I am finally getting over chuckling every time I hear the word cybersecurity. The prefix cyber comes from cybernetics, Norbert Wiener's 1948 term for control and communication in machines and animals, but by the 90s it was mostly attached to words like cybersex, describing a human having intimate relations over a computer. From what I can remember there really was not a term for computer security specialists until after "hackers" started to come to light in the 80s. So how did we get to cybersecurity? I'm going to discuss one angle of it through the eyes of my current role.
The DoD was one of the first organizations to standardize computer security, with the publication of the "Rainbow Series" books (starting with the Orange Book, the Trusted Computer System Evaluation Criteria) in the mid 80s and early 90s. It later formalized its risk assessment and accreditation process under the banner of Information Assurance (IA).
IA is more of a defensive stance on computer security. It is based on implementing specific controls in order to reduce risk. And like any other government operation, it is very tedious and time consuming (think of doing your taxes, but about 10 times longer).
The general process for the legacy DITSCAP/DIACAP IA is to determine a classification for your system: under DIACAP that is a Mission Assurance Category (MAC I, II or III, based on how critical the system is to the mission) and a Confidentiality Level (Classified, Sensitive or Public). If you are interested in seeing that information it is here.
Once you have determined how you want to classify your system, you have to implement the baseline controls that go with that MAC and Confidentiality Level. The policy is in DoDD 8500.1, and the controls themselves, along with the checklist, are organized in DoDI 8500.2. IA is typically not the group that implements the controls, although this does seem to happen. IA is more of an assessment role that provides guidance to administrators and system owners on their current status. It is kind of like being a supply chain manager and assessor. It is not a glamorous job, and there is a lot of paperwork.
That process has changed a bit now, and the Risk Management Framework (RMF, adopted for DoD in the 2014 revisions of DoDI 8510.01 and DoDI 8500.01) has begun to be implemented. Different programs are at different points in the transition, but the goal is to have systems continuously monitored rather than re-accredited every few years. At this point, in the eyes of the federal government, the term IA is now Cybersecurity. And there is still a lot of paperwork.
This is just the viewpoint from where I see it, and there are a lot of details that are left out since I don’t want to put everybody to sleep.
From a real world standpoint the DoD is doing the best it can with a very large group: its suppliers, its partners and, of course, itself. There are an awful lot of moving parts to ensure that everything that should be done is actually happening.
I hope to get into some of the tools of the trade in the coming months.