Report No. INSPECTOR GENERAL US Department of Defense November 24, 2015 Combat Mission Teams and Cyber Protection Teams Lacked Adequate Capabilities and Facilities to Perform Missions Classifiei?fB'y} Carol N.-Gorman, Assistant Inspector Gui eral - ?-rived From!L MUItip?ie Sources . . .., 0nINTEGRITY 1k EFFICIENCY ?k ACCOUNTABILITY EXCELLENCE Mission Our mission is to provide independent, relevant, and timely oversight of the Department of Defense that supports the warfigh ter; promotes accountability, integrity, and e??iciency; advises the Secretary of Defense and Congress; and informs the public. Vision Our vision is to be a model oversight organization in the Federal Government by leading change, speaking truth, and promoting excellence?a diverse organization, working together as one professional team, recognized as leaders in our field. Fraud, Waste 8: Abuse is.? HOTLINE Department of Defense dodig.mil/hotlinel300.424.9098 For more information about whistleblower protection, please see the inside back cover. I lhl? 1 I 1? Results in Brief Combat Mission Teams and Cyber Protection Teams Locked Adequate Capabilities and Facilities to Perform Missions November 24, 2015 (U) Fii?iding (cont?d) (U) Objective . Army Cyber Command did not provide adequate temporary CPT facilities (U) We determined whether Cyber Mission Force (CM teams had adequate facilities, equipment, and capabilities to effectively perform missions. (U) Finding USMC: Sec. 1.4(g) {on Sec. 1.4(g) (U) Management Actions Taken USMC: Sec. 1.4(g) Xi?viffNifv'Y; USMC: Sec. 1.4(g) (U) Recommendations (U) We recommend that the Chiefs of Staff, U.S. Army and US. Air Force; the Chief of Naval Operations; the Commandant of the Marine Corps; and the Commander, USCYBERCOM: Nii?x?r'?'?s?fuswlc: I Sec. - develop or update a doctrine, organization, training, materiel, leadership and education, personnel, facilities, and policy framework to document capability requirements and associated capability gaps to build the current force, grow and mature the full CMF, and develop and sustain CMF capabilities, and SEW Visit us at in: mm, I 1/;11 Results in Brief Combat Mission Teams and yber Protection Teams Lac/{ed Adequate Capabilities and Facilities to Perform Missions - (U) formalize an agreement to focus capability development on functional and mission areas consistent with the results of the CMF mission alignment board to begin identifying capability gaps and developing capabilities that affected these proposed missions. (U) We also recommend that the Commander, USCYBERCOM develop and specify the capability baseline and interoperability standards for CPTs. In addition, we recommend that the Commander, Army Cyber Command and Second Army develop a time-sensitive plan of actions and milestones to provide all Army CPTs with adequate workspace and consistent classi?ed network access. (U) Management Comments and Our Response (U) We did not receive comments from the Chief of Staff for the Air Force and the Commandant of the Marine Corps in response to the draft report. Comments from the Chief of Naval Operations; Deputy Chief of Staff for the U.S. Army; and Commander, Army Cyber Command and Second Army, addressed the speci?cs of the recommendations. Comments from the Commander, USCYBERCOM, partially addressed the speci?cs of the recommendations, but further comments are required. We request management comment on the ?nal report no later than December 24-, 2015. Please see'the Recommendations Table on the next page. Visit us at Hist. lizfiti Hum-lino] I ll (U) Recommendations Table Unclassified Recommendations Management . . Requiring Comments Chief of Staff, U.S. Army Chief of Naval Operations Chief of Staff, US. Air Force 1, 2 Commandant of the Marine Corps 1, 2 Commander, U.S. Cyber Command I 1 Command?er, U.S. Army ther 7 - Command and Second Army (TJ) lPlEase arenas Management Comments fie?later?than December 24: 2?0?15. No Additional Comments Required Unclassified u. SEW-RN- INSPECTOR GENERAL DEPARTMENT OF DEFENSE 4800 MARK CENTER DRIVE ALEXANDRIA, VIRGINIA 22350?1500 November 24, 2015 MEMORANDUM FOR DISTRIBUTION SUBIECT: Combat Mission Teams and Cyber Protection Teams Lacked Adequate Capabilities and Facilities to Perform Missions (Report No. DODIG-2016-026) We are providing this final report for review and comment. U.S. Cyber Command, the Service Components, and the Defense Information Systems Agency made progress in providing Cyber Mission Force Teams with facilities, equipment, and capabilities to perform missions but did not take sufficient steps to ensure all teams had adequate capabilities and facilities. Specifically, U.S. Cyber Command, the Service Components, and the Defense Information Systems Agencylacked a unified approach to ensure Combat Mission Teams and Cyber Protection Teams had adequate capabilities to perform offensive and defensive missions. Additionally, Army Cyber Command did not provide select Army Cyber Protection Teams with adequate workSpace or facilities to access needed networks. We conducted this audit in accordance With generally accepted government auditing standards. (U) We considered management comments on a draft of this report when preparing the final report. However, the Chief of Staff for the U.S. Air Force and the Commandant of the Marine Corps did not comment on Recommendations 1 and 2. Instruction 7650.03 requires that recommendations be resolved Therefore, we request the Chief of Staff and the Commandant provide comments on the recommendations no later than December 24, 2015. (U) Comments from the Commander, U.S. Cyber Command, ad dressed the specifics of Recommendation 2 and 3; however, the Commander partially addressed Recommendation 1. Comments from the Director, Warfare Integration, responding for the Chief of Naval Operations, and the Chief, Cyberspace and Information Operations Division, responding for the Chief of Staff for the U.S. Army, addressed the specifics of Recommendations 1 and 2. We request the Commander, U.S. Cyber Command, provide additional comments on the final report no later than December 24, 2015. Although not required to comment, the Commander, Marine Corps Forces Cyber Command and the Chief of Staff, Air Forces Cyber Command, generally agreed with the finding and recommendations. hum. SEW Please provide comments that conform to the requirements of DOD Instruction 7650.03. Classified comments must be sent electronically over the Secret Internet Protocol Router Network Please send a PDF ?le containing your comments @dodig.smil.mil Copies ofyour comments must have the actual signature of the authorizing official for your organization. We cannot accept the Signed symbol in place of the actual signature. Comments provided On the final report must be marked and portion-marked, as appropriate, in accordance with Manual 5200.01. Ifyou consider any matters to be exempt from public release, you Should mark them clearly for Inspector General consideration. (U) We appreciate the courtesies extended to the staff. Please direct questions to me at [703] 699W 499 Casi: 71/51 Ms Carol N. Gorman Assistant InSpector General Readiness and Cyber Operations (U) DISTRIBUTION: (U) DEPUTY ASSISTANT SECRETARY OF DEFENSE FOR CYBER POLICY CHIEF OF STAFF, U.S. ARMY CHIEF OF NAVAL OPERATIONS (U) CHIEF OF STAFF, U.S. AIR FORCE COMMANDANT OF THE MARINE CORPS (U) COMMANDER, U.S. CYBER COMMAND (U) COMMANDER, ARMY CYEER COMMAND AND SECOND ARMY COMMANDER, FLEET CYBER COMMAND AND 10TH FLEET COMMANDER, AIR FORCES CYBER COMMAND AND 24TH AIR FORCE COMMANDER, MARINE CORPS FORCES CYBER COMMAND (U) DIRECTOR, IOINT STAFF (U) DIRECTOR, DEFENSE INFORMATION SYSTEMS AGENCY II. II .. (111 C0 meats. (U) Introduction Objective 1 Background on DOD Cyberspace Operations 1 CMF Development 2 Cyberspace Responsibilities and Requirements 3 Review ofinternal 6 Finding Capabilities and Facilities for CMTS and CPTs Were Inadequate 7 CMF Teams Had Adequate Desktop Equipment 8 Unified Strategy and Approach for Offensive Capability Development Was Needed .9 Lacked a Unified Defensive Capability Development Process 17 CMTs Faced Challenges in Performing Missions 22 Temporary Army CPT Facilities Provided Inadequate Workspace and Network Access 25 Inadequate Capabilities and Facilities )eopardized CMF Mission Management Comments on the Finding and Our Response 31 Recommendations, Management Comments, and Our Response 32 Unsolicited Management Comments and Our Response 38 (U) Appendix Scepe and Methodology 41 Use of Computer-Processed Data43 Prior Coverage 44 (U) Management Comments U.S. Cyber