Subject: DoD Scorecard Reporting
Our client struggled to meet and reflect compliance against reportable metrics identified within the DoD CIO Cyber Hygiene Scorecard. The DoD SECDEF Scorecard is a monthly reporting which provides a roll up view of how an agency is performing against the DoD SECDEF priorities. Adding to this challenge was the rate by which client enclaves and Programs of Record (PORs) were being transitioned to the client’s Medical Community of Interest (Med-COI) network. Legacy CIOs and Program Managers had not reported to the DoD Scorecard, but were being asked to quickly assess, address, and report against this learning curve as soon as the they were connected to the Med-COI. Given this volume and inherent adoption challenges, the earlier manual approach proved unwieldly, inefficient, error-prone, and counter-productive when leadership tried to quickly identify risk areas that required their involvement and direction.
In 2018, our Cyber Operations Center (CyOC) team was tasked to assure responsibility for the DoD Scorecard. We quickly developed and implemented a much more streamlined, automated scorecard process and platform. Reporting officials are now able to submit their data into a Microsoft Sharepoint portal via eSurvey forms once a month, have the data carry forward, and present myriad outputs for both current and trend compliance reporting. All of the data is online and accessible 24/7, 365 days/year. Moreover, the platform was designed to allow for discrete data mining for specific compliance issues, effected resources, etc. Representative compliance Scorecard focus areas include PKI compliance and Microsoft Windows Assets (WIN 10, WIN XP, and Server 2003).
Our team also developed an automated reporting structure which reduced reporting timeframes and allowed for a focus on corrective actions rather than reporting. This resulted in multiple areas of the DoD SECDEF scorecard getting compliant and turning green for the first time in the client’s history.
The Mission Impact:
• Enhanced Decision-Making: This compliance reporting platform has permitted the client’s leadership to more quickly and directly identify target areas for engagement, reducing enterprise cyber risk.
• Automated Solution to Reduce Cost and Enhance Security: The CyOC team helped save client personnel countless hours that were previously spent on reporting. This process automates many administrative tasks, allowing the security analysts time to focus on the protection and overall security of the systems and better support the warfighter.
• Enhanced Cyber Personnel Development: The team also offered virtual training to alleviate some of the concerns of new sites transitioning over to the MED-COI, and may have never had to collect and report these data types previously.