Pentagon automating its Cybersecurity Scorecard

The Pentagon is updating its Cybersecurity Scorecard to deliver more-automated results to Defense Department leaders.

The department is looking to release Scorecard 2.0 in the near future to replace the current “static” version, which is compiled via self-reported information from agencies, said acting DOD CIO John Zangardi.

“It’s [not very] dynamic,” Zangardi said of the original scorecard at the Adobe Digital Government Symposium this week. “The idea with Cyber Scorecard 2.0 is to be dynamic, to get automated reporting. It’s to look at things in sort of a heat map so we understand the threat better.”

DOD CISO Essye Miller has been focused on automating the reporting of the scorecard since she took her position in December, Zangardi said. “There’s a lot of work for us to mature this, to move it forward.”

“We want to be dynamic,” he said. “We want to be able to get to the latest information quickly.”

The Cybersecurity Scorecard is a step in the right direction for the Pentagon, Zangardi said. By measuring 11 items related to basic cyber-hygiene — like strong authentication, removal of outdated software, implementing Host Based Security Systems, and properly patching and configuring systems — DOD leadership can better ensure compliance throughout the chain of command.

“It was a move from not knowing what you have to beginning to know what you have. And when you can measure something, you can do something about it,” he said, adding that “because we measured things, we could cajole people, we can encourage people to do the right thing, to make the investment — to move dollars.”

“Those 11 items are critical to moving us forward.”

The Pentagon CIO’s office feels so strongly about the scorecard, Zangardi said, that it will brief NATO allies on its success at the Consultation, Command and Control Board meeting in June. “encouraging them to move in a similar direction.”