Following a nine-month pilot effort, the Pentagon today officially launched a new model for measuring the cyber readiness of its main network defense command — marking a shift from compliance to operational readiness.
The Joint Force Headquarters-Department of Defense Information Network (JFHQ-DoDIN) established the Cyber Operational Readiness Assessment (CORA) program, previously known as the Command Cyber Readiness Inspection program.
The transition converts a compliance-inspection program into an operational readiness program that underpins mission assurance.
“CORA is a vital aspect of continually understanding our cyber readiness through fusing many risk factors including access control, detecting anomalies, adjusting to adversary threat information, and executing cyber orders,” Lt. Gen. Robert Skinner, commander of JFHQ-DoDIN, said in a press release.
The new processes are intended to strengthen the posture and resiliency of the DoDIN by supporting the network’s areas-of-operation commanders and directors as they harden their information systems, reduce the attack surface of their cyber terrain, and build a more proactive defense.
“CORA represents a consolidated look at threat, vulnerability, and impact designed to give [DODIN areas of operation] commanders and directors relevant information for making decisions about cyber terrain, forces, and other resources,” said John Porter, acting director of JFHQ-DODIN’s DODIN Readiness and Security Inspections directorate.
According to Porter, the CORA team developed key indicators of risk to ensure alignment with JFHQ-DODIN cybersecurity priorities and to direct focus onto the most critical areas of remediation.
“These metrics will allow organizations to focus their mitigation efforts on risk and exposure to common adversarial tactics, techniques, and procedures,” he said.
In addition to the key indicators of risk, CORA is also hyper-focused on securing network perimeter devices, public and DoD-facing assets servicing the public or external DoD components, and any information systems with a direct interface to an external information system.
According to the department, the new CORA model is a more agile process that encourages and enables adjustments to be made in stride. The assessment can be updated as new orders, policies, or directives are issued; new technologies can be added to the assessment when Security Technical Implementation Guides exist for them; and key risk indicators can be adjusted as the threat landscape changes.
“Ultimately, the assessment provides commanders and directors a more precise understanding of their high-priority cyber terrain and their overall cyber security and defensive posture enabling greater command and control and enhancing decision making,” Skinner said.