DIB: The DoD’s Implementation Plan Brings CMMC Level 3 Requirements Before Phase 4 (Full Implementation). While much of the focus has been on CMMC Level 2, it’s equally important to prepare for the significant lift required for Level 3. The transition to L3 will depend on your existing CUI Program, leadership support, and your technical team’s skill set.

Key elements to consider:

1. Access Control for only organization-owned/managed devices, no Personal devices (BYOD). Also, apply Golden Images to Level 3 assets, ensuring consistency and security, followed by conditional access controls or systems posture checks.
2. Must protect the integrity of Secure Baseline Configuration/Golden Images.
3. Encryption In Transit and At Rest with Transport Layer Security (TLS), IEEE 802.1X, or IPsec.
4. Bidirectional/Mutual Authentication technology that ensures both parties in a communication session authenticate each other (see encryption).
5. Conduct L3-specific End-User Training, including practical training for end-users, power users, and administrators on phishing, social engineering, and cyber threats and test readiness and response.
6. Continuous Monitoring (ConMon), Automation, and Alerting to remove non-compliant systems promptly.
7. Automated Asset Discovery & Inventory, ensuring full visibility of all assets.
8. Security Operations Center (SOC) and Incident Response (IR): Maintain a 24x7 SOC and IR team to handle security incidents promptly and efficiently.
9. HR Response Plans that include Blackmail Resilience to address scenarios like blackmail, insider threats, and other HR-related security issues.
10. Mandatory Threat Hunting to proactively identify and mitigate threats.
11. Automated Risk Identification and Analytics using Security Information and Event Management (SIEM), Security Orchestration, Automation, and Response (SOAR), Extended Detection and Response (XDR), etc.
12. Risk-Informed Security Control Selection to ensure tailored and effective protection measures.
13. Supply Chain Risk Management (SCRM), Monitoring & Testing of Service Provider Agreements (SPAs): Regularly monitor and test SPAs to ensure compliance with security requirements and to mitigate risks associated with third-party vendors and suppliers.
14. Mandatory Penetration Testing to identify and rectify system vulnerabilities.
15. Secure Management of Operational Technology (OT)/Industrial Control Systems (ICS), including Government-Furnished Equipment (GFE) and other critical infrastructure.
16. Root and Trust Mechanisms to verify the authenticity and integrity of software. Ensure devices boot using only trusted software. Provide hardware-based security functions such as TPM.
17. Threat Intelligence and Indicator of Compromise (IOC) Monitoring to stay ahead of emerging threats and quickly respond.

#CUI #hva #ProtectCUI
Implementing IT Strategies for Defense Organizations
Summary
Implementing IT strategies for defense organizations means using information technology systems and processes to strengthen security, enable rapid decision-making, and support mission-critical operations. These strategies involve everything from modernizing networks and securing digital identities to using artificial intelligence for threat detection and response.
- Prioritize proactive defense: Make sure your team continuously monitors for threats, maintains clear inventories of assets, and conducts regular security drills to quickly spot and handle risks before they escalate.
- Modernize legacy systems: Identify which older technologies support current operations, then carefully integrate new tools like AI and secure cloud solutions without disrupting critical workflows.
- Strengthen identity controls: Implement strict identity verification, manage both human and non-human accounts, and use strong authentication methods to prevent unauthorized access across your IT infrastructure.
-
When “Wartime Speed” meets legacy system reality.... it’s not that easy.

The Department of Defense just released a new AI strategy, and it makes one thing very clear… speed outweighs perfection. The memo states that the risks of not moving fast enough outweigh the risks of imperfect alignment. It mandates 30-days to share data and deploy models, and empowers leadership to waive deployment blockers for speed.

I get it. Perfection is the enemy of progress. Innovation requires testing, learning, and accepting some failure. But speed on paper and speed in reality are not the same thing, especially inside legacy, mission-critical systems. Strip out the politics and you’re left with a simple question: can a legacy organization actually move at AI speed?

