{"id":14770,"date":"2024-05-10T12:02:36","date_gmt":"2024-05-10T15:02:36","guid":{"rendered":"https:\/\/www.fie.undef.edu.ar\/ceptm\/?p=14770"},"modified":"2024-05-10T12:02:36","modified_gmt":"2024-05-10T15:02:36","slug":"el-pentagono-anuncia-una-nueva-guia-de-reciprocidad-para-agilizar-la-adaptacion-del-software","status":"publish","type":"post","link":"https:\/\/www.fie.undef.edu.ar\/ceptm\/?p=14770","title":{"rendered":"Pentagon announces new reciprocity guidance to streamline software adaptation"},"content":{"rendered":"<p>The Pentagon has released new cybersecurity guidance intended to resolve what Chief Information Officer John Sherman has characterized as slow, duplicative processes that hinder technology and software innovation. The plan revolves around enforcing the concept of \u201creciprocity,\u201d which essentially means that if one office certifies that a system is cyber secure, then all offices can accept it instead of having to redo the certification process.<\/p>\n<hr \/>\n<p>GEOINT \u2014 The Pentagon has rolled out new cybersecurity guidance, with the intent of resolving what Chief Information Officer <a href=\"https:\/\/breakingdefense.com\/tag\/john-sherman\/\" target=\"_blank\" rel=\"noopener\">John Sherman<\/a> has characterized as sluggish, duplicative processes that hinder technology and software innovation.<\/p>\n<p>The plan, <a href=\"https:\/\/dodcio.defense.gov\/Portals\/0\/Documents\/ResolvingRMF.pdf?ver=oqiQ5Io-gyI%3d\" target=\"_blank\" rel=\"noopener\">according to a one-pager<\/a> signed by Deputy Defense Secretary Kathleen Hicks last week and released on Wednesday, revolves around enforcing the concept of \u201creciprocity,\u201d which essentially means if one office certifies that a system is cyber secure, then all offices can accept it instead of having to redo the certification process.<\/p>\n<p>Sherman 
announced the new guidance during a keynote at the annual GEOINT symposium in Orlando, Fla., on Wednesday, telling the crowd that, \u201cImmediately after I get done talking we\u2019re about to publish new guidance the Deputy Secretary signed out that is going to direct reciprocity by default within the Department of Defense.\u201d<\/p>\n<p>Sherman explained that this move will assure \u201cthat folks don\u2019t have to check each other\u2019s homework over and over again,\u201d unless an official has \u201cbona fide reasons\u201d to perform rechecks.<\/p>\n<p>\u201cWe\u2019re gonna move to reciprocity by default and start to dynamite through this,\u201d he added.<\/p>\n<p>The move comes after a multitude of complaints from within the department and from industry heads surfaced over authority to operate (ATO) procedures. ATO procedures have been viewed as a problem because they\u2019re not just slow and bureaucratic, but they can be redundant as different organizations often each have their own Authorizing Official (AO) who has to give a piece of software an ATO before it can be implemented.<\/p>\n<p>AOs often have different criteria, so the software company going through this process has to operate a little differently each time, dragging the process down when the office next door may already have been cleared to use the same software.<\/p>\n<p>\u201cWe\u2019ve heard you loud and clear on this within the DoD. I\u2019m not going to say this is going to solve every bit of it, but it\u2019s going to help us a bit,\u201d Sherman said.<\/p>\n<p>Though Sherman made clear that this initiative is dedicated to cutting down time, he emphasized that the process can be more complicated and might require another step, which he said his office is prepared to assist with.<\/p>\n<p>\u201cThere\u2019s going to be a second major aspect of this. 
It\u2019s going to be, if an authorizing official feels like they\u2019re being hindered in some way, they can elevate it directly to my office working with our chief information security officer,\u201d Sherman said.<\/p>\n<p>In addition to saving time, reciprocity also saves money, as it lets federal entities reuse other organizations\u2019 internal and external findings, which in turn reduces costs in investments from approving IT systems that operate on various networks.<\/p>\n<p>\u201cThis is coming from the deputy secretary on down that reciprocity should be a default. It should be the first choice as opposed to having to redo all the due diligence again,\u201d Sherman told <a href=\"https:\/\/defensescoop.com\/2024\/05\/08\/pentagon-ato-guidance-address-industry-complaints\/\" target=\"_blank\" rel=\"noopener\">DefenseScoop<\/a> in an interview Wednesday.<\/p>\n<p>The guidance published Wednesday, formally titled \u201cResolving Risk Management Framework and Cybersecurity Reciprocity Issues,\u201d states that the \u201cDepartment implements the Risk Management Framework (RMF), in accordance with DoD Instruction 8510.01, to guide how we build, field, and maintain cyber secure and survivable capabilities.\u201d<\/p>\n<p>While the RMF is guidance for the Pentagon, the CIO also plans to provide similar direction for the breadth of the intelligence community, Sherman told DefenseScoop.<\/p>\n<p>\u201cThat\u2019s kind of our next hill to climb later, because of different classifications and where those bodies of evidence are kept on secret or top secret, versus unclassified databases and so on,\u201d he told the outlet.<\/p>\n<p><strong>Source:<\/strong> <a href=\"https:\/\/breakingdefense.com\/2024\/05\/pentagon-announces-new-reciprocity-guidance-to-streamline-software-adaptation\/\" target=\"_blank\" rel=\"noopener\"><em>https:\/\/breakingdefense.com<\/em><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Pentagon has released new cybersecurity guidance 
intended to resolve what Chief Information Officer John Sherman has characterized as processes&hellip; <\/p>\n","protected":false},"author":1,"featured_media":14771,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[23,28],"tags":[],"_links":{"self":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/14770"}],"collection":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14770"}],"version-history":[{"count":1,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/14770\/revisions"}],"predecessor-version":[{"id":14772,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/14770\/revisions\/14772"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/media\/14771"}],"wp:attachment":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14770"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14770"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14770"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}