defensive cyber Archives | DefenseScoop
https://defensescoop.com/tag/defensive-cyber/

DIU awards prototype deals for next-generation defensive kits for Cybercom
https://defensescoop.com/2025/03/12/cybercom-diu-joint-cyber-hunt-kit-prototype-awards/
Wed, 12 Mar 2025 13:00:00 +0000

Three companies will develop Joint Cyber Hunt Kit prototypes for cyber protection teams.

The post DIU awards prototype deals for next-generation defensive kits for Cybercom appeared first on DefenseScoop.

The Defense Innovation Unit has issued contract awards to prototype the next generation of kits for U.S. Cyber Command’s defensive teams that are charged with protecting Pentagon networks.

Sealing Technologies — a Parsons company — World Wide Technology and Omni Federal were tapped to develop prototypes for the Joint Cyber Hunt Kit, self-contained “fly away” technology that provides a security operations center in a box, according to DIU and budget documentation.

DIU is running the acquisition on behalf of Cybercom.

The effort is significant because the new kits will, for the first time, create a baseline standard for the gear cyber protection teams use for both the traditional defensive missions of the network as well as hunt-forward operations performed by the Cyber National Mission Force, Cybercom’s elite unit tasked with protecting the nation against significant digital threats. Hunt-forward operations, conceptualized over five years ago, involve physically sending defensively oriented CPTs to foreign countries to hunt for threats on their networks at the invitation of host nations.

Since Cybercom’s inception, there has never been a standardized defensive cyber kit for cyber protection teams — groups that hunt for malicious activity on Pentagon networks and respond to incidents — despite efforts in the past to create them. Those systems, referred to as Deployable Mission Support Systems (DMSS), varied across all the services.

Cybercom’s forces are constructed such that each of the services is responsible for providing a set number of offensive and defensive teams to the command to conduct operations. In many cases, the kits across each service varied despite cyber protection teams being largely trained to the same missions and standards, albeit with some variation.

As currently planned, the JCHK kits will provide a baseline of standardization across all the types of defensive CPTs, but offer a level of customization and tailoring for specific purposes and missions.

“The big thing is that flexibility and that modularity and the scalability, just to have the ability to tailor what they’re taking to the mission at hand. Whether that mission is going out and doing a vulnerability assessment or whether it’s an onboard mission where you’re looking for bad guys on an active network, being able to dial your kit into exactly what you’re going to do just makes things much easier and the outcomes from the missions are much better,” Brad Hatcher, chief product officer for SealingTech, said in an interview. “Sometimes what they need might be constrained by their space and how many people they can take to a location. Sometimes it will be more driven by the size and the volume of a network. And we build a kit that lets them tailor it specifically to each mission and take what they need and get there quick and do their mission and report back.”

According to budget documents, the forthcoming JCHK kits will be used by CPTs to secure and protect DOD networks and data centers by hunting, clearing and assessing in friendly, neutral and adversary cyberspace.

“Definitely a step forward in that it’s the latest and greatest technologies that we can put into a kit to run their missions faster to give them the ability to pull in more data, do more analytics — bigger, better everything than previous versions,” Hatcher said. “One of the bigger requirements and what can often be a limitation is the storage space that you’ve got. You’re hooking these kits up to networks and you’re trying to pull in all the traffic that’s flowing across that network to do analysis, to see what should be there, what looks odd. And those bigger storage capacities really allow the teams to really get in there and analyze as much as possible to find any anomaly on a network.”

Omni Federal’s offering, dubbed REDHOUND, provides proactive threat detection, comprehensive network analysis, threat intelligence integration, scalable investigation tools, incident response support and behavioral monitoring. The technology also boasts fast speeds, using a modular ARM processor architecture augmented with NVIDIA GPUs to deliver high compute at low power in edge environments and to provide flexibility, the company said in a statement.

The companies that were awarded deals will develop their prototypes between now and this summer. They’ll be tested in a lab-based environment with actual users for a period of time, and the government will eventually select one vendor to move on to the next phase of the program.

