Automation and AI Could Ease CORA Assessments

Defense Department leaders at AFCEA TechNet Cyber in Baltimore this week said that technologies like automation and artificial intelligence will play a role in improving the effectiveness of the new Cyber Operational Readiness Assessment (CORA).

Charles Wille, deputy director for readiness and security inspections at Joint Force Headquarters- Department of Defense Information Network (JFHQ-DODIN), said that AI could play a role in helping identify potential threats or risks or even help with grading agencies’ ability to detect, defend and respond to emerging threats.

“There’s two veins to this: You have AI for cybersecurity in one, and cybersecurity for AI. We have this challenge here, but in this vein, we need both. We need to make sure that, as we employ AI technology, that they’re secure. And we need to leverage AI capabilities for cybersecurity,” Wille said.

“We’re looking for ways to automate that and do it at a continuous basis,” Nicholas DePatto, inspections branch chief at JFHQ-DODIN, added. “How can we automate what we’re doing? There’s going to be manual parts to everything. But if you can automate 80% to 90% of the [CORA] assessment, you could do it.”

DePatto said CORA could reach a point where continuous assessments are happening in the background without interfering with an employee’s normal work day. Eventually, a risk score report could be generated and delivered to commanders and directors to help them understand risk within the agency and where to specifically focus efforts closing gaps in security.

“The end goal is having continuous assessments and continuous monitoring of those critical capabilities within those critical assets, to really give you a day-to-day understanding,” Lt. Gen. Robert Skinner, director of the Defense Information Systems Agency and JFHQ-DODIN commander said during a keynote address Wednesday.

Wille implored those being assessed by CORA to work with their assessors to improve the process.

“We have to come to this mindset that we need to assess, we need to harden. We need to be resilient,” Wille said. “The assessor is not your adversary. We need to bring that downward, inspection to assessment… We know who the adversary is and that’s not the assessor.”

Skinner said that while CORA was progressing, it had run into some expected “bumps in the road” around training and assessment expectations.

“The level of cybersecurity posture we’re driving to a higher level, and so they just weren’t ready for that. But it’s a good thing, because now they know, and the posture is already increasing across the enterprise,” Skinner told GovCIO Media & Research. “The good thing is that we’ve learned from the first ones that we’ve done. We’ve been able to share that with everyone else and they already know what the expectation is and what the standards are for future assessments.”