The Department of the Air Force thinks it’s made significant progress over the last several years in upping its game in the still-nascent field of weapons system cybersecurity — enough so that it’s ready to start expanding the approach it’s been using to the Space Force.
The Air Force first stood up its Cyber Resiliency Office for Weapons Systems (CROWS) in 2017, responding to then-increasing realizations that weapons platforms are vulnerable to cyber threats, but require different security approaches than traditional IT systems.
One of the main approaches the Air Force has taken over the past three-to-four years has been to embed teams of experts within its acquisition offices to help program managers build cyber considerations into their procurement and sustainment plans — both for new systems, and ones that have been in the field for decades.
Those cyber focus teams, as the Air Force calls them, now exist at Hanscom Air Force Base in Massachusetts, Wright-Patterson Air Force Base in Ohio, Hill Air Force Base in Utah, Eglin Air Force Base in Florida, Tinker Air Force Base in Oklahoma and Robins Air Force Base in Georgia.
“On our new systems, we have a clean sheet — we have the ability to design from the ground up,” Joe Bradley, the director of the CROWS program said in an interview for Federal News Network’s On DoD. “So we’re working with program managers, logisticians, testing and evaluation folks, systems engineers, and even our finance folks, because they have a vested interest. I can develop this really elaborate solution, but if it’s not financially feasible, then I’ve wasted time and money. So you require the entirety of the acquisition workforce to build it right from the onset… cyber is not just an engineering thing. It is the entire spectrum.”
In the case of fielded systems, CROWS has also been finding ways to “bolt-on” additional cyber resiliency to weapons platforms that were designed years or decades before cyber threats were a serious consideration.
“There is a cyber health assessment that CROWS facilitates through our cyber focus teams, which touches on a handful of different aspects like program protection plans, what kind of artifacts and documentation is provided from an authority-to-operate perspective, what pieces of that goes into the risk management framework, and how the evolution of threat is driving an understanding of how we respond,” said Lt. Col. Zach Lehmann, the CROWS materiel leader. “That information is both provided through annual reporting, and then also provided to program executive officers as well as their directors of engineering to say, ‘How can we hone our understanding of those acquisition practices to apply resources that improve those products over time?’”
Across the broader Defense Department, figuring out how to weave cyber considerations into the acquisition process, including specific contract language, has been a significant challenge. The Government Accountability Office reported in 2021 that most of the military services didn’t have guidance in place that addresses how to contract for cybersecurity requirements in weapons system acquisitions.
The Air Force, GAO noted, was the one exception. Since 2019, via the CROWS office, it has been publishing what it calls the Weapon System Program Protection and Systems Security Engineering Guidebook. The latest edition — a 5.0 version — is due for public release soon.
“In the tradespace that touched cyber, there was, I’d say, over 10,000 pages of policy and guidance in the different functional stovepipes where some direction was getting out to some pieces of the workforce,” Lehmann said. “The guidebook takes a broad view and asks, ‘How do we boil this down to sound system security engineering best practices? How do we streamline all that guidance where there is duplication or contradictions? How do we create a single document that can help backstop any blind spots? How do we bring together those functional perspectives to walk through the acquisition timeline, and where do we apply these best practices?”
But the guidebook is also targeted toward the Air Force’s vendor base, Lehmann said.
“It’s all about managing expectations. We can point to, say, a standard key performance parameter that talks to system survivability, and that parameter is something that gets pushed into requirements. But how those words get derived into contractual outcomes is up to the different program offices, and that can be interpreted in different ways,” he said. “This is about how we manage how a design gets reviewed and approved through the acquisition process and how we help streamline that for both the government acquirers and our industry partners, because we’re walking that acquisition timeline hand-in-hand.”
Most of the details of how CROWS will be extended into Space Force programs still need to be ironed out. Bradley said his office held initial discussions with Space Force officials in January, and the approach to space systems is likely to be similar to what the Air Force has already been doing: using multidisciplinary teams to help program offices make sure large, complex systems can improve their cyber resiliency over time.
“We’re working with the space community right now to identify what specific job series and categories and grades they want to work in their portfolios,” he said. “We’re discussing the template we’ve used that’s been historically proven to work within the non-space portfolios. So we’re in the infancy, but we’re starting to fill that construct out based on the work that we’ve done with the non-space folks.”