Comprehensive National Cybersecurity Initiative (CNCI)

In January 2008, President George Bush signed National Security Presidential Directive 54/ Homeland Security Presidential Directive 23 — more commonly known as the Comprehensive National Cybersecurity Initiative (CNCI). The CNCI recognizes that cyber security must be elevated to a level of importance on par with an organization’s core functions and missions. It emphasizes that cyber security is a leadership responsibility, not just a function of the Chief Information Officer and information technology staff. And it acknowledges that effective cyber security is multidimensional, multifaceted, and actively involves the entire organization.

Booz Allen’s Approach to Cybersecurity

The CNCI acknowledges cybersecurity as a complex, multifaceted challenge requiring a multidimensional response. But as we have seen with many similar complex, large-scale challenges, the key question is “where to start?” In our tech-savvy and tech-capable world, the default starting point seems too often to swing toward technical solutions.

While we agree that technology is an important starting point, Booz Allen views the cyber challenge in a much broader context. We see it as a mission integration challenge. In fact, we believe that the goals of the CNCI can only be met through an integration of technology, operations, culture, management, and policy changes.

Booz Allen’s mission integration framework provides a mechanism to understand what other expertise must be brought to bear. Strategy and policy, operations, technology, people and culture, and management must be leveraged in order to avoid the thinking that technology alone can solve this complex challenge facing our clients.

Consider the following points in this context:

Mission Integration Areas	Description	Sample Questions
Strategy & Policy	Oversight, strategy, leadership, national policies, and plans that govern cyberspace and guide an organization's cyber strategy	What is the national strategy for cyber and how does the CNCI fit into it? How can we foster collaboration amongst the various agencies? How do we go beyond cybersecurity to integrate the broader cyber issues (e.g., supply chain management) into our strategies and policies?
Operations	The processes, procedures, and practices by which an organization functions and performs effectively in the cyber realm	What do I need to do to secure my network from attack? How do we communicate and coordinate our cyber operations both internally and with other stakeholders? How do we minimize gaps and reduce redundancies in our efforts?
Technology	The technologies, networks, systems, applications, data, and protocols that enable cyber functions to occur	How do we leverage commercial assets or build our own technologies? How do we protect technology components given the globalized, complex nature of the supply chain? How will new technologies affect our current security strategies?
People & Culture	The behavioral approach and philosophy around managing cyber impacts on an organization	How do we educate Congress and government employees to improve their awareness of the cyber threat? How do we educate agencies and organizations to understand the importance and potential impact of cyber?
Management	Ability to obtain, provide, and efficiently manage resources for cyber initiatives	How do we recruit, hire, train, and retain knowledgeable and qualified cyber analysts and experts? How can we meet the cyber requirement given already stretched resources? How will the Wall Street bailout affect our budget? How can I secure funding for the outyears?

Cyber