Since its establishment in 2001, the Department of Defense (DOD) Cybersecurity Service Provider (CSSP) Program has progressively and systematically matured to become one of the most critical components of the Department's Defense-in-Depth strategy. Today, 24 DOD CSSPs are responsible for provisioning 24x7x365 cybersecurity services (e.g., protect, detect, respond, and sustain) to implement and protect DOD information networks; a task that many consider daunting and ambitious, since the DOD's cyber landscape extends globally to more than 145 countries, 15,000 classified and unclassified networks, and 7.5 million computers and Information Technology (IT) devices worldwide.
As stated in DOD Instruction (DODI) 8530.01, Cybersecurity Activities Support to DOD Information Network (DODIN) Operations, and more recently in the DOD Chief Information Officer's (CIO) Memorandum, Department of Defense Cybersecurity Service Provider Requirement, all DOD IT must be aligned to and receive cybersecurity services from an authorized CSSP. Alignment of all subscribers, however, is considered by those closer to the program to be an unfeasible objective, at least at this point in time. Basic math implies that each of the 24 authorized DOD CSSPs may need to provision cybersecurity services to thousands of IT systems, networks, and devices worldwide to meet the above-mentioned requirement (this does not take into account the capability and capacity of the CSSP to provision the required cybersecurity services, nor the complexity and criticality of the technical and operational threat environment of the subscribers it services). Further, the wide and deep attack surface of the DOD's cyber terrain is further complicated by the volume[1], variety[2], veracity[3], and velocity[4] of data generated by a myriad of IT and cybersecurity tools. Traditionally, managing vulnerabilities, incidents, and events requires legions of CSSP personnel to comb through huge amounts of data to connect the dots and find latent threats. While top-performing DOD CSSPs may be properly organized, trained, equipped, and prepared to provision advanced functions and tailored services based on each subscriber's operational threat environment, mission requirements, and operational priorities, increasing an already large number of subscribers could force most DOD CSSPs to offer new subscribers only the basic, mandated, regulatory services, or even worse, to offer partial services, less comprehensive services, or no services at all.
To further challenge an already intricate mission, every three years DOD CSSPs undergo a rigorous formal evaluation using the DOD Cybersecurity Services: Evaluator Scoring Metrics, or ESM. The ESM contains the criteria by which all DOD cybersecurity services are provided and CSSP evaluations are conducted. The criteria are built from CSSP stakeholders' coordinated metrics, the required cybersecurity functions of DODI 8530.01, and requirements from other Executive, National, Federal, and DOD artifacts that govern cybersecurity operations in the DOD.
While the enactment of ESM version 9 introduced a more comprehensive maturity model and metrics designed to enhance the provision of cybersecurity services, the framework has proven challenging for most DOD CSSPs, which, several years after its publication, are still struggling to adequately follow the ESM criteria to improve the maturity of their service delivery levels. Simply put, most DOD CSSPs have found it difficult to fully embrace the evaluation battle rhythm outlined in the ESM and the rigorous authorization process, which includes examination of artifacts (e.g., review of policies, procedures, tools, capabilities, and other evidence of service activity); interviews of key CSSP personnel; technical (e.g., tools) and operational demonstrations; and performance measurements of key cybersecurity workforce and functions. The practice has compelled many CSSPs to surge resources to prepare for mandated evaluation cycles in order to meet ESM evaluation requirements. In point of fact, some under-resourced, under-manned, and under-funded CSSPs are simply never able to fully recover and get out of evaluation mode, and find themselves continually responding to previous evaluation results and providing updated supporting artifacts.
Effective functioning of the DOD CSSP mission requires 24x7x365 focus on subscribers' cyber terrain, which leaves little time for ongoing improvement. When paired with a high OPTEMPO, a resource-limited CSSP is left with little to no time to review and integrate lessons learned to continually drive operational improvement, or to cooperate outside its own organization to help shape a joint and integrated cyber mission space through collaboration with DOD and non-DOD organizations.
