OCR of the Document

View the Document >>

Department of Defense Inspector General, "Combat Mission Teams and Cyber Protection Teams Lacked Adequate Capabilities and Facilities to Perform Missions", November 24 2015. Secret.

Report No INSPECTOR GENERAL US Department of Defense November 24 2015 Combat Mission Teams and Cyber Protection Teams Lacked Adequate Capabilities and Facilities to Perform Missions Classifiei fB'y Carol N -Gorman Assistant Inspector Gui eral - -rived From L MUItip ie Sources 0nINTEGRITY 1k EFFICIENCY k ACCOUNTABILITY EXCELLENCE Mission Our mission is to provide independent relevant and timely oversight of the Department of Defense that supports the warfigh ter promotes accountability integrity and e iciency advises the Secretary of Defense and Congress and informs the public Vision Our vision is to be a model oversight organization in the Federal Government by leading change speaking truth and promoting excellence a diverse organization working together as one professional team recognized as leaders in our field Fraud Waste 8 Abuse is HOTLINE Department of Defense dodig mil hotlinel300 424 9098 For more information about whistleblower protection please see the inside back cover I lhl 1 I 1 Results in Brief Combat Mission Teams and Cyber Protection Teams Locked Adequate Capabilities and Facilities to Perform Missions November 24 2015 U Fii iding cont d U Objective Army Cyber Command did not provide adequate temporary CPT facilities U We determined whether Cyber Mission Force CM teams had adequate facilities equipment and capabilities to effectively perform missions U Finding USMC Sec 1 4 g on Sec 1 4 g U Management Actions Taken USMC Sec 1 4 g Xi viffNifv'Y USMC Sec 1 4 g U Recommendations U We recommend that the Chiefs of Staff U S Army and US Air Force the Chief of Naval Operations the Commandant of the Marine Corps and the Commander USCYBERCOM Nii x r' ' s fuswlc I Sec - develop or update a doctrine organization training materiel leadership and education personnel facilities and policy framework to document capability requirements and associated capability gaps to build the current force grow and mature the full CMF and develop and sustain CMF capabilities and SEW Visit us at in mm I 1 11 Results in Brief Combat Mission Teams and yber Protection Teams Lac ed Adequate Capabilities and Facilities to Perform Missions - U formalize an agreement to focus capability development on functional and mission areas consistent with the results of the CMF mission alignment board to begin identifying capability gaps and developing capabilities that affected these proposed missions U We also recommend that the Commander USCYBERCOM develop and specify the capability baseline and interoperability standards for CPTs In addition we recommend that the Commander Army Cyber Command and Second Army develop a time-sensitive plan of actions and milestones to provide all Army CPTs with adequate workspace and consistent classi ed network access U Management Comments and Our Response U We did not receive comments from the Chief of Staff for the Air Force and the Commandant of the Marine Corps in response to the draft report Comments from the Chief of Naval Operations Deputy Chief of Staff for the U S Army and Commander Army Cyber Command and Second Army addressed the speci cs of the recommendations Comments from the Commander USCYBERCOM partially addressed the speci cs of the recommendations but further comments are required We request management comment on the nal report no later than December 24- 2015 Please see'the Recommendations Table on the next page Visit us at Hist lizfiti Hum-lino I ll U Recommendations Table Unclassified Recommendations Management Requiring Comments Chief of Staff U S Army Chief of Naval Operations Chief of Staff US Air Force 1 2 Commandant of the Marine Corps 1 2 Commander U S Cyber Command I 1 Command er U S Army ther 7 - Command and Second Army TJ lPlEase arenas Management Comments fie later than December 24 2 0 15 No Additional Comments Required Unclassified u SEW-RN- INSPECTOR GENERAL DEPARTMENT OF DEFENSE 4800 MARK CENTER DRIVE ALEXANDRIA VIRGINIA 22350 1500 November 24 2015 MEMORANDUM FOR DISTRIBUTION SUBIECT Combat Mission Teams and Cyber Protection Teams Lacked Adequate Capabilities and Facilities to Perform Missions Report No DODIG-2016-026 We are providing this final report for review and comment U S Cyber Command the Service Components and the Defense Information Systems Agency made progress in providing Cyber Mission Force Teams with facilities equipment and capabilities to perform missions but did not take sufficient steps to ensure all teams had adequate capabilities and facilities Specifically U S Cyber Command the Service Components and the Defense Information Systems Agencylacked a unified approach to ensure Combat Mission Teams and Cyber Protection Teams had adequate capabilities to perform offensive and defensive missions Additionally Army Cyber Command did not provide select Army Cyber Protection Teams with adequate workSpace or facilities to access needed networks We conducted this audit in accordance With generally accepted government auditing standards U We considered management comments on a draft of this report when preparing the final report However the Chief of Staff for the U S Air Force and the Commandant of the Marine Corps did not comment on Recommendations 1 and 2 Instruction 7650 03 requires that recommendations be resolved Therefore we request the Chief of Staff and the Commandant provide comments on the recommendations no later than December 24 2015 U Comments from the Commander U S Cyber Command ad dressed the specifics of Recommendation 2 and 3 however the Commander partially addressed Recommendation 1 Comments from the Director Warfare Integration responding for the Chief of Naval Operations and the Chief Cyberspace and Information Operations Division responding for the Chief of Staff for the U S Army addressed the specifics of Recommendations 1 and 2 We request the Commander U S Cyber Command provide additional comments on the final report no later than December 24 2015 Although not required to comment the Commander Marine Corps Forces Cyber Command and the Chief of Staff Air Forces Cyber Command generally agreed with the finding and recommendations hum SEW Please provide comments that conform to the requirements of DOD Instruction 7650 03 Classified comments must be sent electronically over the Secret Internet Protocol Router Network Please send a PDF le containing your comments @dodig smil mil Copies ofyour comments must have the actual signature of the authorizing official for your organization We cannot accept the Signed symbol in place of the actual signature Comments provided On the final report must be marked and portion-marked as appropriate in accordance with Manual 5200 01 Ifyou consider any matters to be exempt from public release you Should mark them clearly for Inspector General consideration U We appreciate the courtesies extended to the staff Please direct questions to me at 703 699W 499 Casi 71 51 Ms Carol N Gorman Assistant InSpector General Readiness and Cyber Operations U DISTRIBUTION U DEPUTY ASSISTANT SECRETARY OF DEFENSE FOR CYBER POLICY CHIEF OF STAFF U S ARMY CHIEF OF NAVAL OPERATIONS U CHIEF OF STAFF U S AIR FORCE COMMANDANT OF THE MARINE CORPS U COMMANDER U S CYBER COMMAND U COMMANDER ARMY CYEER COMMAND AND SECOND ARMY COMMANDER FLEET CYBER COMMAND AND 10TH FLEET COMMANDER AIR FORCES CYBER COMMAND AND 24TH AIR FORCE COMMANDER MARINE CORPS FORCES CYBER COMMAND U DIRECTOR IOINT STAFF U DIRECTOR DEFENSE INFORMATION SYSTEMS AGENCY II II 111 C0 meats U Introduction Objective 1 Background on DOD Cyberspace Operations 1 CMF Development 2 Cyberspace Responsibilities and Requirements 3 Review ofinternal 6 Finding Capabilities and Facilities for CMTS and CPTs Were Inadequate 7 CMF Teams Had Adequate Desktop Equipment 8 Unified Strategy and Approach for Offensive Capability Development Was Needed 9 Lacked a Unified Defensive Capability Development Process 17 CMTs Faced Challenges in Performing Missions 22 Temporary Army CPT Facilities Provided Inadequate Workspace and Network Access 25 Inadequate Capabilities and Facilities eopardized CMF Mission Management Comments on the Finding and Our Response 31 Recommendations Management Comments and Our Response 32 Unsolicited Management Comments and Our Response 38 U Appendix Scepe and Methodology 41 Use of Computer-Processed Data43 Prior Coverage 44 U Management Comments U S Cyber Command 45 Chief of Naval Operations 47 U S Army Chief of Staff 50 U S Army Cyber Command and Second Army 54 US Marine Corps Forces Cyber Command 55 US Air Forces Cyber Command and 24th Air Force 58 U Source of Classified Informational U Acronyms and Abbreviations 64 I U Introduction U Objective U Our audit objective-was to determine whether Cyber Mission Force CMF teams had adequate facilities equipment and capabilities1 to effectively perform mission requirements See Appendix A for the scope and methodology and prior audit c0verage related to the objective U Background on DOD CyberSpace Operations uses cyberspace to enable its military intelligence and business operations Cyberspace is one of the five domains the other domains are air land maritime and space Cyberspace unlike the other physical domains is a global domain within the information