Command 45 Chief of Naval Operations 47 U.S. Army Chief of Staff 50 U.S. Army Cyber Command and Second Army 54 US. Marine Corps Forces Cyber Command 55 US. Air Forces Cyber Command and 24th Air Force 58 (U) Source of Classified Informational (U) Acronyms and Abbreviations 64 I (U) Introduction (U) Objective (U) Our audit objective-was to determine whether Cyber Mission Force (CMF) teams had adequate facilities, equipment, and capabilities1 to effectively perform mission requirements. See Appendix A for the scope and methodology and prior audit c0verage related to the objective. (U) Background on DOD CyberSpace Operations uses cyberspace to enable its military, intelligence, and business operations. Cyberspace is one of the five domains; the other domains are air, land, maritime, and space. Cyberspace, unlike the other physical domains, is a global domain within the information environment that consists of interdependent networks of information technology infrastructures and resident data. Cyberspace operations ensure access and freedom of operations in, through, and from cyberspace to deliver effects2 in any of the five domains; to deny adversaries access and freedom of operations; and to sustain mission essential segments of cyberspace (networks) in the face of adversary action. Cyberspace operations are categorized under three lines of operations, based on their intent: 1. (U Offensive Cyberspace Operations. Project power by the application of force in and through cyberspace. 2. Defensive Cyberspace Operations. Defend DOD or other friendly cyberspace. 3. Information Network Operations. Design, build, configure, secure, operate, maintain, and sustain communications systems and networks. 1 A cyber capability is a device, computer program, or technique?including any combination of software, ?rmware, and hardware?designed to create an effect in or through cyberspace. 2 Cyber effects include manipulating, disrupting, denying, degrading, or destroying information or communications systems, networks, physical or virtual infrastructure controlled by computers or information systems, or information resident on the infrastructure. l?l'lillil IJlr, {ll} (U) EMF Development USMC: Sec. 1.4(g) WW Table 1 ARMY: NAVY: USAF: USMC: Sec. r-Il'nl-a I'Ill-Il IV I USMC: Sec. 1.4(g) (SH-HEW (U) The Commander, Cyber National Mission Force, commands and controls National Mission Teams and National Support Teams to defend the nation in response to foreign hostile action or imminent threats in cyberspace. 3 (U) Figures presented in this report are rounded amounts. SEW :lJ liir't mini rinn A.) ARMY. USAF. W9 Table 2. 1-!!an Tn Ilrn rum-u Uf?l?l?I? Iv win, I USMC: (bill). Sec. 1.4(g) (U) Cyberspace Responsibilities and Requirements (U) Under the authority of the Secretary of Defense, DOD uses cyberspace capabilities to perform integrated offensive and defensive operations. The Deputy Assistant Secretary of Defense for Cyber Policy, Office of the Under Secretary of Defense for Policy: 0 integrates cyberspace operations into national and strategies; 0 develops policy related to cyber forces and employment of those forces; and 0 (U) ensures cyber capabilities are integrated into operation and contingency plans. 4 Additional information on the fielding of CMF teams is described in 016 Report and Military Services Need to Reassess Processes for Fielding CMF Teams,? April 30, 2015 l: ill lull will: Hm] (U) The Chairman of the Joint Chiefs of Staff ensures cyberspace plans and operations are compatible with other military plans. Although the Commander, U.S. Strategic Command is required to secure, operate, and defend the and critical cyberspace assets, systems, and functions against an intrusion or attack, the Commander delegated most cyberspace responsibilities to the Commander, USCYBERCOM. The Commander, - USCYBERCOM has three mission areas to counter threats to the and military operations and to enable offensive cyberspace operations: 0 defend the Nation,- 0 support Combatant Command contingency and operational planning; and 0 support the security, operation, and defense of the (U) Additionally, USCYBERCOM: 0 (U) develops a master implementation plan and schedule to accelerate the CMF build: 0 coordinates and prioritizes capability development across the Service Components and funds capabilities supporting joint requirements; I (U) maintains the reliability of the cyber capabilities registry and USMC: Sec. 1.4(g) I I . I?ll 5 USMC: I Sec. 1.4(g) 5 USMC: Sec. 1.4(g) .Il; - The other combatant commanders operate and defend their tactical and constructed networks and integrate cyberspace capabilities into all military operations. As such, combatant commanders are required to integrate cyberspace capabilities into their command plans and coordinate with other combatant commanders, the Service Components, and agencies to create fully integrated capabilities. To support combatant commanders, Service Components staff, train, and equip forces and secure and defend their global networks. Additionally, the Service Components: 0 (U) analyze missions and provide facilities for non-national - (U) coordinate with combatant commanders to locate combatant command - identify capability gaps and requirements through their Joint Force Headquarters-Cyber UFHQ-CJ7 and develop capabilities to support Service-specific and other joint capabilities when funded; 0 program, budget, maintain, and develop materiel solutions [for example, deployable toolkits) to meet CPT defensive capability needs; and 0 (U) assist USCYBERCOM to determine CMF mission alignment. NAVY: USMC: Sec. 1.4(g) 7 The components (ARCYBER, AFCYBER, and MARFORCYBER) command and control the CMTs that conduct offensive operations in direct support of the combatant commands. sews-Fema- {'lI ltlHI (U) The NSA: - (UHF-GHQ) provides workspace for NMTS, NSTS, CMTS, CSTs, and national CPTs through leased facilities, new construction, or renovations to existing NSA centers; . USMC: Sec. 1.4( - (U) develops or modifies capabilities to support CMTs. The Director, Defense Information Systems Agency (DISA), as the Commander, plans, directs, coordinates, integrates, and the execution of missions that defend DOD networks. The Commander, IFHQ-DODIN, develops agreements with Service Components to locate (provide facilities] and equip CPTs. (U) Review of Internal Controls (U) Instruction 5010.40, ?Managers? Internal Control Program Procedures," May 30, 2013, requires organizations to implement a comprehensive system of internal controls that provides reasonable assurance that programs are operating as intended and to evaluate the effectiveness of the controls. We identified internal controls weaknesses at USCYBERCOM. ARNIY: We will provide a copy of the report to the senior officials responsible for internal controls at USCYBERCOM, ARCYBER, AFCYBER, and MARFORCYBER. Hi] l?mrllim (U) Finding Capabilities and Facilities for CMTs and CPTs Were Inadequate mum-.5; USMC: 1 See. 1.4(g) USAF: USMC: Sec. 1.4(g) USMC: 1). Sec. 1.4(g) USMC: Sec. 1.4(g) DIG: ilJli'TllE - ARCYBER did not provide adequate temporary facilitie 3 Subject matter experts are responsible for tracking the progress of capability development throughout its lifecycle and completing operational testing and evaluation. USCYBERCOM refers to subject matter experts as tool champions. 1mm: un'nw [Iii USMC: Sec. 1.4(g) I A . II.