Cybercom looking to combine and standardize defensive cyber kits; solicitation issued
https://defensescoop.com/2024/04/29/cybercom-defensive-cyber-kits-jchk-diu/
Mon, 29 Apr 2024 18:53:12 +0000

Through a DIU solicitation, Cybercom will at last be standardizing the equipment for defensive cyber operations and combining it with gear for so-called hunt forward operations.

The post Cybercom looking to combine and standardize defensive cyber kits; solicitation issued appeared first on DefenseScoop.

U.S. Cyber Command, through the Defense Innovation Unit, has begun the process to standardize the gear that defensive cyber teams use to perform their missions.

That effort will now also combine the equipment cyber protection teams use with the kit for hunt-forward operations performed by the Cyber National Mission Force, Cybercom’s elite unit tasked with defending the nation against significant digital threats. Hunt-forward operations, conceptualized over five years ago, involve physically sending defensively oriented cyber protection teams to foreign countries to hunt for threats on their networks at the invitation of host nations.

Since Cybercom’s inception, there has never been a standardized defensive cyber kit for cyber protection teams — the teams that hunt for malicious activity on Pentagon networks and respond to incidents — despite efforts in the past to create them. Those systems, referred to as Deployable Mission Support Systems (DMSS), varied across all the services. The way Cybercom’s forces are constructed, each of the services is responsible for providing a set number of offensive and defensive teams to the command to conduct operations.

Those DMSS kits are self-contained systems consisting of hardware and software capable of surveying, securing and protecting military networks as well as performing vulnerability analysis and incident response. They are designed to be taken to an incident with little to no notice to connect to the network in order to locate, contain and defeat malicious cyber activity that is either attempting to or has breached Department of Defense systems, according to budget documents.

Despite being designed to be joint in nature with the same training and equipment to operate on the DOD Information Network for defensive teams and the same training for offensive teams, each service provided slightly different DMSS systems to their respective cyber protection teams — creating incongruencies with equipment and forces as well as interoperability issues.

The closest the DOD came to a standard was a few years ago, when it required that a set of basic tools be included across all DMSS kits provided by the services.

Now, there is an effort to standardize those efforts.

A solicitation from DIU issued Monday aims to combine the DMSS kit with the hunt-forward equipment, to create a singular standardized defensive cyber hunt system across the entire force.

The new Joint Cyber Hunt Kit (JCHK), as it is known, will be a mobile “security operations center (SOC) in a box,” DIU said. It must be portable by a nine-person team anywhere in the world and fit in a suitcase for easy air travel.

“Like the DMSS and HFO kits, the JCHK will be a self-contained flyaway capability utilized by the Cyber Protection Team (CPT) Mission Elements to secure and protect military networks and data centers by conducting Hunt, Clear, Enable Hardening, and Assess missions in blue, gray, and red cyberspace,” fiscal 2025 budget documents state. “The dynamic nature of CPT defensive cyberspace operations driven by the adversary’s rapidly evolving offensive cyber tactics, techniques and procedures require the [Budget Activity-8] flexibility as JCHK evolves. The merging of capabilities will facilitate the standardization of training, maintenance logistics, and force protection and will promote efficient execution of resources based on economy of scale.”

For hunt-forward operations, national cyber protection teams travel to other nations and plug into their network. Most prominent were the ops that took place in Ukraine ahead of Russia’s 2022 invasion, which both governments credit for helping harden Ukraine from potential Russian cyber onslaught. These differ from the tasks that cyber protection teams perform on the DOD’s network.

The new system must be flexible in order to perform standalone operations, given it will most often operate in an environment where it’s not permissible to connect to the internet or send data offsite for analysis.

The solicitation said the kits must be able to perform any and all activities related to discovering advanced persistent threat activities and analyzing their tactics, techniques and procedures.

DIU has been working to equip Cybercom for many years. Additionally, the command awarded a contract worth almost $60 million in 2022 to provide equipment for hunt-forward operations.

