On Oct. 1st, Aberdeen Proving Ground’s Software Engineering Center took an important step to protect Soldier-centric C5ISR systems from new cybersecurity threats by consolidating several web locations into one online repository for patch updates and downloads.

Shortens the Inventory Management Process

CECOM relies on mailing physical disks to bases around the world to patch software. Unfortunately, this process can take months, and it can be challenging to ensure that each base receives exactly the right code. Rapid code patching can prevent data breaches or system disruptions but requires adequate bandwidth from units for downloads; by creating a repository instead, CECOM shortens this timeline while decreasing the risk of adversaries exploiting vulnerabilities in software.

The repository consolidates several web locations into one central place, making inventory management simpler for users who typically operate in low-bandwidth environments. A prototype was tested by the 101st Airborne Division prior to becoming Army-wide in 2020, and SEC is now working on integrating more Soldier-centric C5ISR systems into it.

Reduces the Risk of Malware Entering DoD Networks at Work

Even with its investments in cyber hygiene initiatives and practices, DOD remains at risk from successful attacks because it implements inconsistently the critical cyber hygiene practices required to secure information systems against common attack techniques. GAO has proposed several recommendations designed to help DOD better implement these initiatives and practices.

DOD Security Technical Implementation Guides (STIGs) help reduce vulnerabilities by decreasing the ways an adversary could exploit a system. These tailored guidelines cover cloud, mobility, and operating system components of DOD’s information networks.

DOD has identified numerous commonly used adversary techniques and countermeasures; however, no component within DOD has the responsibility for monitoring implementation.

The Army Communications-Electronics Command Software Engineering Center is taking steps to address these concerns by creating a software repository that allows active Department of Defense military and civilian employees to download antivirus software for home use on their PCs, potentially lessening the risk that malware enters work systems and affects DOD networks. However, this repository only caters to active military and civilian employees of DOD; contractors cannot use it at home.

In addition to creating the patch repository, DOD is developing additional tools to improve its cyber hygiene. One such initiative is its Defense Digital Service Strategic Resource Group implementation, which allows components of DoD to record configurations and conduct assessments, and to test ESS functionality efficiently without impacting operational environments, while adhering to rigid standards that reduce vulnerability exposure risk. DOD uses SRG authorization of commercial off-the-shelf software on its networks, formally documenting security requirements using FedRAMP moderate ratings that provide coverage for all information impact levels.

Shortens the Time to Patch

Effective patch management is critical to businesses of all sizes; otherwise, cybercriminals have more time to exploit software vulnerabilities and cause disruptions. Without an efficient process and appropriate technology in place, IT teams could fall behind. Luckily, there are tools on the market that can significantly reduce patch time for endpoints.

Establish a patch management policy. This will make it much simpler for IT staff to detect and address vulnerabilities as they occur.

Once your patch management policy is in place, it is vital that updates be tested on a small percentage of assets before rolling them out to all. This ensures the patch works as advertised without causing any performance or functionality issues in production. In addition, it’s advisable to implement a least privilege policy that limits end-user access, preventing users from installing their own patches or downloading malware from external sources that could compromise systems and networks.

Reviewing and revising your patch management policy at least every quarter is an ideal way to keep the process fresh and efficient.

Software vulnerabilities won’t go away anytime soon, but businesses can improve their patch management processes with increased transparency in SBOMs, more robust bug bounty programs, and efficient patching tools that reduce deployment times significantly.

Increases Security

On Oct. 1st, the Army Communications-Electronics Command Software Engineering Center unveiled a central online repository to protect Soldiers’ command, control, communication, cyber, intelligence, surveillance and reconnaissance (C5ISR) systems against emerging cyber threats. This makes finding updates and patches for over 70 C5ISR systems much simpler; previously this information could only be found scattered over 10 web locations, and this one-stop site makes access easier.

SEC’s online repository also helps it rapidly distribute security updates to units. The user-friendly site requires just two or three clicks to obtain the required information, and SEC has increased e-patching of C5ISR systems as part of a larger effort to make Army units fit for 21st century warfare.

Patching reduces vulnerabilities by decreasing attack surfaces, while STIGs (Security Technical Implementation Guides) make it harder for adversaries to exploit vulnerabilities.

SEC has taken additional measures to increase security by reaching an agreement with antivirus vendors that allows active DOD military and civilian employees to download antivirus software for personal computers they use at home, potentially decreasing the risk of individuals bringing malware back into work and endangering DOD networks. Furthermore, this repository has enabled SEC to save money, as it now relies on one enterprise solution to manage RMF documentation for IT systems.

Reduces the Cost of Maintaining RMF Documentation

DoD can save money and gain efficiencies by minimizing the number of duplicative information technology repositories that the Department maintains. This will include the use of a single enterprise solution that manages Risk Management Framework (RMF) documentation for information technology systems. The solution will also address statutory requirements for reporting.

Currently, the Army Communications-Electronics Command Software Engineering Center provides updates and cyber patches to the service’s Soldier-centric C5ISR systems via physical disks sent to bases worldwide. This process takes on average 90 days, and the code may not always be updated properly at each site. CECOM is working to improve this process, Maj. Gen. Mitchell Kilgo, the commander of CECOM, said recently during AFCEA’s Signal Conference.

The service uses eMASS and commercial RMF tools Xacta and Archer to maintain the RMF assessment and authorization data necessary to obtain an authorization to operate information systems on DoD networks. But SITR and DITPR require input of the same information that is already entered into eMASS, Xacta, and Archer, creating a significant duplication of effort and expense.

The Marine Corps and USINDOPACOM use the commercial RMF tool Archer to maintain assessment and authorization RMF data for information systems, and it also contains information technology system inventory and data that supports FISMA reporting requirements. It costs USINDOPACOM about $100,000 per year to use the tool. Using a single, DoD-wide solution for RMF management could decrease this cost to about $50,000. It would also increase the speed of obtaining an authorization to operate by eliminating the time to send physical disks from the Pentagon to bases around the world.
