to cheer, the strategy mostly felt empty.

Now, before you "at" me... I think it's important to remember that I come from an environment where Goals and Objectives are measurable.

While it has generic themes and priorities, to me, this 2024 DIB CS Strategy is missing just that: something measurable.

Granted, I understand that this Strategy is essentially nested in other U.S. Government strategies. These priorities don't exist in a vacuum, and they most certainly cannot exist in direct competition or disagreement with another Strategy running alongside or parallel to it. It's hard to tell the world that we need to set a high bar for companies to do business in the DIB using the DIB CS Strategy, and then over in the National Defense Industrial Strategy, talk about how we need to remove barriers for manufacturers to facilitate surge capacity in production.

So, then, what's the point? Why do these strategies exist?

To show the taxpayer what's being done? If anything, it shows the taxpayer where the priorities lay 12-24 months ago. These things aren't cutting edge. The teams writing the strategy are not often the same ones in the room talking to industry leaders or public-facing government personnel.

I don't mean to discredit the DIB CS Strategy. Far from it. I don't think there's anything wrong at its core.

But, much like a burrito bowl at your favorite dive Mexican restaurant, I just feel as though it needs meat to be meaningful. If I were in charge? I'd help adjust and revamp some of these Goals and Objectives.

Let's take the Goals as they're stated in the Strategy:

They make sense, right? Overall, they are reflective of some solid themes of the DIB cybersecurity for those who live and breathe this stuff.

GOAL #1: Strengthen the DoD governance structure for DIB cybersecurity

Makes sense, right? Of course this is a goal, and it should be a goal.

...but HOW do we do this?

The Objectives call out "strengthen interagency collaboration" and "advance the development of regulations governing cyber responsibilities of DIB contractors and subcontractors."

I'm torn here. I'm all for interagency collaboration (boooooo for operating in silos!), but from my small business perspective, this has not always proved helpful.

For example: I grow weary of incident reporting notification changes. The conversation about what a timeline should look like for incident reporting, and to whom such an incident should be reported, seems to change weekly. If there's anything we want as a nation trying to secure its data, it's CLARITY in the reporting process when something happens.

And can you imagine the chaos of the delineation of cyber incident reporting "ownership" if something like a Cyber Force branch of the U.S. military comes to fruition?

So, what does this "strengthening the DoD governance structure" look like right now?

Objective 1.2 recognizes that "DFARS 252.204-7012 requires that NIST 800-171 cybersecurity requirements are applicable to subcontractors; however, visibility within the lower tiers remains a challenging area for the Department."

So, what are we going to do about that? How do we gain visibility?

Why, the CMMC Program, of course.

ALTERNATIVE OBJECTIVES:

  • Streamline (de-duplicate?) at least one policy to facilitate clarity in incident response reporting.
  • Clearly define the authority on CUI as it pertains to CMMC and communicate this to the DIB.
  • Strategically analyze the supply chains of 3-5 various programs and initiatives, diving deep into full supply chains to better understand the flow of data, the challenges each level of contractor faces, and understand the DIB environment more clearly as strategies evolve. What does the supply chain look like, from start to finish, for a manufactured aircraft subassembly? How about for the contracting of services for landscapers on Air Force bases? What about state-of-the-art software development or something involving additive manufacturing that is not deemed Top Secret, but has question marks about its impending (and confusing) CUI labeling?

GOAL #2: Enhance the cybersecurity posture of the DIB

On this week's "The DIB Dive" with Andy Sauer, Andy firmly stated, and I'm paraphrasing here, that we needed to move beyond "cybersecurity awareness."

I would suggest that while there may still be small businesses ignorant of cybersecurity best practices, we need to focus on providing support to those that are skilled in their core competency of providing goods and services to the DIB, and have the desire to comply and protect data, but are overwhelmed and tapped out on resources to close the gap.

DoD proposes evaluating "DIB compliance with DoD cybersecurity requirements," improving "the sharing of threat, vulnerability, and cyber-related intelligence with the DIB," identifying "vulnerabilities in DIB information technology (IT) cybersecurity ecosystems," recovering "from malicious cyber activity," and evaluating "the effectiveness of cybersecurity regulations, policies, and requirements."

Of all four of the goals, this one certainly takes the biggest bite in coverage of shared priorities - but it still has a long way to go if there's going to be any accountability for meeting the goals.

I will admit: The objective that refers to recovering from malicious cyber activity made me laugh out loud. Not because it was funny, but because it's a missed boat.

Standards like NIST 800-171 and CMMC don't focus on data backups and testing said backups. However, when even the most secure environments are at risk, why would we (as an ecosystem) not stress the importance of backups even more than we do now?

Having data backups - and testing them regularly - allows a company to be resilient (ah, there's that word again), and it also prevents the decision needing to be made on whether or not a ransom is to be paid.

This section talks a lot about DoD offerings: NSA's Cybersecurity Collaboration Center, DC3/DCISE Service Offerings, and refers to something created nearly 7 years ago: the Vulnerabilities Equities Policy and Process (VEP).

When it comes to some of the tools and offerings: Information sharing is wonderful, but what good is vulnerability data to a small business if they don't know what to do with it? Who is the intended audience?

Andy also pointed out on the LinkedIn Livestream: The NSA has some PR to work on when it comes to small business. There's a lack of trust. Not many small businesses eagerly raise their hand to ask NSA to put something on the small business' network. Can you blame us? (Full Disclosure: I was one of these weird companies who shrugged and said she didn't mind, mostly to prove a point.)