environment that consists of interdependent networks of information technology infrastructures and resident data Cyberspace operations ensure access and freedom of operations in through and from cyberspace to deliver effects2 in any of the five domains to deny adversaries access and freedom of operations and to sustain mission essential segments of cyberspace networks in the face of adversary action Cyberspace operations are categorized under three lines of operations based on their intent 1 U Offensive Cyberspace Operations Project power by the application of force in and through cyberspace 2 Defensive Cyberspace Operations Defend DOD or other friendly cyberspace 3 Information Network Operations Design build configure secure operate maintain and sustain communications systems and networks 1 A cyber capability is a device computer program or technique including any combination of software rmware and hardware designed to create an effect in or through cyberspace 2 Cyber effects include manipulating disrupting denying degrading or destroying information or communications systems networks physical or virtual infrastructure controlled by computers or information systems or information resident on the infrastructure l l'lillil IJlr ll U EMF Development USMC Sec 1 4 g WW Table 1 ARMY NAVY USAF USMC Sec r-Il'nl-a I'Ill-Il IV I USMC Sec 1 4 g SH-HEW U The Commander Cyber National Mission Force commands and controls National Mission Teams and National Support Teams to defend the nation in response to foreign hostile action or imminent threats in cyberspace 3 U Figures presented in this report are rounded amounts SEW lJ liir't mini rinn A ARMY USAF W9 Table 2 1- an Tn Ilrn rum-u Uf l l I Iv win I USMC bill Sec 1 4 g U Cyberspace Responsibilities and Requirements U Under the authority of the Secretary of Defense DOD uses cyberspace capabilities to perform integrated offensive and defensive operations The Deputy Assistant Secretary of Defense for Cyber Policy Office of the Under Secretary of Defense for Policy 0 integrates cyberspace operations into national and strategies 0 develops policy related to cyber forces and employment of those forces and 0 U ensures cyber capabilities are integrated into operation and contingency plans 4 Additional information on the fielding of CMF teams is described in 016 Report and Military Services Need to Reassess Processes for Fielding CMF Teams April 30 2015 l ill lull will Hm U The Chairman of the Joint Chiefs of Staff ensures cyberspace plans and operations are compatible with other military plans Although the Commander U S Strategic Command is required to secure operate and defend the and critical cyberspace assets systems and functions against an intrusion or attack the Commander delegated most cyberspace responsibilities to the Commander USCYBERCOM The Commander - USCYBERCOM has three mission areas to counter threats to the and military operations and to enable offensive cyberspace operations 0 defend the Nation - 0 support Combatant Command contingency and operational planning and 0 support the security operation and defense of the U Additionally USCYBERCOM 0 U develops a master implementation plan and schedule to accelerate the CMF build 0 coordinates and prioritizes capability development across the Service Components and funds capabilities supporting joint requirements I U maintains the reliability of the cyber capabilities registry and USMC Sec 1 4 g I I I ll 5 USMC I Sec 1 4 g 5 USMC Sec 1 4 g Il - The other combatant commanders operate and defend their tactical and constructed networks and integrate cyberspace capabilities into all military operations As such combatant commanders are required to integrate cyberspace capabilities into their command plans and coordinate with other combatant commanders the Service Components and agencies to create fully integrated capabilities To support combatant commanders Service Components staff train and equip forces and secure and defend their global networks Additionally the Service Components 0 U analyze missions and provide facilities for non-national - U coordinate with combatant commanders to locate combatant command - identify capability gaps and requirements through their Joint Force Headquarters-Cyber UFHQ-CJ7 and develop capabilities to support Service-specific and other joint capabilities when funded 0 program budget maintain and develop materiel solutions for example deployable toolkits to meet CPT defensive capability needs and 0 U assist USCYBERCOM to determine CMF mission alignment NAVY USMC Sec 1 4 g 7 The components ARCYBER AFCYBER and MARFORCYBER command and control the CMTs that conduct offensive operations in direct support of the combatant commands sews-Fema- 'lI ltlHI U The NSA - UHF-GHQ provides workspace for NMTS NSTS CMTS CSTs and national CPTs through leased facilities new construction or renovations to existing NSA centers USMC Sec 1 4 - U develops or modifies capabilities to support CMTs The Director Defense Information Systems Agency DISA as the Commander plans directs coordinates integrates and the execution of missions that defend DOD networks The Commander IFHQ-DODIN develops agreements with Service Components to locate provide facilities and equip CPTs U Review of Internal Controls U Instruction 5010 40 Managers Internal Control Program Procedures May 30 2013 requires organizations to implement a comprehensive system of internal controls that provides reasonable assurance that programs are operating as intended and to evaluate the effectiveness of the controls We identified internal controls weaknesses at USCYBERCOM ARNIY We will provide a copy of the report to the senior officials responsible for internal controls at USCYBERCOM ARCYBER AFCYBER and MARFORCYBER Hi l mrllim U Finding Capabilities and Facilities for CMTs and CPTs Were Inadequate mum- 5 USMC 1 See 1 4 g USAF USMC Sec 1 4 g USMC 1 Sec 1 4 g USMC Sec 1 4 g DIG ilJli'TllE - ARCYBER did not provide adequate temporary facilitie 3 Subject matter experts are responsible for tracking the progress of capability development throughout its lifecycle and completing operational testing and evaluation USCYBERCOM refers to subject matter experts as tool champions 1mm un'nw Iii USMC Sec 1 4 g I A II -- l n -2 I U CMF Teams Had Adequate Desktop Equipment USCYBERCOM the Service Components and DISA adequately equipped CMF teams with desktop equipment to perform administrative and mission requirements with the exception of ARCYBER CPTs located in ARMY hil7 E ARNIY 11 and a CMT USCYBERCOM in coordination with the Service Components developed desktop equipment baselines to support the Service Components and DISA in equipping the CMF teams ARMY ARMY See Appendix A for the teams visited Although only AF CYB ER developed a written implementation plan ARCYBER MARFORCYBER and DISA established deliberate processes to equip CMF teams ARMY used the USCYBERCOM baseline to equip teams or equipped teams with similar desktop The Service Components and DISA either configurations based on established Component missions internal collaboration with Service Component organizations or a combination of the two approaches In general workstations included monitors and peripheral devices classified and unclassified communication systems and access to the Non-secure Internet Protocol Router 9 An integrated approach is based on a Doctrine Organization Training Materiel Leadership and Education Personnel Facilities and Policy framework ARMY NAVY USAF USMC Sec Lille 1 We discussed this issue further In the Temporary Army CPT Facilities Provided inadequate Workspace and Network Access section of this report ill Sec l 4 g U Unified Strategy and Approach for Offensive Capability Development Was Needed Service Components continued to use Component-specific approaches and strategies to develop offensive capabilities that aligned to traditional Component- specific mission areas rather than unify capability development to support the CMTs This occurred because USCYBERCOM did not have appropriate authorities to effectively oversee and direct offensive capability development Although USCYBERCOM developed the Cyber Force Concept of Operations and Employment12 and Integrated Master Plan and Schedule and established the Integrated Capabilities Requirements Working Group and the CCR these initiatives left gaps in unifying offensive capability development U The Government Accountability Of ce GAO reported that the Service Components used separate service-specific approaches to identify and meet capability requirements 13 Consequently GAO concluded that capabilities may vary across the Service Components GAO recommended develop and publish detailed policies and guidance that U affect the categories of personnel who perform cyberspace operations 0 U support command and control relationships between USCYBERCOM and combatant commanders and 0 U address mission requirements and capabilities for the Service Components to meet to provide long term operational support to USCYBERCOM U As ofJuly 2015 two of the three recommendations were closed the recommendation related to the categories of personnel remained open Although GAO reported that the differences between the Components might be expected it also 2 USCYBERCOM Cyber Force Concept of Operations and Employment Version 4 1 July 22 2014 TO USA 13 U GAO-11421 More Detailed Guidance Needed to Ensure