US DoD unveils DIB Cybersecurity Strategy 2024 to strengthen national cyber defenses


The U.S. Department of Defense (DoD) has published its Defense Industrial Base (DIB) Cybersecurity Strategy, an actionable approach to maturing a more resilient Joint Force and defense cybersecurity ecosystem. Spanning Fiscal Years 2024 through 2027, the DoD DIB Cybersecurity Strategy 2024 provides a path forward for the Department's internal and industry-facing cybersecurity activities. The Department is working with the DIB, harnessing the expertise of industry, academic institutions, and research and development organizations, to achieve the goals and objectives of the Strategy.

The Strategy's vision, mission, goals, and objectives support the directives and priorities of the National Defense Strategy, the 2023 National Cybersecurity Strategy, the 2023 DoD Cyber Strategy, and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). In addition to the national and DoD strategies, the effort was informed by the Department's findings and response under Section 1648 of the National Defense Authorization Act (NDAA) for FY 2020 and Sections 1728 and 1737 of the NDAA for FY 2021.

By increasing the Department's emphasis on collaboration with industry partners, the Strategy's four goals and their key objectives will steer DoD's initiatives to safeguard the nation and uphold its technological superiority. The four goals are to strengthen the DoD governance structure for DIB cybersecurity, enhance the cybersecurity posture of DIB contractors, preserve the resiliency of critical DIB capabilities in a cyber-contested environment, and improve cybersecurity collaboration with DIB stakeholders.

The DoD DIB Cybersecurity Program is a public-private cybersecurity cooperative with over one thousand DIB companies participating in the voluntary program; membership is expected to increase in 2024 following a revision to the eligibility criteria.

"We have identified opportunities to bolster cybersecurity of our DIB partners, which will improve our overall cybersecurity of the US," Kathleen H. Hicks, Deputy Secretary of Defense, said in a Thursday media statement. "As our adversaries continuously seek information about U.S. capabilities, the Department, in coordination with the DIB, must remain resilient against these attacks and succeed through teamwork to defend the Nation."

The 2022 National Defense Strategy (NDS) establishes the mandate for integrated deterrence against strategic attacks on the U.S. and its allies and partners, and for building a resilient Joint Force and defense ecosystem. Under the guidance of the 2023 National Cybersecurity Strategy, the Strategy aims to use a whole-of-government approach to disrupt malicious cyber activity at scale and to fortify the cybersecurity of the DIB as increasingly capable adversaries adopt tactics to undermine U.S. national interests.

Under the 2023 DoD Cyber Strategy, the Strategy's objectives fulfill the requirement for the Department to continue leveraging public-private cooperation and supporting investment in rapid information sharing and analysis. It responds directly to the requirement to 'develop a comprehensive approach for the identification, protection, detection, response, and recovery of critical DIB elements, thereby ensuring the reliability and integrity of critical weapons systems and production nodes.'

The Strategy also aligns with the priorities of the 2024 National Defense Industrial Strategy (NDIS): expanding resources for small businesses, increasing vulnerability mitigation and supply chain resilience, and strengthening enforcement against cyber-attacks.

Additionally, it is informed by the NIST CSF, a voluntary set of standards, guidelines, and practices published by NIST in coordination with stakeholders, including private industry. DoD's Cybersecurity Reference Architecture incorporates the NIST CSF, the Joint Capability Area taxonomy, the MITRE ATT&CK framework, and the MITRE D3FEND framework to describe, and provide supporting rationale for, the capabilities that should be present in the architecture. The Department continues to lead by example by adopting the CSF and offering the DIB education on its applicability to other information environments.

Finally, CISA’s Cybersecurity Strategic Plan FY 2024 – 2026 outlines goals and objectives aligning with the DoD DIB Cybersecurity Strategy. CISA aims to drive the mitigation of exploitable vulnerabilities, improve cybersecurity capabilities, and promote the continued implementation of cybersecurity investments. 

On the goal of strengthening the DoD governance structure for DIB cybersecurity, the DoD CIO called on the DIB Cybersecurity Executive Steering Group (ESG) to develop strategies to improve the cybersecurity of the DIB. Because the Department's responsibilities concerning the DIB are distributed, the Department seeks to strengthen its internal governance structure for DIB activities.

The two objectives under this goal in the DIB Cybersecurity Strategy 2024 are strengthening interagency collaboration on cross-cutting cybersecurity issues and advancing the development of regulations governing the cybersecurity responsibilities of DIB contractors and subcontractors.

