The 4 prongs of DOD's cybersecurity discipline plan

The Pentagon's implementation plan looks to enforce better cyber hygiene throughout the department.

The Defense Department is taking a four-pronged approach to improving cybersecurity—and extending it further down the chain of command—as part of its Cybersecurity Discipline Implementation Plan.

The plan, which was originally issued in October, updated in February and made public this month, focuses on four key areas, or what it calls lines of effort:

Strong authentication. DOD is looking to more strictly enforce access requirements and reduce anonymity on its networks. The department has encountered problems when weak authentication practices let unauthorized users—including those posing as administrators with special privileges—into the network. This effort will focus on servers, routers and other high-value assets, as well as privileged administrator accounts.

Device hardening. By making sure devices are properly configured and are up to date with software patches, DOD can help ensure that an attacker could not get inside the network and escalate privileges. This area also covers disabling active links in emails.

Reduce the attack surface. Cutting down on the number of ways someone can get into DOD information networks would make it easier to secure the access points that remain. The plan says that commanders and supervisors must ensure that only authorized devices can gain access in order to build trust among DOD enclaves. Reducing the attack surface also is a goal of the Joint Information Environment, which is employing the Joint Regional Security Stacks to lower the number of security enclaves at more than 1,000 network access points to 50.

Alignment to cybersecurity/computer network defense service providers. Monitoring the network perimeter and standardizing the way incidents are reported would improve quick detection of and rapid response to any cyber incident.

The implementation plan aligns with another DOD program, a cybersecurity scorecard that grades DOD components’ cybersecurity practices on a monthly basis. But the implementation plan, acknowledging that human error is at the root of many security breaches, focuses on extending good cyber hygiene further down the line to users.