Lessons Learned in Building and Implementing an Effective Cybersecurity Strategy
Abstract: Today's missions rely on highly integrated and complex technology that must be protected from a wide range of adversaries in a very dynamic and contested cyber environment. The predominant response to the growing, shifting cyber threat has been to apply cyber hygiene best practices and focus on satisfying compliance mandates for an authority to operate. While necessary, these steps alone are not sufficient, given the pace of technology change and the increasing abilities of our adversaries. For organizations developing or acquiring complex, software-enabled technologies, a cybersecurity strategy provides a critical set of guidelines that enable intelligent, risk-based decisions throughout the life cycle. The strategy identifies planning, design, monitoring, and enforcement considerations for integrating cybersecurity into all products, processes, and resources. As such, it defines expectations for how the individual technology components, their assembled configurations, and their interactions will meet the security requirements of a mission. Effective cybersecurity requires the application of engineering rigor to the process of defining security requirements in the context of other system imperatives. Cybersecurity engineering is a discipline focused on analyzing and managing mission and system cyber risk and trade-offs across the life cycle. Cybersecurity engineers evaluate interactions, dependencies, and system response to attacks. They identify security practices and mechanisms that need coordination across the life cycle, spanning components, people, processes, and tools. They prepare the technology to handle the operational environment where it will ultimately reside. In this paper, we introduce the purpose of a cybersecurity strategy and describe the role of cybersecurity engineering in implementing it. We identify six key cybersecurity engineering activities and share observations on how these activities can be used to address the challenges acquisition programs face as they work to improve cybersecurity under resource and time constraints.
Rights: This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.
NPS Report Number: SYM-AM-21-057
Related items (by title, author, creator and subject):
Woody, Carol; Creel, Rita (Monterey, California. Naval Postgraduate School, 2021-05-20); SYM-AM-21-220; SYM-AM-21-145. Today's missions rely on highly integrated and complex technology that must be protected from a wide range of adversaries in a very dynamic and contested cyber environment. The predominant response to the growing, shifting ...
Daponte, Aaron M.; Maguire, Gregory A.; Roldan, Calvin J. (Monterey, CA; Naval Postgraduate School, 2020-06). The Department of Defense (DOD) lacks a suitable method for identifying and managing the cybersecurity risks associated with commercial off-the-shelf (COTS) unmanned aerial system (UAS) use. With no method in place to ...
Maule, Randy William (Monterey, California. Naval Postgraduate School, 2019-04-30); SYM-AM-19-037. Current organizational structures have proven insufficient for cyber and information assurance. The acquisition role may be resourced and expanded to support information assurance and systems compliance. A supply chain ...