CISA directs civilian agencies to patch ‘critical’ VMware vulnerabilities

The Cybersecurity and Infrastructure Security Agency issued an emergency directive Wednesday requiring federal civilian agencies to patch vulnerable VMware products that could be chained together for full system control.

If agencies aren’t able to deploy the necessary updates to the affected VMware services within five days, by May 23, they must take them off agency networks immediately until an update is possible, per the directive.

“These vulnerabilities pose an unacceptable risk to federal network security,” said CISA Director Jen Easterly in a press release. “CISA has issued this Emergency Directive to ensure that federal civilian agencies take urgent action to protect their networks. We also strongly urge every organization – large and small – to follow the federal government’s lead and take similar steps to safeguard their networks.”

Cloud computing and virtualization company VMware on Tuesday released an update for two identified vulnerabilities affecting its VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager applications. CISA expects this will lead to threat actors — “including likely advanced persistent threat (APT) actors” — developing new capabilities to exploit the new vulnerabilities.

VMware itself called the vulnerabilities “critical,” rating them 9.8 out of 10 in severity.

“CISA has determined that these vulnerabilities pose an unacceptable risk to Federal Civilian Executive Branch (FCEB) agencies and require emergency action,” the directive says. “This determination is based on the confirmed exploitation of [prior vulnerabilities] by threat actors in the wild, the likelihood of future exploitation of [the new vulnerabilities], the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems.”

Bad actors have already done this with prior vulnerabilities in VMware software in April, reverse engineering updates the company made that month to begin exploiting instances of the products that went unpatched within 48 hours, CISA said.

In a related cybersecurity advisory published Tuesday, CISA said it has “deployed an incident response team to a large organization where the threat actors exploited” those vulnerabilities from April. The agency has also “received information—including indicators of compromise (IOCs)—about observed exploitation at multiple other large organizations from trusted third parties.”

The federal government’s lead cyber agency believes hackers could exploit the vulnerabilities to “trigger a server-side template injection that may result in remote code execution (CVE-2022-22954); escalate privileges to ‘root’ (CVE-2022-22960 and CVE-2022-22973); and obtain administrative access without the need to authenticate (CVE-2022-22972).” CISA also believes, based on third-party reports, that bad actors may chain the vulnerabilities for full system control.

For any federal instances of the VMware products connected to the internet, CISA directs agencies to immediately disconnect them, assume compromise and then continue threat hunting activities, reporting any anomalous activity immediately.

This emergency directive is the first since CISA in December ordered federal agencies to assess their internet-facing networks for the Apache Log4j vulnerability and immediately patch the systems. CISA Director Jen Easterly described the Log4j bug as perhaps “the most serious” she’d seen in her career.

Pentagon updates timeline for CMMC cybersecurity initiative

The Department of Defense hopes to begin implementing its Cybersecurity Maturity Model Certification (CMMC) program requirements in contracts in May 2023, as part of an effort to prod hundreds of thousands of defense contractors to better protect their networks and controlled unclassified information.

The requirements are currently going through the federal rulemaking process for the Code of Federal Regulations (CFR) and the Defense Federal Acquisition Regulation Supplement, which is required before they can be implemented.

“We’re hoping by March of 2023, they will give us an interim rule. Now that’s not guaranteed,” Stacy Bostjanick, the Pentagon’s director of CMMC policy, said Wednesday during an event hosted by the Potomac Officers Club. “They could come back and say, ‘No, we don’t see the urgency of this meeting to be an interim rule and you will not be allowed to implement until you go through final rule.’”

If granted an interim rule decision, the program will go through a 60-day public comment period, but the department would be able to implement CMMC in contracts and acquisitions by May 2023, Bostjanick said.

She noted that the DOD will take a phased approach to ensure the entire CMMC ecosystem — which includes cybersecurity assessor and instructor certification organizations, assessors and the Defense Industrial Base Cybersecurity Assessment Center, among others — will be capable of handling certifications requested for contractors.