Having led innovation inside critical financial infrastructure that underpins the markets and processes trillions of dollars in transactions every day, I can say this plainly: mandating speed, and measuring success by speed alone, doesn’t create speed. Because, it's not just processes, data ownership and deployment approvals slowing things down.

🔹 It's data and system logic that only a handful of people understand. And if it’s a COBOL system, very few people in this work even know how to work it
🔹 Integrations that don't exist yet
🔹 Agent capabilities that can't even connect to legacy systems built decades ago
🔹 Ownership buried across teams that don't talk to each other
🔹 Dependencies that were never documented because the person who knew them retired five years ago

Mandates can't fix this. Those are execution realities every large, legacy, mission-critical organization should pay attention to… far beyond defense. If the Defense Department, or any such legacy organization, wants to move at AI speed, mandates won’t get it there. Here's what will:

1️⃣ Design around legacy constraints instead of pretending they aren’t there.
You can’t reimagine your way past systems still running live operations; speed comes from defining where AI can safely plug in and where it can’t.

2️⃣ Shared meaning matters more than shared access
Access to data isn't the bottleneck, common understanding is. If teams don’t agree on what data means, AI can’t help.

3️⃣ Optimize for decision velocity, not deployment velocity
Shipping fast and operating fast are different things. Value comes from better decisions, not faster releases.

4️⃣ Test aggressively, promote carefully
Failure accelerates learning in test environments, but not in production. Production failures... it's a $50K per hour problem.

5️⃣ Build observability before autonomy
You can’t scale agents you can’t monitor, explain, or audit. Autonomy without visibility isn’t speed... it’s management chaos.

None of this is ideological. It’s the physics of legacy organizations. Wartime AI speed has to be matched by legacy modernization, because how fast you can deploy AI is entirely dependent on whether your systems can absorb that speed without breaking.
-
Day 10: Preparedness and Response

We know the cost of response can be 100 times the cost of prevention, but when unprepared, the consequences are astronomical. A key prevention measure is a proactive defense strategy to anticipate and neutralize threats before they cause harm. Many enterprises struggled during crises like Log4j or MOVEit due to limited visibility into their IT estate. Proactive threat management combines asset visibility, threat detection, incident response, and resilient infrastructure. Here are a few practices to address proactively:

1. Asset Visibility
Having a strong understanding of your assets and dependencies is foundational to security. Maintain SBOMs to track software components and vulnerabilities. Use an updated CMDB for hardware, software, and cloud assets.

2. Proactive Threat Hunting
Identify vulnerabilities and threats before escalation.
- Leverage SIEM/XDR for real-time monitoring and log analysis.
- Use AI/ML tools to detect anomalies indicative of lateral movement, insider threat, privilege escalations or unusual traffic.
- Regularly hunt for unpatched systems leveraging SBOM and threat intel.

3. Bug Bounty and Red Teaming
Uncover vulnerabilities before attackers do.
- Implement bug bounty programs to identify and remediate exploitable vulnerabilities.
- Use red teams to simulate adversary tactics and test defensive responses.
- Conduct purple team exercises to share insights and enhance security controls.

4. Immutable Backups
Protect data from ransomware and disruptions with robust backups.
- Use immutable storage to prevent tampering (e.g., WORM storage).
- Maintain offline immutable backups to guard against ransomware.
- Regularly test backup restoration for reliability.

5. Threat Intelligence Programs
Stay ahead of adversaries with robust intelligence.
- Simulate attack techniques based on known adversaries like Scattered Spider.
- Share intelligence within industry groups like FS-ISAC to track emerging threats.

6. Security-First Culture
Employees are the first line of defense.
- Train employees to identify phishing and social engineering.
- Adopt a “See Something, Say Something” approach to foster vigilance.
- Provide clear channels for reporting incidents or suspicious activity.

Effectively managing cyber risk requires a culture of pessimism and vigilance, investment in tools and talent, and alignment with a defense-in-depth strategy. Regular testing, automation, and a culture of continuous improvement are essential to maintaining a strong security posture.

#VISA #Cybersecurity #IncidentResponse #PaymentSecurity #12DaysOfCybersecurityChristmas
-
Identity is the primary control plane for cybersecurity. Autonomous AI attacks are now operational. Organizations that govern identity with discipline will survive.

