Cybersecurity Compliance has always been a challenge for DoD programs of record, whether through the implementation of a new training system or the ongoing maintenance of a currently authorized system. Meeting the challenge of an ever-increasing threat from adversaries, combined with the rules and regulations of the DoD, makes for an extremely difficult situation that often pits government against industry when it comes to what is required and what is practical. Throw in the ever-changing nature of Cybersecurity and the industry’s relatively small pool of qualified professionals, and the problems related to Cybersecurity compliance begin to compound exponentially. Something has to give.
One of the more recent developments in the DoD Cyber realm has been the gradual shift to the Defense Information Systems Agency (DISA) Windows 10 Secure Host Baseline, otherwise known as SHB, as the DoD base standard for all systems moving forward. What SHB has ultimately done is move Cybersecurity from the tail end of a system’s development lifecycle to the very beginning and transition Cybersecurity engineering from the “bolted on” approach of the past to a truly “baked-in” solution for the future. With SHB, programs of record are required to start with a secured version of Windows from the very outset, which results in Cybersecurity being involved in every step from conception to delivery and negates the often 11th-hour hassles and complexities of Cybersecurity being the last piece of a component’s delivery schedule.
Another major change, and one of the greatest cost savings of the SHB deployment model, is that it provides the ability to automate system Cold Start procedures. This automation will remove the need for contractors and government alike to comb through thousands of manual steps, a process that more often than not lends itself to human error, causing a chain reaction of finger pointing and frustration among all parties involved. With SHB, the Cold Start deployment specifics are baked into the actual system images, making them easily tested and the results reproducible and verifiable among the different parties involved in a system’s delivery. This will transition Cybersecurity from an iterative patch-scan-repeat process to a systems engineering role and ultimately lead to greater quality deliverables at a lowered total cost. Now, will there be hurdles and lessons learned? Absolutely; however, this progressive step by the DoD is a long-overdue and welcome change that sets the stage to combat the Cyber threats of tomorrow.