Military Services Develop Appropriate CyberSpace Capabilities May 2011 SEER-W tulr- tr l'liitlililij questioned whether these differences were beneficial and whether the Service Components would be able to meet long-term capability requirements U Service-Specific Offensive Capability Development Processes Were Not Coordinated USMC Sec 1 4 g USMC I Sec 1 4 g ARMY USMC Sec l 4 g 1 U Concept of Operations for the JFHQ-C Version 2 0 May 1 2014 TO USA FVEY 5 USMC Sec 1 4 g 1 U ARCYBER and Second Army Strategy for Defining Operational Requirements and Acquiring Capabilities Version 2 2 October 22 2012 updated November 20 2012 ivll 1 2m Ill USMC Sec 1 4 g Sec l 4 g U USCYBERCOM Actions Were Insufficient to Unify Capability Development UHF-BUG USCYBERCOM is the focal point for all cyberspace operations Specifically USCYBERCOM - U identifies and prioritizes technical capability requirements 0 U monitors development of proposed technology solutions and architectural frameworks and associated interoperability standards - U oversees development of advanced tactics techniques and procedures to employ capabilities and a U oversees test and evaluation of cyberspace capabilities To meet its responsibilities USCYBERCOM developed the Integrated Master Plan and Schedule the Cyber Force Concept of Operations and Employment established processes and the Integrated Capabilities Requirements Working Group to facilitate capability development and created the however these initiatives did not ensure a unified and coordinated approach to CMF capability development NAVY USMC Sec 1 4 g Ill U Cyber Capability Was inc ring Although DOD was more than 2 years into the U Components responsible for CMF build as of September 2015 the Components implementing the force did not have a comprehensive framework responsible for implementing the force did not have a comprehensive doctrine organization training materiel leadership and education personnel facilities and policy framework to guide CMF implementation An integrated approach such as a framework was needed to document capability requirements and associated capability gaps to build the current force grow and mature the full CMF and develop and sustain CMF capabilities Guidance from many sources including a framework in uences military operations intelligence activities development and validation of capability requirements acquisition activities affecting organization training and equipping forces and the budget process to fund these activities USCYBERCOM and the Ioint Staff developed the Integrated Master Plan and Schedule to describe how DOD would implement the cyber force model through FY 2016 Although the Integrated Master Plan and Schedule primarily focused on staffing the CMF it also recognized other critical aspects of building a force using a framework to include providing the CMF with capabilities to perform missions However USCYBERCOM did not develop a strategic roadmap for capability development According to the Joint Staff Command Control Communications and Computers Cyber Division branch chief the Integrated Master Plan and Schedule led to developing the Cyber Force Concept of Operations and Employment to continue addressing major cyberspace activities USCYBERCOM developed the Cyber Force Concept of Operations and Employment to describe fundamental principles and supporting tactics techniques and procedures to support the CMF in conducting military objectives Although the Cyber Force Concept of Operations and Employment also provided planning guidance and described way forward to build the CMF force model based on elements of a framework the analysis was not comprehensive and did not include planning facts assumptions and constraints that fully addressed known capability gaps that affected the CMF 1 Furthermore the Services did not develop a framework that defined their strategies to build and field CMF teams ARCYBER AFCYBER and MARFORCYBER officials acknowledged a strategic framework was needed however they stated that the Service Components were more concerned with staffing CMF teams than in establishing a strategy involving full consideration A MARFO RCYBER official stated that the command took initiative to begin developing a in 2013 to support its ability to implement the CMF for elements within its control however MARFORCYBER did not complete the framework because the command prioritized building and fielding CMF teams Additionally AFCYBER created a strategic plan but did not complete a framework 18 The cyber environment continues to rapidly evolve and is unconstrained by global boundaries that create unparalleled challenges to traditional military integration coordination and deconfliction processes These challenges coupled with the tempo of cyberspace operations require an approach that is more centralized and comprehensive to ensure the CMF is provided with needed and timely capabilities to perform missions The lack ofa joint framework will continue to affect DoD s ability to implement an effective CMF The Commander Chiefs of Staff for the U S Army and US Air Force the Chief of Naval Operations and the Commandant of the Marine Corps in coordination with the Commanders ARCYBER AFCYBER and MARFORCYBER should develop a framework to address strategies that build grow and sustain the CMF Existing Cyliei Capability Development Process Needed li'npi'ovemci'it process defined in USCYBERCOM Instruction 3700-0719 to anticipate joint cyber warfighter requirements and develop solutions to meet these requirements was ineffective The process included using the Integrated Capability Requirement Working Group and the CCR to provide situational awareness of DoD's offensive cyberspace development efforts The process described how USCYBERCOM would prioritize invest and oversee operational requirements and cyberspace capabilities funded by the command Although USCYBERCOM established these processes USCYBERCOM officials stated that they did not have assurance that all 1 USMC Sec 1 4 g USCYBERCOM Instruction 3700-07 Cyber Capability Development Policy February 20 2014 Section 2 1 cyberspace Capability Development Process semi-Geese Iiil'uiint' Service Component cyber capability development efforts were vetted through the Integrated Capabilities Requirements Working Group or included in the CCR The Integrated Capabilities Requirements Working Group was established to assess capability gaps and prioritize and decon ict capability requirements and development The Integrated Capability Requirements Working Group was intended to - review operational cyberspace requirements provided by the for the Service Components CMFs combatant commands and the - assist in documenting operational functional and technical requirements and UH-FEES recommend material and non-material solutions to USCYBERCOM the The CCR was unreliable CCR was intended to improve information for providing situational at a - - - - exchange prov1de Sltuatlonal awareness of 355 and m limo tool developers operators and to reduce the 0f planners because it only included developed capabilities developing duplicative capabilities and identify national offensive and defensive cyber capability gaps However the CCR was unreliable for providing situational awareness and did not support tool developers operators and planners because it only included developed capabilities Specifically officials from the Service Components responsible for capability development did not consider the CCR to be reliable because existing capabilities in the CCR did not fully describe the function or use of the capability and did not include capabilities under development An extract from March 2015 showed incomplete or missing information and did not thoroughly describe the functions of the capabilities Without including all capabilities in the CCR and relevant information about each capability the CCR was not effective and could not support developers and planners as intended 7 We did not further describe the content of the CCR or identify the number and type of capabilities included in the database because the information is classi ed TOP SECRET - i'li'r'i I i' lii'mling Based on USCYBERCOM revisions to the CCR and its direction to include all offensive and defensive capabilities in the database and the Deputy Secretary s required actions to make the CCR more reliable we did not recommend further corrective actions U U S Cyber Command Lacked Authorities to Lead CMF Implementation Development and Sustainment ARMY NAVY USAF USMC I Sun I I Ihr l rrUSMC Sec 1 4 g 2 USCYBERCOM Task Order 15-0087 Directive to Enter or Update Cyber Capabilities into the Version 2 7 Mai r 28 2015 22 U Deputy Secretary of Defense memorandum Follow-on Guidance from the April 18 2015 Cyber Deep Dive '1 - June 3 2015 T0 USA FVEY 23 U USCYBERCOM Operational Directive 12 001 April 5 2012 TO USA FVEY l iru'lil'lg The Commanding General ARCYBER and Resources the Second Army stated that resources appropriate appropriate authorities organizations and capabilities which could be in could be in time and space with a time and space with a singular authorities organizations and capabilities which singular purpose to accomplish directed missions purpose F0 accompliSh direaed were needed were needed 25 In April 2015 USCYBERCOM the Services and DISA completed the mission alignment board to finalize proposed mission objectives for the remaining CMF