An effective cybersecurity posture is achieved when there is confidence that information and information systems are protected against attacks. This is done through the application of security services in such areas as availability, integrity, authentication, confidentiality, and non-repudiation. Since technical mitigations have no value without trained people to use them and operational procedures to guide their application, it is paramount that, in implementing an effective and enduring cybersecurity framework, organizations achieve a synergistic balance among all three facets of a Defense in Depth strategy: people, operations, and technology. Within the Department of Defense (DOD), Cybersecurity Service Providers (CSSPs) are a unique component of the DOD's Defense in Depth strategy.
A CSSP is an organization that provides one or more cybersecurity services to implement and protect the Department of Defense Information Network (DODIN). Cybersecurity services include capabilities in four main categories:
- Protect: this includes vulnerability analysis and assessment, red teaming, virus protection, subscriber protection and training, information operations condition implementation, and IA vulnerability management;
- Monitor, Detect, Analyze and Diagnose: this includes network security monitoring and intrusion detection; attack sensing, warning, and indications; and situational awareness;
- Respond: this includes containment, eradication, recovery, and incident reporting;
- Sustain Capability: this includes memoranda of understanding and contracts; policies and procedures; cyber technology development, evaluation, and implementation; personnel levels and training/certification; security administration; and the primary information systems that support the CSSP.
Within the Department of Defense, there are 23 approved (certified and accredited) CSSPs authorized to provision cybersecurity services to DOD organizations in accordance with DOD Instruction (DODI) 8530.01, Cybersecurity Activities Support to DOD Information Network Operations, and the Evaluator Scoring Metrics (ESM), DOD Cybersecurity Services.
As defined in DOD O-8530.1-M, DOD Computer Network Defense Service Provider Certification and Accreditation Process, General Service (GENSER) CSSPs (which provision cybersecurity services to unclassified networks) and Special Enclave (SE) CSSPs (which provision cybersecurity services to classified networks) use the ESM to provision and conduct self-assessments of their provisioned services. The ESM contains the criteria against which GENSER and SE evaluations are conducted. ESM metrics are built from the required cybersecurity functions of DODI 8530.01 and include requirements from other DOD and Federal documents that govern cybersecurity operations in DOD.