Brilliant
at the Basics

Welcome to the "Brilliant at the Basics" campaign — the Department of War (DoW) Chief Information Officer (CIO) initiative dedicated to empowering our Defense Industrial Base (DIB) partners. Our mission is to help small, mid-sized, and non-traditional companies confidently secure their networks, protect sensitive DoW information, and deliver peace through technical strength!

Top 10

IT cybersecurity best practices

for Defense Industrial Base (DIB) Partners
Download PDF ↓

The "Brilliant at the Basics" Information Technology (IT) Top 10 empowers Defense Industrial Base (DIB) partners—especially innovative small and mid-sized businesses—to rapidly secure their networks and protect sensitive Department of War (DoW) information. By stripping away administrative complexity and compliance overhead, these foundational core practices help you fortify your enterprise, reduce technical debt, and ensure the secure, rapid delivery of superior technology directly to the warfighter at the tactical edge.

01
Phishing-Resistant Multi-Factor Authentication (MFA)

Upgrade your authentication mechanisms to require strong phishing-resistant MFA methods for user accounts. Moving away from legacy MFA methods such as SMS text messages or push notifications forms the foundation of a modern security stack. By combining explicit identity verification with least-privilege principles, you minimize the utility of compromised credentials and significantly reduce the risk of unauthorized access to sensitive systems.

02
Comprehensive Asset Inventory Management

Establish and maintain a dynamically updated inventory of enterprise assets, including hardware, software, identities, and data across your estate. An effective inventory goes beyond a simple static list by providing a highly contextualized understanding of every asset. By continuously tracking and validating authorized assets with deep context, you establish the operational visibility required to detect anomalies, manage complex vulnerabilities, maintain compliance, and build a truly resilient defense.

03
Strategic Technical Debt Reduction

Minimize your attack surface by aggressively identifying, modernizing, consolidating, or retiring unused legacy infrastructure, redundant data stores, unsupported software, and unnecessary interfaces. Unmanaged "shadow IT" represents prime targets for adversarial exploitation and undermines modern zero-trust controls. Decommissioning these outdated technologies directly hardens your enterprise resilience, lowers operational complexity, and allows you to securely deploy capabilities at the speed of the mission.

04
Flexible Technology Stack

Design and maintain a flexible, interoperable stack that supports modular integration of best-in-class commercial technologies. Prioritize open standards and solutions that facilitate interoperability and secure data exchange. Maintaining a modular architecture enables continuous operational agility and mitigates the strategic risk of being locked into a single proprietary vendor ecosystem.

05
Logical Segmentation to Limit Adversary Lateral Movement

Implement software-defined segmentation to divide your environment into secure, isolated logical zones. Because adversaries actively attempt to move laterally to high-value targets once they gain initial access, flat networks pose a severe risk to sensitive data. Restricting lateral pathways limits the “blast radius” of any compromise and isolates sensitive Department data even if an individual endpoint is breached.

06
Risk-Based Vulnerability Management

Establish a continuous, risk-based vulnerability management program driven by operational context and impact rather than generic severity scores. Replace flat patching cycles by prioritizing remediation actions based on the actual exploitability of a vulnerability given your specific system configurations, existing compensating controls, and current operational state. Focusing on real operational risk aligns your limited resources to address the issues that matter most to your operations, security posture, and the broader mission.

07
Integrate Security Early in the Development Lifecycle

Integrate secure coding standards and automated vulnerability scanning directly into the earliest phases of your engineering lifecycle. By shifting security left and testing software components, including all third-party dependencies, during the development phase, you are better positioned to deliver secure capabilities to the warfighter at speed and scale.

08
Secure AI Adoption and Data Protection

Establish clear policies and technical guardrails governing the use of artificial intelligence and automation tools across your workforce. Explicitly prohibit the input of sensitive Department data into public, commercial AI systems. By implementing content filtering, endpoint controls, and approved enterprise AI environments, you prevent accidental data exposure while enabling the safe adoption of advanced technologies.

09
Resilient Backup and Disaster Recovery Architecture

Protect critical data from adversarial destruction and ransomware by establishing a secure, immutable backup architecture. Maintain redundant copies of all intellectual property, proprietary data, and Department records within a logically vaulted or offline environment. Ensure these backups are secure using isolated credentials distinct from your primary network, and enforce strict protections to prevent unauthorized modification or deletion. Regularly conduct full-system restoration drills to validate that your recovery pipelines can meet operational timelines in the event of a catastrophic compromise.

