
Army Sgt. Kyle Plumley, an intel analyst for Joint Force Headquarters out of Columbus, Ohio, works three laptop computers May 16 as part of Cyber Shield 2018 at Camp Atterbury, Ind. (DVIDS)

TECHNET CYBER 2022: A top Army official said the service’s updated cyber security risk management framework will significantly change how the service attacks a glaring, decades-old weakness: bureaucracy.

Risk Management Framework 2.0 will get the service “to this notion of continuous monitoring much faster so we spend a vast majority of our time actually focusing on the security of applications, systems and networks that are in operation and not spending, where we traditionally were, about 80% of our time just getting the paperwork ready so we could get an approval to operate,” Lt. Gen. John Morrison, Army deputy chief of staff (G-6), said Tuesday at the AFCEA TechNet Cyber 2022 conference.

Implementing the new construct, which was announced earlier this year, has been a “bit of a challenge” for the service, he added. 

“Cybersecurity is not traditionally an operation and I don’t think it’s germane to the US Army. I think it’s across the joint community,” Morrison said. “And we’ve got to crush legacy information assurance processes and policies so we drive ourselves to our cybersecurity operations.”


The Army also wants to realign how the service approaches the duties of authorizing officials who provide oversight through the updated framework. To that end, the service is creating an Army Risk Management Council, which will be chaired by the Army’s G-3 and chief information officer. 

The council will make decisions on things like what risk is acceptable or whether to apply the appropriate resources — time, money or people — to buy down that risk. Morrison added that the council is currently in final staffing and should be approved “in the next month or so.”

“So if you pull the string, it’s not that we’re just blowing off bureaucracy,” Morrison said. “We are doing the right level of bureaucracy we need to do the initial assessment of risk, putting the right defensive overwatch in it by Army Cyber [Command] so that as something comes onto the network, there’s a clear handshake between the system owner and the network owner, continuous monitoring on the backside, and then when we identify risk… We now have a mechanism to adjudicate that risk at the Army level that will help us move forward much more rapidly than we have in the past.”

Meanwhile, the Army is working on its unclassified networks with the Defense Information Systems Agency on its zero-trust security and network architecture program, Thunderdome. Morrison said the service wants to “leverage the investments” made by the department in the program.


On the classified network side, Morrison said the Army is extending its infrastructure modernization efforts out into the U.S. Indo-Pacific Command region this year.

“We are also aligning a lot of our tactical applications of emerging technologies, cloud, tactical cloud, data fabrics, also to INDOPACOM [area of responsibility] because what we want to do is get plenty of reps and sets and learn by doing,” Morrison said.