Army Assesses Cyber Posture of Its Weapons, Control Systems Ahead of Zero Trust

As the U.S. Army looks to stand up a unified network based on zero trust principles, it will soon be assessing its weapons systems, control systems and the Mission Partner Environment to gain a clearer understanding of what cybersecurity implementation would look like on those systems in accordance with the zero trust framework.

The Defense Department’s weapons systems are more software-reliant and networked than ever, making them vulnerable to cyber attacks. Developing secure weapons systems is highly challenging due to new and legacy systems living side by side and also supply chain disruptions, among other factors.

“We’re going to have to partner on that effort to ensure that those assessments are also addressing zero trust principles. … We need to define what that looks like … not necessarily the capabilities that we’re implementing in enterprise, but as long as those weapon systems are going to have the zero trust principles,” Col. Michael Smith, director of the Zero Trust Functional Management Office, said at a May 24-25 Army technical exchange meeting in Philadelphia.

The Pentagon has also struggled with its Mission Partner Environment efforts as it looks for ways to effectively communicate with and fight alongside its foreign allies and partners.

The Air Force has been appointed as the executive agent for the secret and below releasable environment, or SABRE, a software tool designed for information sharing between the U.S. military and its partners. As the Army is working on deploying its variant of the Mission Partner Environment network, it will begin assessing what zero trust implementation will look like in that environment.

“We have to bring in the entire Mission Partner Environment. What does that look like? Still trying to understand that myself,” Smith said.

The Army has also been tasked with assessing its control systems responsible for managing critical infrastructure that supports the service’s mission.

“So many control systems, they are standalone legacy systems used for power, water. … Working through what cybersecurity implementation looks like on those systems with zero trust principles, not necessarily the capabilities that we’re implementing in the enterprise,” Smith said.

The Army has been conducting zero trust gap analysis to better understand its networking and security ecosystem. It recently completed an enterprise-level zero trust gap analysis and is currently using the methodology to expand the analysis into its classified environments and tactical spaces.

Data tagging, automation and ICAM solutions integration remain the biggest challenges in the service’s zero trust implementation efforts.

“Those … are very key to getting our tactical environment from a good zero trust solution to a great zero trust solution,” said Chief Warrant Officer 3 (CW3) Benjamin Koontz at the meeting.

Data-tagging solutions needed to connect all services for successful data exchange remain a challenge even as DOD moves ahead with efforts such as Joint All-Domain Command and Control (JADC2).

“DOD has left it up to each of the services and other organizations to create their own data tagging solutions. So what does that look like when I receive data from the Air Force? What does data look like that leaves the Army environment and it goes to another? So we’ve raised that as a significant concern, the last DOD Zero Trust Summit, which was a few weeks ago. So the DOD CIO leaders and Zero Trust Portfolio Management Office are going to take a swag and maybe how we can better align that across all the services,” Smith said.

“Joint Staff … is trying to address for all services from JADC2 perspective and a number of other initiatives is how they’re trying to get after that. So in terms of in the Army perspective, we realize there’s some challenges,” said Col. Evert Hawk, mission command lead for the Army’s Network Cross-Functional Team.