teams to be fielded in FY 2015 and FY 2016 The outcome of the mission alignment board enabled USCYBERCOM and the Services to begin identifying capability gaps and developing capabilities that affected these proposed missions However USCYBERCOM officials acknowledged that the command lacked appropriate acquisition authorities and the ability to direct when needed Service capability development The proposed National Defense Authorization Act for FY 2016 includes language to provide the Commander USCYBERCOM limited acquisition authority to develop and acquire cyberspace-specific capabilities equipment and services Proposed legislation recognizes the limitations of the USCYBERCOM Commander to ensure adequate capabilities are available to support CMF mission requirements however it does not USMC Sec 1 4 g 25 Statement by the Commanding General ARCYBER and Second Army Before the House Armed Services Committee Subcommittee on Emerging Threats and Capabilities March 4 2015 ii If I imiim U address other limitations that affect ability to effectively oversee and when needed direct capability development Although the Commander s April 2012 Directive did not further unify Service cyber capability development because the Services did not agree with the approach his goal was still valid based on the Services continued approach to independently develop capabilities that affected the CMF The Commander the Chiefs of Staff for the U S Army and U S Air Force the Chief of Naval Operations and the Commandant of the Marine Corps should formalize an agreement to focus capability development on functional and mission areas consistent with results of the mission alignment board U tacked a Unified Defensive Capability Development Process The Service Components and DISA were independently developing Component-specific CPT toolkits26 based on internal coordination CPT personnel experience and their individual interpretations of CPT capability needs As of June 2015 the Service Components and DISA were not developing unified defensive capabilities U Service Component Efforts to Develop Defensive Capabilities USMC Sec 1 4 g The Army identified capabilities to include in the deployable toolkit through collaboration with a DISA CPT and ARCYBER and U S Army Network Enterprise 2 A toolkit includes hardware and software that enables CPTs to conduct missions Wesson Il mulling-1 map specific operational environments 0 UH-13639 identify and prioritize potential security instances I UHFQ-U-Q perform hunt missions and - monitor a network or system As ofMarch 2015 AFCYBER was modifying and providing additional capabilities to the Cyber Vulnerability Assessment-Hunter at an estimated cost of $10 7 million to support CPTs USMC Sec 1 4 g ill USMC Sec 1 4 g USMC Sec 1 4 g USMC Sec 1 4 g U DISA Efforts to Develop Defensive Capabilities USMC Soc 1 4 g 2 U A rootkit is a collection of files installed on a system to alter the standard functionality of the system in a malicious and stealthy way USMC Sec 1 4 g USMC I Sec 1 4 g U CPT Capability Baseline Was Needed The Service Components and DISA independently developed CPT toolkits based on their understanding of needed capabilities This occurred because USCYBERCOM didnot provide the Components guidance or standard CPT baseline requirements and interoperability standards to ensure each CPT could perform core defensive capabilities USMC b Sec 1 4 g USAF lb 1 Sec WW mm m mm The Chief of Staff stated that different Components provided CPT support to DISA and the combatant commands OIG DOD 01G USCYBERCOM officials stated that they planned to use the recommended requirements to deve10p a baseline for all CPTs by October 2015 Although USCYBERCOM initiated steps to provide a CPT baseline the baseline was not approved or developed The Commander USCYBERCOM in coordination with the Service Components and DISA should develop and specify a capability baseline and interoperability standards for CPTs n'imimtg UH-Fable CMTs Faced Challenges in Performing Missions USMC Sec 1 4 g - U cyberspace intelligence surveillance and reconnaissance - U operational preparation of the environment 29 0 defensive cyberspace operations response actions 30 and a U offensive cyberspace operations USMC Sec 1 4 g 2 USMC I Sec 1 4 g 29 U Operational preparation of the environment includes activities in likely or potential areas of operations to prepare and shape the operational environment 3 U Defensive cyberspace operations response actions are deliberate authorized defensive measures or activities taken outside of the defended network to protect and defend cyberspace capabilities or designated systems 31 U Section 403-5 title 50 United States Code 2011 authorizes intelligence activities in response to national intelligence requirements ewe-Femi- I lm'iilugg USAF USMC USMC I Sec 1 4 2 L USMC Sec 1 4 g NA VY USAF USMC I Sec I my USMC 1-4 g Iilatllii'lgf U Figure 1 Actions in Red Blue and Grey Cyberspace Legend DCCI-RA ls Defensive Cyberspace Operations Response Actions ISR Is Intelligence Surveillance and Reconnalssance Cy bers pa ce internal Defensive Measures pe ra tI ilita ry 0 De ratio ns I t_3yburspace Ops I 4 DB Defenslve Cyberspalce Ops Cyber ISR I Cyber OPE Fyber defense Cyb U Source USCYBERCOIVI Cyber Force Concept of Operations and Employment USMC I Sec u USMC Sec 1 4 g USMC Sec 1 4m Inn-2 ll USMC Sec 1 4 g USMC Sec 1 4 g Temporary Army CPT Facilities Provided inadequate Workspace and Network Access TC USA 1 Sec I 4 g 32 U Sections 111 164 and 167 title 10 United States Code establish authorities and responsibilities for the Services and combatant commands to conduct military operations including offensive cyberspace operations 3'i iiAI'il'VIY USMC I Sec 1 4 g 3 USCYBERCOM Cyber Force Concept of Operations and Employment version 4 1 July 22 2014 TO USA I Il'jl- ll ARMY ARMY HUME ARMY ARIVIY 35% 3 U The Cyber Protection Brigade is subordinate to the 7th Signal Command 3 U The 513th Military Intelligence Brigade is a subordinate command to the US Army Intelligence and Security Command We MHz-u ll ARIVIY ARMY U See Table 3 on the next page for the locations temporary CPT facilities ARMY this Hi W Table 3 NAVY USMC Sec 1-405 1 an w-n Ill-In run-It 1v van I vu USMC Sec 1 4 g USMC Lb Sec 1 4 g USAF USMC Sec il' RH Ill USMC Sec 1 4 g ARMY USAF LiSh-ll lJll 1 Sec 1 4m s I To 951 9215 USMC be 643 I 4 g W USMC Sec 1 4 g 3 U Cyber key terrain is any physical or logical elements of a domain that enable mission-essential warfighting functions semen-N- ill inadequate Capabilities and Facilities Jeopardized EMF Mission Success USMC Sec 1 4 g iv ees The Service Components were responsible for providing adequate facilities for non national however ARCYB ER temporary solutions did not provide up to -with adequate workspace and network access to perform missions and complete required training ARMY MWXE To continue to progress in cyberspace operatlons To continue to progress in needs to close the capability gaps we identified and Cyberspace operations needs to close the capability prov1de CMF teams apprOpriate and adequate gaps we identified and capabilities facilities and network access to maintain its provide CMF tea ms with warfighting advantage A cyber force when resourced am flqequate capabilities faculties and with the appropriate infrastructure platforms and tools network access to maintain is the key to dominance in cyberspace - its warfighting advantage' '11 I uL i' U Management Comments on the Finding and Our Response U Chief of Staff for the us Army Comments ma-m USMC Sec 1 4 g U Our Response We commend the Army for starting the study to identify funding to restore and modernize existing facilities We recognize and did not intend to imply that the Army did not use a deliberate decision-making process ARMY Although we asked on several occasions whether the Army conducted assessment-ARNIY we were not provided the cost-benefit analysis ARMY USAF USMC Sec 1 4 9 all I As previously reported the Army did not conduct a detailed assessment to conclude whethe-had sufficient SCIF workspace until August 2013 Therefore we did not revise the report based on the additional documentation provided by the Army U Recommendations Management Comments and Our Response U Recommendation 1 We recommend the Commander U S Cyber Command and the Chiefs of Staff for the U S Army and U S Air Force the Chief of Naval Operations and the Commandant of the Marine Corps develop a doctrine organization training materiel leadership and education personnel facilities and policy framework that address strategies to build grow and sustain the Cyber Mission Force U Commander U S Cyber'Command Comments USMC Sec 1 4 g U Our Response Comments from the Commander partially addressed the recommendation Although the Commander agreed with the recommendation to build and mature its existing framework he did not state the specific actions USCYBERCOM would take to provide a comprehensive strategy across all elements of the framework Therefore we request that the Commander USCYBERCOM provide comments on the final report no later than December 24 2015 II- In ll I'lli U Chief of Naval Operations Comments PEG-HG The Director Warfare Integration responding for the Chief of Naval Operations U Our Response Comments from the Director addressed the recommendation and no further comments are required U Chief of Staff for the U S Army Comments