-- l?n -2. I (U) CMF Teams Had Adequate Desktop Equipment USCYBERCOM, the Service Components, and DISA adequately equipped CMF teams with desktop equipment to perform administrative and mission requirements? with the exception of ARCYBER CPTs located in ARMY: (hil7)(E) ARNIY: ,11 and a CMT. USCYBERCOM, in coordination with the Service Components, developed desktop equipment baselines to support the Service Components and DISA in equipping the CMF teams. ARMY: ARMY: See Appendix A for the teams visited. Although only AF CYB ER developed a written implementation plan, ARCYBER, MARFORCYBER, and DISA established deliberate processes to equip CMF teams ARMY: used the USCYBERCOM baseline to equip teams or equipped teams with similar desktop . The Service Components and DISA either configurations based on established Component missions, internal collaboration with Service Component organizations, or a combination of the two approaches. In general, workstations included monitors and peripheral devices, classified and unclassified communication systems, and access to the Non-secure Internet Protocol Router 9 An integrated approach is based on a Doctrine, Organization, Training, Materiel, Leadership and Education, Personnel, Facilities, and Policy framework. ARMY: NAVY: USAF: USMC: Sec. Lille) 1? We discussed this issue further In the ?Temporary Army CPT Facilities Provided inadequate Workspace and Network Access? section of this report. ill} Sec. l.4(g) (U) Unified Strategy and Approach for Offensive Capability Development Was Needed Service Components continued to use Component-specific approaches and . strategies to develop offensive capabilities that aligned to traditional Component- specific mission areas rather than unify capability development to support the CMTs. This occurred because USCYBERCOM did not have appropriate authorities to effectively oversee and direct offensive capability development. Although USCYBERCOM developed the Cyber Force Concept of Operations and Employment12 and Integrated Master Plan and Schedule and established the Integrated Capabilities Requirements Working Group and the CCR, these initiatives left gaps in unifying offensive capability development. (U) The Government Accountability Of?ce (GAO) reported that the Service Components used separate, service-specific approaches to identify and meet capability requirements.13 Consequently, GAO concluded that capabilities may vary across the Service Components. GAO recommended develop and publish detailed policies and guidance that: (U) affect the categories of personnel who perform cyberspace operations; 0 (U) support command and control relationships between USCYBERCOM and combatant commanders; and 0 (U) address mission requirements and capabilities for the Service Components to meet to provide long~term operational support to USCYBERCOM. (U) As ofJuly 2015, two of the three recommendations were closed; the recommendation related to the categories of personnel remained open. Although GAO reported that the differences between the Components might be expected, it also :2 USCYBERCOM Cyber Force Concept of Operations and Employment, Version 4.1, July 22, 2014 TO USA, 13 (U) GAO-11421, "More Detailed Guidance Needed to Ensure Military Services Develop Appropriate CyberSpace Capabilities," May 2011. SEER-W tulr- tr. l'liitlililij: questioned whether these differences were beneficial and whether the Service Components would be able to meet long-term capability requirements. (U) Service-Specific Offensive Capability Development Processes Were Not Coordinated USMC: Sec. 1.4(g) USMC: I Sec. 1.4(g) ARMY: USMC: Sec. l.4(g) 1? (U) Concept of Operations for the JFHQ-C, Version 2.0, May 1, 2014 TO USA, FVEY). ?5 USMC: Sec. 1.4(g) 1" (U) ARCYBER and Second Army Strategy for Defining Operational Requirements and Acquiring Capabilities, Version 2.2, October 22, 2012 (updated November 20, 2012) .ivll, {1.2m Ill} USMC: Sec. 1.4(g) Sec. l.4(g) U) USCYBERCOM Actions Were Insufficient to Unify Capability Development (UHF-BUG) USCYBERCOM is the focal point for all cyberspace operations. Specifically, USCYBERCOM: - (U) identifies and prioritizes technical capability requirements 0 (U) monitors development of proposed technology solutions and architectural frameworks and associated interoperability standards; - (U) oversees development of advanced tactics, techniques, and procedures to employ capabilities; and a (U) oversees test and evaluation of cyberspace capabilities. To meet its responsibilities, USCYBERCOM developed the Integrated Master Plan and Schedule, the Cyber Force Concept of Operations and Employment, established processes and the Integrated Capabilities Requirements Working Group to facilitate capability development, and created the however, these initiatives did not ensure a unified and coordinated approach to CMF capability development. NAVY: USMC: Sec. 1.4(g) Ill] (U) Cyber Capability Was inc/ring Although DOD was more than 2 years into the (U) Components responsible for CMF build as of September 2015, the Components implementing the force did not have a comprehensive framework. responsible for implementing the force did not have a comprehensive doctrine, organization, training, materiel, leadership and education, personnel, facilities, and policy framework to guide CMF implementation. An integrated approach such as a framework was needed to document capability requirements and associated capability gaps to build the current force, grow and mature the full CMF, and develop and sustain CMF capabilities. Guidance from many sources, including a framework, in?uences military operations, intelligence activities, development and validation of capability requirements, acquisition activities affecting organization, training, and equipping forces, and the budget process to fund these activities. USCYBERCOM and the Ioint Staff developed the Integrated Master Plan and Schedule to describe how DOD would implement the cyber force model through FY 2016. Although the Integrated Master Plan and Schedule primarily focused on staffing the CMF, it also recognized other critical aspects of building a force using a framework, to include providing the CMF with capabilities to perform missions. However, USCYBERCOM did not develop a strategic roadmap for capability development. According to the Joint Staff, Command, Control, Communications and Computers (Cyber) Division, branch chief, the Integrated Master Plan and Schedule led to developing the Cyber Force Concept of Operations and Employment to continue addressing major cyberspace activities. USCYBERCOM developed the Cyber Force Concept of Operations and Employment to describe fundamental principles and supporting tactics, techniques, and procedures to support the CMF in conducting military objectives. Although the Cyber Force Concept of Operations and Employment also provided planning guidance and described way forward to build the CMF force model based on elements of a framework, the analysis was not comprehensive and did not include planning facts, assumptions, and constraints that fully addressed known capability gaps that affected the CMF. 1 Furthermore, the Services did not develop a framework that defined their strategies to build and field CMF teams. ARCYBER, AFCYBER, and MARFORCYBER officials acknowledged a strategic framework was needed; however, they stated that the Service Components were more concerned with staffing CMF teams than in establishing a strategy involving full consideration. A MARFO RCYBER official stated that the command took initiative to begin developing a in 2013 to support its ability to implement the CMF for elements within its control; however, MARFORCYBER did not complete the framework because the command prioritized building and fielding CMF teams. Additionally, AFCYBER created a strategic plan, but did not complete a framework.18 The cyber environment continues to rapidly evolve and is unconstrained by global boundaries that create unparalleled challenges to traditional military integration, coordination, and deconfliction processes. These challenges, coupled with the tempo of cyberspace operations, require an approach that is more centralized and comprehensive to ensure the CMF is provided with needed and timely capabilities to perform missions. The lack ofa joint framework will continue to affect DoD?s ability to implement an effective CMF. The Commander, Chiefs of Staff for the U.S. Army and US. Air Force; the Chief of Naval Operations: and the Commandant of the Marine Corps, in coordination with the Commanders, ARCYBER, AFCYBER, and MARFORCYBER should develop a framework to address strategies that build, grow, and sustain the CMF. Existing Cyliei? Capability Development Process Needed li'npi'ovemci'it process defined in USCYBERCOM Instruction 3700-0719 to anticipate joint cyber warfighter requirements and develop solutions to meet these requirements was ineffective. The process included using the Integrated Capability Requirement Working Group and the CCR to provide situational awareness of DoD's offensive cyberspace development efforts. The process described how USCYBERCOM would prioritize, invest, and oversee operational requirements and cyberspace capabilities funded by the command. Although USCYBERCOM established these processes, USCYBERCOM officials stated that they did not have assurance that all 1? USMC: Sec. 1.4(g) USCYBERCOM Instruction 3700-07, "Cyber Capability Development Policy? February 20, 2014, Section 2.1, ?cyberspace Capability Development Process.? semi-Geese Iiil'uiint', Service Component cyber capability development efforts were vetted through the Integrated Capabilities Requirements Working Group or included in the CCR. The Integrated Capabilities