Cyber Resiliency and Cybersecurity Policy

The Cyber Resiliency & Cybersecurity Policy program, managed by the Office of the Secretary of Defense under Program Element (PE) 0606771D8Z, is a research, development, test, and evaluation (RDT&E) initiative focused on strengthening the Department of Defense's (DoD) cyber posture. The program's primary goals are to defend critical mission weapon systems, DoD Installation Critical Infrastructure (ICI), and Commercial Critical Infrastructure (CCI) from cyber threats, while also safeguarding sensitive unclassified information within the Defense Industrial Base (DIB) sector and supply chain. It also supports capability portfolio management for Joint Cyber Capabilities used by the Cyber Mission Force, aligning with departmental priorities to revive the warrior ethos, rebuild military strength, and reestablish deterrence.

Cybersecurity for Weapon Systems and Critical Infrastructure is a core objective of this program. The Office of Assistant Secretary of Defense for Acquisition (ASD(A))/Cyber Warfare Directorate (CWD) leads efforts to conduct mission-level cyber risk assessments for priority defense missions in support of Combatant Commands (CCMDs). Activities include enhanced risk assessments and wargames for missile defense missions, table-top exercises, and cyber risk assessments for both ICI and CCI. The program funds Integrated Sensing Monitoring Experiments (ISMX) and pilots to evaluate cybersecurity sensing and monitoring capabilities for weapon systems and ICI. These assessments inform the development and employment of the Cyber Risk Mitigation Tool (CRMT), which tracks and prioritizes vulnerability mitigations across the enterprise.

Weapon System Cyber Security and Cybersecurity Supply Chain Risk Management (C-SCRM) is another major focus area. In collaboration with the DoD Chief Information Office (CIO), the program supports C-SCRM initiatives in compliance with legislative requirements such as FY2019 NDAA Section 889 and Title 10 USC Sections 3252 and 4713. The program partners with other DoD organizations and the DIB/CCI sectors to assess and demonstrate scalable cybersecurity services, particularly for small-to-medium sized companies critical to the DoD supply chain. These efforts aim to enhance protection of Controlled Unclassified Information (CUI), data integrity, and supply chain availability.

Capability Portfolio Management for Cyberspace Operations is a third pillar of the program. The initiative conducts portfolio management of Joint Cyber Capabilities employed by the Cyber Mission Force, in collaboration with USCYBERCOM. Objectives include improving the lethality and readiness of Joint Cyber Warfighting Architecture (JWCA) components for both offensive and defensive cyberspace operations. The program also supports reforms in acquisition processes and the adoption of modern software practices to accelerate delivery of warfighting capabilities, ensuring the Cyber Operations Forces can operate effectively in contested environments and defend the homeland.

The program's planned activities for FY 2026 include completing Mission Resilience wargames focused on missile defense in support of Golden Dome for America, performing multiple cyber risk assessments for mission partners, and achieving full operational capacity for the CRMT on classified networks. The program will further integrate service datasets, vulnerability data, and threat reporting to enhance risk models and prioritization methodologies. Tailored cyber risk scorecards and dashboards will be developed for missile defense missions, and oversight will be provided for the mitigation of cyber vulnerabilities in ICI and CCI assets supporting Golden Dome.

Governance enhancements are also a priority, with the program conducting Integrated Acquisition Portfolio Reviews (IAPRs) at the 4-Star level to address cyber defense for priority DoD missions. The program will continue to codify cybersecurity policy and implementation guides for installations, facilities, and supply chain risk management, in coordination with the DoD CIO and USD(I&S). Additionally, it will support identification of required knowledge, skills, and abilities for personnel implementing cybersecurity policies and initiatives across the Department.

Congressional adds in FY 2025 have enabled expanded risk assessments and supply chain risk management pilots. The program's budget reflects adjustments for efficiency initiatives, contract reductions, and inflation, with requests for discretionary and mandatory funding for Golden Dome Cybersecurity. The Cyber Resiliency & Cybersecurity Policy program is structured to provide comprehensive support for the DoD's cyber defense needs, ensuring resilient operations and robust protection against evolving cyber threats.