The Chief Cyberspace and Information Operations Division responding for the Chief of Staff for the U S Army agreed stating that the Army was in the process of developing a comprehensive cyberspace strategy that presented the Army s vision to have cyberspace operational forces capabilities facilities and partnerships ready and able to effectively provide support to regional global joint and Army operations The Chief stated that the strategy would drive investment workforce facility and doctrinal changes Additionally the Chief stated that the U S Army Training and Doctrine Command established a Cyber Center of Excellence in January 2014 to serve as the Army's lead organization for Force Modernization Since the Cyber Center of Excellence was established the Chief stated it developed a framework and a strategy to build grow and sustain soldiers under a new Career Management Field to meet Army CMF requirements However the Chief stated a need also existed for a Joint Services assessment across the entire that focused on integrating efforts and strategies to further support building growing and sustaining the CMF Specifically the Chiefstated that a Joint Services assessment would allow the Services to share independent strategies identify cross-cutting capabilities and foster innovative approaches U Our Response Comments from the Chief addressed the recommendation and no further comments are required We agree anoverarching Joint Services assessment is needed and would benefit DoD s ability to build grow and sustain the CMF Our intent was for USCYBERCOM as the cyberspace focal point to lead efforts to develop a comprehensive framework based on its assessment and the individual assessments and strategies developed by the Service Components U Management Comments Required U The Chief of Staff for the U S Air Force and the Commandant of the Marine Corps did not reSpond to the recommendation The Chief of Staff AFCYBER provided comments on the draft report however Air Force officials stated that comments from the Chief of Staff for the U S Air Force would be provided only in response to the final report The Commander MARFORCYBER also provided comments on the draft report but documentation from Headquarters Marine Corps clearly stated that the comments represented position Although we attempted to clarify whether MARFORCYBER was responding on behalf of the Commandant we did not receive a further response from the Marine Corps We request the Chief of Staff for the U S Air Force and the Commandant of the Marine Corps provide comments on the final report no later than December 24 2015 U Recommendation 2 We recommend the Commander U S Cyber Command and the Chiefs of Staff for the U S Army and U S Air Force the Chief of Naval Operations and the Commandant of the Marine Corps formalize an agreement to focus capability development on functional and mission areas consistent with results of the mission alignment board U Commander USCYBERCOM Comments The Commander USCYBE RCOM agreed stating that it was important for the cyber force to have an integrated approach for capability development The 656% Hum i_1 r fill-Milli Commander stated that USCYBERCOM needed to engage with the Office of Secretary of Defense and Service Chiefs to coordinate and begin developing formal agreements to focus capability development and facilitate integrated development approaches The Commander also stated that limited acquisition authority described in the draft FY 2016 National Defense Authorization Act if received would support increased capability development of functional and mission areas consistent with the results of the mission alignment board U Our Response U Comments from the Commander addressed the recommendation and no further comments are required U Chief of Naval Operations Comments USMC Sec l 4 g U Our Response U Comments from the Director addressed the recommendation and no further comments are required U Chief of Staff for the Army Comments The Chief Cyberspace and Information Operations Division responding for the Chief of Staff for the US Army agreed stating that a formal memorandum of understanding for capability development that focused on the CMF mission alignment board for CMTs and CPTs was needed between the Services The Chief stated that the Army's recently established Cyber Acquisition Requirements and Resourcing working group shaped the Army s efforts by providing requirements and acquisition support needed to rapidly develop and deliver new Army cyberspace capabilities to its force 1H1 ARMY U Our Response Comments from the Chief addressed the recommendation and no further comments are required U ManagementComments Required U The Chief of Staff for the U S Air Force and the Commandant of the Marine Corps did not reSpond to the recommendation The Chief of Staff AFCYBER provided comments on the draft report however Air Force officials stated that comments from the Chief of Staff for the U S Air Force would be provided only in response to the final report The Commander MARFORCYBER also provided comments on the draft report but documentation from Headquarters Marine Corps clearly stated that the comments represented position Although we attempted to clarify whether MARFORCYBER was responding on behalf of the Commandant we did not receive a further response from the Marine Corps We request the Chief of Staff for the U S Air Force and the Commandant of the Marine Corps provide comments on the final report no later than December 24 2015 U Recommendation 3 U We recommend that the Commander U S Cyber Command in coordination with the Service Components and the Defense Information Systems Agency develop and specify a capability baseline and interoperability standards for all Cyber Protection Teams I U Commander USCYBERCOM Comments USMC Sec 1 4m L-izlxli USAF USMC Sec 1 4 g U Our Response Comments from the Commander addressed the recommendation and no further comments are required U Chief of Naval Operations Comments USAF USMC b Sec U Our Response USMC Sec l 4 g U Recommendation 4 We recommend the Commander Army Cyber Command and Second Army develop a time-sensitive plan of action and milestones to provide all Army Cyber Protection Teams with adequate workspace ARMY U Commander U S Army Cyber Command and Second Army Comments The Commander ARCYBER agreed stating that the U S Army Network Enterprise Technology Command was working with the Cyber Protection Brigade to assist in resourcing facilities and network improvements The Commander stated that ARCYBER and the U S Army Network Enterprise Technology Command completed a full facility sewer-eme- and network analysis of capabilities needed and developed a plan ofaction and U Our Response Comments from the Commander addressed the recommendation and no further comments are required U Unsolicited Management Comments and Our Response U Commander MARFORCYBER Comments W USMC Sec 1 4 g Additionally the Commander stated that a formal capability development agreement was not needed Instead the Commander stated that the issuance of a task order operational order or fragmentary order would be more appropriate The Commander noted that the mission alignment board process was relevant to only CMTs and NMTs not CPTs Further the Commander stated that a capability baseline and interoperability standard for CPTs was needed However the Commander noted that the baseline should not restrict CPTs from adapting their tools and methodologies to meet emerging threats The Commander stated that the baseline should be established using functional and mission analysis of CPT operations that considered the current seesaw-mesons- ll operating environment as well as the expected future Joint Information Environment The Commander stated that an acceptable tools list with a universal authority to operate on the or portions of the was also needed to provide CPTs with exible options to enable them to rapidly implement and respond to incidents U Our Response We commend MARFORCYBER for developing a strategy to incrementally complete a framework to build grow and sustain the CMF and for recently completing its first assessment as part of the strategy MARFORCYBER recognized that the CPT baseline capability should be based on functional and mission analysis and be approved to operate on the or portions of it to increase the ability to and effectively perform incident response missions We acknowledge that the CPT capability baseline should not restrict CPTs from adapting their tools and methodology to meet emerging threats We recognize and agree that capability development to support the CMF should be a joint effort We understand other types of written direction could meet our intent However as stated in this report similar efforts by the Commander USCYBERCOM to specifically direct capability development efforts in Operational Directive 12-001 were not successful because agreement between the Services and USCYBERCOM had not been reached As the Services and DOD continue to develop a broad range of cyberSpace tools and capabilities an agreement and collaboration among the Services and USCYBERCOM to align multiple capability development efforts and reduce potential redundancy while meeting combatant command and Service requirements is needed The lack ofbroader agreement to and leverage Service-led capability development efforts could result in developing redundant capabilities