Requirements Working Group was established to assess capability gaps and prioritize, and decon?ict capability requirements and development. The Integrated Capability Requirements Working Group was intended to: - review operational cyberspace requirements provided by the for the Service Components, CMFs, combatant commands, and the - assist in documenting operational, functional, and technical requirements; and (UH-FEES) recommend material and non-material solutions. to USCYBERCOM, the The CCR was unreliable CCR was intended to improve information for providing situational . . . at a - - - - exchange, prov1de Sltuatlonal awareness of "355 and "m ?limo? tool developers, operators, and to reduce the 0f planners because it only included developed capabilities. developing duplicative capabilities, and identify national offensive and defensive cyber capability gaps. However, the CCR was unreliable for providing situational awareness and did not support tool developers, operators, and planners because it only included developed capabilities. Specifically, officials from the Service Components responsible for capability development did not consider the CCR to be reliable because existing capabilities in the CCR did not fully describe the function or use of the capability and did not include capabilities under development. An extract from March 2015 showed incomplete or missing information and did not thoroughly describe the functions of the capabilities?? Without including all capabilities in the CCR and relevant information about each capability, the CCR was not effective and could not support developers and planners as intended. 7? We did not further describe the content of the CCR or identify the number and type of capabilities included in the database because the information is classi?ed TOP SECRET. - i'li'r'i I i' lii'mling; Based on USCYBERCOM revisions to the CCR and its direction to include all offensive and defensive capabilities in the database, and the Deputy Secretary?s required actions to make the CCR more reliable, we did not recommend further corrective actions. (U) U.S. Cyber Command Lacked Authorities to Lead CMF Implementation, Development, and Sustainment ARMY: NAVY: USAF: USMC: I). Sun: (I I Ihr?l rrUSMC: Sec. 1.4(g) 2? USCYBERCOM Task Order 15-0087, ?Directive to Enter or Update Cyber Capabilities into the Version 2.7, Mai;r 28, 2015 22 (U) Deputy Secretary of Defense memorandum, "Follow-on Guidance from the April 18, 2015, Cyber Deep Dive," '1 - June 3, 2015 T0 USA, FVEY). 23 (U) USCYBERCOM Operational Directive 12?001, April 5, 2012 TO USA, FVEY). l?iru'lil'lg The Commanding General, ARCYBER, and Resources, the Second Army stated that resources, appropriate appropriate authorities, organizations, and capabilities, which could be in could be in time and space with a time and space with a singular authorities, organizations, and capabilities, which singular purpose to accomplish directed missions, purpose F0 accompliSh direaed were needed were needed.25 In April 2015, USCYBERCOM, the Services, and DISA completed the ?mission alignment board? to finalize proposed mission objectives for the remaining CMF teams to be fielded in FY 2015 and FY 2016. The outcome of the mission alignment board enabled USCYBERCOM and the Services to begin identifying capability gaps and developing capabilities that affected these proposed missions. However, USCYBERCOM officials acknowledged that the command lacked appropriate acquisition authorities and the ability to direct, when needed, Service capability development. The proposed National Defense Authorization Act for FY 2016 includes language to provide the Commander, USCYBERCOM limited acquisition authority to develop and acquire cyberspace-specific capabilities, equipment, and services. Proposed legislation recognizes the limitations of the USCYBERCOM Commander to ensure adequate capabilities are available to support CMF mission requirements; however, it does not USMC: Sec. 1.4(g) 25 Statement by the Commanding General, ARCYBER and Second Army Before the House Armed Services Committee, Subcommittee on Emerging Threats and Capabilities, March 4, 2015. ii"; If. I imiim (U) address other limitations that affect ability to effectively oversee and, when needed, direct capability development. Although the Commander?s April 2012 Directive did not further unify Service cyber capability development because the Services did not agree with the approach, his goal was still valid based on the Services continued approach to independently develop capabilities that affected the CMF. The Commander, the Chiefs of Staff for the U.S. Army and U.S. Air Force; the Chief of Naval Operations; and the Commandant of the Marine Corps should formalize an agreement to focus capability development on functional and mission areas consistent with results of the mission alignment board. (U) tacked a Unified Defensive Capability Development Process The Service Components and DISA were independently developing Component-specific CPT toolkits26 based on internal coordination, CPT personnel experience, and their individual interpretations of CPT capability needs. As of June 2015, the Service Components and DISA were not developing unified defensive capabilities. (U) Service Component Efforts to Develop Defensive Capabilities USMC: Sec. 1.4(g) The Army identified capabilities to include in the deployable toolkit through collaboration with a DISA CPT and ARCYBER and U.S. Army Network Enterprise 2" A toolkit includes hardware and software that enables CPTs to conduct missions. Wesson Il? mulling-1 . map specific operational environments; 0 (UH-13639) identify and prioritize potential security instances; I (UHFQ-U-Q) perform hunt missions; and - monitor a network or system. As ofMarch 2015, AFCYBER was modifying and providing additional capabilities to the Cyber Vulnerability Assessment-Hunter at an estimated cost of $10.7 million to support CPTs. USMC: Sec. 1.4(g) ill} USMC: Sec. 1.4(g) USMC: Sec. 1.4(g) USMC: Sec. 1.4(g) (U) DISA Efforts to Develop Defensive Capabilities USMC: Soc. 1.4(g) 2? (U) A rootkit is a collection of files installed on a system to alter the standard functionality of the system in a malicious and stealthy way. USMC: Sec. 1.4(g) USMC: I Sec. 1.4(g) (U) CPT Capability Baseline Was Needed The Service Components and DISA independently developed CPT toolkits based on their understanding of needed capabilities. This occurred because USCYBERCOM didnot provide the Components guidance or standard CPT baseline requirements and interoperability standards to ensure each CPT could perform core defensive capabilities. USMC: (b Sec. 1.4(g) USAF: lb)? 1. Sec WW mm .m mm, The Chief of Staff stated that different Components provided CPT support to DISA and the combatant commands. OIG: DOD 01G: USCYBERCOM officials stated that they planned to use the recommended requirements to deve10p a baseline for all CPTs by October 2015. Although USCYBERCOM initiated steps to provide a CPT baseline, the baseline was not approved or developed. The Commander. USCYBERCOM, in coordination with the Service Components and DISA. should develop and specify a capability baseline and interoperability standards for CPTs. ?n'imimtg (UH-Fable) CMTs Faced Challenges in Performing Missions USMC: Sec. 1.4(g) - (U) cyberspace intelligence, surveillance, and reconnaissance; - (U) operational preparation of the environment;29 0 defensive cyberspace operations response actions;30 and a (U) offensive cyberspace operations. . USMC: Sec. 1.4(g) 2" USMC: I Sec. 1.4(g) 29 (U) Operational preparation of the environment includes activities in likely or potential areas of operations to prepare and shape the operational environment. 3" (U) Defensive cyberspace operations?response actions are deliberate, authorized defensive measures or activities taken outside of the defended network to protect and defend cyberspace capabilities or designated systems. 31 (U) Section 403-5, title 50, United States Code (2011) authorizes intelligence activities in response to national intelligence requirements. {ewe-Femi- I?lm'iilugg USAF: USMC: USMC: I Sec. 1.4(2) L. USMC: Sec. 1.4(g) NA VY: USAF: USMC: I Sec. I my} USMC: 1-4(g) [Iilatllii'lgf? (U) Figure 1. Actions in Red, Blue, and Grey Cyberspace Legend: DCCI-RA ls Defensive Cyberspace Operations? Response Actions ISR Is Intelligence. Surveillance. and Reconnalssance Cy bers pa ce internal Defensive Measures pe ra tI ilita ry 0 De ratio ns I ..t_3yburspace Ops I 4? DB Defenslve Cyberspalce Ops Cyber ISR I Cyber OPE Fyber?defense Cyb? (U) Source: USCYBERCOIVI Cyber Force Concept of Operations and Employment USMC: I Sec. u. USMC: Sec. 1.4(g) USMC: Sec. 1.4m) Inn-2:. [ll] USMC: Sec. 1.4(g) USMC: Sec. 1.4(g) Temporary Army CPT Facilities Provided inadequate Workspace and Network Access TC USA 1 Sec. I.4(g) 32 (U) Sections 111, 164, and 167, title 10, United States Code, establish authorities and responsibilities for the Services and combatant commands to conduct military operations, including offensive cyberspace operations. 