Previewing the idea of standardizing the DMSS kits, Cybercom’s top acquisition executive noted that the services will have two years to maintain their separate service kits while the competition is underway.

“We’re going to go out with an RFP and a way of contracting for a common kit, at a minimum at the hardware level and then some layer of software, common software, that will be common across all the services. Then services’ unique needs can be added on top of that,” Khoi Nguyen, who is also the director of the cyber acquisition and technology directorate (J9) at Cybercom, said at a conference in January.

At the time, he said the command wants feedback from industry in a collaborative effort to deliver the best system possible.

“The goal is to get this industry day out there and then we’re looking to do aggressive prototyping. We’re probably going to award two or three more prototyping contracts, give the team [some] amount of time to do the prototyping and then deliver the hardware. Then three months for us [and] the force to play around with it. And then we’ll pick a winner,” he said. “My intent is to, like truly do a competition, allow competition, and that’s why we’re going to give … a decent amount of time for a new vendor or new team of vendors to build a new kit, versus having a prototype period very small, where the incumbent has a higher chance of winning. That’s the goal. We’re going to lay that out as an RFP or RFI. Please come back and tell us if I’m unrealistic or whatever else. We need to know that. But the goal is to get the best kits for the users that we can.”

According to fiscal 2025 budget documents, Cybercom and DIU will be relying on other transaction authority to award a prototype agreement to support the rapid development of a JCHK prototype, with the objective of transitioning cyber protection teams to the new system at the beginning of fiscal 2026.

Army putting offensive and defensive cyber portfolios under a single office
https://defensescoop.com/2023/05/24/army-putting-offensive-and-defensive-cyber-portfolios-under-a-single-office/
Wed, 24 May 2023 22:01:02 +0000

Effective in October, the Army's program executive office for enterprise information systems will transfer its defensive cyber portfolio to the intelligence, electronic warfare and sensors office, which currently handles offensive capabilities.

The post Army putting offensive and defensive cyber portfolios under a single office appeared first on DefenseScoop.

PHILADELPHIA, Pa. — The Army is consolidating its offensive and defensive cyber portfolios under a single program executive office to improve efficiency and synergy from a management and budgeting standpoint.

The move is part of a larger push to consolidate all network functions and capabilities under a single PEO. As the Army is executing its vision for a unified network, which involves reducing the silos between its tactical and enterprise systems across the globe, the decision was made to transition elements of the enterprise network from PEO Enterprise Information Systems to PEO Command, Control, Communications-Tactical.

Within this larger effort, the project manager for defensive cyber operations at PEO EIS is moving to PEO Intelligence, Electronic Warfare and Sensors on Oct. 1.

“Having organizations responsible for the network across different PEOs just logically didn’t make sense … Why should we look at enterprise separate from tactical? Previously, it made sense, because they were separate. Technology now has allowed us to converge those efforts. We said, ‘Hey, the Army’s moving to a unified network, we should look at how do we organize,’” Young Bang, principal deputy assistant secretary of the Army for acquisition, logistics and technology, said at the Army’s Technical Exchange Meeting X in Philadelphia Wednesday.

“That’s what initially started that. Now we’re looking at the enterprise and the tactical together, we’re looking at other things beyond just the network when we had that discussion and talked about … why do we have cyber separately, why would we do defense and offense separately from a cyber perspective?” he added.

Officials said the move will create greater synergy between the offensive and defensive teams which, at least on the operations side, feed each other.

“I think it’s relatively obvious this synergy between defensive and offensive cyber operations. Having offensive and defensive functionals within one organization is a relatively obvious conclusion,” Mark Kitz, program executive officer for IEW&S, said at the conference.

Kitz explained that given the direction Congress is pushing U.S. Cyber Command to more tightly integrate the elements of its Joint Cyber Warfighting Architecture (JCWA) — piecemeal parts and programs that make up the command’s cyber operations platform — the move to consolidate within the Army makes sense.