Even without addressing the trust issue:

How do we know if the objectives and goals have been met? How do we gauge improvement with these objectives? Without something measurable, how do we know we're all rowing in the same direction?

I'm a big fan of the work that DCISE and DC3 have done to get non-cleared contractors a seat at the table with the DIB Cybersecurity program. DoD should use this win to set the next goal.

ALTERNATIVE OBJECTIVES:

  • Achieve [insert specific percentage increase here] growth of DIB Cybersecurity program active membership by end of 2025.
  • Work with the subject matter experts at DC3 to set measurable goals based on historical data.
  • Clearly map offerings from DoD, NSA, DC3, etc. to actual compliance requirements (HT to Jacob Horne for beating this drum ad nauseam).
  • Start a marketing campaign that provides DIB companies with resources and options for best practices in data backup management.

GOAL #3: Preserve the Resiliency of Critical DIB Capabilities in a Cyber-Contested Environment

This section highlights the value of the DIB Government Coordinating Council (GCC) and the Sector Coordinating Council (SCC).

As someone who has been fortunate enough to be in the room during these meetings (thanks to the support of the National Defense ISAC), this goal is a solidly good priority.

When the DIB GCC and SCC partners get together, candid conversations can take place and action items result.

You know what I'm going to say next.

So, what's the measurable output here?

I'd venture to say that while the DoD can't write the private sector's goals for them, there should be some reliance here on the industry as a whole.

The second objective within this goal is not as clear to me as other sections are. If the intent here is to allow for the creation of [yet another] new policy or a layer of bureaucracy, I remind readers of my DIB Dive analogy:

There's a clear plastic bin I have outside my office lobby, essentially taped to the window. On humid days, the bin falls down. I would simply add more tape and reaffix it to the window. It would rain, and the thing would fall again.

cringe

What's the definition of crazy?

ALTERNATIVE OBJECTIVE:

  • Explore the ability to increase the frequency of GCC/SCC meetings, providing shorter time frames in between meetings and more specific tasks and goals to be met.

GOAL #4: Improve cybersecurity collaboration with the DIB

This section (again) highlights the value of the DIB Government Coordinating Council (GCC) and the Sector Coordinating Council (SCC). Why not emphasize it by covering it twice?

No, but really, the emphasis on public-private cybersecurity collaboration is great, but there are plenty of times that key representation of the private sector feels left out of the conversation.

Small business is regularly told what it needs, but I can't recall the last time that I looked around the room in many industry or government-led meetings and saw more than two or three of us.

If DoD were serious about this goal, it would seek to bring in input from communities vital to the success of securing the DIB - specifically small businesses and managed service providers (MSPs), since many MSPs manage small business IT environments.

If the DoD truly wanted to "increase efforts to bring small businesses into [the] Defense Industrial Base," as the director of the Defense Department's Office of Small Business Programs said in March 2023, some meaningful and measurable goals must be set.

And for the love of Pete, please don't ask the Small Business Administration for support or insight in this arena. Go straight to the SMB.

Some estimates suggest that 73% of companies in the defense industrial base are small businesses.

So, why does DoD allow Big Primes and consultants to speak on small business's behalf?

ALTERNATIVE OBJECTIVE:

  • Grow the active engagement of SMBs, supporting their attendance to GCC/SCC meetings (in-person or virtually) by 100%.

Cyber threat actors are only coming after the DIB harder and faster. We have to do something different, and we have to move quickly for anything to be meaningful. I recognize that moving quickly is challenging (er, next to impossible) in government, but there are still small steps that can be taken to get us moving in the right direction.

Some over-simplification of what's above, if you just scrolled down to the bottom and want a summary:

DoD's DIB Cybersecurity goals must be measurable for the sake of clarity and accountability.

If DoD focused on a few specifics, we'd be rowing in the right direction:

  1. Seek to understand specific and complete supply chains in the DIB, from top to bottom, to determine where existing DoD assumptions need to be adjusted.
  2. Work to clean up and streamline existing confusing/conflicting policies instead of creating new ones to layer on top of the noise.
  3. Improve marketing efforts to communicate current DoD resource offerings to the DIB and how they [partially] apply to governance frameworks and regulations.
  4. Grow the active engagement of actual small and medium businesses across DoD conversations, rather than relying on the word of Big Primes, consultants, and other government agencies to speak on behalf of SMBs.
Laura Rodgers

Director of Cybersecurity Practice, NC State University

7 months

What blows my mind is there's nothing in the strategy about training the acquisition workforce on cybersecurity regulations and the impact the regulations have on defense contractors - particularly on SMBs. I guess they're content with the "copy-paste" process for putting requirements in contracts without knowing anything about them.

Ishu Bansal

Optimizing logistics and transportation with a passion for excellence | Building Ecosystem for Logistics Industry | Analytics-driven Logistics

7 months

What are some key strategies you would implement to ensure cybersecurity in the DIB? #cybersecurity #DIB

Glenda R. Snodgrass, CCP/CCA

Weaving security & compliance into business processes.

7 months

I love this idea: "Strategically analyze the supply chains of 3-5 various programs and initiatives, diving deep into full supply chains to better understand the flow of data, the challenges each level of contractor faces, and understand the DIB environment more clearly as strategies evolve."