At this time, what senior DOD CSSP cyber executives need to be aware of is that, in most situations, extensive evaluation preparation efforts require DOD CSSPs to pull resources from normal day-to-day operations over an extended period of time, which in turn burdens, taxes, or handicaps their missions and their CSSP's overall ability to adequately protect and defend their subscribers' cyber terrain. Since preparation for triennial CSSP evaluations is frequently handled through surge resources (e.g., spending the last six months prior to an evaluation updating doctrine, developing briefs, documenting evidence, and selecting demonstrations for auditors), the product of that preparation and the results of the evaluation often do not accurately reflect actual operations, and may provide leadership with a false sense of cybersecurity and operational maturity, which limits informed and actionable risk management decisions.
Recommended Improvements to Increase DOD CSSPs Operational Readiness and Performance
Establish a CSSP-Wide Risk Scoring Methodology
At present, DOD CSSPs utilize various and disparate cyber risk scoring methodologies to calculate the threats, vulnerabilities, risks, and impact levels of the subscriber systems and networks they protect, monitor, and defend. At the CSSP Program level, these disparities in cyber risk methodologies have limited the Department's ability to consistently, promptly, and globally manage threats, vulnerabilities, risks, and impacts. More significantly, current methods have promoted non-comparable approaches to aggregating, analyzing, and sharing cyber data and information, which does not support a DOD-wide cyber risk decision-making process.
To maximize the value of DOD CSSP alignment to subscribers, the DOD CSSP Program needs to formalize a common language and methodology standards for scoring cyber risk. This newly developed risk scoring methodology will need to be institutionalized at all twenty-four DOD CSSPs to: standardize how DOD CSSPs make remediation decisions at network speed; prioritize and mitigate the worst cyber problems first; manage the organizational attack surfaces they protect and monitor; maintain acceptable levels of cyber risk; maintain accurate, timely, relevant, complete, understood, and trusted situational awareness; make informed and actionable cyber risk decisions; and evaluate and compare the cybersecurity postures of subscribers.
Equally important, the new metrics, measures, and analytics used to develop the risk scoring models need to align and feed the JFHQ-DODIN Risk Assessment Methodology.
Establish a CSSP-Wide Workforce Calculation Methodology
The CSSP Program could be significantly improved through the joint development of a standard methodology to help DOD CSSPs determine the minimum baseline number of personnel needed to execute their missions. Currently, for example, a simple question to CSSP executives such as "what kind of CSSP defenders, and how many, does your CSSP need to support its current subscribers?" could potentially draw blank stares and silence or, even worse, twenty-four different answers, one from each of the authorized DOD CSSPs.
Today, aspects associated with CSSP workforce calculation are usually examined separately and independently by each DOD CSSP. There have been no direct efforts to methodically and synergistically identify, integrate, and jointly develop a common DoD-CSSP-wide Workforce Calculation Methodology to help baseline the minimum number of CSSP defenders needed to support
As DOD Components and CSSPs move to comply with the DOD CIO's CSSP alignment requirements (non-compliance could result in networks, applications, data, and services being disconnected from the DODIN), it is critical to ensure that controls are also in place to certify that DOD CSSPs have the workforce capacity, skills, experience, and expertise to offer adequate services to new subscribers. Otherwise, the changing subscriber requirements placed on each DOD CSSP could hinder our joint ability to operate in a contested cyber environment.
What elements should be considered to help dictate the number of CSSP personnel needed to execute the CSSP mission? Some of these variables may include (not all inclusive): the cybersecurity services to be provisioned to subscribers; the need for more mature cybersecurity service levels not currently provided by the CSSP; the need for CSSPs to add new cybersecurity tools and mechanisms; a large increase in the total number of subscribers; the addition of new types of subscribers (e.g., cloud computing environments, cleared defense contractors, mission partner systems, Industrial Control Systems, weapon systems, Defense Research and Engineering Networks, etc.); a change in the technology coverage used by subscribers; the need to cover systems and networks at higher classification levels (e.g., JWICS, SAP/SAR); etc.
Establish a CSSP-Wide Continuous Improvement Program (CIP) Model
The historical knowledge of DOD CSSP Certifying Authorities (CAs) and Program Managers (PMs) for both GENSER and SE CSSPs should ultimately be leveraged to formalize a process to continuously assess and improve the provision of DOD CSSP cybersecurity services.
