The Defense Information Systems Agency (DISA) is working with the National Security Agency (NSA), Department of Defense Chief Information Officer (DoD CIO), U.S. Cyber Command, combatant commands, services, and other agencies to evolve the department’s cybersecurity architecture and create an evolving roadmap to apply changes to the DoD Information Network (DODIN) infrastructure, DISA said May 9.
The new effort is the Non-secure Internet Protocol Router Network (NIPRNet) and Secret Internet Protocol Router Network (SIPRNET) Cybersecurity Architecture Review, or NSCSAR. It is pronounced like the auto racing association with a similar acronym, NASCAR.
NSCSAR is focused on attempting to answer three core questions: which cybersecurity solutions does the department need, how much is enough, and where can they take risk, Pete Dinsmore, DISA’s risk technology executive, said in a statement.
“It is a framework for reasoning about cybersecurity from the end point to the Internet and incorporating everything in-between,” he said.
The review effort works by comparing the current set of cybersecurity capabilities against a threat framework, which details the tactics and techniques adversaries use. The capabilities are then scored based on the level of effectiveness in mitigating adversaries.
“We’re taking an adversary perspective, looking at our defenses the way an adversary does and saying ‘Where can we mitigate the adversary and where are we having difficulties?’“ Dinsmore said.
NSCSAR has been implemented on the spin concept, with a new spin cycle beginning every 90 days. In each new spin, NSCSAR reassesses the environment to add capabilities, questions, ability for analysis, and new threats.
Dinsmore said this allows the department to be more timely than adding a new report only once per year.
NSCSAR is eventually meant to inform and influence decision-making actors in the budget, portfolio management, and DODIN architectural domains. NSCSAR has started to already release routine recommendation, affirmation, and observation reports to department stakeholders.
Dinsmore highlighted the importance of affirmation reports.
“Affirmations are saying that a choice we made is doing what we need it to do. Too many times reports like this come out and say, ‘Here’s what you need to do,’ but they never say what not to touch [or what should stay the same].”
Without the affirmation report, an actor tries to implement a recommendation but may undo something that is otherwise working well, Dinsmore said.
The first spin was finished in April, with the second expected to be complete on June 30.
“At the end of the day the budgets available for cybersecurity capabilities are either stagnant or decreasing. And we need to figure out how to best use our dollars,” Dinsmore said.