The Biden administration’s revamp of the program, known as CMMC 2.0 — which began last year after contractors raised concerns about the original CMMC framework developed by the Trump administration — set the schedule back.

“Based on this shift and administrations and the relook of the program, it has elongated our timeline from the perspective that we are having to do additional rulemaking activities,” Bostjanick said. “Having said that, though, I don’t think that it is a bad thing. I think having CMMC codified as a program and 32 CFR rule makes it a stronger program and gives it more lifespan, quite frankly.”

Prioritized versus non-prioritized controlled unclassified information

Bostjanick also provided insights regarding the requirements of the cybersecurity framework pertaining to prioritized and non-prioritized controlled unclassified information (CUI).

“For those companies that would handle non-prioritized CUI, the thinking is that they could merely do a self-assessment, an annual affirmation that they meet the requirements of the NIST 800-171 to handle the non-prioritized CUI … From our analysis, the non-prioritized CUI is going to be a smaller subset of the CUI that we deal with,” she said.

“Since companies don’t ever normally just do one contract with the DOD, they bid on multiple contracts, eventually, anybody who handles CUI and bids on more than one contract will most likely have to have a third-party assessment, because it’s only ever going to take one contract that you bid on that requires that third-party assessment to drive you to that level,” she added.

She noted that a contract will indicate whether the procurement includes prioritized CUI, non-prioritized CUI or Level 3 CUI as a factor. Level 3 requires an assessment from the Defense Industrial Base Cybersecurity Assessment Center.

Right now, Pentagon officials are working on several exercises to ensure the definitions between these levels of controlled unclassified information are clearly delineated.

The rough definitions they are working through right now, which could be refined in the next few months, are that non-prioritized CUI involves information that wouldn’t cause much of an issue if it were to be released — such as the material of a military uniform. Prioritized CUI is information that would cause some loss of capability or advantage if adversaries, hackers or others got hold of it. And Level 3 advanced CUI is information associated with critical programs and technologies.

Additionally, the Pentagon is putting together an acquisition guide for program managers and contracting officers to make the decision whether or not CUI is prioritized or non-prioritized as they move into a request for proposals, Bostjanick said.

Pentagon working with allies on secretive autonomous drone project

The Department of Defense is working with allies on a highly classified project to demonstrate the capabilities of artificial intelligence-enabled drones that are designed to operate in highly contested environments.

Undersecretary of Defense for Research and Engineering Heidi Shyu offered a few details about the secretive effort on Wednesday.

“There’s so much stuff going on … [with] AI and autonomy in particular,” Shyu said at the Special Operations Forces Industry Conference (SOFIC). “What can I say that’s unclassified? Let’s just say we’re working to do some demonstration of pretty exquisite capabilities, OK? I want to be able to fly autonomously in a heavily contested area … We’re working with allies on that right now.”

Shyu was tight-lipped and didn’t offer additional details about the project, including which specific systems are involved.

“I’ll just leave it at that since this is an unclassified forum,” she said.

U.S. Special Operations Command officials see autonomous drones as the wave of the future.

The command acquired a slew of remotely piloted unmanned aerial vehicles (UAVs) for Special Operations Forces (SOF) during the Iraq and Afghanistan wars, but now it’s looking for technology that’s more advanced.

“Unmanned systems have shown great value to SOF operations and will continue to show great value. The issue for us is, we have a small formation and everyone in that formation is dedicated to a certain task. And if I’ve got to pull an operator to have them go one-on-one to operate that unmanned system, I’ve just pulled them away from the tasks that they’re … supposed to be doing,” SOCOM Acquisition Executive Jim Smith said at the conference on Tuesday.

He continued: “That’s why we’re really interested in autonomy to be able to get the operator off of the Xbox controlling the unmanned system, and back over their rifle sights and doing what they were paid to do. And so that’s where I think unmanned systems will go in the future.”

Other Defense Department components, including the Air Force, are also pursuing autonomous drones and networked weapon systems. DOD organizations like the Air Force Research Lab and the Defense Advanced Research Projects Agency have been working on AI-enabled capabilities. Australia, a close U.S. ally, also has a Loyal Wingman program aimed at acquiring robotic fighter jets.

