This unclassified version of the 2023 DoD Cyber Strategy outlines how the Department of Defense (DoD) will operate in cyberspace to protect US national interests and advance defense priorities. For most members of the Defense Industrial Base (DIB), this report may be less than interesting. However, it outlines the DoD’s efforts and requirements for protecting covered defense information. The bottom line for defense contractors is the DoD’s commitment to supporting the Cybersecurity Maturity Model Certification (CMMC) Program (NIST SP 800-171). In addition, the strategy mentions DoD cybersecurity initiatives that have been established to assist defense contractors by providing cyber threat information, assistance in monitoring their information systems, incident management, technical assistance, and other functions. As to the practical value of these programs to defense contractors, that is another matter.
It is also important to note that the DoD Cyber Strategy is not a standalone document, it is coordinated and aligned with a family of National, Defense, and preceding Cybersecurity strategies. The report mentions that it has been influenced by Russia’s invasion of Ukraine and its employment of cyberattacks in preparing for and supporting the initial invasion. It also takes into consideration the subsequent Russian cyber-campaign that is supporting follow on Russian military operations and their attempts to disrupt the Ukrainian and NATO economies.
A key point of the strategy is the need for a collaborative effort in marshaling Defense cyber capabilities with US national and our allies’ cyber resources, as the threats are a combination of nation-state and criminal enterprises. What is clear is that a single-agency response is inadequate. The quote is military resources are most effective when used with other elements of national power, “creating a deterrent greater than the sum of its parts.” What is called for is a holistic approach to deter and defend against cyberattacks. What is implied in this unclassified version is this defense is augmented by an offensive capability as outlined in phrases such as “defending forward,” “hunt forward,” or in general terms the projection of defense.
This cyber defense is focused on four strategic priorities they are to defend against the multi-domain threat posed by the People’s Republic of China (PRC); deter strategic attacks against the US, its allies, and partners; deter and prevail in conflicts with the priority the PRC in the Indo-Pacific, and Russia in Europe; finally, to build a resilient Joint Force and defense ecosystem. The strategy to achieve these priorities is multi-dimensional and collaborative, it is outlined in the following four focus areas.
The first is to generate insights about cyber threats. The goal is to identify and engage these threats early in cyberspace and to have plans and strategies to reduce these threats in place. Disrupt and degrade malicious Cyber Actors is another defend forward strategy one that is focused on disrupting the threat by degrading their support infrastructures. This activity is in concert with supporting Federal agencies, departments, and allies. Enable the defense of US Critical Infrastructure; for the most part, the DoD is prohibited from engaging in civil matters. As required, it would be in a supporting role to support the Federal agencies, local governments, or commercial entities in ensuring the continuity of operations for critical infrastructure. Protect
the DIB; in this case, the DoD serves as the Sector Risk Management Agency for the DIB. In doing so, it has set compliance standards for safeguarding covered defense information; “toward this end, the Department will continue implementation of the Cybersecurity Maturity Model Certification Program, which requires companies to certify compliance with information security standards in order to receive certain priority contracts.” It has also leveraged public-private partnerships and collaborative efforts with other Agencies to establish programs designed to assist and protect the defense contractors that are the DIB. This includes cyber threat information, incident management, technical assistance, and other functions as mentioned above.
The DoD cyber strategy is focused on supporting the Joint Forces in their campaigns and contingencies from below the level of armed conflict, to armed conflict. These efforts include supporting advanced Joint Force Operations with offensive and defensive capabilities across the spectrum of conflict. The defense of the DoD Information Network (DODIN). Here, the strategy outlines the requirements to support the network in regard to cyber defense, inter-agency collaboration, and the use of technology to defend the network. Another requirement is to build cyber resilience in the Joint Force and to ensure its ability to operate in a contested cyberspace. Key to these efforts is the integration of cyberspace operations in Joint Forces campaigns and contingency plans throughout the operational spectrum. The strategy sets cyber defense and offense as essential elements in support of Joint Force operations.
The DoD cyber strategy approach is like system security. System security in this context is not an IT effort, nor a cybersecurity function; successful system security is a holistic effort involving all aspects of the organization. So are strategic cyber-operations, they too are not a standalone activity; they are a collaborative effort that requires the support of other Federal departments and US allies and partners. The strategy outlines the need to establish and promote successful information sharing and cyber operations best practices with other Federal agencies and US allies and partners. The strategy includes the development of a cyber workforce with a focus on cyber skills training and awareness across the DoD to include the DIB.
The takeaway for defense contractors is the fact the support of the DIB is one of the four DoD strategic focus areas. Another is that the requirement for compliance with the CMMC framework is not on hold and is not going away. The second point is that the DoD is providing tools and access to resources to support the cybersecurity of the DIB. Moving forward, the best advice is to start working toward compliance and recognize the effort to meet CMMC compliance is not trivial. Second, consider the cybersecurity tool sets by the National Security Agency and others. Though implementing these tools is also not a trivial task.