3'i?iiAI'il'VIY; USMC: I Sec. 1.4(g) 3" USCYBERCOM Cyber Force Concept of Operations and Employment, version 4.1, July 22, 2014 TO USA, I Il'jl- (ll ARMY: ARMY: (HUME) ARMY: ARIVIY: 35% 3? (U) The Cyber Protection Brigade is subordinate to the 7th Signal Command. 3? (U) The 513th Military Intelligence Brigade is a subordinate command to the US. Army Intelligence and Security Command. We? MHz-u [ll] ARIVIY: ARMY: (U) See Table 3 on the next page for the locations temporary CPT facilities ARMY: this. [Hi W) Table 3 NAVY: USMC: Sec. 1-405} 1"!!an w-n Ill-In run-It 1v van, I vu. USMC: Sec. 1.4(g) USMC: Lb)( Sec. 1.4(g) USAF: USMC: Sec. il' RH Ill} USMC: Sec. 1.4(g) ARMY: USAF: LiSh-ll??: (lJll 1. Sec. 1.4m) (s I To 951.9215? USMC: (be . ?643. I.4(g) (W) USMC: Sec. 1.4(g) 3? (U) Cyber key terrain is any physical or logical elements of a domain that enable mission-essential warfighting functions. semen-N- ill": inadequate Capabilities and Facilities Jeopardized (EMF Mission Success USMC: Sec. 1.4(g) [iv/?ees) The Service Components were responsible for providing adequate facilities for non?national however, ARCYB ER temporary solutions did not provide up to -with adequate workspace and network access to perform missions and complete required training. ARMY: (MWXE) To continue to progress in cyberspace operatlons, To continue to progress in needs to close the capability gaps we identified and Cyberspace operations, needs to close the capability prov1de CMF teams apprOpriate and adequate gaps we identified and capabilities, facilities, and network access to maintain its provide CMF tea ms with warfighting advantage. A cyber force, when resourced am! flqequate capabilities, faculties, and with the appropriate infrastructure, platforms, and tools, network access to maintain is the key to dominance in cyberspace. - its warfighting advantage' '11. I uL?i'. (U) Management Comments on the. Finding and Our Response (U) Chief of Staff for the us. Army Comments ?ma-m USMC: Sec. 1.4(g) (U) Our Response We commend the Army for starting the study to identify funding to restore and modernize existing facilities. We recognize and did not intend to imply that the Army did not use a deliberate decision-making process ARMY: Although we asked on several occasions whether the Army conducted assessment-ARNIY ?we were not provided the cost-benefit analysis. ARMY: USAF: USMC: Sec. 1.4(9) all I As previously reported, the Army did not conduct a detailed assessment to conclude whethe-had sufficient SCIF workspace until August 2013. Therefore, we did not revise the report based on the additional documentation provided by the Army. (U) Recommendations, Management Comments, and Our Response (U) Recommendation 1 We recommend the Commander, U.S. Cyber Command, and the Chiefs of Staff for the U.S. Army and U.S. Air Force, the Chief of Naval Operations, and the Commandant of the Marine Corps develop a doctrine, organization, training, materiel, leadership and education, personnel, facilities, and policy framework that address strategies to build, grow, and sustain the Cyber Mission Force. (U) Commander, U.S. Cyber'Command Comments USMC: Sec. 1.4(g) (U) Our Response Comments from the Commander partially addressed the recommendation. Although the Commander agreed with the recommendation to build and mature its existing framework, he did not state the specific actions USCYBERCOM would take to provide a comprehensive strategy across all elements of the framework. Therefore, we request that the Commander, USCYBERCOM, provide comments on the final report no later than December 24, 2015. II- In ll. I'lli (U) Chief of Naval Operations Comments PEG-HG) The Director, Warfare Integration, responding for the Chief of Naval Operations, (U) Our Response Comments from the Director addressed the recommendation, and no further comments are required. (U) Chief of Staff for the U.S. Army Comments The Chief, Cyberspace and Information Operations Division, responding for the Chief of Staff for the U.S. Army, agreed, stating that the Army was in the process of developing a comprehensive cyberspace strategy that presented the Army?s vision to have cyberspace operational forces, capabilities, facilities, and partnerships ready and able to effectively provide support to regional, global, joint, and Army operations. The Chief stated that the strategy would drive investment, workforce, facility, and doctrinal changes. Additionally, the Chief stated that the U.S. Army Training and Doctrine Command established a Cyber Center of Excellence in January 2014: to serve as the Army's lead organization for Force Modernization. Since the Cyber Center of Excellence was established, the Chief stated it developed a framework and a strategy to build, grow, and sustain soldiers under a new Career Management Field to meet Army CMF requirements. However, the Chief stated a need also existed for a Joint Services assessment across the entire that focused on integrating efforts and strategies to further support building, growing, and sustaining the CMF. Specifically, the Chiefstated that a Joint Services assessment would allow the Services to share independent strategies, identify cross-cutting capabilities, and foster innovative approaches. (U) Our Response . Comments from the Chief addressed the recommendation, and no further comments are required. We agree anoverarching, Joint Services assessment is needed and would benefit DoD?s ability to build, grow, and sustain the CMF. Our intent was for USCYBERCOM, as the cyberspace focal point, to lead efforts to develop a comprehensive framework based on its assessment and the individual assessments and strategies developed by the Service Components. (U) Management Comments Required (U) The Chief of Staff for the U.S. Air Force and the Commandant of the Marine Corps did not reSpond to the recommendation. The Chief of Staff, AFCYBER, provided comments on the draft report; however, Air Force officials stated that comments from the Chief of Staff for the U.S. Air Force would be provided only in response to the final report. The Commander, MARFORCYBER, also provided comments on the draft report, but documentation from Headquarters, Marine Corps clearly stated that the comments represented position. Although we attempted to clarify whether MARFORCYBER was responding on behalf of the Commandant, we did not receive a further response from the Marine Corps. We request the Chief of Staff for the U.S. Air Force and the Commandant of the Marine Corps provide comments on the final report no later than December 24, 2015. (U) Recommendation 2 We recommend the Commander, U.S. Cyber Command, and the Chiefs of Staff for the U.S. Army and U.S. Air Force, the Chief of Naval Operations, and the Commandant of the Marine Corps formalize an agreement to focus capability development on functional and mission areas consistent with results of the mission alignment board. (U) Commander, USCYBERCOM Comments The Commander, USCYBE RCOM, agreed, stating that it was important for the cyber force to have an integrated approach for capability development. The 656% Hum. i_1"r. fill-Milli; Commander stated that USCYBERCOM needed to engage with the Office of Secretary of Defense and Service Chiefs to coordinate and begin developing formal agreements to focus capability development and facilitate integrated development approaches. The Commander also stated that limited acquisition authority described in the draft FY 2016 National Defense Authorization Act, if received, would support increased capability development of functional and mission areas consistent with the results of the mission alignment board. (U) Our Response (U) Comments from the Commander addressed the recommendation, and no further comments are required. (U) Chief of Naval Operations Comments USMC. Sec. l.4(g) (U) Our Response (U) Comments from the Director addressed the recommendation, and no further comments are required. (U) Chief of Staff for the Army Comments The Chief, Cyberspace and Information Operations Division, responding for the Chief of Staff for the US. Army, agreed, stating that a formal memorandum of understanding for capability development that focused on the CMF mission alignment board for CMTs and CPTs was needed between the Services. The Chief stated that the Army's recently established Cyber Acquisition, Requirements, and Resourcing working group shaped the Army?s efforts by providing requirements and acquisition support needed to rapidly develop and deliver new Army cyberspace capabilities to its force. 