The Pentagon’s nascent Cyber Operational Readiness Assessment (CORA) continues to advance in its goal to strengthen the Defense Department’s cybersecurity posture, but the road thus far has been “bumpy,” a top Pentagon tech official said.
On day two of the AFCEA International TechNet Cyber conference in Baltimore, Lt. Gen. Robert Skinner – director of the Defense Information Systems Agency, and commander of the Joint Force Headquarters-Department of Defense Information Network (JFHQ-DoDIN) – highlighted significant advancements in the new cyber readiness program while also candidly acknowledging challenges encountered along the way.
JFHQ-DoDIN established the CORA program – previously known as the Command Cyber Readiness Inspection program – in March of this year.
“It’s going amazing. Now those who are going through it may not say that” Skinner said on June 26. “We found a lot of bumps, yes. But is that unexpected? I wouldn’t say.”
CORA aims to help strengthen the posture and resiliency of the DoDIN by supporting the network’s areas of operation commanders and directors to harden their information systems, reduce the attack surface of their cyber terrain, and create a more proactive defense.
According to Skinner, ensuring that the CORA team was fully trained in assessing cyber readiness, adding new cyber assessment capabilities or key metrics, and delivering actionable results to agencies are key to the program’s mission.
“The end goal is really having continuous assessments and continuous monitoring of those critical capabilities within those critical assets to really give you a day-to-day understanding,” Skinner said.
“[And] for those who are being assessed [that] weren’t quite sure of the level of their cybersecurity posture … now they know, and the posture is already increasing across the enterprise,” he added.
But since its inception the team has faced several challenges, from training to delivery of assessments. For example, training became a challenge for the CORA team, and according to Skinner, the team had not received enough.
“This is an episodic environment right now,” Skinner said. “As you change something to focus on other things. The risk is higher, because you haven’t been looking at those things for a long time, or as detailed … And there’s an expectation that we are deep diving into these things … and trying to assess and understand.”
But the good thing, Skinner said, is that the team has used these challenges “to share with everyone. And so, they already know what the expectation is and what the standards are for, for future assessments.”
