Cybersecurity Priorities: Aligning Defense Resources with Critical Missions
Focus: SPA Perspectives

Categories: Capabilities

Cybersecurity Priorities: Aligning Defense Resources with Critical Missions

Mike Farren, Strategic Growth and Business Analyst at SPA
Author: Mike Farren, Strategic Growth and Business Analyst
  • Alexandria, VA | May 14, 2025

In the increasingly complex domain of national defense, effectively prioritizing cybersecurity resources is a critical yet challenging endeavor. With finite resources, the fundamental question facing the Department of Defense (DoD) becomes clear: What constitutes reasonable cybersecurity?

Mike Farren, Strategic Growth and Business Analyst at Systems Planning & Analysis (SPA), is a retired Navy Cryptologic Warfare Officer and a long-serving Cyberspace Operations subject matter expert supporting the Cyber Warfare Directorate within the Office of the Deputy Assistant Secretary of Defense for Platform & Weapon Portfolio Management. He frames the challenge succinctly:

“It’s one thing to try to make something completely impervious to cyber assault, but you probably can't afford that.”

SPA Strategic Growth and Business Analyst, Mike Farren
Farren describes cybersecurity as similar to protecting a home from burglars: “There’s a certain base level that you have to do. You lock the door, close the windows, have outdoor lighting, and put up a beware of dog sign—even if all you have is a little Chihuahua. But my house probably doesn’t need a moat, motion-activated sensors, and shotguns…unless it does”
Mission-Driven Cybersecurity
The key to prioritizing cybersecurity effectively lies in deeply understanding the critical mission it supports. SPA cyber SMEs emphasize that cybersecurity shouldn’t be pursued in isolation or merely for compliance purposes. Instead, as Farren stresses, cybersecurity must be mission-driven: “We don’t do cyber for cyber’s sake. We do it because a critical DoD mission needs to be accomplished.”
Within the defense industrial base (DIB), this mission-driven approach is especially pertinent. Although companies within the DIB may not always be directly tied to an immediate mission, their activities often support mission-critical systems. Consequently, the principles of prioritization apply, extending from the highest level of critical infrastructure down to individual systems within a company service provider. At each step, you need to determine the criticality of that single point, which will drive the level of protection on it.
Challenges within the Defense Industrial Base

Farren highlights the DoD’s Cybersecurity Maturity Model Certification (CMMC) as an example of how the department seeks to establish tiered cybersecurity requirements based on the sensitivity of Controlled Unclassified Information (CUI). The model ranges from basic protective measures for simpler manufacturing roles (Level 1) to rigorous controls for firms engaged in advanced capabilities (Level 3).

However, Farren notes a critical gap: “It tends to be tied to the sensitivity of the CUI data as opposed to the criticality to the mission that data supports or enables. And I think that is still where DoD struggles in terms of where we apply the next cyber dollar.”

Real-World Impacts: The NotPetya Cyberattack

This issue extends beyond direct DoD assets into critical commercial infrastructure, such as power grids, telecommunications networks, and logistics operations—assets not always recognized as mission-critical but essential for operational success. A notable example is the 2017 NotPetya cyberattack, attributed to Russia. While the attack initially targeted Ukraine, it inadvertently affected global enterprises critical to U.S. interests, such as the shipping giant Maersk, which faced a shutdown costing more than $300 million. Pharmaceutical giant Merck, among many other firms, faced similarly significant operational disruption. These incidents underscore how vulnerabilities in commercial infrastructure can ripple through defense operations, significantly impacting readiness and mission success.

Small Business Cybersecurity: A Significant Concern
As Farren notes, this presents challenges. “The biggest question, and one of the biggest controversies with CMMC, is the impact on small businesses. Expecting them to bear the cost upfront to secure their networks in order to compete for a contract that they may not win is a challenge.”

Cybersecurity compliance can place a disproportionate burden on smaller firms within the DIB, which often have only modest IT and cybersecurity budgets. Deloitte research shows:

  • Small businesses typically spend only about 0.3% of revenue on cybersecurity.
  • Firms generating under $10 million annually may afford only half a dedicated cybersecurity staff member.
  • These constraints severely limit their ability to meet stringent DoD standards.

To help these smaller firms improve their cybersecurity approaches, the US government provides free or low-cost Cybersecurity-as-a-Service offerings, such as the Cybersecurity and Infrastructure Security Agency’s (CISA) Joint Cyber Defense Collaborative (JCDC), facilitating faster information sharing and coordinated responses to threats.

Innovative Solutions for Effective Cybersecurity
To alleviate these issues, Farren suggests the DoD consider innovative solutions such as incentivizing cybersecurity improvements through direct funding support, tax incentives, or subsidizing compliance costs.

“Can DoD incentivize the adoption of better cybersecurity practices? Do we actually pay the firms? Do we provide tax incentives? Does DoD in some way bear the cost of their cybersecurity? Those decisions are still to play out,” Farren explains.

Ultimately, adopting a nuanced, mission-focused strategy enables the DoD (and the US government writ large) to leverage its finite cybersecurity resources more effectively. As Farren emphasizes, it’s about ensuring robust, practical protections precisely where they’re most needed, rather than exhausting resources on generalized compliance or overly defensive measures. This strategic alignment not only safeguards mission-critical assets but also supports a stronger, more secure defense industrial ecosystem essential for national security.

SPA would advise policymakers to explicitly align cybersecurity investments with clear, mission-critical objectives. This includes comprehensive interagency dialogues among the DoD, Department of Homeland Security (DHS), and other critical infrastructure stakeholders to address shared cybersecurity threats effectively.

Explore Further

This is the first of a four-part series on cybersecurity issues and challenges. Subscribe now to be informed when the rest of the series is published. Among other insights, you will get a deeper exploration of the “mission stack” framework and how it relates to broader cyber resilience in the upcoming post, “Strengthening National Cyber Resilience: Beyond Compliance to Mission Assurance.”

Share this post

Subscribe for Future FOCUS: SPA Perspectives Updates

Related Posts

We invite you to subscribe and stay informed. Never miss an update as we continue providing the rigorous insights and expert analysis you rely upon to protect and advance our national security.





      w

      Lorem ipsum dolor sit amet, consectetur adipiscing elit eiusmod tempor