Ground Truth: Addressing Cybersecurity through Army Lessons Learned

December 17, 2015 (updated September 3, 2018) | Acquisition

By Janet O’May

The Army acquisition process not only oversees the development or purchase of new systems but is responsible for the entire life cycle. Acquisition policies pertain to development, purchase, fielding, sustainment and disposal. Similarly, responsibility for cybersecurity extends throughout a system’s life cycle. Cyber risk management policies and procedures must be in place throughout all phases to ensure the safety of our warfighters as they employ systems that are increasingly reliant on communications and networks.

The Army Acquisition Lessons Learned Portal (ALLP) is a resource for members of the acquisition community to share lessons and best practices. The following are lessons from the ALLP that address the areas of training, requirements, financial management, testing and the information assurance (IA) process to help acquisition professionals as they work to increase cybersecurity in Army programs.

___________________________________________________________________________

TRAINING

LL_376: Programs should implement in-depth and unit-specific IA training so that stronger security safeguards and tactics for cyber defense can be implemented during tactical operations.

Background

During a Network Integration Evaluation (NIE) event, basic IA precautions—strong passwords, a secure configuration and updated security and antivirus patches, for example—were not implemented on a system, allowing exploitation by the Threat Computer Network Operations (TCNO) team from Army Research Laboratory. The team infiltrated as both an outsider and a near-sider threat. Because of an ad hoc operation fielding requirement for this new Army capability, there was very little time to place IA emphasis on the unit during training and before the unit attended NIE.

Recommendation

The following suggestions can be helpful:

  • The program office (PO) must be staffed to properly monitor, manage and execute a rapidly growing IA mission. IA for a tactical system is different from IA for a typical enterprise network.
  • Army units must have adequate IA personnel to support mobile troops on a tactical network.
  • To develop the necessary IA skills, training should emphasize the IA threat and maintaining IA certification.
  • Allow TCNO to conduct IA testing during the developmental test (DT) phase instead of the operational test (OT) phase to develop proficiency and repeatable training.
  • Provide enhanced IA standard operating procedures for the user to ensure configurations are secure and patches are implemented.
  • Training should be developed for legacy systems and implemented into new systems.
  • Testing should occur upon completion of training and be performed as early as DT or prior to OT.

___________________________________________________________________________

ADVANCING BATTLEFIELD COMMS
A Soldier operates the mid-tier networking vehicular radio (MNVR) during the government integration test over-the-air event, which was completed in 2014 at the Army’s Electronic Proving Ground on Fort Huachuca, Arizona. Data from the Army Lessons Learned Portal indicate that cybersecurity issues for communication systems like the MNVR need to be addressed early and often, through all phases of the acquisition process. (U.S. Army photo)

REQUIREMENTS

LL_742: IA certification is a requirement for an information system seeking to network in Army activities (Army Regulation (AR) 25-2). Programs need to develop IA strategies at the earliest point in design to avoid cost and schedule impacts.

Background

During a system’s requirements development phase and its subsequent build, IA was not addressed. After development, an IA assessment determined that the system did not meet Army IA regulations or National Security Agency (NSA) requirements. Had an IA subject matter expert (SME) been engaged with the developer from the start, the SME would have determined that the operating system (OS) and hardware being developed or implemented into the system were not on the NSA preapproved list and did not have a validated encryption algorithm. Not using a NSA preapproved OS or hardware does not preclude certification. However, the system must then go through NSA certification. The certification process adds to the schedule and could require re-engineering efforts to correct security issues. These efforts could result in hardware changes or software modifications. Either way, the program will experience schedule delays and risk not meeting program objectives.

Recommendation

As soon as a networking requirement is determined, IA and computer security SMEs need to be active members of the design and development team. The IA SME will incorporate AR 25-2 requirements into the system design strategy and assist the program with determining certification and accreditation (C&A) timeline efforts. Validating IA controls during system development benefits the program by eliminating re-engineering efforts, completing the C&A efforts successfully and meeting timeline objectives.

LL_961: Cybersecurity requirements are evolving, often changing as a program progresses.

Background

DOD Information Assurance Certification and Accreditation Process (DIACAP) requirements were defined at the start of a program. As the DOD transitions to the new risk management framework (RMF), the program must also transition to the RMF requirements. The program’s statement of work had to be modified to include the new RMF requirements to ensure the program met the mandatory cybersecurity requirements.

Recommendation

It is difficult to anticipate new requirements (e.g., cybersecurity changes). Document any requirement changes after project execution starts and adjust contracts as necessary.

___________________________________________________________________________

MAXIMIZING TESTING
Soldiers from the 2nd Heavy Brigade Combat Team, 1st Armored Division prepare to move out at the Network Integration Evaluation 15.2, held in May 2015 at Fort Bliss, Texas. Operational tests for the Distributed Common Ground System-Army and the MNVR were conducted during the exercise. The ALLP indicates that by implementing in-depth and unit-specific information assurance training, stronger security safeguards and tactics for cyber defense can be implemented during tactical operations. (Photo courtesy of the Army Capabilities Integration Center)

TESTING

LL_206: For certain information systems, coordination is required with NSA for security certifications. Begin discussions early to gain advanced knowledge of necessary procedures and requirements.

