DoD Streamlines Cybersecurity with New Reciprocity Guidance

The US Department of Defense has released new cybersecurity guidance to resolve slow and duplicative processes, enforcing "reciprocity" by default to reduce time and costs. The guidance aims to streamline cybersecurity practices, accelerate innovation, and better respond to emerging threats.

Bijay Laxmi

The US Department of Defense (DoD) has released new cybersecurity guidance aimed at resolving slow and duplicative processes that hinder technology and software innovation. The plan, announced by Chief Information Officer John Sherman at the GEOINT Symposium in Orlando, Florida, revolves around enforcing the concept of "reciprocity."

The new guidance, signed by Deputy Defense Secretary Kathleen Hicks, directs reciprocity by default within the DoD. This means that if one office certifies a system as cyber secure, all offices can accept it without having to redo the certification process. The move aims to reduce time and costs associated with Authority to Operate (ATO) procedures, which have been criticized for being slow, bureaucratic, and redundant.

Why this matters: This new guidance has the potential to significantly impact the efficiency and effectiveness of the DoD's cybersecurity practices, ultimately enhancing national security. By streamlining these processes, the DoD can accelerate the adoption of innovative technologies and better respond to emerging cyber threats.

Sherman stated that the initiative will "dynamite through" the current process, ensuring that officials don't have to "check each other's homework over and over again" unless there are "bona fide reasons" to perform rechecks. "Immediately after I get done talking, we're about to publish new guidance the Deputy Secretary signed out that is going to direct reciprocity by default within the Department of Defense," Sherman announced.

The new guidance is expected to save time and money by allowing federal entities to reuse other organizations' internal and external findings, reducing costs in investments from approving IT systems that operate on various networks. "We've heard you loud and clear on this within the DoD. I'm not going to say this is going to solve every bit of it, but it's going to help us a bit," Sherman added.

Sherman emphasized that the process can be more complicated and might require another step, which his office is prepared to assist with. The guidance, formally titled "Resolving Risk Management Framework and Cybersecurity Reciprocity Issues," states that the DoD implements the Risk Management Framework (RMF) to guide how it builds, fields, and maintains cyber secure and survivable capabilities.

The CIO plans to provide similar direction for the breadth of the intelligence community, with Sherman noting that this will be the "next hill to climb" due to different classifications and where bodies of evidence are kept. "This is coming from the deputy secretary on down that reciprocity should be a default. It should be the first choice as opposed to having to redo all the due diligence again," Sherman stressed.

The new DoD memorandum on cybersecurity reciprocity comes as the Biden administration pursues a broader effort to hold the software industry accountable for insecure software. The goal is to shift the security burden from technology users to the companies that build it, creating incentives for long-term investment in cybersecurity and resilience.

The DoD's new cybersecurity reciprocity guidance represents a significant step forward in streamlining processes and reducing redundancies. By enforcing reciprocity by default, the DoD aims to save time and costs while enabling faster innovation and deployment of secure technologies. As the initiative expands to the intelligence community, it has the potential to transform cybersecurity practices across the federal government.