Officials at U.S. Indo-Pacific Command have been banging the drum about the need for new UAVs that could be employed in a war against China, which has advanced air defenses.

Shyu did not disclose which allies the Pentagon is collaborating with on the autonomous drone project that she mentioned, but in her opening remarks at the SOFIC conference, she noted that the R&E directorate is working closely with AUKUS partners Australia and the United Kingdom. AUKUS is a trilateral partnership between the U.S., U.K. and Australia that is focused on advanced military technology.

Last month, the White House said AUKUS has made “strong progress” in the capability areas that leaders of the three nations identified as priorities last year, which includes AI and autonomy.

Another top priority for Shyu is integrating cyber capabilities with multifunctional sensors.

“I’m pushing very much towards integrated sensing and cyber,” she said. “What does that mean? I am interested in pushing the technology towards developing a single sensor that has the ability to listen, the ability to do jamming, ability to communicate, the ability to do [cyberattack] injects all in one, OK? So we’re working on that as well.”

CISA expects most agencies to be deploying endpoint detection by FY23

The Cybersecurity and Infrastructure Security Agency is helping 26 agencies deploy endpoint detection and response technologies, affording them greater network visibility, and expects that number to reach 53 by the end of fiscal 2022, according to its executive assistant director for cybersecurity.

Testifying before a subcommittee of the House Homeland Security Committee Tuesday, Eric Goldstein said CISA has made “tremendous” progress as the cyber operational lead for civilian agencies and wants to work with Congress to annualize American Rescue Plan Act investments in its efforts — starting with the fiscal 2023 budget.

Deploying endpoint detection and response (EDR) tools is one such effort, part of a broader push begun by the Cybersecurity Executive Order (EO) issued one year ago to move agencies from perimeter-based to zero-trust security.

“Not even a year-and-a-half after execution of the executive order, we will have EDR deployments in place and underway at over half of the federal government with more rolling out in the months to come,” Goldstein said. “We have seen great uptake across federal civilian agencies, but the work needs to continue.”

A cross-agency review team with representatives from CISA, the Office of the National Cyber Director and Office of Management and Budget is currently reviewing the zero-trust implementation plans agencies submitted in accordance with the EO.

Among other things, CISA wants to ensure agencies are making the right funding requests to continue the work.

“That’s how we’re going to track progress,” said Chris DeRusha, deputy national cyber director and federal chief information security officer. “We’re going to get specific with each of these agencies and hold them accountable to those plans over multi-year.”

CISA met all of its deadlines under the executive order and continues to bring its Continuous Diagnostics and Mitigation (CDM) program Dashboard 2 and new cyber shared services to agencies.

Other CISA efforts include fully implementing relatively new authorities to conduct persistent threat hunting across agencies’ networks and encouraging adoption of software bills of materials (SBOMs) to provide a granular view into third-party supply chain risks. But all of that requires sustained funding.

“In order to get where we need to be, we need continued focus and continued investment in both cybersecurity and IT modernization across the entire federal civilian executive branch,” Goldstein said.

Pentagon’s autonomous weapon rules might be in for a revamp

The Pentagon’s governance of autonomous weapon systems could be poised for a refresh. 

This year marks a decade since the adoption of the Department of Defense Directive 3000.09, which establishes definitions and a policy framework for making and procuring weapons with autonomous features — or those that allow for functions without human control. A lot has changed since its release, so now, senior officials are considering updates to better suit modern capabilities.

“I think certainly there are conversations that are ongoing about the directive,” DOD’s new and first-ever Director of Emerging Capabilities Policy Michael Horowitz said on Tuesday. “For those that are not extremely well-versed in DOD bureaucracy, directives are required to have a certain relook every 10 years. So this is actually an opportune time for the department now, given all that’s happened over the last decade in the AI space, to take a look at that directive and figure out what should be done to reflect sort of where we are now, compared to where we were a decade ago.”

