Quantifying Cyber Vulnerability And Risk In Acquisitions

PROCEEDINGS OF THE 14TH INTERNATIONAL CONFERENCE ON CYBER WARFARE AND SECURITY (ICCWS 2019) (2019)

Abstract
Cost, schedule, and performance are the heavy-hitting metrics used to gauge the effectiveness of an acquisitions project in the United States Air Force. Delving deeper into requirements: the mission capability, reliability, and effectiveness are paramount when evaluating the status of a weapons system that is under development. Notably underdeveloped in the highest-level priorities is cyber security and resiliency. This paper will explore the root causes inhibiting the Air Force cyber community from effectively integrating policy and testing requirements within the Air Force acquisitions community. It will outline current processes and break down methods currently employed to assess cyber vulnerabilities. The current deliverables from risk analysis and assessment models are developed with low fidelity relative to an enterprise network. Securing a system of systems is contingent upon properly defining the attack surface in relation to the impact and severity of a security compromise on other systems. This challenge is not easily defined or communicable to higher levels of leadership. Furthermore, any vulnerability or risk assessment can only be as accurate as the tools and data within the model. A path forward is proposed that drives an effects-based vulnerability assessment. This paper advocates for the integration of a quantified risk-based vulnerability analysis methodology into the process for issuing a network Authorization-To-Operate (ATO) in order to fundamentally reshape the cyber security posture of Air Force weapons system development.
Keywords
acquisitions, platform information technology, cyber security, weapons system, United States Air Force, vulnerability assessment