Operational risk is focus of DISA's cyber assessment program

FORT MEADE, Md. - Defense Information Systems Agency (DISA) officials launched a cyber assessment program called Command Cyber Operational Readiness Inspection (CCORI), which aims to provide combatant commands and federal agencies with a greater understanding of the operational risk their missions face because of their cybersecurity posture. CCORIs seek to provide a more threat-focused, mission-based assessment.

Officials designed the model as a modification of the Command Cyber Readiness Inspection (CCRI), which focuses on evaluating an organization’s compliance with Department of Defense (DoD) security orders and directives, and on assessing network vulnerabilities, physical and traditional security, and user education and awareness.

“Commanders at sites where CCORIs are held will be able to understand that being 'compliant' does not necessarily mean their site is 'secure,’” explains Jimaye Sones, director of the DoD Information Networks (DODIN) readiness and security inspections directorate, which is aligned within the Defense Information Systems Agency and conducts assessments under the authority of the Joint Force Headquarters-DODIN and Cyber Command. “Also, they will understand what impact the vulnerabilities found in a traditional CCRI have, in terms of the risk to their mission, if an adversary takes advantage of the vulnerabilities.”

CCORIs will also provide the mission owner and the Joint Force Headquarters-DODIN commander a greater understanding of the level of risk to the DODIN.

CCORIs analyze three levels of effort to review:

  • Mission
  • Threat
  • Vulnerabilities

Mission analysis is phased into the four phases of the operations order:

  • Site selection
  • Scoping/pre-inspection
  • Inspection
  • Post-inspection

“Once a site is selected, the team scopes the assessment based on the unit’s mission. A threat element simulates a contested work environment using specific software tools across internal and external attack vectors of the network, while also conducting a standard, compliance-based CCRI against the highest priority vulnerabilities. In the end, an ‘operational risk’ maturity model is determined by a National Institute of Science and Technology Framework maturity level,” Sones says.

The CCORI inspection model supports the DoD Cybersecurity Culture and Compliance Initiative and the subsequent resource management decision to enable military service cyber components and federal agencies with DODIN inspection teams.

DISA led three pilots to develop and test new processes using the CCORI methodology from April 2016 through February 2017. These efforts are leading to further refinement and maturation of operational assessment processes. The first full CCORI was conducted in October 2016 and subsequent CCORIs were conducted in January and February.

While DISA moves forward with the CCORIs, the agency will continue planning traditional CCRIs, as well as cybersecurity service provider and public key infrastructure audits at other DODIN sites.