Speaking at the National Press Club for the Nexus 22 national security symposium, Horowitz reflected on the impact of — and gaps in — directive 3000.09. 

That 2012 document “was in many ways the world’s first policy statement on autonomous weapon systems,” he noted. The original version was updated in 2017, but the overall language hasn’t really evolved to match today’s technologies, despite repeated calls for updates.

At this point, the complete review process that is required by the directive to evaluate autonomous weapons before use has yet to be triggered by a DOD component, Horowitz confirmed. But he said the policy has succeeded, at least so far, at setting a strong foundational commitment to human judgment and responsible behavior when it comes to the military’s development and deployment of autonomous weapons.  

Still, he also sees where there’s room for revamps.

“Looking at 3000.09 today, certainly that was written before the DOD’s [Joint Artificial Intelligence Center] existed,” Horowitz said. It was also produced before the Pentagon crafted ethical AI principles, or restructured certain components to underpin the newly established Chief Digital AI Office, he added.

“There’s a lot that wasn’t in that document — and to be fair, there’s a lot that shouldn’t be in that document,” he said. “But I think that the department is committed to taking seriously being responsible about autonomous weapon systems, and having guidance concerning them that incorporates all that has happened over the last decade.”

The ultimate challenge of the next decade, in his view, is figuring out how to sustain the strong elements of the directive and other policies DOD has established around automation and AI, while also accelerating the pace of adoption of the technology. Officials and other experts believe artificial intelligence can be leveraged across the U.S. military, from the back office to the battlefield.

“The phrase I like to use is that the U.S. needs to act with responsible speed,” Horowitz said.

Horowitz did not offer a time frame for when a formal review process for directive 3000.09 might be completed.

NASA picks Booz Allen for $622.5M cybersecurity and privacy enterprise contract

NASA has awarded a cybersecurity and privacy enterprise solutions contract with a total potential value of $622.5 million to Booz Allen Hamilton.

The contractor will start work on May 31 and provide services to the agency’s Office of the Chief Information Officer. The contract initially runs until Sept. 30, 2023, and has four option periods that run through Sept. 30, 2030.

The contract, known as CyPrESS, is a cost-plus award fee core and hybrid indefinite-delivery, indefinite-quantity contract. It is the first enterprise cybersecurity and privacy service contract to be struck by the agency, consolidating cybersecurity and privacy work from various center and enterprise IT contracts.

Cybersecurity remains a top priority for executives at NASA, following multiple recent audits from federal security agencies highlighting concerns over IT security.

In March, a watchdog report revealed that NASA management has agreed to conduct a risk assessment of its unclassified systems to determine if its insider threat program should be expanded to include them.

Based on that report, the agency plans to assemble a cross-discipline team with representatives from the offices of Protective Services and the Chief Information Officer, as well as the OIG Cyber Crimes Division by Dec. 1, 2023.

Army secretary looks to hiring flexibilities to boost cyber talent recruitment

The Army’s top civilian official wants to focus on using the U.S. military’s Cyber Excepted Service authorities to attract cybersecurity talent into the force.

Secretary Christine Wormuth told lawmakers on the House Appropriations Committee on Tuesday the Army is exploring ways to use the authorities, which Congress granted the Department of Defense in 2016 to be more flexible in compensating and hiring cybersecurity talent.

Nearly six years later, Wormuth said the Army still faces a challenge in competing with other organizations for cyber experts.

“One of our challenges frankly is competing with the private sector,” she testified. “Everyone is looking for cyber experts, and in the private sector, they’re obviously well compensated. So that’s something I want to see us explore.”

Across the DOD, despite the enhanced hiring authorities, officials have struggled to improve the recruitment and hiring of technical talent. Part of that has been attributed to a lack of supporting infrastructure for the Cyber Excepted Service. And others contend the added flexibilities still aren’t enough for the Pentagon to get the talent at the scale that it will need to compete as the nature of defense becomes increasingly cyber-driven.

The Department of Homeland Security similarly created a Cybersecurity Service in 2021 akin to DOD’s Cyber Excepted Service.

