Objective

The current cybersecurity environment is a barrier to the timely proof of concept projects that allow for installation modernization. A policy and implementation review will shed light on how the Department of Defense (DoD) can improve cybersecurity policies to support installation modernization. The most effective way to modernize DoD installations is to field timely proof of concept projects to quickly test new technologies to determine their costs, benefits and potential risks. A significant challenge in executing these demonstrations in a timely manner is the current cybersecurity environment and acquiring an authority to operate (ATO) via the risk management framework, which can often take up to two or more years. This project will start by creating an "ideal" workflow diagram showing how a hypothetical demonstration could go from zero to ATO with maximum efficiency by reviewing all of the cyber-related policies and procedures that impact proof of concept demonstration projects and working with DoD cyber stakeholders to outline the process. The next step will be to determine where the failure points and bottlenecks happen in the process by reviewing projects that have been implemented across installations. With this information the project delivery team will suggest areas of policy and organizational improvements that would allow the DoD to demonstrate technologies in a rapid manner to support cost-effective and secure installation modernization strategy.

Technology Description

This project will use the following technical approach:

a. Compile and review all of the relevant information technology and cybersecurity policies, regulations, and procedures that have direct impact on a demonstration project. (including Army, Air Force, Navy).

b. Determine ideal ATO timeline (U.S. Army Aviation and Missile Lifecycle Command/U.S. Army Network Enterprise Technology Command coordination for Army perspective).

c. Review (up to 5) demonstration projects requiring an ATO that have been implemented across installations and document lessons learned and challenges encountered.

d. Map out and record failure points and bottlenecks in past ATO attempts.

e. Determine potential policy and organizational areas of improvement if implemented could create efficiencies in the cybersecurity approval and governance processes.

f. Create ideal ATO workflow(s) diagram using the data gathered from research and using current policies and procedures and recommendations/proposed improvements to those polices and procedures.

g. Publish a DoD-focused technical report outlining the findings of the research and proposed courses of action to refine the current state to better accommodate proof of concept demonstrations in the DoD. The report will include an Army-specific recommendations.

Benefits

Installations must modernize to outpace capabilities of near-peer competitors, perform multi-domain operations, and ensure services expected from the all-volunteer force are provided. In order to cost-effectively modernize installations technology proof of concept projects must be able to be fielded and tested in a timely manner while maintaining a secure cyber posture. After extensive engagement with the installation community, it has become clear that the major roadblock to successfully adopting new technologies, programs, or processes that are required to modernize installations is going through the risk management framework in order to obtain an ATO or an interim ATO. These are not primarily technical problems, but policy and process problems. By completing this project and delivering a comprehensive technical report, the project team’s findings will shed light on how the DoD can improve cybersecurity policies to support installation modernization in a secure manner via timely and effective technology demonstration and proof of principle projects.