IIG - Defining Cyber Survivability

Original broadcast 6/4/25

Presented by Carahsoft

Steve Pitcher, Senior Cyber Survivability Analyst at the Joint Staff, has spent decades thinking about how to build systems that can survive and thrive in contested environments. His approach to cybersecurity goes beyond compliance—it’s about integrating resilience into the core performance requirements of every system from day one.

Pitcher explains that cyber survivability means ensuring that systems continue to function in the face of cyber threats. This requires moving beyond security as an afterthought and embedding it into design and acquisition processes. Since 2015, Pitcher has been working to help the Department of Defense redefine its expectations, advocating for the inclusion of cyber resilience in performance trade-offs alongside cost and schedule.

While traditional guidance has often focused on compliance and technical controls, Pitcher believes this approach has failed to hold program managers accountable. By tying cyber performance directly to mission outcomes, he argues, it becomes possible to measure and improve resilience over time.

What’s remarkable, Pitcher says, is how much progress the services have made even in the absence of unified top-down mandates. The Army, Air Force, Navy, and Marines have each developed their own cyber survivability guidance, embedding security into acquisition workflows, program protection plans, and system requirements.

Pitcher also emphasizes the importance of bottom-up innovation. While general officers set strategy, it’s action officers and emerging leaders who often have the best ideas for transformation. He advocates for tapping into those insights early—before policy is finalized—to ensure that innovation doesn’t get stifled by outdated assumptions.

One of the biggest shifts he’s seen is the recognition that cyber survivability is essential not just for warfighting systems, but for business and logistics platforms as well. Every component of the DOD’s digital ecosystem must be resilient—from enterprise resource planning to tactical command-and-control networks.

To stay on track, Pitcher calls for more coordination across DOD guidance, greater emphasis on up-front design, and continued support for service-level innovation. He’s encouraged by how far the department has come, but believes there’s still work to do to fully institutionalize survivability thinking across the enterprise.

Key Takeaways:

• Cyber survivability must be embedded in performance requirements from the outset.

• All services are advancing independently but need better coordination at the DOD level.

• Bottom-up input and cross-functional collaboration are essential for transformation.

This interview was recorded on location at TechNet Cyber 2025 and included as part of the TV show Innovation in Government from TechNet Cyber.