“I did want to highlight that in the last two NDAAs [annual defense policy bills], with Cyber Command, there’s been a focus on integrating the Joint Cyber Warfighting Architecture and establishing at Cyber Command acquisition authority around the integration of cyber and functional components,” Kitz said.

“Because of this enterprise focus on integrating across the cyber architecture, the Army naturally is going to focus on that same integration. There’s synergy of our optimization of the organization here. It’s really important for us as a cyber enterprise to make sure that Cyber Command and ARCYBER — that we’re able to integrate across the cyber warfighting functions, whether that’s defensive, offensive, rapid response, cybersecurity,” he added.

PEO IEW&S will be creating a new offensive cyber and space program office to help handle the workload regarding programs it is developing for Cybercom on behalf of the joint force, with a commander officially taking over in June. They include the Joint Common Access Platform for executing offensive operations and the Joint Development Environment, a space to rapidly develop and test cyber tools.

“The Army is a significant contributor on the offensive side to that Joint Cyber Warfighting Architecture with our JCAP and [Rapid Cyber Development Network] programs,” Kitz said, referring to the Army’s name for the Joint Development Environment program.

Kitz told DefenseScoop on the sidelines of the conference that the defensive cyber office will essentially remain the same and be separate from the offensive cyber and space office within PEO IEW&S. Over the next two years, the PEO will make an assessment on how to build synergies between the two over the long term.

“Anytime you bring on a workforce that’s not co-located with another, we want to give them stability and make sure that they remain a valuable part of the organization before we make any changes or an assessment. I think it’d be about a two-year assessment and we’ll go from there,” he said.

While the defensive cyber office doesn’t provide any capabilities to the joint cyber force, it has been in joint discussions and is now being folded under IEW&S, which will allow it to leverage that close relationship with Cybercom and JCWA.

“They’ve been doing that for a long time and they’ve been identified as JCWA programs [with] JCAP. It will make that coordination much more streamlined,” Col. Mark Taylor, project manager for Defensive Cyber Operations at PEO EIS, told DefenseScoop and another reporter at the conference.

“Having those functionals and the interaction with those functionals unified within one side of it under one PEO, it will make the stakeholder community group much tighter and communications much more synthesized and able to put out capability quicker … You got your acquisition and your operations, the users of that equipment, the operations are a lot more currently tightly coupled today, so where they can do some cross-cueing from the defensive side to the [offensive cyber operations] OCO side. There will be some intersections of the Venn diagram of OCO and [defensive cyber operations] DCO, and we’ll look to further flush those out what are common capabilities that we can use on both sides of the line?”

Kitz said while Cybercom is building out its PEO, it is looking to the services and their acquisition expertise to help.

“I think Cyber Command standing up this PEO, they need help in terms of acquisition experience. They’ve come to the Army to help with that and I think at the PEO level, we can drive a lot of that core talent management there because one of the things I talked to Cyber Command a lot about is we’re going after the same talent,” he said. “How do we build talent, workforce development activities across our cyber domains — whether it’s defensive, offensive, core infrastructure, you name it — so that if I’m a cyber professional, I can go from Cyber Command from Army to Air Force and still be a part of the mission and still deliver to one architecture.”

Cybercom, under its enhanced budget authority that activates in October and gives it oversight over spending and programs, is for the short term still having the services run its programs as executive agents. The short-term change is that Cybercom is reimbursing the services with its money instead of that money coming from the services. In fact, the Air Force is actually building out Cybercom’s acquisition office on a reimbursable basis.

Kitz believes the services, with their acquisition expertise, can help accelerate Cybercom’s PEO, which they are congressionally mandated to complete in five years.

“I think we can accelerate a lot of that by starting with people, right, and then looking at the architecture and how we build synergies in the architecture. I think that will be really helpful,” he said, also referring to a synergistic offensive and defensive program office under a single PEO.

