UNCLASSIFIED LTC Scott Helmore Defensive Cyber Operations Industry Overview 3 APR 18

Post on 21-Aug-2018

UNCLASSIFIED

LTC Scott Helmore

Defensive Cyber Operations Industry Overview

3 APR 18

Introduction

• Welcome
• Transforming I3C2 to DCO
• Themes:
  • Innovation
  • Secure Communications
  • Collaboration

4/23/2018 UNCLASSIFIED 2

• WWII was won with American manufacturing

• Cold War was won with military industrial complex

• How will we win the cyber war?

Defensive Cyber Overview

Operational Force

U.S. Army Cyber Command (ARCYBER)

41 Army CPTs
• 20 Active Duty
• 21 USAR / ARNG

CPTs

TRADOC Capability Manager ‐ Cyber

Cyber Center of Excellence

DCO ONSs

PdM ‐ DCO

Materiel Developers

U.S. Army Cyber Protection Brigade, FT Gordon, GA

*11 Requirements Definition Packages

USAR

ARNG

DCO IS ICD

PM MC **TDI Only

PdM TCNO **TDI ONS Only

ARCYBER **Limited Acquisition Authority

UNCLASSIFIED / FOUO11

Programs

Tailored Acquisition

1. Single Materiel Development Decision for suite of capabilities

2. Reduced Documentation

3. Empower Leaders (O‐6 Level Decision Makers) ACAT IVs

4. Flexible Resourcing ‐ allocated to Suite of Capabilities instead of specific programs

5. Continual Test Environment – “Forge”

MDD

From Formal Acquisition

To Evolutionary Acquisition

Capability Release Decisions

Prototyping

Providing Acquisition Capabilities at the Speed of Relevance

Focused on Capability drop decisions vs traditional milestone decisions

DCO Evolutionary Acquisition

Other Transactional Agreements

Emerging Technologies

• Build our Cyber Industrial Bench
• Connect with Industry/Government ranges
• Pre‐emptive Risk Management Assistance
• Industry Recommends new Technology
• “Shark Tank” Rapid Pitches
• “Crucible” Assessment Events
• “Constellation” Tiered Industry Experts

30 Day Prototype Process

C‐RAPID

Innovation

System Integrator Contracts 

Integration Sustaining

• Programs of Record (Multiple)
• Five Year Efforts
• Integrate OTA Innovation
• Modularity
• Focused on Open Source and Open Architecture

• 30 Day Integration

Fielding Stability

Forge Armory

• Assess/Develop Technology
• Integrate Capabilities
• Anytime Training

• Forward Deployed Support
• Latest Integrated Capabilities
• Mission Focused Training

Evolutionary Acquisition

Securing Acquisitions

• Screening Questions
• Facility Clearance
• Experienced Integration capabilities
• No Foreign Supply Chain/Control Issues
• SIPR capabilities (communication)

• Monitoring
• Scanning of Equipment and Code

• Lead Members are given direct access to Operational Data and problems; Have weekly sync with PM and ARCYBER
• Must have TS/SCI facility clearance
• Multiple Leads (No more than eight per topic)
• Recommend Technologies
• Can be rotated if not productive

• Cleared Advisors have security Clearances and are selected by Lead Member
• Innovative Firms do not require clearances and are selected by Cleared Advisors or Lead Members

Constellation

Industry Subject Matter Expert sub-consortiums

Constellation (example)

(1) Lead

(20) Cleared Advisors

(50) Innovative firms

Constellation Leads may include: (1) Government, (1) Academia, (1) FFRDC, and (4) Industry

Get Ahead of Threats; Building the Cyber Bench

Acquisition Steps

• April – Request for Proposal – Garrison DCO Platform; Deployable DCO System
• April – Consortium Management Firm selection
• April – Forge Stand-up
• June – Request for Proposal – Analytics
• July – Request for Proposal – Mission Planning
• September – User Activity Monitoring & Forensics/Malware

Continual Technology Reviews using C‐RAPID and Forge

User Activity Monitoring

Program Description

User Activity Monitoring (UAM) is the primary capability within the Army’s overall Insider Threat program. UAM will mitigate gaps that inhibit the Army’s ability to identify anomalous or malicious user activity that may pose a threat to the Joint Worldwide Intelligence Communications System (JWICS) and Secure Internet Protocol Router Network (SIPRNet) networks. UAM is a software‐based, scalable solution that proactively identifies and mitigates internal risks associated with the theft or misuse of critical, mission essential data. It utilizes an integrated approach with a centralized UAM cell sending data to a core Insider Threat Hub. 

Capabilities

• Endpoint activity monitoring and control, capture and analysis of user actions (with the ability to replay), investigations, and the adaptation of an organization’s Insider Threat countermeasures

• Identify individuals who are at higher risk for being targeted by foreign intelligence or more likely to misuse access privileges 

• Provides audit and trigger data to designated cyber forces based on predefined policies

• The Army will implement UAM for all Soldiers, civilians, and contractors with access to JWICS and SIPRNet 

• 2017 ‐ Assess Data Analytics Services to attach to Raytheon Innerview™

• 2018 – Employment of Securonix‐ Big Data Platform Assessment

• 2019 – Program of Record 

Forensics and Malware

Program Description

The Forensics and Malware Analysis (F&MA) capability will be composed of a set of applications that provide the enterprise‐level function to detect, analyze, mitigate and eradicate malicious IT threats (malware) on defended networks. F&MA will hunt for malware residing on processing components, including clients, servers and network components. It will also provide information support for the assessment of damages and for restoration. The applications will examine the operation of malware, isolate it, and extract it from the contaminated network to a controlled environment.

Capabilities

• Rapidly triage an incident and place the impacted system back in service

• Quickly review information stored on deployed computers in real‐time – without altering or damaging it

• Assist in determining subsequent actions in order to collect, process, search, and analyze evidence from portable electronic devices, removable media, system hard drives, and random access memory

• Automated and dynamic malware decomposition and behavior analysis to determine impacts

• 2017 – Deployed as part of Tool Suite

• 2018 – Enterprise Pilot

• 2019 – Program of Record 

Discussion

‐ How should technologies be recommended?
‐ How can we make a better partnership?
‐ How can we be Open but Secure?
‐ How many Constellations?
‐ Can we buy solutions?
‐ Can we build a Cyber Coliseum?

UNCLASSIFIED

LTC Scott [email protected]

Thank-you

Anh Nguyen
Executive Assistant to PdM and DPdM
Defensive Cyber Operations (DCO)
(O) [email protected]