Sean’s TOD – “Defense in Depth” is not a Mitigation, but Defense in Depth Is A Mitigation
A good friend of mine by the name of Sean P brought up a pretty good point about DiD that I would like to share.
There has been a misunderstanding concerning this statement…
The Navy CA meant: providing a generic statement like “Defense in Depth” is not a mitigation. However, if you can show/list/detail the defense in depth protections and how they relate/prevent/protect your vulnerability in your Risk Assessment, then a defense in depth strategy is an acceptable mitigation approach.
The difference is one is just words. The other is provable.
Sean P.