The Navy published its first ever cyber strategy this month, arguing cyber and information warfare must be embraced as “core competencies for the naval services and recognizing their utility in maritime contexts.”
The strategy document identifies seven lines of effort (LOE) the Department of the Navy (DoN) expects to undertake to enhance its cyber posture: improve and support the cyber workforce; shift from compliance to cyber readiness; defend enterprise IT, data and networks; secure defense critical infrastructure and weapons systems; conduct and facilitate cyber operations; partner to secure the defense industrial base (DIB); and foster cooperation and collaboration.
The document said these LOEs will keep the strategy in line to support the Department of Defense Cyber Strategy and adhere to tenets of the 2020 DoN Information Superiority Vision and 2022 DoN Cyberspace Superiority Vision.
The report said the Navy will keep the USV and CSV tenets as north stars to guide cyber activities. The ISV called on the DoN to modernize its infrastructure, innovate and deploy new capabilities while defending its information and the CSV called on the Navy to secure systems, survive adversary cyberattacks via resiliency and strike an adversary in cyberspace when required.
Secretary of the Navy Carlos Del Toro directed the Navy Department’s Principal Cyber Adviser Chris Cleary and Chief Information Officer Jane Rathburn to draft this comprehensive cyber strategy.
In his foreword to the report, Del Toro said this effort aimed to ensure the Navy’s cyber posture “positions the naval services for success during competition, crisis, and conflict.”
Under the LOE section explaining how the Navy plans to shift from compliance to cyber readiness, it noted that for new systems, the department aims to integrate cybersecurity into the earliest stages of development via “design and systems engineering processes that make cybersecurity an integrated element of acquisition instead of a separate effort. Cybersecurity testing and validation will become an integral part of the software development process through Development, Security, and Operations (DevSecOps).”
The report said program managers will be directed to coordinate with their resource sponsors and operational community to use this new “Cyber Ready” approach to deliver secure solutions that remain secure over a system’s lifecycle.
The Navy also seeks to apply as much of this Cyber Ready approach to legacy and joint systems as possible, “which will help them meet policy requirements to reduce cyber risk over the system lifecycle.”
The report defined Cyber Ready as a strategic DoN initiative to improve cyber defenses by pivoting from the compliance mindset to a “dynamic model” based on a philosophy of readiness, where the right to operate is earned and managed daily.
The report also said it plans to incorporate strong cybersecurity language into contracts as part of the LOE to help secure the defense industrial base.
“The DON will team with acquisition stakeholders to ensure DIB cybersecurity contracts require statements of work containing the enhanced security controls language necessary to ensure robust cybersecurity practices.”