Assessments and Evaluations Cyber Vulnerabilities

Abstract

The National Defense Authorization Acts (NDAA), Fiscal Years (FY) 16 Section 1647, and FY 17 Section 1650, directs the office of the Secretary of Defense (OSD) to complete an evaluation of cyberspace vulnerabilities of select DoD weapon systems and critical infrastructures. For NDAA 1647, the Army was directed to assess and mitigate twenty-four weapon systems NLT December 31, 2019. For NDAA 1650, the Army was directed to assess and submit a mitigation strategy for twenty-five installations, NLT 31 December, 2020. To support this mandate, the HQDA G-3 directed DAMO-CY to evolve the two congressional mandates into two enduring Army programs: the Cyber Operational Resiliency Assessment-Platforms (CORA-P) to replace NDAA 1647, and the Cyber Operational Resiliency Assessment-Installations (CORA-I) to replace NDAA 1650. The aim of CORA-P/I is to reduce the Army's risk to adversarial cyber intrusions or attacks that compromises the Army weapon and installation systems. In compliance with the congressional mandates, DAMO-CY's performance objectives is to provide governance oversight over the execution of CORA-P/I phased vulnerability assessments to support o the Planning, Programming, Budgeting and Execution (PPBE) cycle. These deliverables include identifying the means to mitigate CORA-P/I vulnerabilities. This Program Element (PE) funds cyber vulnerabilities evaluations of major weapon systems in alignment with Section 1647 of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2016, and of critical infrastructure in alignment with Section 1650 of NDAA 2017. Efforts in this PE will: 1) identify, assess, and develop and identify non-recurring engineering (NRE) to mitigate operational risks from cyber vulnerabilities to critical Army weapon systems in an operational configuration; and 2) assure the confidentiality, availability, and integrity of the information and control systems that underpin Army facilities and critical infrastructure by inventorying and assessing Facility-Related Control Systems (FRCS). Weapon systems evaluations will assess and provide NRE recommendations to mitigate operational risks emanating from a peer or near-peer adversary profile in accordance with existing test/lab requirements of through acquisition cycle. Where applicable, these evaluations will include tabletop exercises, lab assessments, and exercise/operational assessments of Program Executive Officer Command, Control, Communications-Tactical (PEO C3T) and ground weapon systems. Cyber hardening efforts will be informed by the vulnerability assessments reports (VAR) generated through the assessment and prioritization process. Prioritization will be based on mission criticality, impact to readiness, and threat. When applicable, this PE also provides for Red Team enhancement to support Combatant Command mission-level cyber vulnerability assessments. Evaluations of cyber vulnerabilities to critical infrastructure will focus on Task Critical Assets, Defense Critical Assets, and on units with high priority Quadrennial Defense Review missions and their supporting infrastructure. When necessary, this PE will provide for the training of teams to conduct cyber vulnerability evaluations on critical infrastructure. Once trained, these teams will conduct cooperative vulnerability and penetration assessments (Blue Teaming), adversarial assessments (Red Teaming), and assist with conducting assessments of cyber dependencies, vulnerabilities and threats in accordance with DoDI 8501.1 "Risk Management Framework." Funding will also provide for Contractor subject matter expertise to conduct Security Control Assessments and Deep Cyber Resiliency Assessments.

Document Details

Document Type

R2 Budgetary Justification

Publication Date

Oct 01, 2021

Source ID

0606942A_6_2040_PB_2021

Change Summary Explanation

Service Agency Name

Army

Entities

Tags

Related Documents

• Child Project: Cyber Vulnerabilities Assessments and Evaluations
• Child Accomplishment: Cyberspace Operational Resiliency Assessment ? Platform (CORA-P)
• Child Accomplishment: Cyberspace Operational Resiliency Assessment ? Installation (CORA-I)
• Child Accomplishment: Fiscal Year 2019 (FY19) Pending Recission