MFGS, Inc. Blog - Cybersecurity and DevSecOps Resources for the DOD

Stolen from the Desk of the Software Angel of Death

Written by John Keane | Oct 7, 2025 10:15:00 AM

Before I get into the details of Cybersecurity, I must inform you of my personal biases about definitions and processes. I have been immersed in Information Technology terminology and associated definitions for over 40 years. Most definitions suffer from several problems.

The first problem is they are seldom written in plain, simple language; instead, they need a dictionary or glossary to further define the words within the definition. Some definitions even contain made up or undefined terms, making the use of a glossary or dictionary impractical, if not impossible.

The second problem is many definitions contain not only what we are trying to specify, but also how we intend to achieve our goals. Mixing the two results in a conundrum when the ‘how we intend to do something’ opens up the issue of changing the definition. I was taught—and achieved great success in—writing policy documents that clearly separated the definition from the goals, allowing for the core meaning to remain stable while allowing flexibility in the approach used to provide the solutions.

The third problem is the irresistible desire of some people to amend even approved definitions or create different “frameworks” that repackage the definition, all under the guise of unique requirements. I have often described this as “creating the façade of uniqueness.”

Cybersecurity is an opportunity-rich environment that has led to the creation of several different definitions which create conflict within various communities. One of the most recent reports from the GAO (GAO-25-108436) highlighted a number of concerns with Cybersecurity to include comments such as:

  • What does Cybersecurity mean? (poorly defined)
  • Why do various, reasonably similar regulations use different definitions with slightly different information requirements? (oppressive burden)
  • We are no closer today than we were 10 years ago to creating a solution! (lack of progress)
  • We are spending money on compliance that would be better spent on Cybersecurity (what are we really doing??)

When I recently became aware of a discussion on LinkedIn with the challenge to define Cybersecurity without using the words risk, attack or threat, I jumped at the opportunity to submit a proposed definition - at which time the discussion paused.

  • I used one Generative AI tool to develop my first proposal.
  • I followed up with a second, more refined definition that did not include the words risk, attack, threat, control, framework, resilience, digital or protocol.
  • I circulated the definition on LinkedIn and got 281 responses:
    • 85% liked it and 15% loved it.

The proposed definition follows but please note: the Generative AI tool did much more than provide a simple definition; it expanded the definition to include key aspects. In my words, the definition of Cybersecurity was simplified but, including an initial set of key aspects, exposed the complexity of what we are trying to achieve. However, this is not the final definition or set of key aspects.

FIRST Cybersecurity Definition (according to Generative AI)

Cybersecurity is the practice of safeguarding computers, servers, mobile devices, electronic systems, networks, and information from harmful intrusions and unauthorized access. It encompasses the methods, technologies, and processes designed to protect the confidentiality, integrity, and availability of computing assets and online resources.

Key aspects of cybersecurity include:

  • Network protection: Securing communication pathways between computing systems.
  • Application safety: Ensuring software programs operate without vulnerabilities.
  • Information preservation: Maintaining the privacy and accuracy of data.
  • Operational procedures: Establishing secure handling methods for sensitive information.
  • Device security: Hardening endpoints such as computers and smartphones
  • Identity verification: Confirming user authenticity before granting system access.
  • Data protection: Implementing measures to prevent unwanted data exposure.
  • Cloud safeguards: Securing information stored in remote service environments.
  • Incident handling: Responding to and recovering from security breaches.

I submitted this proposal to two other Generative AI tools and got positive feedback except for some minor suggested word changes. Even AI seems to be hooked on creating the facade of uniqueness.

I initially hesitated to use one of the NIST definitions because there are seven in the NIST glossary, but the glossary pointed out another path. I followed up on the following definition to find it is included in at least nine other sources. Thank you, NIST.

Since it is IDENTICAL in multiple places (NIST Glossary, CNSSI 4009, DoW Directive 8830.01, AND OMB Circular A-130), I will refer to this definition just as ‘the OMB definition.’

