Department of Defense officials are readying to add automation to its cyber security scorecard procedure to make better use of network security data and more rapidly integrate off-the-shelf commercial capabilities.

The DoD Cybersecurity Scorecard 2.0 will move past manual entry of critical network data to assess cyber hygiene, with hopes that building in continuous monitoring tools will address the most pressing network vulnerabilities across the Pentagon and services, according to the department’s CIO speaking at a Tuesday AFCEA event.

DoD CIO Essye Miller
DoD CIO Essye Miller

“It’s about moving to an environment where we have an opportunity for harvesting rich data, for machine learning, for artificial intelligence,” DoD CIO Essye Miller said during her keynote at the AFCEA DC cyber security summit.

Miller’s predecessor, John Zangardi, first proposed the idea of the new scorecard incorporating automation nearly a year ago, but DoD officials see an opportunity to make the move now as the department grows its cloud computing and enterprise shared services.

Data gathered from automated continuous monitoring would help identify the most pressing cyber vulnerabilities with DoD’s weapons and control systems.

“Where we sit today, there’s litany of weapon systems and whole operating systems still using user ID and password, and introducing risk to the network,” said Miller, who believes the new scorecard will help shift the mindset to addressing cyber resiliency needs.

Deputy DoD CIO Ed Brindley believes Cybersecurity Scorecard 2.0 would represent a new holistic approach to breaking away from a checklist mentality and using automation to identify where to incorporate more risk.

“Today, if compliance were a checklist-oriented mentality we would consult the checklist and then feel like ‘are we done?’ Right now, that is not important in terms of finding out what’s risk-informed and accounts for the threat,” Brindley said during the Tuesday AFCEA event. “We think there’s some opportunity in scorecard 2.0 to capitalize on automation in a way that will allow us to gain greater insight into the way we view the enterprise environment.”

Both Miller and Brindley called on the Pentagon’s commercial partners to deliver the automation capabilities DoD has yet to acquire to initiate the scorecard’s second phase.

Improving the scorecard would open up new opportunities with industry to deliver cyber resiliency capabilities that will be required once data automation tools identify new needs for DoD systems.

Brindley specifically mentioned comply to connect devices that must be updated and patched before they can be connected to the network.

“I’m sure you’re familiar with the concept of continuous monitoring, you’ve probably heard about comply to connect. Part of what we are talking about for scorecard 2.0 is how do we provision services and introduce comply to connect in an operational context in a way that we either assure ourselves and each other that the enterprise is to a level of health that we can see operationally,” Brindley said.

Miller hopes Cybersecurity Scorecard 2.0 opens up more opportunities for DoD to purchase off-the-shelf commercial capabilities that require fewer modifications to work within DoD’s systems.

“How do we get ourselves out of the thinking that we have to make or modify everything we buy? How do we move to an environment where I’m relying on our commercial partners to give us the capabilities that we need out of the box?” Miller said.

Miller and Brindley both said more discussions need to take place before finalizing the new scorecard, but they believe the process is representative of the department’s shift towards flexible, risk-based cyber decisions.

“There’s a sense that we’ve taken more risk out among the warfighters and the operational community than we have within the [Pentagon],” Miller said.