1H1 ARMY: (U) Our Response Comments from the Chief addressed the recommendation, and no further comments are required. (U) ManagementComments Required (U) The Chief of Staff for the U.S. Air Force and the Commandant of the Marine Corps did not reSpond to the recommendation. The Chief of Staff, AFCYBER, provided comments on the draft report; however, Air Force officials stated that comments from the Chief of Staff for the U.S. Air Force would be provided only in response to the final report. The Commander, MARFORCYBER, also provided comments on the draft report, but documentation from Headquarters, Marine Corps clearly stated that the comments represented position. Although we attempted to clarify whether MARFORCYBER was responding on behalf of the Commandant, we did not receive a further response from the Marine Corps. We request the Chief of Staff for the U.S. Air Force and the Commandant of the Marine Corps provide comments on the final report no later than December 24, 2015. (U) Recommendation 3 (U) We recommend that the Commander, U.S. Cyber Command, in coordination with the Service Components and the Defense Information Systems Agency, develop and specify a capability baseline and interoperability standards for all Cyber Protection Teams. . I (U) Commander, USCYBERCOM Comments USMC: Sec. 1.4m) L-izlxli. USAF: USMC. Sec. 1.4(g) (U) Our Response Comments from the Commander addressed the recommendation, and no further comments are required. (U) Chief of Naval Operations Comments USAF: USMC: (b Sec (U) Our Response USMC: Sec. l.4(g) (U) Recommendation 4 We recommend the Commander, Army Cyber Command and Second Army develop a time-sensitive plan of action and milestones to provide all Army Cyber Protection Teams with adequate workspace ARMY: (U) Commander, U.S. Army Cyber Command and Second Army Comments The Commander, ARCYBER, agreed, stating that the U.S. Army Network Enterprise Technology Command was working with the Cyber Protection Brigade to assist in resourcing facilities and network improvements. The Commander stated that ARCYBER and the U.S. Army Network Enterprise Technology Command completed a full facility sewer-eme- and network analysis of capabilities needed and developed a plan ofaction and (U) Our Response Comments from the Commander addressed the recommendation, and no further comments are required. (U) Unsolicited Management Comments and Our Response (U) Commander, MARFORCYBER Comments W) USMC: Sec. 1.4(g) Additionally, the Commander stated that a formal capability development agreement was not needed. Instead, the Commander stated that the issuance of a task order, operational order, or fragmentary order would be more appropriate. The Commander noted that the mission alignment board process was relevant to only CMTs and NMTs, not CPTs. Further, the Commander stated that a capability baseline and interoperability standard for CPTs was needed. However, the Commander noted that the baseline should not restrict CPTs from adapting their tools and methodologies to meet emerging threats. The Commander stated that the baseline should be established using functional and mission analysis of CPT operations that considered the current seesaw-mesons- [ll] operating environment as well as the expected future Joint Information Environment. The Commander stated that an acceptable tools list with a universal authority to operate on the or portions of the was also needed to provide CPTs with ?exible options to enable them to rapidly implement and respond to incidents. (U) Our Response We commend MARFORCYBER for developing a strategy to incrementally complete a framework to build, grow, and sustain the CMF and for recently completing its first assessment as part of the strategy. MARFORCYBER recognized that the CPT baseline capability should be based on functional and mission analysis and be approved to operate on the or portions of it to increase the ability to and effectively perform incident response missions. We acknowledge that the CPT capability baseline should not restrict CPTs from adapting their tools and methodology to meet emerging threats. We recognize and agree that capability development to support the CMF should be a joint effort. We understand other types of written direction could meet our intent. However, as stated in this report, similar efforts by the Commander, USCYBERCOM, to specifically direct capability development efforts in Operational Directive 12-001 were not successful because agreement between the Services and USCYBERCOM had not been reached. As the Services and DOD continue to develop a broad range of cyberSpace tools and capabilities, an agreement and collaboration among the Services and USCYBERCOM to align multiple capability development efforts and reduce potential redundancy while meeting combatant command and Service requirements is needed. The lack ofbroader agreement to and leverage Service-led capability development efforts could result in developing redundant capabilities and, therefore, not using limited resources efficiently. (U) AFCYBER and 24th Air Force Comments Although not required to comment, the Chief of Staff, AFCYBER, stated that AFCYBER would continue to work with Headquarters, U.S. Air Force and USCYBERCOM to develop or update a framework. The Chief of Staff stated that AFCYBER would also continue to document capability requirements and associated capability gaps to build the current force, grow and mature the full CMF, and develop and sustain CMF capabilities. However, the Chief of Staff stated that an Air Force Space Command Project Task Force already made progress towards institutionalizing a framework and developed a strategic level doctrinal framework in the CMF Program Action Directive, January 15, 2014. The Chief of Staff stated that the CMF Program Action Directive established guidance that included planning actions focused on training, budget, facilities, equipment, and personnel across the total force for the Air Force CMF build. The Chief of Staff stated that the framework supported the Air Force in building .. OIG: -. The Chief of Staff also stated that the current strategic guidance enabled AFCYBER to successfully field, train, organize, equip, and develop capabilities to meet iluig'fg; . Air Force CMF needs across the entire Air Force presentation of forces. ESE-9) Additionally, the Chief of Staff stated AFCYBER would continue to work with Headquarters, US. Air Force, USCYBERCOM, and other CMF oversight organizations, in accordance with the Cyber Force Concept of Operations and Employment, to formalize agreements that allow combatant commanders to direct capability development that supports their mission requirements and priorities. (U) Our Response We commend AFCYBER for developing a strategic roadmap to build, grow, and sustain the CMF. We recognize the Air Force Space Command strategy provides the foundation for AFCYBER to develop and update its framework. Additionally, we commend AFCYB ER for acknowledging the need existed to formalize agreements to develop capabilities that support Service and combatant commander mission requirements and priorities. ill} H?ijthi'tV'. (U) Appendix (U) Scope and Methodology (U) We conducted this performance audit from November 2014 through September 2015 in accordance with Generally Accepted Government Auditing Standards. Those standards require that we plan and perform the audit to obtain sufficient, apprOpriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. We visited Headquarters, USCYBERCOM, and Headquarters, NSA, Fort Meade, Maryland. Specifically, we interviewed officials from the USCYBERCOM Operations Directorate Logistics Directorate 04-), Capability and Resource Integration Directorate and Advanced Concepts and Technology Directorate to determine their processes for identifying requirements, developing implementation plans and strategies to locate CMF teams in appropriate workspaces with access to needed networks, and planning and funding facilities, equipment, and capabilities to support CMF teams. We also interviewed USCYBERCOM officials to