Marines experimenting with defensive cyber teams for reconnaissance
https://defensescoop.com/2022/05/06/marines-experimenting-with-defensive-cyber-teams-for-reconnaissance/
Fri, 06 May 2022 18:08:10 +0000

II Marine Expeditionary Force Information Group is experimenting with how to use its defensive cyber teams for reconnaissance.

The post Marines experimenting with defensive cyber teams for reconnaissance appeared first on DefenseScoop.

One Marine Corps information warfare unit is experimenting with how to use its defensive cyber teams for reconnaissance, according to the organization’s commander.

The Marine Expeditionary Force Information Groups (MIGs), which were created in 2017 and support each MEF within the Corps, integrate electronic warfare with intelligence, communications, military information support operations, space, cyber and communication strategy to provide MEF commanders with an information advantage.

Each of these units incorporates what is known as a defensive cyber operations-internal defense measures (DCO-IDM) company, which protects networks and hunts adversaries on friendly systems at the tactical edge.

II MIG is the lead within the MIGs for experimenting with reconnaissance and counter reconnaissance, its commander Col. Brian Russell said in a podcast hosted by the Brute Krulak Center for Innovation & Future Warfare at Marine Corps University, Wednesday.

Through that experimentation, Russell said they are looking to use their DCO-IDM companies as a reconnaissance force.

“As we lay out our network terrain and determine what’s critical from a reverse targeting methodology, certainly, malicious cyber actors are coming after our kill chains,” he said. “We draw essentially named areas of interest around those critical nodes and that’s where we apply our resource with a sensor [that] I call the electronic version of binoculars to look and confirm that adversary presence so we can do something about it. That to me is a form of cyber reconnaissance that we’re experimenting here at II MEF.”

Russell has previously discussed the need to reimagine how these defensive cyber teams can be used in the gray zone against adversaries, or the competition space that exists below the threshold of armed conflict.

“We can employ this capability to influence adversary decision-making by combining DCO-IDM operations with any other element of the Fleet Marine Force,” he said in 2020. “These operations, below the level of armed conflict (gray zone), enable us to understand the adversary, condition their behavior in advance of conflict, and even impose costs on their operations and strategic intent.”

These DCO-IDM teams are trained to the same standards as U.S. Cyber Command’s high end defensive cyber protection teams that respond to and defend against malicious activity on enterprise networks, Russell said, adding they are essentially interoperable.

This interoperability “opens some doors that lets you work on other people’s networks with allies and partners who trust you because you’re trained to a certain standard,” he said, noting this is the same approach they’ll take with offensive teams abiding by Cyber Command standards.  

II MIG primarily supports European Command but also serves as the Marines’ global response MEF. They have previously conducted exercises and experiments in the theater, learning that building and winning narratives before a conflict is important and everything takes place in the information environment.

Officials have long maintained that the MIGs would not be built overnight. Exercises and experimentation help the Marine Corps shape the direction of these forces and better understand what needs to be tweaked.

In fact, based upon lessons learned from exercises and experimentation, the Marine Corps made alterations to the MIGs three years after they were formed.

Additionally, officials noted that despite the tactical nature of these teams and a lot of what the Marine Corps does, units must also be tied into the operational and strategic trends to be successful.

“In order for you to be tactically successful, you have to be aware of strategic and operational level effects, usually non lethal, that shape the environment to allow your tactical action to occur,” Col. Ray Gerber, commander of III MIG, said on the same podcast. “I would say that the Marine Corps is struggling with this because we have grown up in a world where the tactical action is the thing that everything centers around.”

This force, however, can project power globally from one location, a departure from the traditional domains that is unique to the information environment.

“I’ve got Marines in this building right now supporting operations in the USEUCOM AOR, supporting the conflict in USEUCOM AOR from either analysis or capability provision perspective,” Russell said. “I think that is a growth industry. [Continental U.S.] base operational support … I don’t need to deploy forward to provide the operational value. I can do that from home station or other locations that aren’t necessarily quote unquote, in the conflict zone. That’s what this modern information environment enables us to do.”
