Thinking About Cyber Compliance in Terms of Mission Success
- Ken Larson


“NATIONAL DEFENSE MAGAZINE” By Joe Wingo
“First, prioritize compliance mandates based on risk. Next, tie compliance into operational reporting, viewing it as an ongoing initiative that is tracked over time. Finally, demonstrate how lack of compliance translates into higher operational risk.”
________________________________________________________________________________
“Cybersecurity in the federal government, and particularly in the Defense Department, is extremely complex and subject to a litany of regulations, guidelines and directives from the White House, Congress, the Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology and the department itself.
Consequently, cybersecurity leaders in the office of the secretary of defense and the military services are under increasing pressure to comply with policy directives for adopting zero trust architectures, NIST’s cybersecurity guidelines and a seemingly constant stream of executive orders.
These regulations and directives seek to achieve crucially important objectives and have been baked into the department’s strategy.
For example, in May 2024 the Defense Information Systems Agency published its latest five-year plan for 2025-2029, which included zero trust integration — a cybersecurity model that mandates strict identity authentication for every request to access an organization’s devices or data — as one of three top priorities.
In the strategy document, the Pentagon’s Chief Information Officer John Sherman said: “We are determined to get zero trust across the department by 2027.”
Another extremely important detail embedded in the strategy is the Defense Information Systems Agency’s repeated description of itself as a “combat support agency,” a point that often gets overlooked in the rush to comply with cybersecurity directives. While it is critical for agencies across the Defense Department to meet the highest cybersecurity standards, there should always be an eye to how they can protect and support the warfighter.
Merely achieving zero trust compliance in the department will not be as significant unless tied to that.
Zero trust capabilities must be aligned with military objectives. Too often, compliance in and of itself becomes the overriding objective, resulting in a bureaucratic checklist that does not directly align with the defensive posture of the warfighter. Zero trust and other cybersecurity objectives should be seen more as warfighting imperatives and less like compliance mandates.
The consequences of not viewing cybersecurity in terms of mission success and baking it into mission planning are real. Cybersecurity can be easily overlooked and underfunded. As adversaries are becoming increasingly adept at infiltrating networks and operational systems, a mindset is needed that says the mission can’t be accomplished unless cybersecurity is completely integrated into planning as an element of operational success.
Thus, Defense Department mission planners should consider taking the following steps to ensure cybersecurity compliance measures are correlated to the operational mission.
First, prioritize compliance mandates based on risk. An essential component of the planning process is recognizing which threats pose the greatest risk to the military mission and elevating those protection measures to the highest priority levels through action and remediation.
Compliance items cannot be weighted equally but must instead be measured by how successfully each item reduces operational risk across the phases of competition and conflict. Compliance requirements that don’t measurably reduce risk should be deprioritized, and those that do reduce risk should be built into operational reporting.
This process of prioritization has already begun within the department. For example, the secretary of the Air Force’s operational imperatives process looked at specific military objectives as well as the threats, vulnerabilities and risks to achieving those objectives, and then used intelligent analysis to develop prioritized funding strategies to ensure mission success. This process may serve as a good example for other Defense Department organizations.
Next, tie compliance into operational reporting. Military decision-makers don’t usually spend a lot of time reading compliance reports. They are much more interested in operational reports that focus on readiness and capabilities to achieve success on the battlefield. Consequently, points like zero trust compliance need to be integrated into those operational reports to underscore their importance to achieving the mission.
Additionally, it’s worth emphasizing that compliance is not just a one-time event but must be viewed as an ongoing initiative that is tracked over time.
Finally, demonstrate how lack of compliance translates into higher operational risk. Leadership must communicate how adversaries are now leading their offensive operations with cyberattacks to strongly convey the importance of cybersecurity as essential to operational success.
Compliance frameworks based on best practices such as the Cybersecurity Maturity Model Certification program not only enhance the security posture of military operations but may also stretch the Defense Department’s budget by avoiding potential fines and other negative impacts of cyberthreats.
Cursory scans of today’s headlines about cyberwarfare show that adversaries are ready and able to strike against our interests through cyberattacks. The country’s defense would be best served by changing the way it looks at and communicates about cybersecurity compliance to a mindset that unequivocally demonstrates that warfighting success rests on the success of cybersecurity.”
Joe Wingo is director of Defense Department business strategy at Armis.