Categories: Capabilities, Software, Cyber, and Cloud Computing
Strengthening National Cyber Resilience: Beyond Compliance to Mission Assurance
- Alexandria, VA | June 11, 2025
In the face of evolving cyber threats, strengthening the resilience of national cybersecurity infrastructure demands a unified and cooperative approach. While the Department of Defense (DoD) enjoys sufficient authority and capability to secure its own military assets, effectively safeguarding critical commercial infrastructure and the Defense Industrial Base (DIB) presents unique challenges.
In the face of evolving cyber threats, strengthening the resilience of national cybersecurity infrastructure demands a unified and cooperative approach. While the Department of Defense (DoD) enjoys sufficient authority and capability to secure its own military assets, effectively safeguarding critical commercial infrastructure and the Defense Industrial Base (DIB) presents unique challenges. Understanding these challenges and addressing industry hesitations toward existing federal cybersecurity initiatives are pivotal to enhancing overall cyber defense capabilities.
Mike Farren, Strategic Growth and Business Analyst at Systems Planning & Analysis, emphasizes the notable disparity in the DoD’s cybersecurity approaches to military assets versus commercial critical infrastructure: “DoD understands weapon systems. We know exactly what the cybersecurity roles and responsibilities are, who does what, and the impact of losing a mission asset. We struggle to understand the critical infrastructure and, in particular, commercial critical infrastructure.
“We’re talking about the power substation or the wastewater plant, telecommunications, the basic IT backbone that we depend on. In many cases, DoD doesn’t really, truly recognize that as a true mission enabler. But it is. And what we also fail to understand is, since these are commercial firms providing these enablers, their focus is on their business.”
As noted in this previous post, Deloitte conducted a study and found that small businesses—and these comprise a surprisingly large portion of the DIB—typically spend only about 0.3% of revenue on cybersecurity. Farren states, “For a $10 million company, that translates to 1 to 2 cybersecurity professionals, and that’s not a particularly effective cybersecurity team that you’re putting in place.”
The Mission Stack: Understanding Cyber Vulnerabilities
A very useful visualization of this cybersecurity challenge lies in what Farren calls the “mission stack”—a hierarchical framework that reveals the interconnected nature of our digital infrastructure developed by the Cyber Warfare Directorate within the Office of the Deputy Secretary of Defense for Platform and Weapon Portfolio Management. Imagine a multi-layered pyramid where each level supports the mission-critical operations at the top:
Farren says the critical insight is that “An effective cyberattack at any level of the mission stack can compromise the mission. A power substation disruption, a telecommunications network breach, or a vulnerable supply chain connection can render even the most sophisticated weapon system inoperable or at least degraded. You must understand what mission it impacts, determine if we care about that mission, and then start allocating resources accordingly.” A challenge for the DoD is that many of these networks lie outside their authority to defend, despite their criticality to DoD missions.
This interconnectedness demands enhanced collaboration across federal agencies—including the DoD, Department of Homeland Security (DHS), and Department of Energy (DOE)—to ensure a coherent cybersecurity strategy.
“An effective cyberattack at any level of the mission stack can compromise the mission. A power substation disruption, a telecommunications network breach, or a vulnerable supply chain connection can render even the most sophisticated weapon system inoperable or at least degraded. You must understand what mission it impacts, determine if we care about that mission, and then start allocating resources accordingly.”
Federal Initiatives and Industry Challenges
Several federal cybersecurity initiatives already exist to foster information sharing, provide support, and mitigate threats. These include:
- Cybersecurity and Infrastructure Security Agency's (CISA) Joint Cyber Defense Collaborative (JCDC): Facilitates public-private information sharing, best practices dissemination, and coordinated responses to cyber threats.
- Federal Bureau of Investigation’s (FBI) InfraGard: Focuses on education, networking, and information sharing to protect critical infrastructure.
- National Security Agency’s (NSA) Cyber Collaboration Center: Provides direct cybersecurity assistance, including network defense, vulnerability analysis, and continuous penetration testing.
- Defense Cyber Crime Center’s (DC3) Defense Industrial Base Collaborative Information Sharing Environment (DCISE): Offers specialized no-cost cybersecurity services, forensic analysis, and sharing of best practices specifically tailored for companies in the DIB.
Yet despite the availability of these programs, industry adoption remains challenging. Farren explains a common sentiment from the commercial and industrial organizations:
“One of the interesting bits of feedback we got from industry sectors that constitute critical infrastructure was, ‘Thank you, but no thank you.’ Because what they find is when someone offers them something free, their regulators find out about it, and suddenly it becomes mandatory – and a financial burden.”
Administration Actions and CISA’s Evolving Role
In an attempt to address unity of action, the National Security Memorandum 22 (NSM-22), released in April 2024, codified responsibilities for safeguarding critical infrastructure across physical and cyber domains, assigning a prominent role to CISA. Complementing NSM-22, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), enacted in 2022, mandates centralized reporting of cybersecurity incidents to CISA across all critical infrastructure sectors.
While these actions significantly enhance oversight responsibilities, Farren points out practical challenges. “What didn’t come with [CIRCIA] was additional resources, additional manpower, or an effective scheme for handling the volume of reporting. This is still yet to play out.”
Strategic Path Forward
To foster greater cybersecurity effectiveness across critical infrastructure sectors, policymakers should consider several strategic actions:
- Incentivize Adoption: Explore financial incentives, such as subsidies or tax relief, specifically targeting smaller firms in the DIB to ease cybersecurity compliance burdens.
- Streamline Regulatory Concerns: Work closely with industry sectors to clarify how cybersecurity initiatives will be viewed by regulators, reducing reluctance stemming from perceived regulatory risks.
- Enhance Information Sharing: Strengthen existing initiatives like CISA’s JCDC and DC3’s DCISE by increasing their visibility and clearly communicating their value to industry participants.
- Resource Appropriately: Ensure federal cybersecurity programs have sufficient resources to manage increased reporting requirements effectively under CIRCIA.
Cybersecurity should no longer be a technical afterthought—it’s a critical component of national defense. As Farren emphasizes, “Cybersecurity is not just about compliance—it’s fundamentally about mission assurance.” The future of national security depends on our ability to view cyber defense as an integrated, strategic imperative.
Explore This Topic Further
Catch up with the previous posts in this series:
Subscribe now to get the final post, Rethinking Cybersecurity: A Strategic Shift for the DoD, to understand how strategic operational shifts can embed cybersecurity deeper into military functions.
Related Posts
We invite you to subscribe and stay informed. Never miss an update as we continue providing the rigorous insights and expert analysis you rely upon to protect and advance our national security.