Anthropic documented GTG-1002, in which Chinese state-sponsored actors used autonomous AI to execute 80-90% of cyber operations against 30+ targets. Reconnaissance, credential harvesting, lateral movement, and exfiltration happened autonomously. No malware. Valid credentials at machine speed while defenders manually triaged alerts. The system occasionally fabricated credentials, yet still managed to achieve successful intrusions. Even imperfect autonomous attacks are operationally dangerous.

CISA and NSA advisories on Volt Typhoon and Salt Typhoon confirm that nation-state actors have industrialized identity compromise, living inside enterprise systems for months using legitimate accounts.

The compounding threat: Non-human identities outnumber humans 45 to 1. Service accounts, API keys, OAuth tokens, certificates, CI pipelines, AI agents. Microsoft reports that over half are inactive, representing massive identity debt.

WHY this demands action: As Marcus Aurelius observed, discipline begins with focusing on what we control. The evidence from NIST, MITRE, OWASP, and CSA is clear. The question is execution velocity. The 1-10-60 Rule is survival. Detect in one minute. Investigate in ten. Contain in sixty.

HOW to operationalize defense:

- Deploy ITDR. CrowdStrike Falcon Identity Protection and Microsoft’s identity security stack detect Kerberos abuse and token replay that SIEM and EDR miss.
- Govern Non-Human Identities. Entro Security, Permiso, and Silverfort discover shadow NHIs and enforce lifecycle management.
- Establish AI Agent Governance. Every agent requires a named owner, an autonomy tier, scoped permissions, approved tools, tested kill switches, and SOC logging.
- Enforce Policy-as-Code. Use OPA or Rego for explicit deny controls. Prompts cannot be your last defense.
- Eliminate standing privilege. Just-in-Time access shrinks attack windows.
- Mandate phishing-resistant MFA. FIDO2/WebAuthn cryptographically bind authentication.

WHAT success looks like: Autonomous threats contained at machine speed. Identity governance becomes a competitive advantage.

WHAT failure looks like: Unexplainable breaches. Board crisis. Eroded trust.

The technology exists. The question is whether we operationalize these controls before the next autonomous campaign pre-positions inside our critical infrastructure. Identity is where attackers and defenders share the same control plane. Whoever governs identity with discipline controls the outcome.

What is your organization doing today to secure the identity fabric?

#IdentitySecurity #ZeroTrust #ITDR #AISecurity #CyberLeadership
-
Last week, the U.S. DoD released an updated version of its Software Modernization Implementation Plan for the next 2 fiscal years.

As a succinct summary: The plan positions the DoD to maintain competitive advantage through transformed processes, empowered teams, and innovation. Success relies on leadership engagement, Department-wide collaboration, and commitment to software modernization to deliver capabilities at the "speed of relevance."

There are 3 strategic goals:

1. Accelerate the DoD Enterprise Cloud Environment
2. Establish Department-wide Software Factory Ecosystem
3. Transform Processes to Enable Resilience and Speed

Major focus areas include:

- Cloud innovation through expanded contract options and financial operations
- Quick track authorization processes for SaaS
- Enhanced cloud security through modern security models
- Scale adoption of DevSecOps and modern software practices
- Tools to increase software development productivity
- Better software interoperability through APIs
- AI and automation readiness in software factories
- Standards for secure software development
- Modernizing requirements, acquisition, and testing processes
- Transforming legacy business and weapons systems
- Developing software engineering talent

What I really liked in the plan:

- Emphasis on scaling adoption of DevSecOps practices
- Infrastructure as code focus
- Repository services based around git
- cATO focus
- API-first approach, enabling software interoperability through APIs
- Secure software standards adoption, including SBOM
- Preparing software factories for AI
- Consideration of FinOps

DevSecOps is in a season of rapid change. This plan is a great step in the right direction for the DoD. You can read the Implementation Plan in its entirety here: https://lnkd.in/gj-cmrGU

#devsecops #ai #DOD #GitLab