The ESM provides clear and concise requirements, specifications, and guidelines to consistently and accurately ensure the provision of cybersecurity services. Because DOD CSSPs adhere to its metrics differently, DOD CSSP CAs and PMs should leverage the knowledge and lessons learned from spearheading GENSER and SE CSSP assessments of all 24 authorized CSSPs to baseline a CSSP CIP (to be given to all twenty-four DOD CSSPs to tailor) that includes a strategic roadmap for the successful operationalization and standardization of a DOD-wide CSSP CIP.
Given that DOD CSSP CAs and PMs have first-hand experience managing the evaluation process of all DOD GENSER and SE CSSPs, they are clearly best positioned to help the Department baseline a DOD CSSP-wide CIP that promotes ongoing improvement of provisioned cybersecurity services and their supporting processes (i.e., compliance, performance, and effectiveness).
The cybersecurity services provisioned externally to DOD Component subscribers, as mandated by current policy, could be complemented with internal measures (e.g., daily, weekly, monthly, quarterly, and annual tasks) to persistently introduce, verify, and validate needed DOD CSSP process changes and corrective actions. The aim is to maintain the high-level objectives of protection, monitoring, detection, analysis, diagnosis, and response, adjusted to the differing attack surfaces, operational threat environments, and classification levels each CSSP supports.
A plan-do-check-act best-practice approach to quality, information security, and business continuity could help DOD CSSPs promote ongoing improvement of provisioned cybersecurity services; improve the cybersecurity tools used to service subscribers; enhance the level of satisfaction with, and conformity of, the cybersecurity services provisioned; and better manage business and mission functions to proactively recover from disruptive cyber incidents when they arise.
For almost two decades, the DOD CSSP Program has synergistically and methodically orchestrated an extraordinary effort to formalize and normalize the CSSP mission. At present, DOD CSSP doctrine provides clear and concise guidance to manage the CSSP Program; evaluate and authorize both General Services and Special Enclave DOD CSSPs; guide day-to-day operations; define, measure, and report the provision of cybersecurity services; train and certify the DOD CSSP workforce; etc. Nonetheless, the CSSP Program could be significantly improved through the joint development of a standard CSSP-Wide Risk Scoring Methodology to consistently, promptly, and globally manage threats, vulnerabilities, risks, and impacts; a CSSP-Wide Workforce Calculation Methodology to help DOD CSSPs determine the minimum baseline number of personnel needed to execute their missions; and a CSSP-Wide CIP Model to formalize a process to continuously assess and improve the provision of DOD CSSP cybersecurity services. When brought together, these artifacts will constitute the next-generation blueprint for the DOD CSSPs of the future.
About CSIOS Corporation
CSIOS is an award-winning, Maryland-based, veteran-owned and small disadvantaged business provider of cyberspace operations (defensive, offensive, and information network operations) and cybersecurity services to U.S. Federal customers worldwide.
CSIOS distinguishes itself as the only U.S. firm providing cyberspace operations and cybersecurity services certified under four International Organization for Standardization (ISO) standards: ISO 9001:2015 (Quality Management System), ISO/IEC 20000-1:2011 (Information Technology Service Management System), ISO 22301:2012 (Business Continuity Management System), and ISO/IEC 27001:2013 (Information Security Management System). The scope of the CSIOS certifications is 'Provision of Cyberspace Operations (Defensive, Offensive, and Information Network Operations) and Cybersecurity services to U.S. Federal customers worldwide.' No other cyber firm has attained this exceptional service level.
CSIOS's service delivery levels for cyberspace operations and cybersecurity services are factually reputed, first-class, and have been recognized nationwide. In 2018, CSIOS was recognized at the state level with Maryland's 2018 Cybersecurity Defender of the Year Award and at the national level by The Silicon Review Magazine as one of the 50 Most Valuable Brands of 2018. Also in 2018, the CSIOS Cyberspace Operations Team was recognized at the national level with the American Business Awards 2018 Information Technology Team of the Year Gold Stevie Award.
[1] Volume refers to the amount of data produced every second across all information system and network channels.
[2] Variety refers to the different types of data used.
[3] Veracity refers to the quality or trustworthiness of the data collected.
[4] Velocity refers to the speed at which new data is being generated, collected, and analyzed at any given time.