BALTIMORE–The Department of Defense will implement the Cyber Expected Service program to bolster its cyber workforce and take another look at its Cloud Access Point (CAP) protection as it considers commercial cloud services for its agencies’ data platforms, according to DoD Acting Chief Information Officer (CIO) Dr. John A. Zangardi.

Zangardi delivered the closing remarks at the Armed Forces Communications and Electronics Associations’ Defense Cyber Operations Symposium in Baltimore on Thursday, and focused on addressing cyber challenges within his department’s agencies.

Department of Defense Acting CIO Dr. John A. Zangardi. Photo: Department of Defense
Department of Defense Acting CIO Dr. John A. Zangardi. Photo: Department of Defense

“The theme for this week’s cyber symposium was absolutely correct: connect and protect,” Zangardi said, which gave industry professionals the opportunity to discuss solutions in a forum with the DoD’s Defense Information Systems Agency.

The DoD will begin to implement the Cyber Expected Service program in July, which Congress included in the FY ‘16 Defense authorization bill, and allows the department more flexibility with pay and personnel hiring outside of Title 5 guidelines in order to strengthen its cyber workforce, according to Zangardi.

“This will help the DoD attract and develop the next generation of cyber talent,” Zangardi said, who sees the current hiring process as cumbersome. The Cyber Expected Service lets the department offer market-based pay structures to leverage better packages for potential civilian cyber personnel.

Zangardi pointed to a continued emphasis on cyber hygiene, including continuously updating software and including two-factor authentication, as a key component for the successful response to the recent WannaCry ransomware attack and as a model for future decisions regarding acquisition of cloud computing services.

The DoD is also looking at updating the “scorecard” system it uses to keep track of the cyber security posture of its agencies.

“The current scorecard is static and relies on manual entry,” Zangardi said, who hopes to create a 2.0 system that automatically records cyber progress. The scorecard was first included in the DoD Cybersecurity Discipline Implementation Plan released in October 2015.

Zangardi also provided an update on the DoD’s cloud computing acquisition process. He said the department is considering applying its CAP protection to data at or above the Level 4 security level. CAP is the current system for connecting the Department of Defense Information Network with commercial cloud providers.

The DoD is also finalizing details regarding its Defense Federal Acquisition Regulation Supplement clause when it comes to accepting deals with cloud service providers. Zangardi said there have been questions from providers on how to meet the safeguarding and protection against cyber vulnerabilities guidelines in the clause, and hopes his department will clarify the details by the end of this year.