One of the Army‘s IT support commands still sends out physical disks on a quarterly basis to patch its software. But the hope is in the next year, it can build out a common repository to improve its software patching.
The Army’s Communications-Electronics Command (CECOM) relies on sending out physical disks with updated code to bases, a process that takes on average 90 days just to get the disk to the right soldier. And who knows if the disks are uploaded right when they arrive.
But now CECOM is working with the Defense Information Systems Agency (DISA) to push forward with work to host a common software repository that will allow for regular updates and patching to be done on the DOD’s internal networks.
CECOM oversees the Army’s command and control and reconnaissance systems and the supporting software. Typically, that code is custom-developed and requires longer patching cycles than commercial off-the-shelf applications. But even still, that’s taking too long, Maj. Gen. Mitchell Kilgo, head of CECOM, said recently during AFCEA’s Signal Conference.
“One of the things that frustrated me was the software preparedness of our operating systems and our combat systems,” Kilgo said. “We were typically well behind where we should have been.”
Rapid patching of software is proven to be one of the best ways to maintain quality cyber hygiene. Patches help fix errors in code that cause malfunctions in operation systems or provide gateways adversaries can exploit. Cyber leaders commonly call on users to update software and patch systems to avoid the exfiltration of data.
Tests are underway within some Army units. The goal is to have the software repository up and running for the whole service by mid-2021. The true test of the system’s effectiveness will be working in low-bandwidth environments, whether they are remote outposts or hostile battlefields, the general added.
The command is also developing a software scorecard to have Army units track the status of their software readiness. The scorecard will help units keep track of software patches and overall cyber readiness, Kilgo said.
The Army’s challenges with code extend beyond its outdated system of shipping disks around the world. Getting an authority to operate (ATO) for software updates can take months, time that is often wasted while new updates are iterated in the private sector.