OMB Circular A-130, page 28:

‘Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and non-repudiation.’

Yes, this definition may require use of a glossary to explain some of the words, but it is still extremely useful as a potential STANDARD DEFINITION.

I searched FISMA, CIS and SANS, only to discover they all differ. CIS and SANS (as of 23 September 2025) do not have formal definitions but address cybersecurity from a “framework” perspective. However, CIS suggested we think of “controls” as “best practices” to make the concept more understandable. FISMA uses an approach that is found in A-130 but from more of a programmatic way of doing business. Remember that word (programmatic) when I get to the end of this blog.

Because the definition differs slightly from my original LinkedIn proposal, I went back to my Generative AI tool, substituted this different definition, and asked if this would change any of the aspects. Based on how I asked the question, I got two different responses, both adding new aspects. It also said that the “new” definition, while more formal and infrastructure-centric, would NOT fundamentally change the core cybersecurity domains, but it would shift the emphasis and expand the scope in a few key ways.

The two new aspects based on the OMB definition are Security Architecture (includes resilience) and Security Awareness and Training. I was then asked if I wanted the aspects prioritized, and after some adjustments, I was provided the following list with explanations.

1 - Identity and Access Management (IAM)
  • Controls who gets in, what they can do, and how their actions are verified.
  • Foundation for trust, accountability, and containment.
2 - Security Architecture
  • Designs the blueprint for how all security controls fit together across systems, data, and users.
  • Aligns with frameworks like NIST, Zero Trust, and enterprise models (TAFIM, UAF).
  • Ensures systems are built to withstand attacks and recover without chaos.
3 - Network Security
  • Protects the pathways that connect systems and users.
  • Prevents unauthorized access and limits attacker movement.
4 - Data Security
  • Shields sensitive information from theft or tampering.
  • Keeps data usable and recoverable even under threat.
5 - Application Security
  • Secures software from design to deployment.
  • Prevents attackers from exploiting weak code or APIs.
6 - Endpoint Security
  • Defends devices like laptops and phones from becoming entry points.
  • Helps maintain control even if one device is compromised.
7 - Incident Response
  • Provides a playbook for reacting to breaches or failures.
  • Helps contain damage and restore operations quickly.
8 - Cloud Security
  • Protects systems and data hosted online.
  • Ensures access, visibility, and control across cloud platforms.
9 - Information Security
  • Governs how data is handled, classified, and protected.
  • Supports compliance and internal policy enforcement.
10 - Operational Security
  • Manages day-to-day decisions that affect system safety.
  • Includes risk assessments, change control, and secure workflows.
11 - Security Awareness and Training
  • Educates users to avoid mistakes and recognize threats.
  • Strengthens the human layer of defense.

The list can be tailored to suit specific user environments, plus more than one aspect can be addressed concurrently. BUT I recognized the pattern of prioritization from various PROJECT MANAGEMENT and other analytical efforts I have made over the past four decades.

So, I asked two of my favorite Generative AI tools: Would PROJECT MANAGEMENT be the best way to address Cybersecurity, supported by risk management?

Both responded with almost the same verbiage:

“That’s a sharp observation and one that aligns with how mature organizations operationalize cybersecurity. Treating cybersecurity as a project management discipline, with risk management as its analytical backbone, shifts it from reactive firefighting to proactive governance.

 

🧭 Cybersecurity as a Project Management Discipline

Why it works:

  • Structured Planning: Cybersecurity initiatives—whether deploying IAM, Zero Trust, or incident response—benefit from clear scope, timelines, and deliverables.
  • Stakeholder Alignment: PM frameworks ensure buy-in across IT, legal, compliance, and executive leadership.
  • Resource Allocation: Budgeting, staffing, and tooling are managed efficiently when treated as projects or programs.
  • Lifecycle Management: From threat modeling to post-incident reviews, PM ensures continuity and accountability.

