DOD Has a New Cyber Resiliency Assessment Program
Defense officials tout the continuous assessment feature and scalability of the new program amid increased cyber threats.
Defense Department officials say the department's new system for continuously assessing the cybersecurity posture of its network emphasizes agility and resiliency to keep pace with evolving threats and to help meet department goals for Combined Joint All Domain Command and Control (CJADC2).
Launched in March after a nine-month pilot, the Cyber Operational Readiness Assessment (CORA) program replaces the department's legacy system, the Command Cyber Readiness Inspection (CCRI) program. Officials said CCRI could not scale to the Department of Defense Information Network (DODIN), which spans more than 15,000 unclassified and classified networked and cloud environments across the combatant commands and services.
“CCRI was a great method that was very rigid. It had a rigid scoring model with rigid checklists,” Charles Wille, deputy director for readiness and security inspections at Joint Force Headquarters-Department of Defense Information Network (JFHQ-DODIN), told GovCIO Media & Research. “But this cyber domain demands agility. Things change very quickly. The adversary turns on a dime. So, we need to turn on a dime. We need to be able to change that assessment criteria not in months, but in days or weeks.”
The new system helps the department move away from a compliance-focused cybersecurity mindset and pushes commanders to assess holistically and continuously how a cyber risk will affect the mission.
JFHQ-DODIN Commander and DISA Director Lt. Gen. Robert Skinner highlighted the system in a March statement, saying “the assessment provides commanders and directors a more precise understanding of their high-priority cyber terrain and their overall cybersecurity and defensive posture enabling greater command and control and enhancing decision-making.”
JFHQ-DODIN leads DOD’s unified force approach to network operations, security and defense on behalf of CYBERCOM. Officials say the component is a key player in executing the department’s CJADC2 strategy as it looks to take on cyber threats abroad before they affect security systems at home.
Continuous Assessment Underpins Modern Cybersecurity
Nicholas DePatto, inspections branch chief at JFHQ-DODIN, told reporters in February that “technology changes so frequently, so fast, it’s hard for everyone else to keep up. A vulnerability that we are not even aware about today, right now, is probably being exploited in the wild. With the flexibility of CORA, we’re able to shift and adapt and overcome to start focusing on those unknown or newly discovered vulnerabilities for what is important to JFHQ-DODIN because of intel and threat reporting.”
One of the top priorities in the cybersecurity community right now, especially at DOD, is continuous automated assessment, DePatto told GovCIO Media & Research.
“Imagine an assessment that happens without you even knowing you’re being assessed,” he said. “Computers come in, they do everything behind the scenes, and then they report to you or your commander saying, ‘Here’s what you did. Here’s how you guys are doing,’ and it’s continuous. So, you continuously figure out where your weak points are and continuously see how to improve. And it’s not a prep, assess prep, assess.”
Unlike a point-in-time inspection such as CCRI, continuous assessment measures the network as it actually operates rather than as it was prepared for inspection day, and it yields a standing dataset rather than a snapshot.
“In order to get continuous, holistic assessments of terrain using capabilities, we need to look at our current future emerging technologies along the way,” Wille added. “Let’s say we have the capabilities we have today — are they telling us the truth? We do a CORA at places that matter, and we have this dataset that enable us to look at what we thought to be true about risk against what is true, and it allows us to fine tune those capabilities.”
How DOD’s CORA Works
CORA allows assessors to pay particular attention to commands that need oversight, rather than overcommitting resources and time to commands that don’t.
For example, assessors can examine a command and, rather than being mandated to return for an immediate follow-up, instead turn their attention to another command that might need the risk assessment more.
CORA also prioritizes mitigations drawn from MITRE ATT&CK, the knowledge base of adversary tactics and techniques used to classify and describe cyberattacks. ATT&CK is used across the private sector and government as a foundation for cybersecurity products and services.
John Porter, acting director of DODIN Readiness and Security Inspections Directorate within JFHQ-DODIN, said CORA consolidates information about threats, vulnerabilities and impact before delivering it to commanders.
“Focusing on these essential remediation points allows DOD components to concentrate limited resources and staffing on correcting high-risk areas,” Porter said in a CYBERCOM statement.
“The main thing we want to see is that people aren’t just preparing for an inspection: When we’re not there, we want them to always be in an assessment mode,” Porter told reporters in February.
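The passage above describes CORA consolidating threat, vulnerability and impact information and steering components toward "essential remediation points", with mitigations expressed in ATT&CK terms and priorities driven by intel and threat reporting. The following is an added illustration of that idea in code; it is not CORA's scoring model or any JFHQ-DODIN software. The technique and mitigation identifiers are genuine ATT&CK IDs, but the findings, asset names, threat weights and the threat x impact x exposure formula are constructed for the example.

```python
"""Prioritising assessment findings by threat, impact and exposure, then rolling
them up to the ATT&CK mitigations that retire the most risk.

Constructed illustration, not CORA's scoring model. Technique and mitigation IDs
are genuine ATT&CK identifiers; findings, assets and weights are made up.
"""
from collections import defaultdict
from dataclasses import dataclass

# Subset of real ATT&CK technique -> mitigation relationships.
ATTACK_MITIGATIONS = {
    "T1190": [("M1051", "Update Software"), ("M1016", "Vulnerability Scanning")],
    "T1078": [("M1032", "Multi-factor Authentication"), ("M1027", "Password Policies")],
    "T1021.001": [("M1035", "Limit Access to Resource Over Network"),
                  ("M1032", "Multi-factor Authentication")],
}
# Catch-all so a finding with no ATT&CK mapping is never silently dropped.
UNMAPPED = ("UNMAPPED", "No ATT&CK mitigation on file; review manually")


@dataclass(frozen=True)
class Finding:
    asset: str             # hostname (constructed)
    technique: str         # ATT&CK technique the weakness enables
    impact: int            # mission impact if the asset is compromised, 1 (low) .. 3 (high)
    internet_facing: bool  # reachable from outside the enclave


@dataclass(frozen=True)
class Mitigation:
    mitigation_id: str
    name: str
    score: int             # total finding risk this mitigation addresses
    techniques: tuple      # techniques covered, for the commander's report


# Constructed threat weighting: how heavily current threat reporting features each technique.
THREAT_WEIGHTS = {"T1190": 3, "T1078": 2, "T1021.001": 1}

# Constructed sample findings from one assessed enclave.
FINDINGS = [
    Finding("web-gw-01", "T1190", impact=3, internet_facing=True),    # unpatched public web app
    Finding("jump-02", "T1021.001", impact=2, internet_facing=False),  # RDP without MFA
    Finding("ad-dc-01", "T1078", impact=3, internet_facing=False),     # stale privileged accounts
    Finding("kiosk-07", "T1078", impact=1, internet_facing=False),     # shared local account
]


def score_finding(f: Finding, threat_weights: dict) -> int:
    """Risk = threat (from intel) x mission impact x exposure. Unknown techniques get weight 1."""
    exposure = 2 if f.internet_facing else 1
    return threat_weights.get(f.technique, 1) * f.impact * exposure


def prioritize(findings, threat_weights) -> list:
    """Roll finding risk up to mitigations so the report leads with the fix that
    retires the most risk, rather than a flat checklist of failed controls."""
    covered = defaultdict(int)
    techniques = defaultdict(set)
    names = {}
    for f in findings:
        risk = score_finding(f, threat_weights)
        for mid, name in ATTACK_MITIGATIONS.get(f.technique, [UNMAPPED]):
            covered[mid] += risk
            techniques[mid].add(f.technique)
            names[mid] = name
    # Highest covered risk first; stable tie-break on ID so reports are reproducible.
    ranked = sorted(covered, key=lambda mid: (-covered[mid], mid))
    return [Mitigation(mid, names[mid], covered[mid], tuple(sorted(techniques[mid])))
            for mid in ranked]


if __name__ == "__main__":
    for m in prioritize(FINDINGS, THREAT_WEIGHTS):
        print(f"{m.mitigation_id} {m.name:<48} risk covered={m.score:>3} "
              f"techniques={', '.join(m.techniques)}")
```

Two design points matter more than the arithmetic. First, the threat weights are an input, not a constant: changing them when threat reporting changes is what "changing the assessment criteria in days or weeks" looks like in practice. Second, ranking by mitigation rather than by finding is what turns a checklist into "essential remediation points": one control (here, multi-factor authentication) can close several findings at once, and a finding whose technique has no mitigation mapping is surfaced for manual review instead of disappearing from the report.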