The idea of a scorecard seems like a quaint notion, conjuring black and white photos of somebody’s grandad in a fedora, licking the pencil tip before recording the latest play at the old ballgame in his program. But scorecards still play an essential role in cybersecurity, by letting network administrators know what they know, and what they don’t. They help confirm compliance with security mandates, ensure that proper security measures are in place, and spot vulnerabilities that could be taken advantage of by hackers.
An Army team, in fact, recently received a Department of Defense Innovation, Modernization in IT Award specifically for its work in leading the service’s implementation of the DoD Cybersecurity Scorecard. The Army’s Cybersecurity Scorecard Team worked out a plan for tracking programs of record, worked with the Defense Information Systems Agency (DISA) to ensure that contracts supported security requirements, and improved compliance with the Federal Information Security Management Act (FISMA), according to an Army release.
“It is very important that the Army keeps a very close watch on all aspects of cybersecurity and how they could impact our mission,” said Maj. Gen. Garrett Yee, acting director of the Army’s Cybersecurity Directorate. “This team worked very closely together and with Army leadership to make sure we are taking action to reduce the attack surface and decrease threats to Army systems.”
DoD knows the importance of a good scorecard. The department’s Cybersecurity Discipline Implementation Plan, which feeds into the department’s overall Cyber Strategy, notes that scorecard efforts “are critical to achieving the strategic goal of Defending DoD information networks, securing DoD data, and mitigating risks to DoD missions.”
In addition to providing the visibility necessary to bolster security and ensure compliance, scorecards help organizations buy secure products and guide users in how best to apply their resources. The Army scorecard team, made up of personnel from CIO/G-6, Army Cyber Command, and Army Network Command, is also credited with improving management of user accounts. Additionally, the team aligned plans to remove unsupported legacy software, saving DoD millions of dollars annually in resources and manpower, the Army said.
DoD and the U.S. Cyber Command increased their emphasis on scorecards and the Cybersecurity Implementation Plan at the end of 2015, following a critical report by the Pentagon’s chief weapons tester, plus an increase in attacks coming from China and Russia. A report last year by the Government Accountability Office found that the Cybersecurity Scorecard had been effective in creating better oversight and a forum for taking cybersecurity issues up the ladder to the secretary of defense. GAO’s main complaint about the scorecard was that it hadn’t yet been implemented throughout DoD, and that DoD was still working on automating data collection, which would improve its reliability.
The work by the Army’s scorecard team could help lay the foundation for future improvements, including the next iteration of the system. DoD said it plans to move to a more risk-based scorecard by March 2019. Because, after all, you can’t win the game if you don’t know the score.