10
Continuous Technical Workforce Readiness

Continuously develop your technical and security personnel on modern enterprise architecture, data protection, and defensive security operations. Operational resilience is directly bottlenecked by workforce capability. Prioritizing targeted technical training across your entire environment equips your team with the essential skills to defend sensitive information and counter evolving threats at the speed of the mission.

Top 10

OT cybersecurity best practices

for Defense Industrial Base (DIB) Partners
Download PDF ↓

Securing Operational Technology (OT) presents fundamentally different challenges than standard IT networks, as protecting physical assets—from robotic arms on assembly lines to critical SCADA systems and weapon systems—requires defending unique cyber vulnerabilities and downtime is often not an option. As part of the "Brilliant at the Basics" campaign, this streamlined Top 10 list distills critical cybersecurity principles into practical, actionable steps tailored specifically for OT environments. By implementing these foundational practices, Defense Industrial Base (DIB) partners can confidently secure their physical operations, reduce compliance overhead, and ensure the resilient, uninterrupted delivery of capabilities to the tactical edge.

01
Identity and Access Control

Manage who has access to your OT by enforcing strict identity and access control. Ensure your system verifies the identity of every user via stringent authentication methods before allowing access to your network. Enforce strong access controls and require multi-factor authentication (MFA) for sensitive systems. Under Zero Trust, users should only be granted the "least privilege" needed to do their specific job, nothing more. Adopt a "never trust, always verify" mindset to protect your business.

02
Validated Asset Inventory

The first step for any business is to create and maintain a rigorous, "as-operated" inventory of all physical and logical components within your OT environment. This includes tracking high-criticality assets such as Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), Human-Machine Interfaces (HMIs), Engineering Workstations, Distributed Control Systems (DCS), and Safety Instrumented Systems (SIS). To ensure a comprehensive baseline for risk management and threat detection, the inventory must catalog not only hardware but also firmware/software versions, active communication protocols, process logic/OT programs, transient assets, and external remote-access connection points. Ensure that all systems have clear ownership, accountability, and secure configuration baseline. Finally, validate this inventory through passive network monitoring and periodic physical walk-downs to eliminate shadow systems and map critical operational dependencies without disrupting live processes.

03
Strict Network Segmentation

A key architectural step is to logically separate your business IT network from your critical operational systems. By creating strict partitions, or segments, you make it much harder for an intruder who gains access to one part of your network to move laterally and disrupt your core functions. This containment is a powerful defensive

04
OT-Specific Incident Response and Recovery Plan

A well-rehearsed, OT-specific Incident Response Plan (IRP) is critical for safeguarding mission assurance and maintaining operational resilience against cyber-physical disruptions. Unlike enterprise IT, OT incident response prioritizes life safety, environmental protection, and physical availability, meaning abrupt system shutdowns are rarely a viable containment strategy.

A robust plan requires maintaining offline backups, segregating Safety Instrumented Systems (SIS), and coordinating closely with external vendors to validate embedded firmware. During an event, response teams must quickly correlate network anomalies with physical process deviations and safely transition to manual control. Finally, recovery demands scrubbing malicious logic, executing localized and phased physical restarts with joint sign-off from both cybersecurity and process engineering leads, and integrating lessons learned into regular cross-functional tabletop exercises.

05
Manage Known Vulnerabilities

To protect critical infrastructure, prioritize compensating controls when you cannot immediately patch operational equipment. Because taking machinery offline for patching is often impossible due to mission-critical availability requirements, compensating controls act as essential, temporary safeguards. These measures—including strict firewall rules, network isolation/micro-segmentation, and application allowlisting—effectively isolate vulnerable devices from exploitation until they can be safely updated during a scheduled maintenance window.

06
Remote Access Pathways

Grant remote access to your OT only when needed, for the shortest time possible, and with strong authentication. Eliminate "always-on" connections to reduce your exposure to external threats, particularly cellular gateways and other direct internet-exposed assets. Many businesses rely on vendors or remote employees for support, but every remote connection is a potential door to your network.

07
Continuous Monitoring

Extend basic monitoring to the production floor to detect unusual traffic or unauthorized access to machinery. Many firewall and antivirus solutions include logging features that can provide visibility. Regularly reviewing these logs helps you spot and respond to threats before they cause damage. Remember, you can't stop what you can't see!

