Army Cyber Policy Focuses on Warfighters
Cyber policy traditionally has focused more on enterprise networks than tactical systems, according to Nancy Kreidler, the Army’s new leader for the Cybersecurity and Information Assurance Directorate within the Office of the Chief Information Officer/G-6. But new initiatives emphasize cybersecurity in the tactical environment, including networks, weaponry and any other systems used by warfighters.
Kreidler’s office, for example, is partnering with the Program Executive Office for Command, Control and Communications-Tactical (PEO C3T) to gain efficiencies on behalf of warfighters. “The cybersecurity policies have always leaned a little toward enterprise, so that’s been a challenge. We’re working closely with PEO C3T to define the appropriate cybersecurity requirements for continued streamlined processes on the tactical side,” Kreidler says. “We will continue to work with the tactical community as our first line of effort. Cybersecurity all comes down to the warfighter and enabling them to make decisions faster across a multidomain environment.”
She started in the position in March and brings nearly 20 years of experience with PEO C3T. Her entire career has been in the cybersecurity and information assurance domain, predominantly on the tactical side. She supports identity, credential and acts of management, commonly referred to as ICAM, along with cybersecurity training, policy impact assessments, encryption modernization and cross-domain solutions, among other priorities. Everything she does as the director of the Cybersecurity and Information Assurance Directorate, she asserts, is in support of Army readiness, modernization, reform, and alliances and partnerships, as described in the service’s strategy document. “We do that by assuring that the network and the Army data is secure wherever it resides,” she says.
Kreidler wears a second hat as the Army senior information security officer. In that position, she is responsible for directing and coordinating the Army Cybersecurity Program, which includes cybersecurity policy, implementation and enforcement of the risk management framework (RMF) process. She also oversees authorizations and assessments for all Army information systems. For example, under the Federal Information Security Modernization Act, she reports to the Defense Department quarterly, and the department reports to Congress annually.
In addition to those duties, she represents the Army on a number of forums, including the Defense Department forum for chief information security officers and the authorizing official forum. She serves on the RMF executive technical advisory board, the department’s special access program executive board, and an array of other organizations. “This gives me a tremendous opportunity to represent the Army’s unique challenges for both enterprise and tactical perspectives,” she says.
The service’s streamlining efforts include tailoring the RMF, which integrates security and risk management activities into the system development process. The RMF is used to certify, accredit and authorize systems to operate on military networks. The process can be labor intensive, but the framework itself is built to be tailored so that organizations can use the most appropriate controls to evaluate systems, including networks, applications and tactical systems. “When we looked at the risk management framework … we first looked at our tactical efforts because this is what will support the Army Futures Command and the cross-functional teams,” Kreidler notes.
The Army leadership first published an interim “authority to test” process that allows systems to test on the network through an abbreviated process, she explains. “This allowed experimental testing to occur since fielding decisions had yet to be made. So, instead of having to do the whole RMF process, it was an abbreviated procedure just looking at the authority to test.”
Service officials from the CIO/G-6 office, PEO C3T, Army Materiel Command, the Communications-Electronics Command Software Engineering Center and the Army’s intelligence staff are now working to streamline RMF at the enterprise level as well, she adds.
Her team also is working on a “tactical rapid capability process,” including multiple pilot efforts, in support of urgent operational needs statements and joint urgent operational needs statements, both of which are used to more rapidly field cutting-edge technologies to warfighters. The change also will benefit the Army’s newly created cross-functional teams as they “move through their testing and fielding time lines” and will help modernize the network more quickly.
“We’ve concentrated on the technical controls, and in addition to security control validation, we’ve also brought in a blue team, which really deepens the cybersecurity analysis for the system,” she offers. “For the pilots we conducted, we were able to obtain an authority to operate, which usually takes about 10 months, on an average of 10 weeks. We want to support our soldiers, and this was a way to get after that.”
Other important projects include the development of a mobile app to provide multifactor authentication and a pilot program to adopt the YubiKey, a commercial hardware authentication device. The app being developed is designed to allow greater interoperability and cooperation between various departments and agencies. “For example, now I can go from Defense Department to the State Department to Homeland Security with transparency. We’re working on a prototype right now that provides a second authentication factor beyond just username and password and allows users to access Army sites without their common access card,” she reports.
The YubiKey also will provide another level of authentication for access to Army sites. It can be registered along with the common access card to allow secure use of nongovernmental laptops on the network. The U.S. Army Training and Doctrine Command and ROTC cadets are among the first to receive the devices. “This is like the application you use when your bank sends you a code to verify who you are for authentication,” she explains.
One of Kreidler’s early accomplishments was to help conduct a cybersecurity review to address systems that weren’t meeting the standard for potential risk. Working with Lt. Gen. Bruce Crawford, USA, the Army CIO/G-6 and Lt. Gen. Stephen Fogarty, USA, commander of Army Cyber Command, she helped identify a number of systems that needed authority to connect to the network. They had 90 days to achieve an authority to operate or take their systems off the network. They met the goal, which helped the Army to maintain readiness. The service now has a quarterly process in place to review and address systems operating without an authority on the network and ensure compliance with the Federal Information Security Modernization Act.
Kreidler emphasizes the need for cooperation and coordination to improve cybersecurity. In June, the service held its first of what is expected to be many program information security manager forums. “What we found in this forum is that so many people have the same issues, and more often than not, someone in the group has found a solution to that issue,” she notes. “We found great value in this forum in sharing information across the Army that maybe we haven’t shared as much before. We’re really looking to the entire Army cybersecurity community to work together to identify and drive down risk.”
To foster greater collaboration, she also initiated weekly “community calls” with the cybersecurity community so that participants can ask questions and share information. In addition, she serves on a number of quarterly working groups on such topics as encryption modernization and team management. “One of my priorities in this job is … to bring a community together to collaborate on cybersecurity issues. There’s too much commonality across all the organizations to not be taking advantage of our collective intellect,” she states.
Service leaders recently updated Army Regulation 25-2, a cybersecurity policy and guidance document. Greater collaboration likely will help inform future updates. “As we go through the next iteration, the idea is to bring in the subject matter experts in these different areas and let them all talk together. My experience has been that when we do this, the community feels more engaged, the participation is higher, and the relationships and the networking continue to drive great benefits to the Army overall,” Kreidler says.
She lists artificial intelligence (AI), machine learning and cloud computing as the emerging technologies most likely to impact cybersecurity. “Cybersecurity continues to evolve at an accelerated rate. We have a lot of work to do to determine the implications of AI and machine learning with regard to cybersecurity. Soldiers and commanders will soon be using AI to make more informed decisions on the battlefield,” she suggests. She adds that cloud computing will surely enhance cybersecurity but will also present new challenges.
Kreidler also cites the Army’s need for software development security operations, commonly referred to as DevSecOps, a process for including security during the development of technology systems. “The Defense Department in the future years is going to provide an enterprise DevSecOps for all services. We’re going to see what that looks like. In the meantime, we’re going to start doing some pilots in the Army,” she says.
She emphasizes that under the leadership, including Gen. Crawford and Gen. Fogarty, the Army has made rapid progress on cybersecurity. “I’ve been in cybersecurity for about 19 years, and what I’ve seen in the last five months has been unbelievable,” she declares.
And with that leadership and progress, the Army is at the top of its game, she asserts. “Our challenge is always to stay ahead of our adversaries. Cybersecurity is a team sport, and right now I see us playing at the highest levels.”