Enhancing Cybersecurity and Cyber Resiliency of Weapon Systems

Expanded Roles Across a System's Life Cycle

Don Snyder, Chad Heitzenrater

Research. Published Mar 28, 2024

Weapon systems must be secure in a cyber contested environment, or they will not be able to carry out the missions that they are designed to support. How can engineering managed by program offices enhance the cybersecurity and cyber resiliency of weapon systems?

This report lays the foundation for managing cybersecurity and cyber resiliency of weapon systems throughout their life cycles; it also outlines the overall activities to ensure that a weapon system meets all needs to operate in a cyber contested environment. The authors survey policy and relevant academic literature and use personal assessments of cybersecurity and cyber resiliency efforts in the Department of the Air Force (DAF) to identify gaps in the use of engineering for cybersecurity and cyber resiliency and to propose mitigations.

Key Findings

  • Systems security engineering has recently become the policy within the U.S. Department of Defense (DoD), but it has not yet become the general practice in the DAF.
  • The DAF relies on the Risk Management Framework for security; however, this process is largely carried out after systems engineering and design.
  • Wing-level organizations perform much of the day-to-day security monitoring of weapon systems; however, these organizations are not provided with authorized tools tailored to their weapon systems, and the tools that they have cannot comprehensively monitor or defend their weapon systems.
  • Cybersecurity and cyber resiliency are not central parts of current sustaining engineering or life cycle sustainment plans at the DAF.

Recommendations

  • The DAF should develop and maintain an integrated engineering-based plan for the cybersecurity and cyber resiliency of each weapon system throughout its life cycle.
  • To enhance systems security engineering, DoD should place into the program plan and contract language: (1) standards for designing systems with adequate cyber separability and (2) methods to assess cyber resiliency of designs.
  • After ample research, a military standard for cyber separability should be issued. In addition, the DAF should issue instruction for systems security engineering and a manual for implementing systems security engineering.

Document Details

Citation

RAND Style Manual
Snyder, Don and Chad Heitzenrater, Enhancing Cybersecurity and Cyber Resiliency of Weapon Systems: Expanded Roles Across a System's Life Cycle, RAND Corporation, RR-A1506-2, 2024. As of October 10, 2024: https://www.rand.org/pubs/research_reports/RRA1506-2.html
Chicago Manual of Style
Snyder, Don and Chad Heitzenrater, Enhancing Cybersecurity and Cyber Resiliency of Weapon Systems: Expanded Roles Across a System's Life Cycle. Santa Monica, CA: RAND Corporation, 2024. https://www.rand.org/pubs/research_reports/RRA1506-2.html.

Research conducted by

This research was prepared for the Department of the Air Force and conducted within the Force Modernization and Employment Program of RAND Project AIR FORCE.

This publication is part of the RAND research report series. Research reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND research reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit www.rand.org/pubs/permissions.

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.