and therefore not using limited resources efficiently U AFCYBER and 24th Air Force Comments Although not required to comment the Chief of Staff AFCYBER stated that AFCYBER would continue to work with Headquarters U S Air Force and USCYBERCOM to develop or update a framework The Chief of Staff stated that AFCYBER would also continue to document capability requirements and associated capability gaps to build the current force grow and mature the full CMF and develop and sustain CMF capabilities However the Chief of Staff stated that an Air Force Space Command Project Task Force already made progress towards institutionalizing a framework and developed a strategic level doctrinal framework in the CMF Program Action Directive January 15 2014 The Chief of Staff stated that the CMF Program Action Directive established guidance that included planning actions focused on training budget facilities equipment and personnel across the total force for the Air Force CMF build The Chief of Staff stated that the framework supported the Air Force in building OIG - The Chief of Staff also stated that the current strategic guidance enabled AFCYBER to successfully field train organize equip and develop capabilities to meet iluig'fg Air Force CMF needs across the entire Air Force presentation of forces ESE-9 Additionally the Chief of Staff stated AFCYBER would continue to work with Headquarters US Air Force USCYBERCOM and other CMF oversight organizations in accordance with the Cyber Force Concept of Operations and Employment to formalize agreements that allow combatant commanders to direct capability development that supports their mission requirements and priorities U Our Response We commend AFCYBER for developing a strategic roadmap to build grow and sustain the CMF We recognize the Air Force Space Command strategy provides the foundation for AFCYBER to develop and update its framework Additionally we commend AFCYB ER for acknowledging the need existed to formalize agreements to develop capabilities that support Service and combatant commander mission requirements and priorities ill H ijthi'tV' U Appendix U Scope and Methodology U We conducted this performance audit from November 2014 through September 2015 in accordance with Generally Accepted Government Auditing Standards Those standards require that we plan and perform the audit to obtain sufficient apprOpriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives We visited Headquarters USCYBERCOM and Headquarters NSA Fort Meade Maryland Specifically we interviewed officials from the USCYBERCOM Operations Directorate Logistics Directorate 04- Capability and Resource Integration Directorate and Advanced Concepts and Technology Directorate to determine their processes for identifying requirements developing implementation plans and strategies to locate CMF teams in appropriate workspaces with access to needed networks and planning and funding facilities equipment and capabilities to support CMF teams We also interviewed USCYBERCOM officials to determine processes for coordinating and facilitating capability development across the Service Components Additionally we met with the Commander Cyber National Mission Force to discuss his vision for pooling CMF tool developers assigning CMF missions and targets and We reviewed three task and two fragmentary orders issued by USCYBERCOM and the implementation plan for fielding the CMF teams standard equipment con gurations based on CMF team work roles to identify desktop equipment I ll 1398-9 We visited Headquarters ARCYB ER Fort Meade Maryland Headquarters Fort Meade Maryland Headquarters AFCYBER Joint Base San Antonio-Lackland Texas and Headquarters MARFORCYBER Columbia Maryland We interviewed officials from ARCYBER AFCYBER and MARFORCYBER responsible for staffing equipping assessing locations and providing facilities and identifying capability gaps and developing capabilities to support Service-fielded CMF teams Additionally we interviewed of cials from ARCYBER AFCYBER and MARFORCYBER to identify responsibilities for providing administrative and operational control of the CMF We reviewed agreements to identify facilities and reSponsibilities for locating Army Navy and Marine Corps CMF teams ARCYBER AFCYBER and assessments to identify processes and criteria for locating CMF teams plans for locating CMF teams to identify temporary and permanent CPT facilities initial and full operational capability designations to identify the missions of CMF teams and operational needs capability gaps and CPT yaway kit configurations to identify offensive and defensive capabilities used or needed by CMTs and CPTs U In addition we interviewed officials from Joint Staff Operations Directorate 13 Command Control Communications and Computer Directorate Joint Force Development Directorate and Force Structure Resource and Assessment Directorate US to determine oversight responsibilities for implementing the CMF build and to identify their involvement in identifying CMF facility equipment and capability requirements We also interviewed officials from the US Pacific Command and U S European Command joint cyber centers responsible for developing missions and targets integrating cyberspace into command plans and operations and coordinating facility and capability gaps with their respective IFHQ-Cs We reviewed integrated priority lists identifying cyberspace priorities and capability gaps mission and target assignments for and unfunded CPT facility requirements It NSA 10 USC 3605 Component-designated facilities and Headquarters DISA Fort Meade Maryland We interviewed CMF team leads deputy team leads and non-commissioned officers in charge responsible for assessing equipment and capability needs and planning implementing and leading team missions to review the adequacy of their facilities equipment and capabilities See Table A 1 for the Service Component that fielded the teams the specific CMF team visited and the location of each team NAVY usar usmc- in 577 NEE 36 TableA-l- 'l'l'l llf l l-Iu-u' Iv I Ill l USMC Sec 1 4 g U We also reviewed USCYBERCOM NSA Central Security Service U S Pacific Command and U S European Command security classification guides to appropriately classify information and portion mark the report U Use of Comouter-Processed Data We did not use computer-processed data to perform this audit same-Fema- I out -I- 'f l 1 ill U Prior Coverage U During the last 5 years the GAO and the Department of Defense Inspector General 1G issued six reports discussing DoD s ability to resource and conduct cyberspace operations Unrestricted GAO reports can be accessed over the Internet at U GAO -53 USMC Sec 1 4 g Report No GAO-11-75 Defense Department Cyber Efforts Faces Challenges in its Cyber Activities July 25 2011 Report No Defense Department Cyber Efforts More Detailed Guidance Needed to Ensure Military Services Develop Appropriate Cyberspace Capabilities May 20 2011 USMC Sec 1 4 g U OIG Report No DODIG-2015-117 and Military Services Need to Reassess Processesfor Fielding CMF Teams April 30 2015 Report No Joint Cyber Centers 01G Cyberspace0perationsr December 8 20 14 i U Management Comments U Cyher Command DEPARTMENT OF DEFENSE UNITED STATES CYBER COMMAND sane SAVAGE ROAD SUITE at FORT GEORGE a means MARYLAND earns OCT 1 l Z l'i Reply to Commander MEMORANDUM FOR THE INSPECTOR GENERAL DEPARTMENT OF DEFENSE Through DIRECTOR OF THE JOINT STAFF SUBJECT WES-HO Response to report Combat Mission Teams and Cyber Protection Teams Leoked Adequate Capabilities and Facilities to Perform Missions Report No DODIG-2015-0059 l U United States Cyber Command USCYBERCOM appreciates the opportunity to respond to the subject report and provides the following response to recommendations one two and three 2 U Recommendation One The 00016 report recommends that Chiefs of Staf t for the US Army and U S Air Force Chief of Naval Operations the Commandant of the Marine Corps and the Commander U S Cyber Command develop or update a doctrine organization training materiel leadership and education1 personnel facilities and policy framework to document capability requirements and associated capability gaps to build the current force grow and mature the full Cyber Mission Force CMF and develop and sustain CMF capabilities USMC Sec 1 4m USMC Sec b_ USMC Sec 1 4 g USMC I Sec I3 l i ii U U S Cybor Command con ict 3 UIIFOUO Recommendatiou Two The Commander Chiefs of Stall for the U S Army and Air Force the Chief of Naval Operations and the Commandant of the Marine Corps should formalize an agreemenl to focus capability development on functional and mission areas consistent with the results of the mission alignment hoard mm USCYBERCOM agrees with Recommendation Two It is important for the cyber force to have an integmmd approach for capability development would need to engage with 05D and Service Chiefs to coordinate and begin developing formal agreements to focus capability development and facilitate integrated development approaches Limited acquisition authority as described in the draft FYI6 National Defense Authorization Act if received would also support increased coordination of capability development on functional and mission areas consistent with the results of the mission alignment board 4 or sens Recommendation Three The Commander USCYBERCOM in coordination with the Service Components and should develop and specify