Booz Allen Hamilton

A New Paradigm for Cybersecurity Compliance

Photo left to right: Kelby Johnson, Lead Associate; Colleen Lammers, Associate; Lawrence Downs, Senior Associate; Patrice Drake, Senior Consultant; Dustin Jones, Senior Consultant

The US Navy operates more than 300 shore-based and shipboard networks, including the largest intranet in the world with more than 750,000 users. Security of these networks depends on full compliance with Navy and Department of Defense cybersecurity directives and procedures. In 2008, Navy leadership recognized that a number of its commands were vulnerable and that it needed to better understand the security posture of Navy networks. Booz Allen was asked to help develop and stand up the Fleet Cyber Command Office of Compliance and Assessment (OCA), a centralized authority that has transformed compliance testing within the Navy.

Early in this engagement, our team evaluated existing network security compliance testing protocols and recommended a new approach based on continuous compliance and inspection. This model was implemented Navy-wide in 2011 as the Cyber Security Inspection and Certification Program. It was implemented at all Navy commands, more than 900 worldwide, and accounted for the vast differences between shore-based and afloat networks. To validate this approach, the OCA performed the first-ever major cyber inspection of a US Navy ship while it was underway. The new program elevated cybersecurity beyond simple compliance and inspection to a systematic life-cycle process that implements cyber­security best practices on a continuous basis. As such, the Navy now has a mechanism for identifying critical network security vulnerabilities and remediating them ahead of potential breaches.

Over time, the OCA's scope and mission have evolved from reacting to Defense Information System Agency inspections to proactively ensuring the Navy's commands meet cybersecurity standards on a continuous basis. Booz Allen's assistance in support of the OCA's Cyber Security Inspection and Certification Program has contributed to enhancing the security posture of all Navy networks.