The Army is seeing success in identifying that talent, or training for it, within its existing ranks, said Wormuth and Gen. James McConville, Army chief of staff.

Among different organizations like the Army Cybersecurity Center of Excellence at Fort Gordon in Georgia and the Army Software Factory in Texas, the service is “finding, frankly, cyber and coding expertise all over the Army in places you wouldn’t expect and training those people and giving us the capability to really have Army soldiers at the tactical edge who can code and develop applications for us,” Wormuth said.

“We’re blessed that we have a lot of young men and women who want to go into cyber,” McConville said, pointing out that at West Point and in the Army ROTC, “that is one of the most competitive branches.”

McConville said once the Army does identify talent or train soldiers to become cyber warriors, it must find ways to keep them around. He told the story of a young medical specialist who works with the Army Software Factory.

“He codes at a Ph.D. level” with no formal training, he said. “And what we want to be able to do is be able to credential that capability … but because of his [highly sought after] skill set, how do we keep that person in the Army, how do we credential that person and then incentivize him to stay?”

Wormuth said what’s going on in Ukraine and the lessons learned there have demonstrated why cyber talent is so critical.

“The information domain is incredibly important,” she said. “The force that can dominate in the information space, I think, will have the advantage in future conflicts, so there’s a lot of a cyber dimension there.”

And while the U.S. has evaded major cyberattacks on its critical infrastructure of late, “I think that is something we can expect in the future,” Wormuth said. “So we’re looking a lot at how we can shore up vulnerabilities, whether it’s with our suppliers or in our own networks, to make sure that we’re not vulnerable to cyberattacks.”

Special Operations Command looking to ditch some of its drones, buy new ISR capabilities

Special Operations Command wants better intelligence collection and intel fusion capabilities, and officials plan to take a hard look at their drone portfolio to determine which systems are no longer needed.

SOCOM acquired a slew of unmanned aerial vehicles (UAVs) to meet requirements for the wars in Iraq and Afghanistan. But some of those might no longer be needed as the command pivots to new technologies and great power competition with China.

“We need to look hard at all those systems and go, which ones within our enterprise are the biggest bang for the buck? And which ones do we need to retain? And which ones do we actually need to cut away?” SOCOM Commander Gen. Richard Clarke said Tuesday at the SOFIC conference.

Systems will be reviewed as the command undertakes long-term planning for capabilities development and resource allocation.

“We need to take a comprehensive look at all of our programs,” he said. “As we’re going into some specific discussions about future POM [program objective memorandum] cycles, there are some things that we need to look at hard and go, ‘Is this really what we still need within our formations?’ We’ve got to take a whole full-throated effort towards that because we’ve got to point towards China, but we still have other missions we’ve got to do.”

The command is less interested in remotely piloted drones and is looking for UAVs that can operate more autonomously and reduce the manpower burden for Special Operations Forces (SOF).

“Unmanned systems have shown great value to SOF operations and will continue to show great value. The issue for us is, we have a small formation and everyone in that formation is dedicated to a certain task. And if I’ve got to pull an operator to have them go one-on-one to operate that unmanned system, I’ve just pulled them away from the tasks that they’re … supposed to be doing,” SOCOM Acquisition Executive Jim Smith said.

He continued: “That’s why we’re really interested in autonomy to be able to get the operator off of the Xbox controlling the unmanned system, and back over their rifle sights and doing what they were paid to do. And so that’s where I think unmanned systems will go in the future.”

UAVs are just one tool for intelligence, surveillance and reconnaissance (ISR). SOCOM wants to leverage more space-based sensors — including commercial satellite imagery — cyber tools, and other technologies.

“We have focused for the last 20 years on airborne ISR overhead capabilities that allow us to look down and see [and] sense the enemy with multiple pods on top of them,” Clarke noted. “We’ve got to layer in the space capabilities with that, we have to layer open-source data with that. And we have to be able to pull that all together. And those things that are flying above, we need to make sure we have the best capabilities on top of them. So, as I look at next-generation ISR I think that’s something that still needs further development, because … just buying overhead UAVs — that is not going to be the solution in the long run.”

