Information Systems Security Program

The Information Systems Security Program (ISSP), managed by the Office of the Secretary of Defense and funded under PE 0303140D8Z, is a critical element of the Department of Defense's (DoD) cybersecurity and information assurance strategy. The program's primary objective is to provide focused research, development, testing, and integration of cybersecurity technologies and technical solutions. These efforts are designed to ensure compliance with a broad range of statutory and policy requirements, including Title 10 U.S. Code Section 2224, the Federal Information Security Modernization Act (FISMA) of 2014, OMB Circular A-130, multiple DoD cybersecurity instructions, Executive Order 14028, and the National Cybersecurity Strategy.

The ISSP's goals are both strategic and operational. At the strategic level, the program supports integrated deterrence by enhancing the resilience of DoD information systems and networks. This resilience reduces the vulnerability of U.S. systems to cyberattacks and disruptions, thereby deterring adversaries by minimizing their potential gains.

The program also directly supports the DoD's posture in strategic competition with China and addresses persistent cyber threats from Russia, North Korea, Iran, and violent extremist organizations by providing advanced cybersecurity tools and expertise.

Operationally, the ISSP focuses on several key objectives. These include developing and modernizing communications security (COMSEC) and cryptography, with an emphasis on post-quantum cryptographic solutions to address emerging threats. The program also aims to integrate and synchronize the DoD information environment, enhance communications cybersecurity, and protect national security systems.

A major focus is the adoption and acceleration of Zero Trust (ZT) cybersecurity principles, including collaboration with Joint Warfighting Cloud Capability (JWCC) cloud service providers and industry partners to develop pilot activities and proof-of-concept evaluations.

Another significant objective of the ISSP is to defend against supply-chain attacks and oversee cybersecurity risk management across the DoD enterprise. The program works to develop and sustain Defense Industrial Base (DIB) cybersecurity activities and to integrate cybersecurity standards across the department.

Planned activities include deploying Microsoft 365 E5 licenses across the DoD Information Network (DoDIN), automating implementation plans, advancing the post-quantum cryptography strategy, streamlining risk assessment and authorization processes for software-enabled products and services, and standardizing the use of systems modeling language v2 for enterprise modeling.

The ISSP also invests in workforce development and academic engagement. Congressional adds in recent years supported the awarding of scholarships to students pursuing cyber degrees at National Centers of Academic Excellence in Cybersecurity, as well as the launch of a pilot Cyber Registered Apprenticeship Program.

The program continues to support the DoD Cyber Service Academy (DoD CSA) recruitment scholars and the Cyber Academic Engagement Office (CAEO), aiming to build a robust pipeline of cybersecurity professionals for future DoD employment.

Budget adjustments in recent years reflect both increases and decreases in funding, with a notable reduction in advisory and assistance services contracts to promote efficiencies and align with Executive Order 14222, which focuses on government cost efficiency. Despite these adjustments, the program maintains its commitment to advancing the DoD's cybersecurity posture and ensuring compliance with evolving federal mandates and strategic objectives.