JTEG Technology Forum: Cyber Security; Overcoming Challenges to Innovation

Abstract

The threats facing DoD’s unclassified information have dramatically increased as we provide more services online, digitally store data and rely on contractors for a variety of information technology services. It is absolutely critical to establish effective cybersecurity measures while developing, testing, and transitioning new innovations within the DoD. However, it is also extremely important that the DoD community not allow cybersecurity requirements to restrict or hinder innovation.  This forum will discuss DoD enterprise best practices to meet this challenge and share some experiences on how proper cybersecurity measures can be employed to defend DoD networks and information without creating barriers to innovation.

Agenda

1300-1309:  Welcome and Overview – Greg Kilchenstein (OSD-MR)

1309-1310:  Administrative Notes – Debbie Lilu (NCMS)

1310-1320:  Cybersecurity Challenges to Technology Insertion Project: Marine Corps Depot Workflow Modeling – Bill Baker (USMC)

1320-1340:  Cybersecurity Challenges – Dan Green (NAVAIR)  Presentation

1340-1400:  Cybersecurity Lessons Learned – Frank Zahiri (AFSC)

1400-1420:  “Hack the Machine” Event – CDR Tom Parker (NAVSEA)

1420-1440:  Continuous ATO – Carl Coryell-Martin (Pivotal Labs)

1440-1500:  Adapting Blockchain Technology for AM – Tim Abbott (Moog)

1500:       Wrap-Up

Minutes

Event:  On 29 October 2019, the Joint Technology Exchange Group (JTEG), in coordination with the National Center for Manufacturing Sciences (NCMS), hosted a virtual forum on “Big Data Analytics”.

Purpose:  The purpose of this forum was to discuss DoD enterprise best practices to establish effective cybersecurity measures while developing, testing, and transitioning new innovations within the DoD, and share some experiences on how proper cybersecurity measures can be employed to defend DoD networks and information without creating barriers to innovation.

Welcome: Greg Kilchenstein OSD(MR) welcomed everyone to the forum and thanked the presenters and all the listeners for their attendance. He also stated how important it is that the DoD community not allow cybersecurity requirements to restrict or hinder innovation, and then briefly previewed the agenda.

Administrative:  This was an open forum. The presentations, along with questions and answers, were conducted through the Defense Collaboration Services (DCS) and Adobe Connect. A separate audio line was used. Approximately 80 participants from across DoD, industry, and academia joined the forum.

Cybersecurity Challenges to Technology Insertion Project: Marine Corps Depot Workflow Modeling: – Bill Baker (USMC) discussed a technology insertion project in which the Applied Research Lab at Penn State and the Marine Corps Logistics Command partnered to develop and deploy a simulation-based Workflow Analysis and Resource Planning System. He explained how the project has been delayed by software compliance issues and difficulty obtaining authorizations. He suggested creating a methodology that significantly decreases the process time for software approval, procurement, and installation.

Cybersecurity Challenges: – Dan Green (NAVAIR) briefed “Checks and Balances”, first depicting how U.S. acquisition is being outpaced by the threat, and then describing the balance between innovation and security, with “speed” as the number one key performance parameter. He stressed the importance of metrics and measurability, and of automating, monitoring, and applying security at all phases of the software lifecycle plan. Lastly, he described new mandates for DoD in 2020.

Cybersecurity Lessons Learned: – Frank Zahiri (AFSC) discussed the six steps of the Risk Management Framework: Categorize, Select, Implement, Assess, Authorize, and Monitor, and then listed some key cybersecurity lessons learned, including identifying a cybersecurity team up front, allowing appropriate time periods for approvals, and conducting conditional risk assessment determinations. Additionally, he recommended formal training, use of industry partnerships, a more streamlined cybersecurity approval process, and the inclusion of systems engineering.

“Hack the Machine” Event: – CDR Tom Parker (NAVSEA) described the Navy digital event as a maritime “capture-the-flag” experience that provided a chance to hack navigation, engineering and IT systems found aboard a ship, including a newly developed cyber defense and a 3D printer bug bounty. The event was designed to: 1) Inspire a new generation of tech talent, 2) Generate insights that move quickly from the game environment into militarily relevant outcomes, and 3) Educate Navy leaders on emerging technology challenges and how elements of the solution space can come together in rapid prototypes. The event was a huge success and numerous lessons learned are detailed in the presentation slides.

Continuous Authority to Operate (ATO): – Carl Coryell-Martin (Pivotal Labs) revisited the Risk Management Framework that Frank Zahiri had briefed earlier and compared the legacy assessment and authorization process with a new streamlined process that separates application-level control requirements from platform controls, automates best practices, relies on continuous development and operational testing, and applies automated and accredited security benchmarks at the application layer. He also briefly described secure lean agile software development.