Special Operations Command wants technologies that enable “collaborative autonomy” and AI for small unit maneuver.

“We are going to use a lot of sensors — whether they’re unmanned aerial systems, unmanned ground systems, unmanned maritime systems, unattended sensors — all working together,” Smith said. “Our goal is to have those working together collaboratively and autonomously.”

SOCOM aims to take ISR data collected by a variety of unmanned systems, fuse it with data collected from satellites and cyberspace, and provide it to SOF at the tactical edge to improve their situational awareness. Artificial intelligence and machine learning could help SOCOM sort through the sensor data and separate the wheat from the chaff, and give commandos the information they need to accomplish their missions.

“That’s what we think next-generation ISR looks like,” Smith said, adding that a lot of AI and data transfer will be required to enable that.

DIA awards spot on $370M workplace analytics contract to Golden Key Group

The Defense Intelligence Agency has awarded a workplace analytics and talent management services contract to Golden Key Group as part of a $370 million contract vehicle.

The indefinite-delivery, indefinite-quantity prime contract has a five-year base period with an additional three-year option. It was awarded through a contract vehicle used by the agency’s Office of Human Resources Operations and Services, and the performance period is expected to start on June 30.

As part of the contract, Golden Key will provide the office with assistance across a range of areas, including workforce analytics, records management, and hiring and staffing.

Golden Key provides HR and human capital management services to civilian and military departments including the Departments of the Army, Air Force and the U.S. Agency for International Development (USAID).

The company last year hired federal acquisition specialists including former Health and Human Services modernization advisor JD Walter, and former General Services Administration chief acquisition officer Jessica Salmoiraghi.

The Army’s unified network concept is gaining momentum in 2023 capability builds

The Army is expecting to see progress in linking its enterprise network to tactical formations in upcoming tactical network capability sets.

The Army has adopted a multiyear strategy involving the incremental development and delivery of new capabilities to its integrated tactical network, involving a combination of program-of-record systems and commercial off-the-shelf tools. Those “capability sets” now provide technologies to units every two years, each building upon the previous delivery.

Capability Set 21 was primarily designed for infantry brigades, Capability Set 23 is focused on Stryker brigades, and Capability Set 25 is focused on armored brigades.

In October 2021, the Army released its unified network plan, which set forward a path for linking its enterprise and tactical network.

This is now beginning to materialize in the Capability Sets 23 and 25 builds, Army officials said during the Army’s eighth Technical Exchange Meeting in Philadelphia on May 10.

For the “unified network … I will submit to you that we are now actually executing along that line. Capability Sets 23 and 25 are really where you see that transition to go vertical,” Lt. Gen. John Morrison, the Army’s G-6, said at the meeting. “It is just a natural state of play as we mature the capabilities set construct.”

These meetings gather members of industry, the Army acquisition community, Army Futures Command and the operational community to outline priorities and capabilities to modernize the service’s tactical network.

Currently, there are too many tools on the network that aren’t integrated, interoperable or sustainable between the enterprise strategic network and the tactical network at the very edge. Leaders want to better connect these disparate systems to get to a truly singular unified network across the globe that will be centered around data and allow forces to have greater insights and visibility from theater to theater.

In previous examples, officials have cited issues in which units were not able to join the network immediately upon entering a theater — most recently during the withdrawal operations in Afghanistan — which creates big problems for the Army as it is trying to be more expeditionary.

Moreover, the Army is moving away from the brigade combat team-centric fight during the war on terror years that saw the brigade as the primary unit of action. Top nation-state powers that are more technologically sophisticated and transnational are forcing the Army to shift to higher echelons with the division as the unit of action.

“In a multi-domain fight, where our Army is heading, it will be a division and corps fight. Brigades will be maneuver elements,” Morrison said. “How do you maneuver a division network? How do you maneuver a corps network? How is it linked back to the enterprise so you can get to a strategic and operational effect at the point in time that a maneuver commander needs it anywhere on the battlefield.”

