“Cybersecurity is an area of tremendous concern within the department,” Hutchison said. “We do extensive testing of our systems in our environment to ensure that as they are developed, they don’t have built-in vulnerabilities. We try to find those and fix those before systems are deployed. Once they get in the hands of our operators, the operators are trained in terms of how to detect, react to and restore capabilities if there has been some sort of an exploit.”

Hutchison says his biggest piece of advice for corporate CIOs is to get security testing experts involved at the earliest possible stage of software development.

“We try to get the security tests involved right from the beginning,” Hutchison said. “We’re running the tests and finding and fixing problems very early on so we have a high degree of confidence when we can get the systems fielded.”

DISA includes information assurance in its Net-Ready Key Performance Parameters, which are written into the requirements of all of its major programs. “As we form the test plan, we always have a security test and evaluation professional on the team,” Hutchison said.

DISA also runs security testing on all commercial products before they are allowed to operate on a Defense Department network.