08
System Resiliency

Build your systems to be resilient from the start by mandating secure, composable architecture. Design your industrial networks to fail safely. When upgrading control systems, prioritize resilience by grouping assets by physical location and sensitivity. A secure, modular approach ensures that critical machinery incorporates fault tolerance, physical redundancy, and localized manual overrides, meaning a cyber disruption to one component won’t stop your entire production line.

09
Supply Chain Security

Knowing your suppliers is critical to mitigating vulnerabilities. This is accomplished thought things like proactive procurement, lifecycle management, and supply chain illumination. Your company's security is connected to the security of your suppliers. It is crucial to understand the entirety of your organization’s supply chain and to hold external suppliers to the same security standards as that of the organization to maintain the overall level of security. Requiring vendors to engineer systems and system components to DoW standards ensures built-in security features before purchase. For legacy OT, programs need to set a hard schedule to replace undefendable hardware.

10
Review Processes

For businesses with physical operations, safety and security go hand-in-hand. Before making any significant changes to your systems, including security updates, it's crucial to have a formal review process. This engineers safety and mission assurance into all changes in order to ensure that a security change doesn't accidentally create an unsafe condition for your employees or your operations.

Keep going

Additional resources

19 resources
DoW Zero Trust Strategy
Sets the Zero Trust strategy and implementation standards for the Department of Defense.
Open →
CISA Guide: Why OT Authentication is a Challenge
The Cybersecurity and Infrastructure Security Agency is the nation's lead agency for cyber defense, providing free tools and guidance.
Open →
NIST Cybersecurity Framework 2.0: Small Business Quick-Start Guide
Provides small-to-medium sized businesses (SMB), specifically those who have modest or no cybersecurity plans in place, with considerations to kick-start their cybersecurity risk management strategy by using the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0.
Open →
NIST: Guide to OT Security (SP 800-82)
The National Institute of Standards and Technology SP 800-82 is the federal government's foundational guide for securing Operational Technology (OT) and Industrial Control Systems (ICS), providing small businesses and defense partners with detailed, practical blueprints for protecting critical physical operations from cyber threats.
Open →
Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators
Open →
DoW Control Systems/OT Security Requirements Guide (SRG)
The DoW’s official guide outlining OT security requirements for partners.
Open →
NIST Operational Technology Security Resources
Open →
NSA CCC Attack Surface Management Tools
The National Security Agency’s Collaboration Center works directly with industry partners to share threat intelligence and provide security tools.
Open →
CISA Cybersecurity Best Practices
The Cybersecurity and Infrastructure Security Agency is the nation's lead agency for cyber defense, providing free tools and guidance.
Open →
DC3 DCISE Cybersecurity Capability Support
The Defense Cyber Crime Center’s DIB Collaborative Information Sharing Environment is a hub offering support to help defense partners build and maintain safe, secure cybersecurity capabilities and share threat information.
Open →
Project Spectrum (Cybersecurity Resources for DIB)
A DoW-supported initiative providing no-cost tools, training, and guidance to help small businesses improve their cybersecurity posture.
Open →
CISA Industrial Control Systems (ICS) Resources
The Cybersecurity and Infrastructure Security Agency is the nation's lead agency for cyber defense, providing free tools and guidance.
Open →
CISA All Resources & Tools
The Cybersecurity and Infrastructure Security Agency is the nation's lead agency for cyber defense, providing free tools and guidance.
Open →
NSA CCC Software Supply Chain Security Resources
The National Security Agency’s Collaboration Center works directly with industry partners to share threat intelligence and provide security tools.
Open →
For information on workforce partnership opportunities check out the Department’s Cyber Workforce Rotation Program
Open →
Cyber Academic Engagement Office
Information on partnering with academia, including the National Centers of Academic Excellence – Cyber.
Open →
DoW Software Modernization Strategy
Information on the Department’s approach to software.
Open →
DoW’s Enterprise DevSecOps Fundamentals
Additional information on the Department’s approach to DevSecOps.
Open →
DevSecOps Activities and Tools Guidebook
Additional information on the Department’s approach to DevSecOps.
Open →
Disclosure

The information and best practices provided in this post are for educational and informational purposes only. Under no circumstances shall the Department of War be held liable for any loss, damage, or security incidents arising from the use of, or reliance upon, the information provided in this post. Implementing the suggestions outlined herein does not guarantee immunity from cyber threats, data breaches, or system compromises. Security practices must be tailored to the specific technical, operational, and regulatory requirements of your organization.