
The Pentagon must balance speed with safety as it modernizes software

This article, authored by Dr. Shea at the FDD, a highly respected leader and technologist in the cybersecurity community, offers prudent guidance to the Department of Defense that is equally germane to other agencies, including the Department of Energy, and to the energy industry. The following quote from the article captures what is needed for improvement and represents the baseline requirements:

"the Pentagon should require Software Bills of Materials (SBOMs) for all software it acquires and manages. SBOMs will prepare the Pentagon to quickly respond and mitigate software flaws that adversaries exploit to conduct espionage and disruptive cyberattacks. They should be complemented by Vulnerability Disclosure Reports (VDRs) from software’s original producers and a centralized system to track and share this information across the DOD enterprise." [NOTE: This advice is also consistent with NIST guidance on SBOMs and the VDR (now called the Vulnerability Advisory Report, VAR, effective Nov 1, 2024): "Ensure that third-party suppliers continuously enrich SBOM data with a VAR."]
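To make the quoted requirement concrete, here is an added example (not from the article or from any DOD or NIST tooling) of the join a centralized tracking system performs: SBOM components are matched by package URL against a supplier's VDR/VAR entries, so the enterprise can see which shipped components are affected, fixed, or not affected. The SBOM, the advisory records, and the advisory identifiers are all constructed placeholders.

```python
"""Correlate an SBOM against a supplier Vulnerability Disclosure Report (VDR/VAR).

Added illustration, not code from the article. Input records are constructed
and simplified: the SBOM mirrors the 'components' list of a CycloneDX document
and the VDR entries carry a per-version status as a VAR would.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: str  # package URL: the join key between SBOM and VDR


@dataclass(frozen=True)
class Advisory:
    vuln_id: str      # placeholder advisory id, not a real CVE
    purl: str         # affected package (purl without version qualifier)
    affected: tuple   # versions the supplier lists as affected
    status: str       # "affected", "fixed" or "not_affected"


# Constructed SBOM: three components as a software producer would list them.
SBOM = [
    Component("openssl", "3.0.7", "pkg:generic/openssl"),
    Component("log4j-core", "2.14.1", "pkg:maven/org.apache.logging.log4j/log4j-core"),
    Component("libxml2", "2.11.5", "pkg:generic/libxml2"),
]

# Constructed VDR/VAR from the same producer; ids are placeholders.
VDR = [
    Advisory("VDR-EXAMPLE-1", "pkg:generic/openssl", ("3.0.7",), "fixed"),
    Advisory("VDR-EXAMPLE-2", "pkg:maven/org.apache.logging.log4j/log4j-core", ("2.14.1",), "affected"),
    Advisory("VDR-EXAMPLE-3", "pkg:generic/libxml2", ("2.10.0",), "not_affected"),
]


def correlate(sbom, vdr):
    """Return {"<purl>@<version>": [(vuln_id, status), ...]} for SBOM entries
    whose purl and version appear in a VDR record; unmatched components are omitted."""
    by_purl = {}
    for adv in vdr:
        by_purl.setdefault(adv.purl, []).append(adv)
    findings = {}
    for comp in sbom:
        for adv in by_purl.get(comp.purl, []):
            if comp.version in adv.affected:
                key = f"{comp.purl}@{comp.version}"
                findings.setdefault(key, []).append((adv.vuln_id, adv.status))
    return findings


def open_items(findings):
    """Components the supplier still marks as affected: the mitigation queue."""
    return sorted(k for k, v in findings.items() if any(s == "affected" for _, s in v))
```

Components with no VDR record at all (here libxml2 2.11.5) are the gap the NIST note is aimed at: without continuous VAR enrichment the tracker cannot tell "not assessed" from "not affected".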

FYI: The DOD has published the SWIFT RFI, which seeks to address these needs as part of Secure by Design and Secure by Default best practices. See the NASA materials for specific implementation guidance on these best practices.

The DOD is well aware of the need to address cyber-risks:

"What's important to point out is that cyberattacks can impact production lines; they can shut a production line down," Garstka said, noting that such attacks on the DIB can impact real-world DOD missions.

"We're not talking about hypotheticals here. If you're dependent on the DIB for operations of your space systems, you have to treat protecting the DIB as important as protecting the space system, space segment or ground segment," he added.

Garstka also said it is crucial that the services view the DIB as a key mission partner and that DOD gives industry the requirements necessary to meet the designs of next-generation space systems, rather than having those designs fall victim to adversarial espionage campaigns in cyberspace.
