Moving the Flock Into Cybersecurity
Air Force CROWS organization injects cyber resiliency into the service’s acquisition processes, training and weapons systems.
The three-year old Cyber Resiliency Office for Weapons Systems, known as CROWS, created by the National Defense Authorization Act of 2016, has set about making cyber resiliency a part of the U.S. Air Force. As a problem solver for the service, the organization is elevating the cybersecurity of weapons systems, improving the Air Force’s training in cyber and adding cyber resiliency components where uniquely needed, Joseph Bradley, SES, director of CROWS, told SIGNAL Magazine in an interview. Bradley also serves as the Air Force Life Cycle Management Center-Hanscom’s Engineering and Technical Management associate director.
Not quite two years on the job, the director integrates cyber activities across the service by pulling in expertise from various locations around the states. Part of a subsequent reorganization at CROWS brought together the entities to fulfill stipulations of the National Defense Authorization Act of 2016, Chapter 1647, which directed the Defense Department to assess the cyber resiliency of weapons systems, Bradley explained. The Air Force assigned CROWS to examine the cyber vulnerabilities of 50 weapons platforms, which could be any of the service’s weapons operating in space, air or even on the nuclear side—ranging anywhere from heavy ground radars to airborne sensors to ground command and control systems.
To conduct the mission threat analysis, CROWS merged with the group led by Col. Mike Clark, USAF, program director, Global Combat Support System-Air Force. “We took our Mission Threat Analysis team and merged it with Col. Clark’s team on 1647 so that the people actually looking at the platforms, looked at the platforms,” Bradley noted. “We looked at those systems in two ways. First, was a tabletop assessment of what assessments have been done to date and what vulnerabilities were found, and then working a little deeper with the 46th Test Squadron to look at how do we make changes to the systems so that they're more protected. And the thing that people have to realize is not everything is a material solution. We may have a non-material solution that overcomes that cyber vulnerability, so we are looking at both material and non-material solutions.”
As part of that mission threat analysis, Bradley wanted to make sure the CROWS cybersecurity efforts in the field were aligned with what is being taught at Air University. “We have an effort ongoing to look at that and how we make sure that we're doing the right thing,” he adds.
In addition to making sure weapons systems maintain effectiveness despite cyber attacks, confirming that systems are securely designed and applying cyber-related information technology security management, CROWS is standardizing cyber security in the acquisition process across the Air Force, which includes the development of an acquisition guidebook that standardized cyber-related language for contract evaluations. “I wanted to have standard acquisition language, standard cyber language,” Bradley said. “We worked closely with industry and then we took the guidebook and we distilled it down to eight, nine pages.”
That document went to the Air Force’s four center commanders in the Space and Missile Center (SMC), Nuclear Weapons Center, Lifecycle Management Center (LMC) and the Rapid Capabilities Office. The leaders all signed off on the document and directed their respective organizations to use the language in acquisition, including in statements of work, sections L and M in a request for proposal, and in sources sought notices and synopsis specifications. “So, we when we bake in cyber resiliency in a new program, we are all doing it in a similar fashion,” Bradley observed. “That's a big deal to me.”
CROWS also develops cyber security solutions, on the research, development, testing and evaluation (RDT&E) side of things. “The other thing we're doing is that I have a team that does mitigations,” Bradley continued. “We're involved in a lot of different cyber mitigations right now. And as we identify a mitigation solution, … I want to see a connection with the Program Executive Offices (PEOs). So, I'll do the nonrecurring engineering, and they'll pick up the recurring engineering and field the solution.”
Another key priority for CROWS is to embed cyber personnel, called cyber-focused teams (CFTs), within each Air Force PEO. As programs modernize through sustainment, the CFTs will add cyber resiliency and awareness to the programs. Moreover, the organization is pursuing key cyber resiliency-related training efforts to increase the cyber awareness and cyber posture of airmen. Here, CROWS works closely with the Air University and the Air Force Institute of Technology. For example, because cross training has been mandated for maintainers, “all 135,000 maintainers in the Air Force will take some form of cyber training that we've developed,” he noted.
The director emphasized that CROWS will continue to work closely with the SMC even though the center is now a command in the new U.S. Space Force. “We have had a productive working relationship with the Space and Missile Center and look forward to continuing our collaboration with them to advance our mutual cyber resiliency and acquisition related efforts,” Bradley said.
“And at the end of the day, if I do nothing else, I need to provide increased capability to the warfighter.”