How Much Does a Pound of Cyber-Hardening Cost for Defense Systems?

By Jim Keffer

Jim is the Director for Cyber at Lockheed Martin Government Affairs (LMGA) where he leads and manages Lockheed Martin (LM) interactions with senior U.S. government leaders associated with cyber policy, programs, budgets and operations. He also engages with LM cyber-focused and technology-related business units to articulate cyber-related U.S. government priorities and capability gaps across the corporation while simultaneously leading and participating in the development of LM proposals to business opportunities for advancing national security. His last military assignment was as the Chief of Staff for U.S. Cyber Command and the US Air Force’s senior career intelligence officer. During his career, he commanded units at the squadron, group, wing and agency levels, ranging in size from 70-7,000 members, deployed to Iraq and also served as an Air Force Attaché to three central European nations. Jim is a Special Government Employee for U.S. Strategic Command’s Strategic Advisory Group Intelligence Panel, serves on the Veteran Launch and X-IO Technologies Advisory Boards, and is a Special Advisor to the National Cryptologic Museum Foundation. He also is a member of the AFCEA and INSA Cyber Committees.

SPONSORED CONTENT — As I’ve talked to many Department of Defense leaders over the years, I’ve often heard them ask, “how much would a pound of cybersecurity for a weapon system cost me?”

Truthfully, up until this point, we had a difficult time responding. That is, until now – more on that in a moment.

The reason that answer has been elusive is due to today’s cyber environment. The fifth domain is constantly evolving. Technology and threats continue to change and we’re now reliant upon a complicated ecosystem of interconnected, interdependent systems of all types – including DoD weapon systems that are essentially flying, floating, underwater, or ground-based software systems. This digital ecosystem creates a powerful multiplying effect for warfighters in achieving national security objectives and protecting our national interests.

However, there is a real downside – the countless cyber touchpoints an adversary can exploit to negatively impact military training, readiness, and operations.

Starting at the lowest rung of the global supply chain, all the way through the sustainment phase of operational systems, we know threat actors are aggressively pursuing ways to obtain the United States’ and its allies’ most valuable data. At the same time, near peer competitors to the U.S. are bolstering their cyber and electronic warfare capabilities to advance their own security postures.

Case in point – during his confirmation hearing, U.S. Secretary of Defense Mark Esper has gone on the record to say that he thinks the U.S. will “need to be very concerned about Chinese technology getting into our systems or the systems of our allies.”

Further recognizing this increasing threat, Congress’ National Defense Authorization Acts over the past several years have directed the DoD to address the cyber risks of weapons systems. As such, beginning in 2014 Congress and the DoD started applying pressure on industry to address the challenge of cyber-hardening weapon systems.

To be most effective, cyber-hardening has to be “baked in” from the initial concept of a weapon system. For systems already in operation, the quicker risks are identified, the quicker they can be mitigated before adversaries can find them and use them against our military.

But one of the biggest hurdles standing in the way of meeting this challenge has been the lack of a simple, common method to measure and discuss the cyber resiliency of a weapon system; not to mention the processes needed for determining how to mitigate risks and associated costs with doing so.

In effort to turn that around, Lockheed Martin has invested its top Cyber Fellows, cyber experts and resources to develop and pilot the Cyber Resiliency Level™ (CRL) model, with the goal of ensuring warfighters can operate in and through cyber-contested environments.  It is a risk-based, mission-focused, cost-conscience framework. And since its creation earlier this year, our team has found the CRL gives us a tremendous vehicle for talking with our customers. In close collaboration with the customers, application of the model will help determine what level of cyber risk they can accept for a particular part of a system or for a particular mission, and break that down into what it takes to mitigate those risks and provide the associated cost/benefit analysis.

While there are models designed or in development to measure the cybersecurity posture of a company, such as the U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC), there hasn’t been one that speaks directly to the unique cyber design needs of systems. The CRL model was developed to be a companion to those cybersecurity measurement efforts.

As technologies and threats change, the CRL model can adjust accordingly. Because not every system is created equally, you can use the CRL as a basis for understanding those unique cyber-hardening needs. For instance, the risk tolerance for a training system may be higher than it would for an operational system such as Nuclear Command, Control and Communications Systems. In turn, our customers can decide how to respond to risk and have more flexibility to drive investments to obtain the cyber-hardening they need.

Today, we’re using the CRL model on our own systems and are already seeing the benefits. For example, Lockheed Martin and the U.S. military have been in lockstep working on a major satellite development program, using the CRL model along the way. The joint team conducted a cyber table top, one of several techniques that can be used to assess a system’s resiliency, and used the data to help determine mitigation techniques to increase the system’s overall CRL.

It’s Lockheed Martin’s hope that the CRL model will be used by the aerospace and defense industry as a foundation for cyber-hardening DoD weapons, mission and training systems. We encourage DoD and industry at large to use it to better communicate and develop cyber-hardening requirements. Because, ultimately, it would be a tremendous advantage for our military customers and warfighters if we all spoke using a common language regarding cyber-hardening of weapon systems.

In a conflict with peer competitors, our military leaders fully expect to operate in a cyber-contested environment. And we are committed to making their systems as cyber-hardened as possible so they can complete their missions, achieve the objectives and come back home safely.  That’s why we do what we do.

CRL is one of Lockheed Martin’s many contributions to make this happen, and the next time I hear, “how much would a pound of cybersecurity for a weapon system cost me?” I can answer, “Let’s work through the CRL model together to find your best answer.”


The Cipher Brief is fortunate to work with many national security experts who have experience both in and out of  government.  This fits our vision of being the brand that brings the public and private sectors together to best address national security issues.  Our standard for editorial content is that it cannot advocate for a particular business or product, but many of our experts passionately advocate for some products and services that they work on.  Our way to allow all of the conversations to occur is to bring you occasional Sponsored Content – and brand it that way – when our private sector experts advocate for a company or service.  


Register now for The Cipher Brief’s 2020 Threat Conference, the only apolitical national security conference that embraces the private sector’s role in the future of national security.  Discuss critical issues with the most influential leaders in government and business with one goal in mind: ensuring the future of U.S. national security.  Seats are limited.  Apply for yours today.

Related Articles