Strategy 1: Consolidate CND Under One Organization

The first strategy: consolidate functions of CND (Computer Network Defense) under one organization. As discussed in Section 2.8, SOCs must be able to respond to the actions of the adversary. As a result, elements of CND must be tightly coupled.

Five elements of unified CND command structure:

  1. Real-time monitoring and triage (Tier 1)
  2. Incident analysis, coordination, and response (Tier 2 and above)
  3. Cyber intel collection and analysis
  4. Sensor tuning and management and SOC infrastructure O&M
  5. SOC tool engineering and deployment.


  1. Operations of CND are synchronized
  2. Detection and response are efficient, accurate, relevant.
  3. Resources maximized.
  4. Cyber SA (Situational Awareness) and incident data, operations and tools in a closed loop.
  5. Consolidated, unified SA is provided to the director of incident response and management.

Do not break apart the five atomic SOC functions into separate organizations; this is bad for the CND mission.

SOC Org Chart