The new Department of the Navy Cyber Strategy, published in November, mandates a comprehensive reevaluation of the Navy’s approach to technology and cybersecurity. This inaugural version of the cyber strategy draws on the National Defense Strategy (NDS) and the Department of Defense Cyber Strategy as key precedents, setting the stage for a more resilient and agile cyber posture for the DON. According to an article from the Armed Forces Communications and Electronics Association, this strategy outlines seven lines of effort (LoEs) designed to fortify the Navy’s cyber capabilities.
Asked about the strategy, Secretary of the Navy Carlos Del Toro stated, “We are focused on aggressively enhancing our cyber enterprise while fostering cooperation and collaboration with our allies and partners.”
Among these efforts, shifting from compliance to cyber readiness has garnered significant attention from industry experts. This shift represents a move away from the traditional compliance-based frameworks that have dominated the DoD for so long. While well intended, such frameworks often result in a checkbox mentality. Instead, the Navy is adopting a dynamic, readiness-focused strategy.
“We have to be ready for anything at a moment’s notice and the whole idea of compliance checklists can actually create an insecure system for the Navy,” noted Joel Krooswyk, Federal Chief Technology Officer at GitLab. This sentiment underscores the urgency and necessity of adopting a more proactive approach to cybersecurity.
The strategy also pushes for integrating cybersecurity into the earliest stages of system development. “For new systems, the DON will integrate cybersecurity into the earliest stages of development through design and systems engineering processes that make cybersecurity an integrated element of acquisition instead of a separate effort,” states the document. This approach ensures that security is a foundational element rather than an afterthought.
To protect systems effectively, the strategy mandates the adoption of full zero trust architectures and Identity, Credential, and Access Management (ICAM). These measures are crucial for ensuring that only authenticated and authorized users can access sensitive information, thereby reducing the risk of cyber threats.
The Department of the Navy’s shift from compliance to cyber readiness marks a critical evolution in its cybersecurity strategy. By focusing on continuous risk management, enhanced cyber hygiene, and operational resilience, the Navy is better equipped to defend against sophisticated cyber threats and ensure the security of its missions. This proactive, readiness-focused approach not only strengthens the Navy’s cyber defenses but also sets a benchmark for others aiming to enhance their cybersecurity posture.
The CPM framework aligns with, and can be used to supercharge, the Navy’s shift towards cyber readiness. CPM is all about the “Get Real, Get Better” (GRGB) philosophy: it focuses on continuous monitoring and measurement and offers key visibility into systemic risk, driving the performance and maturity of cybersecurity far beyond standard RMF practices. This is accomplished by establishing baseline readiness metrics, implementing dynamic risk management, and fostering a culture of continuous improvement to proactively enhance cyber readiness.
CPM allows risks to be measured consistently by applying a normalized method of assessing operational performance against set goals. These insights are available on demand across the organization, providing the democratized situational awareness needed as part of a “cyber currency” mindset.
As the cyber threat landscape continues to advance, the Department of the Navy’s commitment to cyber readiness demonstrates a forward-thinking approach that prioritizes both security and operational effectiveness. Combined with CPM and a CPM automation solution such as CnSight®, it offers the effective, best-in-class approach needed to maintain maritime superiority.