a capability baseline and interoperability standards for Cyber Protection earns USMC 1 40 i USMC w I Sec 1 4 g The USCYBERCOM soc for this action is OIG bum 5 D00 0le bub MICHAEL 3 ROGERS Admiral Navy Commander Copy to Commander USSTRATCDM 2 room Li riff SEER-SW U Chief of Naval Operations l Nt Hl l UI- liNt'llhl'Kl' 1h l IHI NAUV I n1 - -ll wn' l KIT I L Dul' Hu- huh Realm and 3 le 1301 Math C'cutul Imu- VA 23 nun om- Mm IVA-Stilt L-uclL-wn- I n he Nm In Ihc llcpanmunl n Inxpn l-u nllull mdlt Icpurl Ill u 1 ccl 'nmhul Mlumrl IL Jll'h and '3th I'mlunml hum - acknl A cqunl- t'upuhihlin mull In Mmtunx Il'mml Nn 5 IJIIKIIU I1 '1 Flu upplucmlr Hm In leipuml In Illc Ir-all 111m pulnl ul' hilt-l mm - 7 225 53 12 7 Nanu Nu-Iluln Ru dllmul L- 5 Nu Illn clml Wan-arc lutqum-m I'm lu-mu' In INJUIU I lnmt IHH-uummnl l- Srp Ii Dunnl hum Sum Ihuhwm nn I IUCMUVAI Ul I -I U Chief of Naval Operations cont d DEPARTMENT OF THE NAVY Gnu - In - I Ln-'2 N - Pi Wax nulxv I DC Illu Spy Uduhu All nl'x I llml DiIcquI U lrl lu' cl'll NAV In Dq-uly cm'ml ftrudlm'n uul 'j lwr Uln-Inlmn win um NAVY Khan mm mum NH IMMI-M I m UH M Mnl InumRt' nuw nun UM H Jun lh -h-n-m-u i Dull Mum Rclmu I I wp 5 rm IUI Nmal Bumml Amhr Iunun Manual e Ilil-l Datum m mn I ll a_ h'qumw Iu In mnl In Iu cuhlum'r uiul my lull-mm Input pnnidud tn uhwcl lu-t'mmuunllulInn I IUD llu hich HS An Furcc 1hr hirl ul hm L'Vch'p a nanny NRJIHIJIHIIL Malcunl I unlu'nlnp nul Indumhuu l'uulmcx un-l l nllu Ihul lIIdlI an Ildt flrx hulld atlleIll 'hL' L jhcr I nlu Nun l'millun 0 ll 2 IUI y-Ilcr mu Ihc quh 0 Slull' Iur Army and Air Full- 8 Ihc l hlvl nl Naval m-I ul Il Marim- mlu Iummlih- m ngluum m In dmclulnucm nu um unusual muu Willi uulh n 1cm Cd Ilum USCCI lhxlamll 2 1m Mir U Chief of Naval Operations mnt d HARNIYI USMC bu I Sec 1 4m - ll'I Run mnvudullnn 3 Icmumluml 'umm-unln ILS I In Ilh Ilh- SCH Ice md 1110 llciensc lnh vunutinn Agency nicminp m-l pn Mandalds lm all Hm l'mm'unn I'mms USMC bu I 3w mg 7 Jay Rout 1 5 NM l-w U US Army Chief 01 Staff DEPARTMENT OF THE ARMY OFFICE OF THE DEPUTY CHIEF OF STAFF ears mu ARMY PENTAGDN wnsmuemu DC 20310-3200 DAMO-ODCI 16 October 2015 MEMORANDUM FOR De arlment of Defense Inspector General IGJ ATTN Readiness and Cyber Operations 4800 Mark Center Drive Alexandria Virginia 22350-1500 SUBJECT UHFOUGJ Army Comments in Dra Report Combei Mission Teams and Cyber Proleclion Teams CPTs Lacked Adequate Capabilities and Facililies lo Perform Missions dated 17 Seplemher 2015 SHNOFORN 1 General Comments 3 comment ARKIYL I b_ Arm Res onge USAF 1 11 1 SEC 1 Mg CJCS Mcmutendurn 5 December 2012 30 Nov JCS Tank on CYBERCOM Mission Manpower Hi-il' I'li- 131' u SEW Lil U US Army Chief of Staff lcont d USMC Sec 1 4 g 2 DODIG Recommendations a U Recommendation 1 We recommend the Chiefs of Staff for the U S Amy and US Air Force the Chief of Naval Operations the Commandant of the Marine Corps and the Commander U S Cyber Command develop a doctrine organization training materiel leadership and education personnel facilities and policy framework that address strategies to build grow and sustain the Cyber Mission Force b Army Response Concur There is a need to conduct a collaborative Joint Services assessment across the entire that focuses on Integrating efforts and strategies to support building growing and sustaining the Cyber Mission Force This approach would allow Services to share their independent assessments help determine cross-cutting capabilities and foster innovative approaches The Army is developing a comprehensive Cyberspace Strategy that presents the Army vision for cyberspace and states and major objectives to Integrate all Army activities and operations In cyberspace and the iniormation environment This strategy El ll mumr nti ARMY c U Recommendation 2 We recommend the Commander U S Cyher Command and the Chiefs of Staff for the U5 Army and US Air Force the Chief of Naval Operations and the Commandant of the Marine Corps formalize an agreement to focus capability development on functional and mission areas consistent with results of the mission aiignment board d UHFBHO Army Response Conour The Army requlres a proactive er ca a abilities with overnance and management construct to rank deliver 0 bl ARMY MIME 55W ii U US Army Chief of Staff cont d ARMY i The Ha diua ersl Deianmani of the Armil ODCI G-39l ioini of contact is- 4 45 74 RMINE CICALESE COL GS Chief Cyberspace and lnfarmalion Operalions Division I'm ll U U S Army Cyber Command and Second Army UNCLASSIFIEDIW DEPARTMENT OF THE ARMY LLB ARMY CVEER COMMAND AND SECOND cum FORT 221150-5218 I 6 OCT 2015 MEMORANDUM FUR De artment 01 Defense Inspector General I6 Readiness and Cyber Operations 4300 Mark Center Drive Alexandria Virginia 22350-1500 SUBJECT urea-e99 Command Comments to Draft Report Combat Mission Teams and Cyber Protection Teams Locked Adequate Capabilities and Facilities to Perform Missions dated 17 September 2015 1 U U S Army Cyber Command ARCYBER reviewed the subject dra report and your recommendation 1U RECOMMENDATION 4 U We recommend the Commander Anny Cyber Command and Second Army develop a time-sensitive plan of action and milestones to rovide all Anni Cier Protection Teams with adiuate workaiace and 2 U We concur The Network Enterprise Technology Command NETCOM stall are currently wetting with the Cyber Protection Brigade CPB to assist in resourcing iacillttes and network Improvements During the course of the audit ARCYBER and NETCOM completed the full facility and network analysis on capabilities needed for the OPE and developed a plan election and mliestonas to rovide all Arm Protection Teams CPTs with ads uate works ace 3 It ou have an ouesiions -lease contact UlGitbil i 0le blur aw-x EDWARD C CARBON Lieutenant General USA Commanding CF HQDA HQDA guru-um Tomlin-m U U S Marine Corps Forces Cyber Command NC UNITED Starla MARIN CORPS u n all nouns exalniracl SAVAGE 5950 Ion 20155 CUR ocrzo 2015 t'ruln Cnrunandeu 13 5 Harlue Curps Fumes Cyberspace Connumd Imnmnu rasm To Inspector d naldl U S of Defense Via Director Hatinu Corps Staff Sub Uffi H 4 JHAFF DODIG REPORT PEAMS AND CYBER PRGTECTIOH IEAMS LACKHD FACILITIES PO PEREUMH HATED SEPIERHER If Bulb RESPONSES SECURITY KBVIEH 1 EUBPOSE rn transnir approved Lu the DrazL 03013 tupurr Comhar Hissian reams and Cyne Protection Fuams bucked Adequate Capabilities and FaciliLius Lu Puxluzm HIREiana H BACKGROUND The attic o the Inspector General DapartmenL of Detenae pluvidud diart report Combat H135Lun teams and Cybui Protection Teams anhed adequate Capabilities and Facilities Cu Perturm Missions dated if 2015 Lo int review and unnmenL are for Lu prnviae uunmean un whuLhe leadership aurees concurs u aiaagrees inch-concurs with the findings and rucummenddtio s in the report HARFOHCYBER way ln truuted Lu upeuiliually answer recummandatxons ono two and L awaited three additionally the nonmand hd been directnd to rnv1 u all cLassirIEatiau ul Lhe repurL and our response 3 n1 summary A IUI Recgmmendatinn 1 HHEFORCYBER concurs see enclosure 11 b 2 HARIUHCYBER nun-concurs as enuiusuxu tli c U Recommendation 3 concurs sue enclosure d Marking Ruvicw rumpler d sen enclnaure m Point 01 cunLact or this mdzLei 13 Tnihlu-Zulrpuz 5 ill 1 U US Marine Corps Forces Cyber Command cont d DOING DRAFT AUDIT SEPTEMBER 17 2015 PROJECT N0 MISSION TEAMS AND PROTECTION LACKED ADEQUATE AND 1'0 PERFORM MARIN I-I CORPS COMMENTS TO THE DODIG a l DUIJIG recommends that the Chiefs ul'Stuli t'or the 11 8 Army and LLS Air Force the Chief Operations the Commandant of the Mnritte Cams and the Commander U H yher develop it doctrine urgunimlinn trnining materiel leadership IllLi personnel I'tteililies and policy framework strategies In littild gum and sustain the Cyber Mission l- oree MARINE CORP ARMY USAF USMC hi I l Sec 2 DODIG recommends that the Chiefs ol'Sttn l'l'or the US Army and Air Force the Cltiel'tll' Naval Operations the Commandant of the Marine Corps and the Commander yher Command fomtullze on agreement to focus capability development m1 functional and mission uretts consistent with results of the mission alignment board FTII M 5 mm Non concur 'Iite ability to focus development is ttjoint objective and should he led by the Commander IISSTIM or tlclegtlteti representative No l'ommliecd agreement is required the npprupriute mechanism would he the oftm order li e FRAUD 'llte Mission Dunn process is only relevant to Combat Mission l'eams and National Mission Tennis and does not provide appropriate criteria for capability det'elnpment ol'the Cyher Protection l orcc lL'Ilu'yl I HIHI Ilnit'ti lit-t Mull I'm ENCLOSURE I 1 I'Hint' 1 th zit U US Marine Corps Forces Cyber Command cont d 3 DODIG recommends Iltat Commander L yber Command in coordination with the Service Components and the Defense lni'omtatiott Systems Agency develop and specify a capability baseline and interoperability standards For all Cyber Protection 'l eams OF THE MARINE CORPS RESPONSE WM Coneur MARFORCYBER agrees that there should he a capability baseline and interoperability standard for the CPI-1 standard should consider today's operating environment and the future Joint Int'omration Environment tJllit and should he codi ed in the Cyber Force ol' Employment CFCUEI or other directive documents the standard should be established using a functional and mission analysis ol'Clrl' operations It should specify a minimum capability but not limit