The latest memo, which was published Monday, requires officials to share security testing data for software between services to avoid duplication and reduce the cost of authorizing software for use within the departments.
It replicates reciprocity requirements outlined by a previous 2016 memo, but also introduces a requirement that the relevant service chief information security officer be notified if reciprocity cannot be achieved.
According to the memo, which was signed jointly by Air Force CIO Lauren Knausenberger and Navy CIO Aaron Weis, the agreement is intended to ensure that “scarce security resources be spent on due diligence and analysis rather than redundant and unnecessary testing or bureaucratic documentation.”
Speaking to FedScoop, former DOD CIO Terry Halvorsen, who signed the first memo in 2016, said that although the policy is not new, the decision to reaffirm it is “perfect timing.”
By reiterating the importance of reciprocity and the policy already in place, it continues to remind the DOD bureaucracy to strive to meet those goals, according to Halvorsen.
Former Air Force CIO Bill Marion, who now works at Accenture Federal Services, told FedScoop that the memo was needed “to overcome resistance to change that can result in prolonged timelines, increased costs, and duplication of efforts.”
The decision to reaffirm the commitment to cybersecurity reciprocity comes despite recent security concerns raised over the architecture and perceived lack of security documentation at the Air Force’s Platform One development environment. Sources speaking to FedScoop at the time described a bid by some officials to outright ban the use of some code, and said that talks to expand the platform with other services had been held up.
A spokesperson for the Air Force said that “nothing had necessarily changed” on the Air Force side following the memo, but that it reinforces the spirit and intent of transparency and collaboration between the services.
A Navy spokesperson said the memo revitalizes the commitment of the two services to reciprocity.