A newly published Government Accountability Office (GAO) report on “Weapon Systems Cybersecurity” identified the U.S. Air Force as the only service that has issued service-wide guidance detailing how acquisition programs should define cybersecurity requirements and incorporate those requirements in contracts.
The report, which was a follow-up to a 2018 report on weapon system cybersecurity, called out the U.S. Air Force’s Cyber Resiliency Office for Weapon Systems, or CROWS. Specifically, it cited the office for having developed the System Security Engineering Cyber Guidebook to “consolidate references to different DOD and Air Force instructions and guidance into a single document and provide more detailed explanations and suggestions for implementation.”
The 40-page report, which was addressed to congressional committees, underscored how important it is that DOD plan for and implement cybersecurity protections early and often throughout a program’s lifecycle. Report authors noted that doing so is easier, less costly, and more effective than attempting to add, or bolt on, cybersecurity protections late in the development cycle once a system is fielded.
It also reminded committees that, because contractors play a pivotal role in designing and building DOD weapon systems, DOD must communicate its cybersecurity requirements in its acquisition program contracts.
“This is a significant milestone for the Air Force and our broader cyber resiliency mission,” said Joe Bradley, CROWS director. “Singling out the Air Force and CROWS approach, and noting other services could benefit from it, is a remarkable affirmation of the work our team is doing to bake cyber resiliency into new weapons systems.”
Katie Whatmore, a CROWS systems security engineering lead who oversaw the development of the guidebook, noted that the Air Force’s approach can assist in program development.
“The Air Force’s SSE Cyber Guidebook serves as a single source reference that enables program offices to address system security engineering as an integrated part of systems engineering,” she said. “By following the approach within the guidebook, programs will ensure appropriate requirements are included on contract and necessary analyses are accomplished in order to minimize cyber risks to our weapon systems.”
The CROWS team has worked across the enterprise to ensure all stakeholder organizations are in full support of its approach in creating a common starting point to reference when considering cyber resiliency best practices for their programs.