To this end, Morrison described moving network complexity higher up the chain, which will take the burden off those at the tactical edge and closer to the fight.

“If you buy into data centricity, and we all should, where do you place that complexity? You don’t place it at the lowest possible level. That’s not how industry does it; it’s not how the United States Army should do it,” he said. “We’ve got to work our way through how do we raise that complexity up to the appropriate echelon where people can deal with it, hence, this division- and corps-centric approach. We do need to be able to plug into whatever infrastructure is available, whether it’s commercial or military, do so securely and then reach back into that broader enterprise so that we can apply those strategic and operational effects to the point of need.”

Those effects could be long-range precision fires, cyber effects, some electronic warfare effects or deep sensing, Morrison said, adding that the Army of the future must be able to see something, feed it into the network and act on it in a timely manner.  

These efforts are also about reducing complexity and allowing greater visibility into the network, both from a tactical level all the way up to the strategic perspective.

“From my perspective, at the operational level, I just want to be able to see my network, both the upper tactical and the lower tactical,” Maj. Todd Donaldson, the communications officer at 2nd Armored Brigade Combat Team, 3rd Infantry Division, said at the same conference. “I want to be able to see what’s on the network, what’s not on the network, if something starts to drift be able to pull it back in, see how much data we’re using and how congested that network might be at that time and how many users we have up on it.”

He added that as more capabilities are added to the network, such as radios and expanded mesh networking capabilities, he needs to be able to see everything to facilitate those capabilities and maneuver the network for the commander.

One area the Army is working on is trying to establish end-to-end capabilities for endpoint management from the highest strategic levels down to those tactical nodes. This will allow defenders and high-end cyber specialists to be able to see directly down into the tactical network from operations centers in the United States — or theoretically, anywhere in the world — and provide assistance and visibility like never before.

“It goes after this notion of unified net ops. The S6 at the edge, the person sitting in the regional cyber center and then all the way back to the Information Warfare Operations Center at [Army Cyber Command] — common capabilities, common view. Now we can really work through who’s got to handle the most complex tasks,” Morrison told reporters on the sidelines of the conference. “We’ll be able to defend it much more effectively and that notion of being able to maneuver it because we have a common look and feel and we’ll be able to put that complexity where we want it to be. That way, folks that need to be able to do the higher-end DoDIN ops can concentrate on it. Communicators down at the edge that need to focus on maneuvering their formations and supporting those operations will be able to do that.”

Ahead of the efforts planned for Capability Set 23, the Army has begun moving personnel and resources to regional cyber centers, division headquarters and corps headquarters to enable a DoDIN operations framework from the enterprise to the tactical level, Morrison said.

This includes empowering newly created Expeditionary Signal Battalions-Enhanced, which support units that don’t have organic communications capabilities.

Morrison has also explained the need for local cyber defenders to up their game of securing, defending and operating the network to keep the high-end cyber protection teams doing what they do best, which is hunting on networks and being threat-focused.

Networking at the tactical edge

Ultimately, in the tactical sphere, the Army wants to reduce the network complexity and training burden for personnel.

In the immediate term, it is focusing on the lower tactical tier, for which the Army Requirements Oversight Council will sign out a requirements definition package later this year.

“We can focus on what planning, management, configuration, initialization, control and monitoring tools exist today, where can we gain some opportunities for optimization, what building blocks can we set the stage with for radio management,” Matt Maier, project manager for Interoperability, Integration and Services at Program Executive Office Command, Control, Communications-Tactical, said at the Technical Exchange Meeting. “Then we can start to migrate those capabilities up into the upper tactical tier and emerge and replace capabilities as capabilities come online.”

Capabilities in the lower and upper tactical tier aren’t well integrated like they are in the enterprise, he said. Notions such as identity management and zero trust don’t exist in the tactical space, which is something the Army is beginning to address.

The plan right now is to put several requests for information out to industry. Then, a draft request for proposals will be released in the third quarter of 2023 with contract awards scheduled for the second quarter of 2024, Maier said.