The Department of the Navy is shifting its IT development priorities toward cyber readiness and DevSecOps as it prepares to more fully implement zero trust.
The Navy is currently working on recommendations for instituting Continuous Authorization To Operate (cATO) procedures, which are needed to streamline development cycles while safeguarding network security.
Tony Plater, CISO at the Navy, said being cyber ready is the service's top priority. Plater described the ultimate goal as a more responsive and iterative approach to security.
“The right to operate is earned and managed every day because we need to be looking at cybersecurity every day. Including how our shift to cyber ready is going to shift us to an active cyber ready state, how it’s going to enable acquisition speed and how it’s going to better defend our information,” Plater said during Federal News Network’s The Connection Between Zero Trust and DevSecOps webinar.
Today the Navy treats cybersecurity largely as a compliance problem: it has defined cybersecurity requirements and audits to evaluate those processes. Internal review, however, has shown that the Navy's current compliance model is not delivering the cybersecurity posture the service needs.
“The Navy needs to fundamentally shift our cybersecurity from a compliance approach to an active cyber ready state,” Plater said. “Cybersecurity needs to be an enabler and it can’t be seen as a check at the end or as a barrier. We also think this active cyber state will help us better defend our information.”
Plater outlined that in order to be cyber ready, the Navy should follow key principles such as measuring cybersecurity more holistically through a risk and readiness framework that stays ahead of an evolving threat landscape.
“It’s not just patching and trying to keep up with every cyber vulnerability. It means understanding what the risks are, where the threat is, prioritize and then go at it,” Plater said.
Two other key factors that will support cyber readiness include accelerating the authorization process while avoiding risk, and fostering a culture of change needed to incorporate these new operating principles.
Plater stated that the Navy plans to launch the first of these new cybersecurity pilot programs within the next 60 to 90 days.
“We will release a strategic intent memo which will outline our expectations for the services. Following that, those pilots will be used to help us guide actual policy. We will continue to work closely with DOD to share what we’re learning and then distribute that knowledge where it makes sense across the department,” Plater said.
According to Plater, guidance will soon be coming from the Navy and Marine Corps CISOs on how to make better and more comprehensive use of DevSecOps.
“The Navy has launched a new platform called Black Pearl. We have teams that meet on a weekly basis who are working to establish the guidance, policy and processes it takes to certify pipelines that will produce securely coded products,” Plater said.
“By putting all this code through a DevSecOps process we can understand how the software is developed, the pipeline is developed and establish the correct security posture,” Plater added.
During the event Plater also gave an update on the Navy’s zero trust journey.
“We’re conducting gap analysis. Identifying routes to and from authorized users, looking at maturity within each pillar and formulating internal roadmaps to prioritize risks that are found,” Plater said. “We will continue to emphasize that you should not automatically trust traffic inside the perimeter and to authenticate, validate and verify every request.”