Concerns about cyber security have risen to the fore as the U.S. military relies on computers as the brains of systems ranging from enterprise financial systems to combat aircraft, tanks and ships. Government and industry officials now are working to embed policies and processes to ensure issues are addressed throughout the acquisition process, not treated as an afterthought, a panel of experts said.
“It’s better to be baked in not bolted on,” said Mike Papay, vice president, Cyber Initiatives, Northrop Grumman Information Services, a panelist at Defense Daily’s Cyber Security Summit in Washington yesterday.
Embedding cyber security in acquisition is important, from getting it right in the requirements, to ensuring government, industry and academia work together, he said.
“A holistic approach to security is critical,” said Kristen Baldwin, principal deputy in the Office of the Deputy Assistant Secretary of Defense For Systems Engineering. “We have to include security as a discrete practice within system engineering.”
Engaging with security issues later in the acquisition process can be more costly and disruptive.
But, “it’s not enough to start early,” she said, cyber security must be addressed throughout the life cycle of the program.
However, “it needs to be very structured…the process won’t happen on its own,” said Linton Wells, director, National Defense University Center for Technology and National Security Policy, during the panel.
As of last summer, DoD has required all programs to have Program Protection Plans, “to provide the single focal point for security activity on that program,” Baldwin said. This streamlines the approach and consolidates different areas in one place.
The plan is addressed at major developmental points, such as acquisition milestone A, B and C.
Baldwin said more engagement at the requirements stage is important. She singled out the Army’s AH-64 Apache helicopter program by Boeing [BA] as a success.
As the program came up on Milestone B review, her office conducted a critical analysis with the program’s chief engineer, identifying the most critical areas. The program looked into their software development practices and what standards they were using. Then program officials rewrote the Program Protection Plan, presented it to the Defense Acquisition Executive and went right through the milestone review.
Dave Bennett, Senior Executive Service officer and Vice Component Acquisition Executive at the Defense Information Systems Agency (DISA), said, “We’re no longer interested in bolting on security” after receiving a solution. Language in DISA contracts states the agency wants a product that is certifiable when it is received.
Joe Jarzombek, Director for Software Assurance in the Department of Homeland Security (DHS) National Cyber Security Division, said the “IT/Software security risk landscape is a convergence of defense in depth and defense in breadth.”
DHS focuses on the supply chain for software assurance, he said, and the department offers lots of help, such as sample contract language and pocket guides.
Risk, he reminded the audience, is different for programs and enterprises: risk management for programs is cost, schedule and performance, while for enterprises, it is regulation compliance, the business case and the changing threat environment.
The General Services Administration (GSA) also offers assistance.
Shondra Lyublanovits, director of the Security Services Division, Office of Integrated Technology Services at GSA said her office offers government solutions, access to IT products, services and strategy. What she wants in return is to know what works, and what does not.
For example, strategic solutions include green IT and cloud IT services. The office also offers advice and customized suites of software and services, and can help with such things as market research.
Papay said from the industry perspective, contracts need to be agile, and it’s important to leave room for change. Additionally, it’s important for proposal evaluators to consider that a best value solution doesn’t always mean it’s the lowest price.
While the government offers guidance and help, sometimes it’s not the regulations that need to change, but the behavior and the culture.
For example, Jarzombek said “hackers will change behavior not legislation.” Framing the need for cyber security helps executives understand the importance of information assurance and cyber security programs.