determine processes for coordinating and facilitating capability development across the Service Components. Additionally, we met with the Commander, Cyber National Mission Force, to discuss his vision for pooling CMF tool developers, assigning CMF missions and targets, and We reviewed three task and two fragmentary orders issued by USCYBERCOM and the implementation plan for fielding the CMF teams; standard equipment con?gurations based on CMF team work roles to identify desktop equipment {I?ll} ?1398-9) We visited Headquarters, ARCYB ER, Fort Meade, Maryland; Headquarters, Fort Meade, Maryland; Headquarters, AFCYBER, Joint Base San Antonio-Lackland, Texas; and Headquarters, MARFORCYBER, Columbia, Maryland. We interviewed officials from ARCYBER, AFCYBER, and MARFORCYBER responsible for staffing, equipping, assessing locations and providing facilities, and identifying capability gaps and developing capabilities to support Service-fielded CMF teams. Additionally, we interviewed of?cials from ARCYBER, AFCYBER, and MARFORCYBER to identify responsibilities for providing administrative and operational control of the CMF. We reviewed agreements to identify facilities and reSponsibilities for locating Army, Navy, and Marine Corps CMF teams; ARCYBER, AFCYBER, and assessments to identify processes and criteria for locating CMF teams; plans for locating CMF teams to identify temporary and permanent CPT facilities; initial and full operational capability designations to identify the missions of CMF teams; and operational needs, capability gaps, and CPT ?yaway kit configurations to identify offensive and defensive capabilities used or needed by CMTs and CPTs. (U) In addition, we interviewed officials from Joint Staff Operations Directorate (13), Command, Control, Communications and Computer Directorate Joint Force Development Directorate and Force Structure, Resource and Assessment Directorate US) to determine oversight responsibilities for implementing the CMF build and to identify their involvement in identifying CMF facility, equipment, and capability requirements. We also interviewed officials from the US. Pacific Command and U.S. European Command joint cyber centers responsible for developing missions and targets, integrating cyberspace into command plans and operations, and coordinating facility and capability gaps with their respective IFHQ-Cs. We reviewed integrated priority lists identifying cyberspace priorities and capability gaps; mission and target assignments for and unfunded CPT facility requirements. [It] NSA: 10 USC 3605 Component-designated facilities; and Headquarters, DISA, Fort Meade, Maryland. We interviewed CMF team leads, deputy team leads, and non-commissioned officers in charge responsible for assessing equipment and capability needs and planning, implementing, and leading team missions to review the adequacy of their facilities, equipment, and capabilities. See Table A.1 for the Service Component that fielded the teams, the specific CMF team visited, and the location of each team. NAVY: usar; usmc- in) (577 NEE 36 TableA-l- 'l'l'l llf?l l-Iu-u' Iv I Ill?l USMC: Sec. 1.4(g) (U) We also reviewed USCYBERCOM, NSA Central Security Service, U.S. Pacific Command, and U.S. European Command security classification guides to appropriately classify information and portion mark the report. (U) Use of Comouter-Processed Data We did not use computer-processed data to perform this audit. same-Fema- I out! -I-: 'f l] 1 ill: (U) Prior Coverage (U) During the last 5 years, the GAO and the Department of Defense Inspector General 1G) issued six reports discussing DoD?s ability to resource and conduct cyberspace operations. Unrestricted GAO reports can be accessed over the Internet at (U) GAO [-53 USMC: Sec. 1.4(g) Report No. GAO-11-75, ?Defense Department Cyber Efforts: Faces Challenges in its Cyber Activities," July 25, 2011 Report No. "Defense Department Cyber Efforts: More Detailed Guidance Needed to Ensure Military Services Develop Appropriate Cyberspace Capabilities,? May 20, 2011 USMC: Sec. 1.4(g) (U) OIG Report No. DODIG-2015-117, and Military Services Need to Reassess Processesfor Fielding CMF Teams,? April 30, 2015 Report No. ?Joint Cyber Centers 01G ?Cyberspace0perationsr December 8, 20 14 i (U) Management Comments (U) Cyher Command DEPARTMENT OF DEFENSE UNITED STATES CYBER COMMAND sane SAVAGE ROAD, SUITE at FORT GEORGE a means, MARYLAND earns OCT 1 ?l Z?l'i Reply to: Commander MEMORANDUM FOR THE INSPECTOR GENERAL. DEPARTMENT OF DEFENSE Through: DIRECTOR OF THE JOINT STAFF SUBJECT: (WES-HO) Response to report: Combat Mission Teams and Cyber Protection Teams Leoked Adequate Capabilities and Facilities to Perform Missions (Report No. DODIG-2015-0059) l. (U) United States Cyber Command (USCYBERCOM) appreciates the opportunity to respond to the subject report and provides the following response to recommendations one. two, and three. 2. (U) Recommendation One. The 00016 report recommends that Chiefs of Staf?t?for the, US. Army and U.S Air Force; Chief of Naval Operations; the Commandant of the Marine Corps; and the Commander, U.S. Cyber Command develop or update a doctrine, organization, training, materiel. leadership and education1 personnel, facilities, and policy framework to document capability requirements and associated capability gaps to build the current force, grow and mature the full Cyber Mission Force (CMF). and develop and sustain CMF capabilities. USMC: Sec. 1.4m) USMC: Sec. b_ USMC: Sec. 1.4(g) USMC: I Sec. .I3 l" i ii (U) U.S. Cybor Command (con?ict) 3. (UIIFOUO) Recommendatiou Two. The Commander, Chiefs of Stall? for the U.S. Army and Air Force; the Chief of Naval Operations; and the Commandant of the Marine Corps should formalize an agreemenl to focus capability development on functional and mission areas consistent with the results of the mission alignment hoard. (mm) USCYBERCOM agrees with Recommendation Two. It is important for the cyber force to have an integmmd approach for capability development; would need to engage with 05D and Service Chiefs to coordinate and begin developing formal agreements to focus capability development and facilitate integrated development approaches. Limited acquisition authority as described in the draft FYI6 National Defense Authorization Act. if received, would also support increased coordination of capability development on functional and mission areas consistent with the results of the mission alignment board. 4. (or/sens) Recommendation Three. The Commander, USCYBERCOM, in coordination with the Service Components and should develop and specify a capability baseline and interoperability standards for Cyber Protection earns USMC: 1.40;) i ., USMC: (w I Sec. 1.4(g) The USCYBERCOM soc for this action is OIG: {bum 5. D00 0le (bub) MICHAEL 3. ROGERS Admiral. Navy Commander Copy to: . Commander, USSTRATCDM 2 room. Li!? riff. SEER-SW (U) Chief of Naval Operations l?Nt Hl?l UI- liNt'llhl'Kl' 1h l? IHI: NAUV (I n1!- -ll . ?wn' ?l KIT I (L Dul') {Hu- (huh) Realm. and (?3?le .1301) Math C'cutul Imu- VA 23 nun om- (Mm) (IVA-Stilt: L-uclL-wn- I n. [he Nm In Ihc llcpanmunl n] Inxpn l-u nllull .mdlt Icpurl Ill] >u 1 ccl 'nmhul Mlumrl IL?Jll'h and ('3th I'mlunml hum]- acknl A?cqunl- t'upuhihlin mull In Mmtunx" Il'mml Nn 5 IJIIKIIU I1 '1 Flu: upplucmlr" Hm In leipuml In Illc ?Ir-all 111m" pulnl ul' {hilt-l mm.- ?7 {(225.53 ?:12 7/ Nanu Nu-Iluln Ru.? .\dllmul. L- 5 Nu} Illn?clml Wan-arc lutqum-m I'm lu-mu' In INJUIU I?lnmt IHH-uummnl l-?Srp Ii Dunnl hum Sum.? Ihuhwm nn I IUCMUVAI. Ul?~ I -I (U) Chief of Naval Operations (cont?d) DEPARTMENT OF THE NAVY Gnu - In: - I [Ln-'2 N.- Pi . Wax: nulxv?I?DC Illu Spy Uduhu All, .?nl'x I?llml DiIcquI. U. .lrl.lu' cl'll?NAV In Dq-uly ?cm'ml ftrudlm'n ,uul {'j?lwr Uln-Inlmn?. win. um: NAVY Khan mm: mum; NH IMMI-M I?m UH M: Mnl? InumRt' nuw nun: UM H) Jun lh.-h-n-m-u i Dull Mum Rclmu I I ?wp 5 rm IUI Nmal (Bumml Amhr .Iunun Manual ?e Ilil-l Datum; m?mn I ll?a_ h'qumw Iu In] .mnl In :Iu?cuhlum'r uiul my lull-mm}: Input pnnidud tn \uhwcl lu-t'mmuunllulInn I IUD llu? ?hich HS. An Furcc: 1hr ("hirl ul hm ?L'Vch'p a ?nanny. (NRJIHIJIHIIL Malcunl. I unlu'nlnp .nul Indumhuu l'uulmcx un-l l?nllu, Ihul .lIIdlI?an ?Ildt?flrx hulld atlleIll 'hL' L?jhcr I?nlu? Nun l'millun: 0 ll 2 IUI ?y-Ilcr mu! Ihc (?quh 0! Slull' Iur Army and Air Full-:8. Ihc l?hlvl nl Naval .m-I ul "Il? Marim- (?mlu Iummlih- .m .?ngluum?m In dmclulnucm nu um! unusual .muu Willi (uulh n! [1cm Cd Ilum USCCI lhxlamll} 2.1m} Mir} (U) Chief of Naval Operations (mnt?d) HARNIYI USMC: (bu I Sec. 1.4m) - ll'I Run"mnvudullnn 3 Icmumluml 'umm-unln. ILS I In Ilh Ilh- SCH Ice .md 1110 llciensc lnh?vunutinn Agency. nicminp .m-l \pn Mandalds lm all ("Hm l'mm'unn I'mms USMC: {bu I 3w mg] ?7 Jay Rout 1?5 NM l-w (U) US. Army Chief 01" Staff DEPARTMENT OF THE ARMY OFFICE OF THE DEPUTY CHIEF OF STAFF. ears" mu ARMY PENTAGDN . wnsmuemu. DC 20310-3200 DAMO-ODCI 16 October 2015 MEMORANDUM FOR De arlment of Defense Inspector General (IGJ. ATTN: Readiness and Cyber Operations. 