SEC Command and Staff

Presented By:Ms. Jennifer Zbozny, SES, Software Engineering Center (SEC) Director- AMC CECOMMr. Chad Claussen, SEC Chief Technical Officer- AMC CECOMMs. Xiomara Ford, SEC Cybersecurity Division Chief, AMC CECOM

Measures Towards Defensible Cyber Operations

Approved for Public Release- Distribution Unlimited

SEC Mission and Core Competencies

Core Competencies

MISSIONEnsure operational readiness by

developing, providing, integrating andmaintaining Army C4ISR, logistics and

business software

Software Acquisition

Support

Software Field

Support

Independent Verification & Validation

CybersecuritySoftware Testing

Software Development

Electronic Warfare Software Reprogramming

Who We Are & What We Do• The Communications Electronics Command Software

Engineering Center (CECOM SEC) • SEC sustains C4ISR system software• Software sustainment includes but is not limited to:

• Resolving software anomalies• Modifying software to meet new operational needs• Maintaining software interoperability• Responding to new threats• Incorporating fixes to protect systems from cyber

threats


• Business & Logistics Systems• Strategic Satellite Communication Systems

• Intelligence Systems• Sensor Systems

• Electronic Warfare Systems

CECOM SEC Customer & System Support

• Communications Systems• Command & Control Systems


Why Care about Cybersecurity?

Anything that is networked can be hacked


Cybersecurity Improvements

Objective: Improving measures for protecting Army information systems, networks and operations from disruption, unauthorized access, use, disclosure, modification, and destruction.

SECURE OPERATIONS

Hire/Retain Cybersecurity Professionals

Secure Army

Software

Enable Electronic Patching

• Leveraging Government-wide Direct Hire Authority 5 U.S.C. 3304(a)(3), 5 CFR part 337 to address talent shortage.

• Cyber Workforce Program identifies cyber functions of all personnel across SEC and provides training resources and current threat reports from the G-2.

• Assess Army and Enterprise software for security deficiencies.

• Provide electronic delivery and automated installation of software patches.

• Gauge security issues with software while in development.


PURPOSE: To transform our workforce focus from solely informationassurance to a more inclusive cybersecurity focus comprised ofpersonnel who build, secure, operate, defend, and protect DoD and U.S.operations.

BACKGROUND: The Federal Cybersecurity Workforce Assessment Act of 2015(FCWAA’15)

CURRENT STATE:• Cyber specialties coded for SEC Personnel in Army

Training and Certification Tracking System (ATCTS)• SEC Cyber Workforce SharePoint Portal

END STATE:• Innovated recruitment strategy• Qualified Cyber workforce retention strategy• Expansion of Threat Knowledge• Promote greater sense of cybersecurity

responsibilities amongst the workforce.

Cyber Workforce Program


Software Assurance Program

BACKGROUND: The implications of software security defects are not well-knownthrough the Acquisition Lifecycle and difficult to detect through the Risk ManagementFramework and Program Protection processes.

PURPOSE: To “build-in” security requirements for software in development or enteringinto sustainment.

CURRENT STATE:• Customized tools for conducting static and dynamic code

analysis.• Unique personnel skillsets whom specialize in software

engineering and cyber,• Developer-capability tools to assess software security

deficiencies as they develop.

END STATE:• Develop robust and secure software applications to enable a

defense-in-depth approach• Influence the procurement of secure applications from

industry.


Electronic Patching

Purpose: Improve the software security posture by expediting thedelivery and process of applying software updates

Background: The Army continually faces a challenged network todeliver information safely and efficiently. Software security updatesare needed to prevent cyber attacks on Army systems

Current State: With a manual process, the soldier has to:• Wait 2-3 weeks for security updates to reach CONUS and OCONUS

sites• Manually upload security updates via CDs to each system• Manually create reports based on system compliance (~2 week effort)

End State: With an electronic process, the soldier is enabled to:• Leverage one website to obtain security updates• Automate the manual process of updating multiple systems• Create a quick report based on system compliance (~2 minute

effort)


EPI Scope & Lines of Effort

LoE 1: Baseline Tagging

LoE 2: Compliance Reporting

LoE 3: ePatching

LoE 4: Patch Portal

Embed standardized data fields for asset and baseline identification

Provide actionable reporting for network defenders and commanders

Automate the manual process of applying software security updates

Centralize content distribution as a one-stop-shop for the warfighter to improve patch availability

Desired End-State Allows us to see

ourselves Identify system

vulnerabilities of our systems

Reduces complexity of unit patch management processes

EXORD 013-18: Program of Record Electronic Patching and Compliance Reporting for PORs in a high-bandwidth environment or Installation as a Docking Station (IaaDS) connected state

Purpose: Improve Program of Record (POR) security posture through an expedited electronic process for patching security vulnerabilities and enhanced vulnerability management


Stakeholders

AMC• CECOM

ASA(ALT)• PEOs• Cyber Focal

ARCYBER• G35• NETCOM

TRADOC • TCM N&S

FORSCOM• Operating Units• G6

POR Tagging and ePatching

Compliance Reporting Process and Tool

Patch Portal and Governance

Requirements Integration

Schoolhouse training development

Unit Implementation

POR Tagging and ePatching

Identify long-term patching solution

EXORD 013-18 WG: Army-wide team enabling systems on high-bandwidth networks


Questions?


SEC Command and Staff

Documents

Transcript of SEC Command and Staff