Example: Implementing a new endpoint detection system becomes a scoped project with milestones: vendor selection → pilot deployment → full rollout → training → metrics review.

 

📉 Risk Management as the Analytical Engine

Why it is essential:

  • Threat Prioritization: Not all risks are equal—risk management helps focus on what matters most.
  • Control Validation: Maps controls (best practices) to actual risk reduction, not just checkbox compliance.
  • Continuous Monitoring: Supports adaptive strategies as threats evolve.
  • Regulatory Mapping: Aligns with NIST RMF, ISO 31000, and FISMA.

One of the tools identified a paper in the January 2025 edition of Project Management World Journal that goes into excruciating detail on Integrating Cybersecurity into Project Management. The document can be found at Integrating Cybersecurity into Project Management: Best Practices, Emerging Trends, and Strategic Approaches.

So, the burning questions I feel MUST be asked are:

  1. Why are we taking so long to implement Cybersecurity?
  2. Why do so many stakeholders still complain of not knowing what it is all about?

Perhaps it is because Risk Management and Project management TOGETHER provide the key but neither tool alone does it completely.

 

Why Project Management + Risk Management = Stronger Cybersecurity

1 - Structure and Accountability
  • Project management brings clear goals, timelines, and ownership to cybersecurity initiatives.
  • Risk management ensures those goals are prioritized based on actual threat exposure, not guesswork or vendor hype.
2 - Cross-Domain Coordination
  • Cybersecurity spans identity, data, cloud, network, and more.
  • PM frameworks (like PMBOK or Agile) help coordinate across silos, while risk registers track dependencies and impact.
3 - Continuous Improvement
  • Risk management feeds lessons learned into future planning.
  • Project management ensures those lessons are operationalized, not just documented.
4 - Executive Communication
  • PM artifacts (dashboards, Gantt charts, KPIs) translate technical progress into business language.
  • Risk scoring helps justify budget, staffing, and control selection.
5 - Compliance and Audit Readiness
  • FISMA, NIST RMF, and CMMC all require documented risk-based planning.
  • Project management ensures traceability from control selection to implementation and monitoring.


🧭 Strategic Flow: How It All Connects

  1. Initiate – Define cybersecurity goals aligned with mission and architecture.
  2. Plan – Build workstreams around domains (IAM, data, cloud, etc.) with embedded risk assessments.
  3. Execute – Deploy controls, train teams, and monitor progress.
  4. Monitor & Control – Use risk metrics, dashboards, and incident data to adjust course.
  5. Close & Improve – Feed outcomes into future cycles, strengthening posture over time.

A Risk Identification Template that specifically links each risk to a Performance Work Statement (PWS) might look like this (subject to a LOT of editing):

Risk Identification Template with PWS Linkage

Risk ID

Risk Description

Linked PWS Task/Section

Impact Area

Likelihood

Impact

Risk Score

Mitigation Strategy

Responsible Party

Status

R-001

Legacy system lacks multi-factor authentication

PWS §3.2.1 – Identity Management Modernization

Access Control

High

High

9

Deploy federated IAM with MFA

IAM Lead

In Progress

R-002

Flat network architecture allows lateral movement

PWS §3.3.4 – Network Segmentation

Network Security

Medium

High

7

Implement VLANs and micro-segmentation

Network Architect

Planned

R-003

Sensitive data stored without encryption

PWS §3.4.2 – Data Protection Requirements

Data Confidentiality

High

High

9

Apply AES-256 encryption and key rotation

Data Steward

In Progress

 

Conclusion

I recommend we begin to evaluate and consider Cybersecurity using the OMB definition - and address Cybersecurity as an integrated project management/risk management effort.

P.S. If you use a generative AI tool and ask if CIS and SANS support project management, you will get an excellent discussion as to how both implicitly support the project management discipline along with a mapping of their respective approaches.
View full post