On its goal of enhancing the cybersecurity posture of the DIB, the DoD recognizes the need for some DIB contractors to further enhance their cybersecurity posture to address advanced persistent threats (APTs). “The Department also acknowledges the need to work with DIB contractors on ways to enhance protections for availability and integrity of certain systems where loss of proprietary information or DoD data is not the key driver of technology advantage, but the availability of that capability is critical to national security,” it added. 

The Strategy holds that robust cybersecurity is achieved through iterative risk assessments and mitigation of gaps in security posture, combined with facilitating DIB contractor adherence to cybersecurity regulations. A multitude of concurrent activities is required to avoid the loss or disruption of critical facilities and any associated programs or technologies.

Furthermore, the DoD will engage with the DIB by conducting gap assessments, providing training and other resources, and incorporating DIB feedback. Alongside the sharing of cybersecurity best practices and the quick adoption of evolving standards and guidelines, these efforts require continued collaboration between the Department, the DIB, and NIST, among other government and non-federal partners.

The objectives under this goal include evaluating DIB compliance with DoD’s cybersecurity requirements; improving the sharing of threat, vulnerability, and cyber-related intelligence with the DIB; identifying vulnerabilities in DIB information technology (IT) cybersecurity ecosystems; recovering from malicious cyber activity; and evaluating the effectiveness of cybersecurity regulations, policies, and requirements.

On its goal of preserving the resiliency of critical DIB capabilities in a cyber-contested environment, the DIB Cybersecurity Strategy 2024 detailed that recent global and geopolitical events have highlighted U.S. dependence on foreign and sole-source suppliers and signaled the need for increased attention to supply chain vulnerabilities and dependencies. “Close coordination with sector-specific partners in a multi-tier cybersecurity ecosystem contributes to the development of requirements and best practices and provides early warning of bottlenecks in the supply chain of any critical system,” it added. 

The objectives covered by the DIB Cybersecurity Strategy 2024 under this goal include prioritizing the cyber resiliency of critical DIB production capabilities and establishing in policy the priority focus on cybersecurity for critical suppliers and facilities.  

The last goal of the DIB Cybersecurity Strategy 2024 includes improving cybersecurity collaboration with the DIB to include pilot programs in cybersecurity, war-gaming, routine engagement with industry working groups, cybersecurity training pathways, and cross-cutting education and awareness campaigns provided by multiple federal agencies. “Given the diversity and scale of the DIB, different businesses may need or benefit from different services, support, and information such as training and education or a range of cybersecurity services. The Department will invest in further defining subsectors of the DIB and tailoring programs for these DIB subsectors,” it added. 

Ultimately, the Department, in collaboration with the DIB, seeks to ensure that the DIB is prepared to operate securely in the cyberspace domain without introducing undue costs or burdens.

The objectives prescribed under this goal include leveraging collaboration with commercial Internet, cloud, and cybersecurity service providers to enhance DIB cyber threat awareness; working with the DIB Sector Coordinating Council (SCC) to improve communication and collaboration with the DIB; and improving bidirectional communication with the DIB and expanding public-private cybersecurity collaboration.

In its conclusion, the DIB Cybersecurity Strategy 2024 identifies that its implementation requires engagement beyond the Department, and requires the Department itself to set an example of cyber resiliency. "The Department must pursue the goals outlined above as an enterprise and operate in lockstep with the whole-of-government effort to better secure cyberspace. While this is an enormous task, the Department is driving progress across multiple fronts," it added.

It also highlighted that the DIB Cybersecurity Strategy 2024 lays out the vision for the DoD “to further coordinate and execute resources in a collaborative manner with the DIB to effect change to the cybersecurity of our Nation’s most critical defense suppliers and producers. Our adversaries will not rest in their campaigns to seek information about U.S. capabilities; look for shortcuts to advanced technology; and counter, kill, or clone our warfighting capabilities.” 

The publication comes alongside the release of a final rule by the Office of the DoD Chief Information Officer that finalizes revisions to the eligibility criteria for the voluntary DIB Cybersecurity Program. These revisions will allow all defense contractors that own or operate an unclassified information system that processes, stores, or transmits covered defense information to benefit from bilateral information sharing.

The DoD said the rule is effective on April 11, 2024. Because the final rule modifies the requirement for industry to obtain a medium assurance certificate, the Department believes it reduces the burden on companies participating in the DIB CS Program.