Adapting Blockchain Technology for Additive Manufacturing (AM): – Tim Abbott (Moog) and Dana Ellis (NCMS) described a CTMA project that utilized the Moog VeriPart™ solution to provide a point-of-use, time-of-need, smart digital supply chain, which uses blockchain technology to provide end-to-end trusted, verifiable assets in the digital and physical space. The benefits to DoD include reduced risk from unplanned needs and a chain of custody for digital-to-physical assets.

Q&A – A Q&A occurred after each briefer finished their presentation. Questions and answers will be posted on the JTEG website with these minutes.

Closing Comments: Greg Kilchenstein thanked the presenters for their contributions and for all the work being done to support cybersecurity efforts within DoD sustainment. He suggested continuing the information exchange beyond the forum and stressed the importance of collaboration within the DoD maintenance community.

Action Items:

  • Work to get the briefing slides cleared for “public release”, and then post them on the JTEG website at https://jteg.ncms.org/.

Next JTEG Meeting: The next scheduled JTEG virtual forum is 3 December, 1:00 – 3:00 pm EST. The topic is “Automation and Robotics in Maintenance”.

POC for this action is Ray Langlais, rlanglais@lmi.org, (571) 633-8019

Q&A

Marine Corps Workflow Monitoring – Bill Baker (USMC)

————————–

Q1. Do you feel this is a USMC issue or systemic?

A1. I was part of the Navy-USMC effort, prior to breaking off. It appears to me that it seemed to affect the USMC side more. (Note: a couple of audience members said they experienced similar issues outside the USMC, so it may be a systemic issue.)

Q2. Is there any technical justification for the slowness of the approval process?

A2. No. We never had a question or concern over the software.

Cyber Challenges – Dan Green (NAVAIR)

————————–

Q1. I would like to know the timeline for these activities with classified networks. In my experience, the unclassified networks have much longer timelines than the classified networks.

A1. That is not always the case. There are many things involved. A big factor will depend on whether we go to the cloud or not. The cloud should accelerate the timeline and enable full transparency and constant monitoring.

Q2. Will CMMC requirements be grandfathered for commercial industry already on contract?

A2. I don’t think so. The guidelines are not out yet and are tied to the RFPs.

Q3. Microsoft was just awarded a $10B cloud services contract. Do you have any insight on how soon we will be able to fully utilize Azure and how/if that ties into the NCS 5G effort?

A3. Navy can already access Azure. If JEDI will be the production environment, once funding flows you will be able to use the Azure cloud and all the cybersecurity capability they have in the cloud.

Cyber Lessons Learned – Frank Zahiri (AFSC)

————————–

Q1. What has changed in the USAF in the last 3 years that has streamlined the ATO process?

A1. Trained cybersecurity individuals have saved us.

Q2. Can you give us an idea of the support staff needed to support this work? How many people do you have working as system administrators, on configuration management, and for how many users or devices?

A2. As an example, for my project: 2 from my stakeholder, 1 system administrator, 1 program manager, 1 SCAR, and the OEM. About 4-5 people total.

Q3. For a small business attempting to bring a software product online, is the approval process driven by the USAF customer, the business, or both? What can the business do to streamline this process? What proactive measures can help one get “ahead of the curve” in this process?

A3. You can accelerate the process if you have a CAC card. We are looking at access with a CAC.

Q4. Does the USAF have a “help desk” like function for folks that are new to the IATT/ATO process?

A4. Here at WRAFB, yes. They also provide training.

Q5. What do you think would be required to accelerate the IATT/ATO process faster than 5 months?

A5. Experience and the ability to learn more.

Q6. Thanks so much for this cyber perspective as well as your concern for supply chain members! Those of us in the defense supply chain are focusing on upcoming DCAA audits regarding how we comply with CMMI and NIST 800 series requirements. We hope these investments help you to examine our supply chain against USAF cyber requirements.

A6.

Hack the Machine Event – CDR Parker (NAVSEA)

————————–

Q1. How is the data sent to shore?

A1. That is part of what we are working out now. Securing the pipeline is one of the things we have identified as a vulnerability.

Q2. Was the “damage” obtained through the network or the firmware?

A2. It was with the firmware update. It was not connected to the network.

Q3. Based on event results, where should we focus our cybersecurity efforts?

A3. It was more about the entry points. All the data after that point is trusted.

Continuous ATO – Carl Coryell-Martin (Pivotal Labs)

No Questions

Adapting Blockchain Technology for AM – Tim Abbott (Moog)

No Questions