Download eBook for Free

FormatFile SizeNotes
PDF file 0.8 MB

Use Adobe Acrobat Reader version 10 or higher for the best experience.


Purchase Print Copy

 FormatList Price Price
Add to Cart Paperback74 pages $20.00 $16.00 20% Web Discount

Research Questions

  1. What should cybersecurity in acquisition achieve, and what are the key principles for managing cybersecurity?
  2. What laws and practices shape the management of cybersecurity within the Department of Defense?
  3. What are the root causes of deficiencies in cybersecurity management of military systems in the Air Force?
  4. How can these problems be addressed?

There is increasing concern that Air Force systems containing information technology are vulnerable to intelligence exploitation and offensive attack through cyberspace. In this report, the authors analyze how the Air Force acquisition/life-cycle management community can improve cybersecurity throughout the life cycle of its military systems. The focus is primarily on the subset of procured systems for which the Air Force has some control over design, architectures, protocols, and interfaces (e.g., weapon systems, platform information technology), as opposed to commercial, off-the-shelf information technology and business systems.

The main themes in the authors' findings are that cybersecurity laws and policies were created to manage commercial, off-the-shelf information technology and business systems and do not adequately address the challenges of securing military systems. Nor do they adequately capture the impact to operational missions. Cybersecurity is mainly added on to systems, not designed in. The authors recommend 12 steps that the Air Force can take to improve the cybersecurity of its military systems throughout their life cycles.

Key Findings

Root Causes of Deficiencies in Air Force Management of Cybersecurity

  • The cybersecurity environment is complex, rapidly changing, and difficult to predict, but the policies governing cybersecurity are better suited to simple, stable, and predictable environments, leading to significant gaps in cybersecurity management.
  • The implementation of cybersecurity is not continuously vigilant throughout the life cycle of a military system, but instead is triggered by acquisition events, mostly during procurement, resulting in incomplete coverage of cybersecurity issues by policy.
  • Control of and accountability for military system cybersecurity are spread over numerous organizations and are poorly integrated, resulting in diminished accountability and diminished unity of command and control for cybersecurity.
  • Monitoring and feedback for cybersecurity is incomplete, uncoordinated, and insufficient for effective decisionmaking or accountability.
  • Two underlying themes carry though these findings: that cybersecurity risk management does not adequately capture the impact to operational missions and that cybersecurity is mainly added onto systems, not designed in.


  • Define cybersecurity goals for military systems within the Air Force around desired outcomes.
  • Realign functional roles and responsibilities for cybersecurity risk assessment around a balance of system vulnerability, threat, and operational mission impact and empower the authorizing official to integrate and adjudicate among stakeholders.
  • Assign authorizing officials a portfolio of systems and ensure that all systems comprehensively fall under some authorizing official throughout their life cycles.
  • Encourage program offices to supplement required security controls with more comprehensive cybersecurity measures, including sound system security engineering.
  • Foster innovation and adaptation in cybersecurity by decentralizing in any new Air Force policy how system security engineering is implemented within individual programs.
  • To reduce the complexity of the cybersecurity problem, reduce the number of interconnections by reversing the default culture of connecting systems whenever possible.
  • Create a group of experts in cybersecurity that can be matrixed as needed within the life-cycle community, making resources available to small programs and those in sustainment.
  • Establish an enterprise-directed prioritization for assessing and addressing cybersecurity issues in legacy systems.
  • Produce a regular, continuous assessment summarizing the state of cybersecurity for every program in the Air Force and hold program managers accountable for a response to issues.
  • Create cybersecurity red teams within the Air Force that are dedicated to acquisition/life-cycle management.
  • Hold individuals accountable for infractions of cybersecurity policies.
  • Develop mission thread data to support program managers and authorizing officials in assessing acceptable risks to missions caused by cybersecurity deficiencies in systems and programs.

Table of Contents

  • Chapter One

    Cybersecurity Management

  • Chapter Two

    Cybersecurity Laws and Policies

  • Chapter Three

    Findings and Recommendations

Research conducted by

The research reported here was prepared for the United States Air Force and conducted by RAND Project AIR FORCE.

This report is part of the RAND Corporation Research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit

The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.