Moving beyond cybersecurity compliance to risk management


The Defense Department implemented a back-to-basics cybersecurity program in 2015, establishing a cybersecurity scorecard as “a means for the Secretary of Defense to understand cybersecurity compliance at the strategic level by reporting metrics at the service tier.”

The DoD has made significant progress in establishing an improved cyber baseline, and now is planning a move to a more risk-based approach, said Ed Brindley, acting DoD deputy chief information officer for cybersecurity.

“We often refer to this as good cyber hygiene,” Brindley said.

Although the scorecard has been successful in its limited goals, it does not by itself ensure DoD’s networks and data are secure.

“It effectively shows us a level of compliance with DoD cybersecurity policies, but it doesn’t tell us about risk. If we understand the risk, that means we understand the threat level. The current scorecard doesn’t tell us that,” Brindley said.

To take the step from compliance to risk management, DoD is automating the current manual process of gathering scorecard data to enable a better understanding of the threat landscape that is closer to real time.

“Over the past two years, we…
