DoD Cyber Red Teams Will Assess Cyber Vulnerabilities of Systems Under Acquisitions

Published: February 01, 2024


The Pentagon has defined the roles that its cyber assessment teams will play in evaluating DoD digital infrastructure.

The Department of Defense (DoD) Office of Chief Information Officer (OCIO) recently released a policy document focused on more clearly defining the operations of DoD cyber assessment teams, which test for vulnerabilities on DoD networks.

The DoD Instruction (DoDI), released in January, establishes a DoD Cyber Assessment Program and provides governance, scope and authorities for the DoD Cyber Red Team (DCRT) community.

The DoDI also addresses gaps in existing guidance that were identified in a DoD Inspector General (IG) audit from 2020 as well as provisions in the fiscal year (FY) 2020 National Defense Authorization Act (NDAA) requiring an assessment of DCRT capabilities.

DoD Cyber Red Teams Roles

The instruction directs the DCRTs to perform three distinctive roles as part of the DoD defensive cyberspace forces, unless directed otherwise by the DoD CIO.

  • Acquisition Tester (Tester) – Conduct adversarial cyber tests of a system, service, or enclave exploiting identified vulnerabilities and other weaknesses, to create operational effects through the identification and exploitation of vulnerabilities in systems under acquisition testing.
  • Operational Vulnerability Assessor (Assessor) – Conduct assessments on live operational networks, either in support of mission assessments or specific acquisition testing, to assess the protective posture of operational networks, systems, and cybersecurity service providers as they emulate adversaries.
  • Cyber Opposing Force (OPFOR) Aggressor (Aggressor) – Serve as the cyber opposing force (OPFOR) for exercises emulating and/or replicating a specific key cyber threat actor’s capability and tactics, techniques, and procedures (TTPs), with the objective of providing feedback on performance to units to maximize training.

FY 2024 Budget for Advanced Cyber Assessments

The DoD’s FY 2024 Operation and Maintenance (O&M) budget request for the Defense Threat Reduction Agency Cyber (DTRA-Cyber) includes $70.5M for its Mission Assurance program to fund an expansion of its Advanced Cyber Assessment capacity and capability, an increase of nearly $14.5M over FY 2023 and more than $33M above FY 2022.

The funding increase reflects nearly $12.9M for “the contracted procurement of technical specialists to expand the Mission Assurance program's Advanced Cyber Assessment capacity and capability” to increase from 35 advanced cyber assessments in FY 2023 to 65 advanced cyber assessments in FY 2024. This capacity incorporates both blue (defend) and red (attack) advanced cyber assessments. (This $12.9M increase is moderated by a $4M decrease due to “a one-time increase in FY 2023 for IT contract support services to expand advanced cyber operations.” The result is a net $8.9M increase for FY 2024.)  

The overall FY 2024 increase also includes $1.9M for expanding the civilian personnel full-time equivalents (FTEs) from 18 to 17 (+9) to support the increased assessment capacity for FY 2024. In addition, the FY 2024 increase includes $2.4M for cloud security related to agency information residing in the cloud; Supply Chain Risk Management (SCRM); and cybersecurity tool lifecycle maintenance and support. An additional $1.3M in budget increase covers price changes from FY 2023 to FY 2024.

Implications

The scope of DCRT activities covers all DoD components that are “involved in the development, acquisition, and sustainment of DoD digital infrastructure, systems, and system components … throughout the system’s lifecycle,” according to the latest DoDI.

Further, the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD (A&S)) is directed under the policy to introduce the DCRTs “as early as possible in the acquisition of information technology and in an integrated manner across the information technology life cycle.” The PMOs …

Clearly, DCRT activities, and the threat-based capabilities and methodologies they use, will impact the systems, solutions and services that the DoD and its components select throughout the procurement and support lifecycle. Successful solution and service providers will anticipate those realities and adjust their development activities accordingly, as well as build their own capacities to support DCRTs in their efforts.