Background

Significant coordination with NSA was required during development of a program’s security verification testing (SVT) plan and procedures (P&P). Advance knowledge of NSA formal and informal procedures and requirements proved invaluable to successful planning and development of the SVT P&P and SVT execution.

Recommendation

  • NSA requires 60 days for the first review. Additional reviews of updated procedures may take up to 60 days each. Expect at least three to five submissions of each set of procedures.
  • Automated test scripts or tools require NSA review and must allow for ad hoc insertion by NSA.
  • Incremental submission of SVT P&Ps may be necessary, and should be coordinated with both the industry P&P team and the NSA review team.
  • Be prepared for quick turnaround of procedures. Procedures submitted by industry before testing begins are approved by NSA almost immediately, and the PO must officially approve them (via letter) prior to testing on the next business day.

LL_207: Plan ahead for information system testing.

Background

There are many things to complete when preparing for information system testing. The P&P reviewers are not necessarily the SVT witnesses. Incremental testing may be necessary to accommodate SVT P&P review cycles so NSA can allocate resources to witness testing. Be prepared to make source code, software design descriptions and software requirement specifications available during testing. The test fixtures must be working and durable. Expect multiple starts or restarts, intrusive probing and extended breakpoint pauses. Plan ahead to ensure availability of test support resources. Additional government-furnished equipment may be necessary. Provide one SME from the program office to observe each test alongside the NSA witness. Extra personnel may be needed to support multiple test stations.

Recommendation

1.  An enterprise SVT standard is recommended as a way to minimize variances due to personnel or policy changes.
2.  Hold one or two technical interchange meetings (TIMs) early in the procedures development phase between industry, the NSA evaluator and possible witnesses to review architecture, test tools and the testing process. Monthly TIMs are useful.
3.  Allow and assist industry to establish a secure electronic means of transferring large files between industry, NSA, the PO and other partners.

___________________________________________________________________________

FINANCIAL MANAGEMENT

LL_643: If not properly included in the program objective memorandum (POM), critical emerging IA and security requirements can impact schedule, cost and performance.

Background

Upon entering the production and deployment phase, various critical emerging IA and security requirements were addressed by the program. Although the PO allocated funding for IA or security requirements, it was observed that the allocated funding was not sufficient to properly address the emerging requirements. Numerous reviews were required to attain the proper accreditation paperwork to validate and field the system to support warfighter exercises.

Recommendation

Although the program office estimate identified the costs associated with security accreditation, it would benefit a program to apply the risk factor to these costs in the POM cycle based on the historical trend of emerging requirements.

___________________________________________________________________________

IA PROCESS

LL_211: To prevent low-quality or late submissions of IA documentation, award fees must incentivize early and frequent communication with NSA.

Background

Programs in one office had difficulty obtaining NSA approval of IA and SVT documentation. Industry’s initial submissions were sometimes poor quality or late and multiple iterations of review and comment adjudication were often needed before NSA approval was obtained.

Recommendation

In order to prevent low-quality or late submissions of documentation, award fees must incentivize early and frequent communication with NSA, initial document quality, adherence to NSA due dates, the number of days in which industry adjudicates NSA comments and the quality of the updated documents.

LL_890: Early coordination with cybersecurity stakeholders led to excellent ratings on the Command Cyber Readiness Inspection (CCRI) and Blue Team Assessment.

Background

One PO reported successes with program IA events after establishing several rules and operating procedures.

Recommendation

1.  Be familiar with DIACAP and CCRI processes.
2.  Employ knowledgeable IA and working-level personnel.
3.  Involve PO, system engineering, software and senior leadership.
4.  Ensure regular IA vulnerability alert (IAVA) patching, compliance oversight and maintenance of records from the configuration control board or the IAVA board process.
5.  Start the DIACAP authority to operate process as early as possible, and allow for at least six months for that process.
6.  Coordinate early and continuously with the program executive office’s IA program manager and certification authority representative.
7.  Check the inspection schedule regularly and be prepared for upcoming events. The U.S. Cyber Command schedules 6 to 12 months in advance.
8.  Understand and comply with computer network defense directives.

More information on these and other Army lessons learned may be found on the ALLP at https://allp.amsaa.army.mil.

ENSURING INFORMATION SECURITY
The Warfighter Information Network – Tactical (WIN-T) network enables battle command on the move, keeping dispersed forces connected to one another and to the Army’s global information network. As warfighters employ systems that are increasingly reliant on communications and networks, cyber risk management policies and procedures must be in place throughout all phases of the acquisition process to ensure system and Soldier safety. (Image courtesy of General Dynamics Mission Systems)


MS. JANET O’MAY is an operations research analyst with the U.S. Army Materiel Systems Analysis Activity at Aberdeen Proving Ground, Md. She holds an M.S. in systems management and information systems from Florida Institute of Technology and a B.A. in sociology and social work from University of Maryland Baltimore County. She is Level III certified in engineering and test and evaluation and Level I certified in information technology and program management, and is a member of the Army Acquisition Corps since 2008.