CPi s t rom exceeding the standard when neecsrerry and Where possible Given the evolutionary nature ol'lhe operating environment the baseline standard must not restrict Cl Ts I'rotn adapting their tools and methodology to meet emerging threats 1 recommend the baseline identify liatetions or capabilities rather than specific tools l inaliy the creation ot'an acceptable tools list with a universal authority to operate tA'l'O on any network or portion thereof would provide teams exible options enabling rapid and increasing operational tempo for incident response forces ENCLOSURE a lint tit - i L 4 12 U U S Air Forces Cyber Command and 24th Air Force 55W Ll jtnm'imtt'z DEPARTMENT OF THE AIR FORCE Hm L- tos 2 AIR t'URt t IAIR L t'BEnr tum Bast AN mmo I9 October 2015 MEMORANDUM FOR Office of the Inspector General Department of Defense FROM 35 l5 5 General McMullcn I'Jrive Joint Base San Antonio - ankiand TX 78226-9853 sumac-r one Report for Project No DZOIS-DDODRC-OOSD OOD l UIAFBUIO PURPOSE Obtain 24 coordination and approval of24 AF comments pertaining to the Draft Report for Project No D201 2 mm BACKU ROUND The Of ce of the Inspector General Department of Defense issued the draft report For Project No Combat Mission Teams and Cyber Protection Teams Locked Adequate Capabilities and Facilities to Perform Missions dated September I7 2015 for 24 AF review and comment instructions are for 24 AF to provide comments on whether management agrees or disagrees with the nding and in the report if in agreement 21 AF is instructed to describe what actions have been taken or planned to accomplish the recommendations including the completion dates If in disagreement 224 AF is instructed to give speci c reasons for disagreement and propose altemativc action if appropriate 3 DISCUSSION 2d AF concurs with comments a D Do 16' Recommendation I U We recommend the Chiefs of Stolfl'or the Army and U S Air Force the Chief'ot Naval Operations the Commandant of the Marine Corps and the Commander U S Command develop a doctrine organization training materiel leadership and education personnel facilities and policy framework that address strategies to build grow and sustain the Cyber Mission Force II 24 AFIAFCYBER response The 2-1 AFIAFCYBER will continue to work with HQ USAF and USCYBERCOM to develop or update a framework The orgauirnlions will continue to document capability requirements and associated capability gaps to build the current force grow and mature the full CMF and develop and sustain CMF capabilities The AFSPC Project Task Force PROTAF has already made progress towards institutionalizing the framework and has produced strategic level doctrinal framework including CMF Program Action Directive dated 15 Jan 20 established guidance for the AF CMF build The PM established planning actlons across training budget facilities equipment personnel and total force Air Force Reserves AFR and Air National Guard lines of'elTort The execution arm of our effort and PAD guidance is the Project Task Force PROTAFJ which consists of membership front AFCYBER Air Force Space Command Headquarters Air Force HAP tuttijt' ll U US Air Forces Cybor Command and 24th Air Force cont d Air National Guard and the Air Force Reserves DOD 016 7 Date 01' Co mpletion Multiple ongoing actions until in FCC build U Dot Reeamtend'ation 2 U We recommend the Commander Command and the Chiefs of Staff for the us Army and US Air Force the Chief of Naval Operations and the Commandant of the Marine Corps formalize an agreement to focus capability development on functional and mission areas consistent with results of the mission alignment board 24 AFIAFCYBER response WW The 24 will continue to work with USAF and other CMF oversight bodies such as the CMF Technical Oversight Council in accordance with the Cyber Force Concept of Employment directive to formalize agreements that allow Combatant Commanders guided by the Mission Alignment Buanl to direct capability development that support the Combatant Commander's mission requirements and priorities U Date oI'Completion Orr-going activity 4 U VIEWS OF OTHERS NA ll'll'lal ilki' Milnugermmt' Comments U U S Air Forces Cyber Command and 24th Air Force cont d uncussmanuion-W 5 U RECOMMENDATION AFCYBER concurs wilh comments to Dm Repon for Project No Tab 1 I1 is DOD JIG Stephen T Ling Colonel 7 L'hiel nl Sta ' CC 1 Tabs Tab 1 Dm Regan for Project No 6U ml wl H1m U Source of Classified Information Sourcel U Deputy Secretary of Defense Memorandum Resource Management Decisions for FY 2014 Budget Request Declassification Date April 10 2038 Generated Date April 10 2013 Source 2 U USCYBERCOM Cyber Force Concept of Operations and Employment Version 4 1 TO USA FVEY Declassification Date August 1 2039 Generated Date July 22 2014 Source 3 USCYBERCOM Task Order 13-0244 Establishment and Presentation of CMF Teams in FY 2013 TO USA FVEY Declassification Date March 6 2038 Generated Date March 6 2013 Source 4 W USMC Sec 1 4 Declassification Date October 11 2038 Generated Date October 11 2013 Source 5 USMC Sec Declassification Date May 13 2038 Generated Date May 13 2013 Source 6 USMC Sec 1 4 g Declassification Date April 5 2037 Generated Date April 5 2012 Source 7 USMC Sec 1 4 g Declassification Date May 19 2038 Generated Date May 19 2013 Source B USMC Sec 1 4 g Declassification Date June 30 2038 Generated Date March 30 2015 g g i' l I'll iwl lulu Inc-11w Declassi cation Date August 1 2039 Generated Date August 14 2014 Source 10 657l7l-N-Fa USMC Sec 1 4 e Declassification Date November 1 2039 Generated Date November 20 2014 Source 11 Deputy Secretary of Defense Memorandum Resource Management Decisions for FY 2016 Budget Request Declassification Date December 10 2039 Generated Date December 10 2014 Source USMC Sec 1 4 g Declassification Date June 25 2040 Generated Date June 25 2015 Source USMC Sec 1 4 g Declassification Date July 19 2038 Generated Date May 1 2014 Source USMC Sec 1 4 Declassification Date August 1 2039 Generated Date October 22 2012 updated November 20 2012 Source 15 WOW ARMY USMC See I Declassification Date December 19 2039 Generated Date Ianuary 9 2015 Source 16 Request for Initial Operational Capability Designation TO USA FVEY Declassification Date September 13 2038 Generated Date September 13 2013 Source 17 400 CMT Initial Operational Capability Designation TO USA FVEY Declassification Date October 9 2039 Generated Date October 9 2014 il'J iIrI Source 600 CMT Initial Operational Capability Declaration TO USA FVEY Declassification Date April 18 2039 Generated Date April 18 2014 Source 19 U 102 CMT Initial Operational Capability Declaration TO USA FVEY Declassification Date July 1 2039 Generated Date April 1 2014 Source 20 U OSD Cost Assessment and Program Evaluation Cyber Issue Team Deputy s Management Advisory Group Comebackz Declassification Date August 31 2033 Generated Date December 11 2012 Source 21 U USCYBERCOM Presentation on CMF Concept of Operations TO USA FVEY Declassification Date December 11 2037 Generated Date January 16 2014 Source USMC Sec 1 4 g Declassification Date January 12 2040 Generated Date January 12 2015 Source USMC Sec 1 4 g Declassification Date February 1 2039 Generated Date Ianuary 8 2007 Source USCYBERCOM Presentation on CMF Funding Declassification Date April 1 2037 Generated Date November 20 2014 Source 25 U Memorandum of Agreement Between US Army Intelligence and Security Command and 24th Air Force for Totem Stone Infrastructure and Advanced Cyberspace Operations Concepts Tools Techniques and Technologies 3 Declassification Date November 21 2038 Generated Date December 9 2013 Source 26 U Deputy Secretary of Defense Memorandum Follow-on Guidance from the April 18 2015 Cyber Deep Dive TO USA FVEY Declassification Date June 3 2040 Generated Date June 3 2015 r'mrymu U Acronyms and Abbreviations AFCYBER ARCYBER CCR CMF CMT CPT CST DISA DODIN GAO JFHQ MARFORCYBER NMT NST SCIF 5M0 USCYBERCOM Air Forces Cyber Command Army Cyber Command Cyber Capabilities Registry Cyber Mission Force Combat Mission Team Cyber Protection Team Combat Support Team Defense Information Systems Agency Information Network Doctrine Organization Training Materiel Leadership and Education Personnel Facilities and Policy Fleet Cyber Command Government Accountability Office Joint Force Headquarters Joint Worldwide Intelligence Communications System Marine Corps Forces Cyber Command National Mission Team National Support Team Non Secure Internet Protocol Router Network Sensitive Compartmented Information Facility Secret Internet Protocol Router Network Support to Military Operations U S Cyber Command I I Whistleblower Protection US DEPARTMENT OF DEFENSE The Whistleblower Protection Enhancement Act of 2012 requires the Inspector General to designate a Whistleblower Protection Ombudsman to educate agency employees about prohibitions on retaliation and rights and remedies against retaliation for protected disclosures The designated ombudsman is the DOD Hotline Director For more information on your rights and remedies against retaliation visit For more information about IG reports or activities please contact us Congressional Liaison 703 604 8324 Media Contact public affairs@dodig mil 703 604 8324 Update Reports Mailing List Twitter Hotline dodigmil hotline DEPARTMENT OF DEFENSE I INSPECTOR GENERAL 4800 Mark Center Drive Alexandria VA 22350-1500 Defense Hotline 1 800 424 9098 I