A new cyber assessment program, known as a Command Cyber Operational Readiness Inspection (CCORI), focuses on providing combatant commands and federal agencies with a greater understanding of the operational risk their missions face because of their cybersecurity posture.
The CCORI model is a modification of the well-known Command Cyber Readiness Inspection (CCRI), which focuses on evaluating an organization’s compliance with DOD security orders and directives, and assessing network vulnerabilities, physical and traditional security, and user education and awareness.
CCORI’s seek to provide a more threat-focused, mission-based assessment.
“Commanders at sites where CCORIs are held will be able to understand that being ‘compliant’ does not necessarily mean their site is ‘secure,’” said Jimaye Sones, director of the DOD Information Networks (DODIN) readiness and security inspections directorate, which is aligned within the Defense Information Systems Agency and conducts assessments under the authority of the Joint Force Headquarters-DODIN and Cyber Command. “Also, they will understand what impact the vulnerabilities found in a traditional CCRI have, in terms of the threat to their mission, if an adversary takes advantage of the vulnerabilities.”
CCORIs will also provide the mission owner and the Joint Force Headquarters-DODIN commander a greater understanding of the level of risk to the DODIN.
CCORIs analyze three levels of effort to review operational risk: mission, threat, and vulnerabilities. Mission analysis is phased in to the four phases of the operations order: site selection, scoping/pre-inspection, inspection, and post-inspection.
“Once a site is selected, the team scopes the assessment based on the unit’s mission. A threat element simulates a contested work environment using specific software tools across internal and external attack vectors of the network, while also conducting a standard, compliance-based CCRI against the highest priority vulnerabilities. In the end, an ‘operational risk’ maturity model is determined by a National Institute of Science and Technology Cybersecurity Framework maturity level,” said Sones.
The CCORI inspection model supports the DOD Cybersecurity Culture and Compliance Initiative and the subsequent resource management decision to enable military service cyber components and federal agencies with DODIN inspection teams.
From April 2016 through February 2017, DISA led three pilots to develop and test new processes using the CCORI methodology, leading to further refinement and maturation of operational assessment processes.
The first full CCORI was conducted in October 2016 and subsequent CCORIs were conducted in January and February.
While DISA moves forward with the CCORIs, the agency will continue planning traditional CCRIs, as well as cybersecurity service provider and public key infrastructure audits at other DODIN sites.
“All of the federal agencies and combatant commands operating on the DODIN will benefit from this program aimed at providing mission assurance,” said Sones.