How Contractors Can Benefit from the CCORI
Given the never-ending threat of data breaches and identity theft, cybersecurity is a priority for most companies and individuals. However, due to their use of classified and sensitive information, government agencies have an even more heightened need for safety. And because they work so closely with those agencies, government contractors share that security requirement.
As dangers evolve, methods for assuring safety have had to advance as well. To increase network protection in recent years, the Defense Information Services Agency (DISA) introduced a new cyber assessment tool, the Command Cyber Operational Readiness Inspection (CCORI). This program is a modification of the Command Cyber Readiness Inspection (CCRI) and is designed to exceed the former standards.
How the CCRI Operates
The CCRI was the first Department of Defense (DoD) inspection program that used external parties for assessments. (Previously, areas of the DoD performed internal self-assessments.) During a CCRI, an outside team visits the site, reviews the quality of processes and documentation, and determines the degree of compliance to given security parameters. The inspectors conduct the CCRI by using a DoD checklist. They interview staff, analyze cyber assets, and note any system faults. Then the team files a report, which the organization could appeal. While the CCRI has its advantages and has helped avoid system breaches, many site commanders feared it was not identifying critical overarching issues.
How the CCORI Is Different
The CCORI is part of the DoD Next Generation (NEXTGEN) cybersecurity inspection initiative. The new program goes beyond the CCRI by providing a more mission-based assessment that focuses not only on compliance but on potential threats. Also, responsibility for the inspections no longer lies with DISA. Instead, the Joint Force Headquarters–Department of Defense Information Network (JFHQ–DoDIN) manages the CCORI program.
The inspectors complete a CCORI in phases. They conduct a mission analysis, assess cyber hygiene, emulate threats, review any outside cybersecurity service providers, and determine the effectiveness of cybersecurity measures. They examine system and network interdependencies, then pinpoint weaknesses by using strategies that real-life enemies could employ. This process is an advanced approach to readiness, which far exceeds the checklist evaluation. Instead, the inspection analyzes an organization’s ability to conduct and defend its mission.
The CCORI helps agencies “understand what impact the vulnerabilities found in a traditional CCRI have, in terms of the threat to their mission, if an adversary takes advantage of the vulnerabilities,” said Jimaye Sones, who was director of the DoD Information Networks (DoDIN) Readiness and Security Inspections when the program was launched.
“Commanders at sites where CCORIs are held will be able to understand that being ‘compliant’ does not necessarily mean their site is ‘secure,’ ” Sones explained. “Also, they will understand what impact the vulnerabilities found in a traditional CCRI have, in terms of the threat to their mission, if an adversary takes advantage of the vulnerabilities.”
While participating on a TechNet Cyber panel in May 2019, Captain Kris Kearton, who was then director of U.S. Fleet Cyber Command’s (FCC) Office of Compliance and Assessment, discussed the CCORI and its advantages.
“Under the old CCRI compliance-based inspection, it was difficult to understand the impact of vulnerabilities on the network much less prioritize their fix actions,” he said. “By starting with a common operational risk lexicon, we allow leadership at all levels to talk about how to reduce the cyber risks that support mission.”
What Contractors Should Know
Protecting its network is critical for every government contractor, and external assessments can be effective when all parties fully engage in the process. Instead of perceiving JFHQ–DoDIN teams negatively, organizations should welcome their input. These teams are focused on revealing vulnerabilities, so systems remain secure. This inspection process is a valuable tool for ensuring each mission’s integrity and success.
Even before an inspection, agencies and contractors should take time to scrutinize their procedures. For organizations to understand how cyber vulnerabilities can adversely affect a mission, they must fully understand their networks and be capable of identifying the areas that require the highest level of protection. To accomplish that, system managers must know precisely how their networks operate and how everything is connected. They must evaluate every path linking one system to another, then determine the weaknesses and related risks.
Cybercriminals are always looking for liabilities in government systems, so contractors should never let down their guard, even when a CCORI is not on the calendar. They should continuously prepare—reviewing and revising processes as needed—so they are ready for any cyber threat.
Disclaimer: The information contained in this article is for general educational information only. This information does not constitute legal advice, is not intended to constitute legal advice, nor should it be relied upon as legal advice for your specific factual pattern or situation.