The movement towards remote work and digital tools over the past few months has resulted in a massive change in the amount of data flowing over networks and has drastically increased the importance of advanced IT tools and capabilities across the DoD and the Defense Industrial Base (DIB). The increased reliance on IT networks and tools has highlighted the importance of maintaining a cyberdefense that is both strong enough to protect sensitive data from sophisticated threats, and nimble enough to quickly adapt to new developments and new threats.
However, this flexibility is nothing new within the DIB. Rather, according to the Chief Information Security Officer (CISO) for General Dynamics – Ordnance and Tactical Systems, Justin DePalmo, it is something that has been adopted as a best practice.
As the DIB moves to adopt the industry-wide Cybersecurity Maturity Model Certification (CMMC) and its related standards, DePalmo told us, educating employees, maintaining compliance, and staying on top of technical implementation are all necessary given the increasingly connected “team sport” nature of cybersecurity in this critical industry.
DePalmo will speak further and more in-depth on this incredibly important subject at this month’s Fal.Con for Public Sector virtual conference, where he will share industry best practices with peers across the public and private sector. We recently sat down with him to preview his remarks and learn more about what attendees can expect at this year’s event.
Here is what he had to say:
GovCyberHub (GCH): Can you tell our readers a little bit about yourself and your responsibilities as CISO for General Dynamics – Ordnance and Tactical Systems?
Justin DePalmo: I currently serve as the Chief Information Security Officer (CISO) at General Dynamics – Ordnance and Tactical Systems located in Saint Petersburg, Florida. I started my career at General Dynamics in 2008 in an end user support role with a desire to work in cybersecurity. Shortly after, a security analyst position became available as a result of expansion and growth in the cybersecurity field. Not only was the timing perfect, but my new boss at the time shared much of my passion for cybersecurity and became a mentor of mine whose knowledge was a critical part of my development as a cybersecurity expert and leader.
Today, that same leadership mentality and focus on cybersecurity is being applied across the entire IT organization since cyber cannot be successful if siloed.
As CISO, my responsibilities include compliance to customer and industry regulations, risk and vulnerability management, incident response, business continuity, network and endpoint protection, and cybersecurity practices across business operations. All of these areas are leveraged to adequately protect the confidentiality, availability, and integrity of General Dynamics and customer information.
GCH: What cybersecurity challenges does General Dynamics – Ordnance and Tactical Systems have as a private company that works on sensitive military projects and technologies? Are there special, more intensive measures that need to be put in place because of that?
Justin DePalmo: Not to be too cliché, but the saying “we are all in this together” is what comes to mind. Cybersecurity is a team sport and a unified security standard is being accepted graciously within the Defense Industrial Base (DIB). I applaud the efforts that the DoD and specifically, the Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, Ms. Katie Arrington, are driving to implement the Cybersecurity Maturity Model Certification (CMMC) across the DIB to further build upon the DFARS 252.204-7012 requirement.
By adopting and shifting to a uniform, industry-wide CMMC framework, we help address the challenges that the military faces maintaining security and interoperability of information across various levels of Controlled Unclassified Information (CUI) and other data types.
GCH: What best practices are transferable to your peers in the public sector, be they in the federal or state governments or in the military?
Justin DePalmo: This is a difficult question, as there are many valid answers when it comes to risk management. If I had to rank the top three best practices, I would first start off with a purple team engagement to obtain a view of what an attacker may see or gain access to, and what the cyber defenders may see or not see in their security toolsets.
These engagements can also tie into incident response exercises, and I just cannot say enough positive things about stress testing an organization this way.
The next area I would address is to make sure multi-factor authentication is enabled, not just for remote access but on internal networks as well. It is no secret that we as a society are password fatigued and too often fall victim to password re-use attacks. Lastly, awareness is critical. Not just for internal employees, but all entities that an organization hires or contracts out work to. For example, we tend to have an astonishing trust for email even though our adversaries have been extremely successful with phishing attacks.
GCH: The battlefield is becoming increasingly network connected, and as a result, the warfighter requires cybersecurity built into everything. As you produce and manufacture technologies for the warfighter, what measures is General Dynamics – Ordnance and Tactical Systems taking to ensure that vital links in the kill chain are protected from interference?
Justin DePalmo: Driving awareness is key here. Cybersecurity is extremely critical in what we do daily and appears to become more relevant each and every day. Culture change is not easy, but we need to seize opportunities to educate our employees and show that every action they take could have a potential negative outcome for our warfighter.
We also need to do this in a way that provides positive reinforcement and encouragement. Cybersecurity teams should not be seen as a barrier to completing a mission, as our success is built upon strength in numbers.
This applies to our downstream partners as well. As we begin the shift to validating cyber requirements through the CMMC, cyber professionals have the perfect opportunity to engage our supply chain peers and further educate our suppliers and vendors on the importance of cybersecurity.
GCH: What are you planning to discuss during your session at the upcoming Fal.Con for Public Sector virtual event? What can attendees expect from their time in your session?
Justin DePalmo: I am delighted to have this opportunity and glad to be a part of this great event. I hope to help attendees prepare for future CMMC requirements both from a compliance side and a technical implementation side by providing them with some of the best practices that I’ve developed as I’ve managed General Dynamics – Ordnance and Tactical Systems’ ongoing compliance with the latest CMMC standards.
GCH: Who do you think would benefit from attending Fal.Con this year? Why is now an important time to hold this event and why is it important to bring this community together – even virtually?
Justin DePalmo: Our world was shaken up quite drastically over COVID-19, but we all came together as a society. The same collaboration has been widely felt amongst the cyber and greater IT communities as we applied digital transformation at a faster pace than ever before. With that in mind, it is our job as cyber leaders to share lessons learned and best practices.
There is a wealth of knowledge across the cyber community, and in this field, it is not feasible to know it all. I believe those who attend Fal.Con for Public Sector this year and who are supporting our government entities will not only see, but agree, that we need to continue on our journey together and support our overall cybersecurity mission.