Lockheed Martin [LMT] on Tuesday released a new model for evaluating cyber resiliency of weapon systems and establishing mitigation plans for improving the digital security of legacy systems and new programs.
The company’s Cyber Resiliency Level (CRL) model encompasses a scale for identifying a platform’s vulnerabilities based on experiences across its weapons programs as well as a database for metrics and requirements that will be made available to military customers.
“This is the first model I’ve seen that’s directly focused on the cyber resiliency of defense systems, mission systems, weapon systems and training systems,” Jim Keffer, director of cyber affairs for Lockheed Martin government affairs, told reporters. “There’s an urgency behind this, that’s why we’ve decided to release it as soon as we felt an initial copy was ready to go out. It’s a living model so it will keep being developed and refined and improved over time as we learn things and threats and technology changes.”
Keffer said the Pentagon’s increasing emphasis on cyber resiliency requirements in new programs and a recent GAO report highlighting a slew of digital vulnerabilities in legacy systems pushed Lockheed Martin to develop the assessment model.
“As we decided to release this model, there were internal deliberations. Everyone said we need to get this model out. We don’t want to keep it internally and just use it for us, because it’s got so much more benefit to the entire defense industrial base and to our customers,” Keffer said. “This model is designed for development, from baking in requirements, all the way through until the system goes to the boneyard.”
Dawn Beyer, Lockheed Martin’s leader developer for CRL, told reporters the company plans to run CRL on 10 pilot programs before the end of the year, adding that the version released Tuesday is the third iteration of the model since it began last October.
“We want to be able to provide the stakeholders with an understanding of cyber investments necessary for increased cyber resiliency, and to enable the stakeholders the ability to prioritize and select solutions for their maximum effect against cyber attacks,” Beyer saud,
The CRL scale cover four levels of cyber resiliency and six categories of measurement; visibility, cyber hygiene, requirements, test and evaluation, architecture and information sharing.
Beyer noted that the CRL model, and its metrics database and guidebook, could help give Lockheed Martin a leg up in sustainment contracts for legacy systems facing persistent cyber vulnerabilities.
“A big part of what makes this model successful, as well, is this workbook of metrics that we have now. These are metrics that are used across the information systems,” Beyer said.