CYBERSAFE Team Conducts Initial Pilot at SPAWAR
CYBERSAFE Team Conducts Initial Pilot at
By Tina C. Stillions, Space and Naval Warfare
Systems Command Public Affairs.
San Diego, California — (NNS)
— November 6, 2015 — A multi-disciplined Navy audit team conducted a CYBERSAFE initial pilot at
the Space and Naval Warfare Systems Command (SPAWAR) during the week of Nov.
The week long effort was a two-phased process that included a "functional
audit" of the Office of the Chief of Naval Operations (OPNAV), Program Executive
Office Command, Control, Communications, Computers and Intelligence (PEO C4I)
and SPAWAR to make certain the organizations have identified the right
personnel, granted sufficient authority and established through processes to
execute the CYBERSAFE program. The second phase of the "test-drive" was an
end-to-end review of each organization's processes to ensure program managers
understood and were able to identify, develop and certify CYBERSAFE material
solutions, as well as identify and modify in-service programs through material
or non-material solutions. The Cyber threat is real.
"The purpose of the CYBERSAFE program is to provide maximum reasonable
assurance of the survivability and resiliency of critical warfighting
information systems and platforms," said Ed Lazarski, SPAWAR Office of the Chief
Engineer and director of Cybersecurity for PEO C4I. "The joint effort addresses
the security controls for a subset of mission-critical Navy systems. The result
will be more secure Navy networks."
CYBERSAFE is modeled after SUBSAFE which is the rigorous submarine safety
program begun after the loss of the USS Thresher in 1963. Like the submarine
program, CYBERSAFE will harden a critical subset of warfighting components,
which could be certain computer systems or parts of the network. CYBERSAFE will
apply more stringent requirements to these components before and after fielding
to ensure they are secure. CYBERSAFE will also require changes in crew
proficiency and culture to implement these requirements.
As a first test case, the audit team used PEO C4I's Automated Digital Network
System (ADNS) to walk through the process, which helped them identify how
existing procedures, such as the Enterprise Change Request process, can be used
to implement new security controls. During the exercise, the team assessed the
processes for CYBERSAFE certification to include establishing the CYBERSAFE
grade, identifying and implementing security controls, certifying CYBERSAFE and
continuously monitoring CYBERSAFE compliance.
"Because of the interconnected nature of today's Navy systems, a new approach
is required," said Lazarski. "Adversaries are able to exploit weaknesses in any
of these systems, including the cyber gaps between them, to access weapons and
platforms tasked with network security. In order to ensure comprehensive
protection, the Navy needs to protect all the critical systems from the various
forms of attack."
To accomplish that goal, material and software solutions, plus procedural
compliance, must be instituted so that cyber incidents are adequately prevented,
detected, analyzed, reported, responded to and restored from without abruptly or
unexpectedly impacting mission capability, in other words that they are
According to SPAWAR CYBERSAFE Program Director Sudha Vyas, the audit helped
determine the level of readiness for the organization, the first of the Navy
systems commands to take a program like ADNS and put it through a CYBERSAFE test
"We selected ADNS as the first program to put through the audit process,
because we wanted to identify who has a role in execution and what their role
would be," said Vyas. "The functional audit included leveraging draft policies
into auditable attributes in order to demonstrate that the necessary authorities
are in place. Although we may not have enough people yet, the test drive showed
us that we have enough structure to implement CYBERSAFE."
The team conducted individual functional audits of OPNAV, SPAWAR and PEO C4I
to assess compliance with the draft CYBERSAFE Instruction. During their review,
they uncovered no major process deficiencies and determined that all three
organizations are positioned to begin execution of the CYBERSAFE program.
"The team was great. At one point, we had 40-50 people in the room working
through the various processes," said Vyas. "SPAWAR did much of the initial heavy
lifting and we found no major deficiencies or roadblocks to prevent
implementation and execution of CYBERSAFE."
As the Navy's Information Dominance systems command, SPAWAR designs, develops
and deploys advanced cyber communications and information capabilities. With
more than 8,900 active duty military and civil service professionals located
around the world and close to the fleet, SPAWAR is at the forefront of research,
engineering, acquisition and support services that provide vital decision
superiority to our forces at the right time and for the right cost.
For more news from Space and Naval Warfare Systems Command, visit