The Case for Built-In Cybersecurity
The concept of cyber resiliency can mean different things to different people. With so many definitions in existence, three working definitions from NIST, the Chairman of the Joint Chiefs of Staff, and the Air Force were leveraged to establish the following description:
"Cyber resiliency is the ability to anticipate, withstand, recover from, and adapt to changing conditions to maintain the functions necessary for mission effective capability."
Using the Cyber Resiliency Level® Framework
Lockheed Martin and the military have been working shoulder-to-shoulder since day one. The Cyber Resiliency Level® (CRL®) framework helped the joint team identify the program’s “as-is” state, beginning with a cyber tabletop (CTT) early in the requirements and architecture definition phase.
A CTT is one of several assessment techniques that can be used to assess a system’s resiliency to different kinds of cyber-attacks. The process helps teams think like an adversary and examine all the ways an attacker might try to compromise the platform. Lockheed Martin’s cyber experts conducted CTTs and were able to use the CRL framework to drive changes in requirements to make the platform more cyber resilient.
After conducting the CTT exercises, the team used the data to help determine mitigation techniques.
Results
Approximately 22% of new requirements were generated based on CTT findings, which focused on driving the average Cyber Resiliency Level for each category from CRL 2 – Managed, to CRL 3 – Optimized, yielding a platform architecture that can be survivable under a cyber-attack.
"The CRL provided us with a repeatable process to continuously address and mitigate threats throughout the program's lifecycle," said Ethan Puchaty, Lockheed Martin’s principal cyber architect. "We are now developing new capabilities specifically tailored to counter the threats that the platform faces. Our customer’s participation in the CTT is critical; it's become much easier to see any identified CRL 2 risks and understand better how to get to CRL 3, and even CRL 4 – Adaptive, if technology is mature enough."