At first glance, it appears that the Department of Defense (DoD) and the Intelligence Community (IC) have the same cyber security needs as other large organizations in the commercial world. While this is true to a certain extent, the business rules and requirements are significantly different.
The Federal Government, in general, and the DoD/IC are heavily scrutinized and regulated in terms of acquisition policy. The Federal Acquisition Regulations (FAR) and the applicable DoD regulations (DFAR) are comprehensive, administrative and largely bureaucratic in an attempt to protect the interests of the American taxpayer – Cyber Security Solutions have been affected by this process.
This administrative approach has had an initial negative impact on cyber security effectiveness, with state-sponsored and agile criminal groups enjoying repeated success. As a result, many DoD/IC agencies are reevaluating their cyber security requirements with a more solutions-oriented strategy.
DoD and IC requirements for an effective cyber system include:
- Best-of-breed products that are relevant to agency priorities.
- Systems engineering capability to create custom solutions that will seamlessly interface with legacy systems.
- Domain knowledge to properly identify specific requirements.
- Staff with high level security clearances to engineer, develop and maintain solutions.
A key element of any cyber security practice is the development of secure architectures through the use of robust security models coupled with intrusion detection, endpoint scanning, digital sandboxes and threat analysis tools. Special preference is given to technology with automatic operating features that can be leveraged by an experienced operator.
Since the threats are rapidly changing, continuing research is required to remain up to date on the latest technology. This effort is required to establish and maintain the most modern and secure enterprise networks.
The SANS 20 Critical Security Controls (20CSC) identifies the 20 highest-priority risk areas for cyber attacks and reviews the most effective products for each area. The list is endorsed by major intelligence agencies, the Department of Homeland Security, the Department of Defense, the Department of Energy and other key agencies.
The list is more than theoretical in that it reflects the combined cyber attack experience of multiple agencies, and it is subject to revision as priorities constantly change. However, mere inclusion on the SANS 20CSC list is not enough for acceptance by most agencies. A total solution is required that reflects the system needs and business processes for a given requirement.
Since even the best of products require a level of customization to be effective, solution providers or systems integrators are required to meet agency needs.
The best solutions provider has experience using different tools and software that block, track and mitigate advanced persistent threats. A large part of that experience lies in the use of “sandbox” technology that leverages custom rules to help prevent attacks.
In addition, the solutions provider utilizes security information and event management (SIEM) tools that scan network logs, traffic and memory to immediately detect a network breach and remediate it, thus minimizing the total network exposure and damage an intruder can cause.
Also required at the solutions level is experience with digital forensic software that scans, analyzes and tracks breaches on individual computers, mobile devices, databases and the overall network.
The most effective solutions also create and integrate enterprise-level products and modify them to meet the needs of classified environments that run behind the internal firewalls. This customization includes modifying the core software, integrating it with established legacy software and infrastructure, developing custom tools and administering the final end product.
Finally, the solutions provider has significant experience in modifying existing software applications and specialized programs, with the emphasis on maintaining the confidentiality, integrity and availability of classified information.
As with any customer solution, domain knowledge is critical to success. This is even more critical in the DoD and IC environments where high level security clearances are also required.
No matter how powerful the product or elegant the solution, prior experience with the agency infrastructure and legacy systems is required. In addition, the DoD has certain performance and certification standards for employees and contractor personnel that must be met.
Certifications and Security Clearances
Generally speaking, the Federal Government hires employees or contractors based upon a time-and-grade matrix, with more years of experience commanding higher wages or bill rates. Because the cyber security industry is new and rapidly changing, the government’s standard matrix does not always apply.
Instead, cyber security certifications are often used to evaluate employee compensation and determine whether a contractor’s service offering is acceptable. Although there are a large number of certifications and levels, the most frequently required include:
High-level security clearances (Top Secret/SCI and above) are also a requirement in the DoD/IC world, even though many other areas of defense installations do not require high-level clearances. This is because the rules of the U.S. Cyber Command are in effect and the clearance rules of the National Security Agency (NSA) apply to Cyber Command systems.
Recruiting of cleared individuals with the required certifications requires experience and a personalized recruiting effort. These individuals are difficult to find and knowledge of the security clearance recruiting market is a must.
About the Author: Jon M. Stout is Chief Executive Officer of Aspiration Software LLC (@AspirationSWLLC). Aspiration Software LLC is an Information Technology/Cyber Security services provider focused on the Intelligence Community (IC). For more information about cyber security capabilities go to http://aspirationsoftware.com
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.