Tuesday, June 14, 2011

Navy Begins Routine Cybersecurity Inspections of 900 commands - on 36 month cycle

According to Naval Network Warfare Command's retiring commander, RADM Ned Deets, the Navy is preparing for "stem to stern" inspections in cybersecurity. This will involve a regime of inspections focused specifically on IT security.

"We've never had an inspection force (for cybersecurity). We do now—nascent, but growing. We've built an inspection plan that will eventually inspect, on a three year cycle, 900 command units across the Navy. It looks a lot like a lot of the other inspection programs we have across the Navy, like INSURV and things of that nature," RADM Deets said.

Each year every one of the 900 commands should expect to be subjected to some sort of cybersecurity inspection. 

"We'll do an administrative inspection to take a look at your program first (year). Second (year) will be unit-level training and advice and assistance to ensure that you're ready to operate in your unit, and third (year) will be a stem-to-stern inspection of everything associated with your networks and long-haul communications, physical security included. In the Navy, we expect what we inspect, and we have never inspected in this area before," RADM Deets continued.

"The network security posture is still not on a lot of commanders' daily reports, and it really needs to be," Admiral Greenert said. "The workforce awareness is pretty low on information assurance. We still need to go in and slap people's hands, because they want to plug things like thumb drives into our computers or they want to charge their iPads. We're not really complying yet with the existing security directives, and up to nine out of ten of the exploits that we've had have been known vulnerabilities. They could have been cut off."

RADM Deets said the Navy lacks the ability to oversee and defend its networks to the degree it would like to, in part, because there are so many of them. 

You can listen HERE. It's a good interview.


Anonymous said...

Good thing much of this inspection can be done virtually across the network. 900 commands in perpetual state of 3 stage cybersecurity inspection is an excellent idea whose time has come. It will take quite an inspection force to get this done. I would love to see that checklist.

NIOC Network Ops Officer said...

With NETWARCOM going away this summer, who will pick up responsibility for these inspections? Who would have this expertise? Isn't this pie in the sky? We don't even have the expertise at our commands to maintain the networks as it stands now. Where will we find the personnel to check compliance? 900 commands? You have to be kidding me. You are, aren't you?

Anonymous said...

Super to see this kind of attention focused on our networks.

Anonymous said...

This is some real job security for the Navy cyber police. Are they going to use the billets from the NNWC shutdown?

Anonymous said...

OK - Anyone who has seen the NCDOC stock command brief for the past several years has seen the same bullet set that I have recently - We have a culture problem in that in excess of 80% (I think it's bigger) of the exploited problems on our networks are known and preventable.

Increasing our inspection regime is certainly a good thing but until we start holding people (COs/DAAs/PMs) responsible for the state of the network(s) then there will be little change.

Anonymous said...

@ 3:32pm

Great point.