4800 Mark Center Drive. Alexandria. Virginia 22350-1500 SUBJECT: (UHFOUGJ Army Comments in Dra? Report: Combei Mission Teams and Cyber Proleclion Teams (CPTs) Lacked Adequate Capabilities and Facililies lo Perform Missions? dated 17 Seplemher 2015 (SHNOFORN) 1. General Comments: 3. comment ARKIYL I b_ Arm Res . onge: USAF: (1?11 1 SEC. 1 Mg) CJCS Mcmutendurn. 5 December 2012. 30 Nov JCS Tank on CYBERCOM Mission Manpower ?Hi-il' "I'li- (131'. .u SEW {Lil (U) US. Army Chief of Staff lcont?d) USMC: Sec. 1.4(g) 2. DODIG Recommendations: a. (U) Recommendation 1: We recommend the Chiefs of Staff for the U.S. Amy and US. Air Force: the Chief of Naval Operations: the Commandant of the Marine Corps; and the Commander. U.S. Cyber Command develop a doctrine. organization. training. materiel. leadership and education, personnel. facilities. and policy framework that address strategies to build. grow. and sustain the Cyber Mission Force. b. Army Response: Concur. There is a need to conduct a collaborative Joint Services assessment across the entire that focuses on Integrating efforts and strategies to support building. growing. and sustaining the Cyber Mission Force This approach would allow Services to share their independent assessments. help determine cross-cutting capabilities and foster innovative approaches. The Army is developing a comprehensive Cyberspace Strategy that presents the Army vision for cyberspace, and states. and major objectives to Integrate all Army activities and operations In cyberspace and the iniormation environment. This strategy . El {ll} (.?mumr?nti; ARMY: c. (U) Recommendation 2: We recommend the Commander. U.S. Cyher Command, and the Chiefs of Staff for the U5. Army and US. Air Force, the Chief of Naval Operations. and the Commandant of the Marine Corps formalize an agreement to focus capability development on functional and mission areas consistent with results of the mission aiignment board. d. (UHFBHO) Army Response: Conour. The Army requlres a proactive . er ca a abilities with overnance and management construct to rank" deliver 0 bl ARMY: (MIME) . 55W {ii} (U) US. Army Chief of Staff (cont?d) ARMY: i. The Ha?diua?ersl Deianmani of the Armil ODCI G-39l ioini of contact is- 4 45,74? . RMINE CICALESE COL. GS Chief. Cyberspace and lnfarmalion Operalions Division I'm (ll: (U) U..S. Army Cyber Command and Second Army UNCLASSIFIEDIW DEPARTMENT OF THE ARMY LLB. ARMY CVEER COMMAND AND SECOND cum FORT 221150-5218 I 6 OCT 2015 MEMORANDUM FUR De artment 01 Defense Inspector General (I6). Readiness and Cyber Operations. 4300 Mark Center Drive, Alexandria. Virginia 22350-1500 SUBJECT: (urea-e99 Command Comments to Draft Report: Combat Mission Teams and Cyber Protection Teams Locked Adequate Capabilities and Facilities to Perform Missions? dated 17 September 2015 1. (U) U.S. Army Cyber Command (ARCYBER) reviewed the subject dra? report and your recommendation: 1U) RECOMMENDATION 4: (U) We recommend the Commander. Anny Cyber Command and Second Army develop a time-sensitive plan of action and milestones to ?rovide all Anni Cier Protection Teams with adiuate workaiace and 2. (U) We concur. The Network Enterprise Technology Command (NETCOM) stall are currently wetting with the Cyber Protection Brigade (CPB) to assist in resourcing iacillttes and network Improvements. During the course of the audit, ARCYBER and NETCOM completed the full facility and network analysis on capabilities needed for the OPE and developed a plan election and mliestonas to rovide all Arm Protection Teams CPTs with ads uate works ace 3. It ou have an ouesiions. -lease contact UlGitbil?i 0le (blur?aw-x EDWARD C. CARBON Lieutenant General, USA Commanding CF: HQDA HQDA guru-um (Tomlin-m}; (U) U.S. Marine Corps Forces Cyber Command NC UNITED Starla MARIN: CORPS u. n. "all": nouns! exalniracl SAVAGE 5950 Ion: 20155 CUR ocrzo 2015 t'ruln: Cnrunandeu, 13.5. Harlue Curps Fumes Cyberspace Connumd :Imnmnu?rasm To: Inspector d?naldl, U.S. of Defense Via: Director. Hatinu Corps Staff Sub]: :Uffi?H?4 JHAFF DODIG REPORT PEAMS AND CYBER PRGTECTIOH IEAMS LACKHD FACILITIES PO PEREUMH HATED SEPIERHER If, Bulb RESPONSES SECURITY KBVIEH 1. EUBPOSE. rn transnir approved Lu the DrazL 03013 tupurr ?Comhar Hissian reams and Cyne] Protection Fuams bucked Adequate Capabilities and FaciliLius Lu Puxluzm HIREiana." H. BACKGROUND. The attic: o! the Inspector General, DapartmenL of Detenae, pluvidud diart report ?Combat H135Lun teams and Cybui Protection Teams anhed adequate Capabilities and Facilities Cu Perturm Missions" dated if, 2015 Lo int review and unnmenL. are for Lu prnviae uunmean un whuLhe: leadership aurees {concurs} u: aiaagrees inch-concurs} with the findings and rucummenddtio?s in the report. HARFOHCYBER way ln?truuted Lu upeuiliually answer recummandatxons ono, two, and L: awaited three. additionally. the nonmand hd? been directnd to rnv1?u all cLassirIEatiau ul Lhe repurL and our response. 3. n1 summary A. IUI Recgmmendatinn 1. HHEFORCYBER concurs: see enclosure [11. b. 2. HARIUHCYBER nun-concurs: as: enuiusuxu tli. c. (U) Recommendation 3. concurs: sue enclosure d. Marking Ruvicw. rumpler?d: sen enclnaure m: Point 01 cunLact (or this mdzLei 13 Tnihlu-Zulrpuz? 5 ill! 1? (U) US. Marine Corps; Forces Cyber Command (cont?d) DOING DRAFT AUDIT SEPTEMBER 17. 2015 PROJECT N0. MISSION TEAMS AND PROTECTION LACKED ADEQUATE AND 1'0 PERFORM MARIN I-I CORPS COMMENTS TO THE DODIG a l: DUIJIG recommends that the Chiefs ul'Stuli?t'or the 11.8. Army and LLS. Air Force; the Chief Operations: the Commandant of the Mnritte Cams: and the Commander. U.H. (?yher develop it doctrine. urgunimlinn. trnining. materiel. leadership [IllLi personnel? I'tteililies. and policy framework strategies In littild. gum, and sustain the Cyber Mission l-?oree. MARINE CORP ARMY: USAF: USMC: (hi! I l. Sec. 2: DODIG recommends that the Chiefs ol'Sttn?l'l'or the US. Army and Air Force; the Cltiel'tll' Naval Operations; the Commandant of the Marine Corps: and the Commander. (?yher Command fomtullze on agreement to focus capability development m1 functional and mission uretts consistent with results of the mission alignment board. FTII .M ?5 (mm Non?concur. 'Iite ability to focus development is ttjoint objective and should he led by the Commander. IISSTIM or tlclegtlteti representative No l'ommliecd agreement is required: the npprupriute mechanism would he the oftm order li.e. FRAUD. 'llte Mission Dunn! process is only relevant to Combat Mission l'eams and National Mission Tennis and does not provide appropriate criteria for capability det'elnpment ol'the Cyher Protection l?orcc lL'Ilu'yl I HIHI Ilnit'ti lit-t Mull) I'm ENCLOSURE (I 1 I'Hint' 1.:th zit, (U) US. Marine Corps Forces Cyber Command (cont?d) 3: DODIG recommends Iltat Commander. L?yber Command. in coordination with the Service Components and the Defense lni'omtatiott Systems Agency. develop and specify a capability baseline and interoperability standards For all Cyber Protection 'l?eams. OF THE MARINE CORPS RESPONSE: (WM) Coneur. MARFORCYBER agrees that there should he a capability baseline and interoperability standard for the CPI-1 standard should consider today's operating environment and the future Joint Int'omration Environment tJllit and should he codi?ed in the Cyber Force ol' Employment (CFCUEI or other directive documents. the standard should be established using a functional and mission analysis ol'Clrl' operations. It should specify a minimum capability. but not limit CPi?s t?rom exceeding the standard when neecsrerry and Where possible. Given the evolutionary nature ol'lhe operating environment. the baseline standard must not restrict Cl?Ts I'rotn adapting their tools and methodology to meet emerging threats. 1 recommend the baseline identify liatetions or capabilities rather than specific tools. l?inaliy. the creation ot'an acceptable tools list with a universal authority to operate tA'l'O} on any network. or portion thereof. would provide teams ?exible options. enabling rapid and increasing operational tempo for incident response forces. ENCLOSURE (a lint tit; - i L: 4.12:) (U) U.S. Air Forces Cyber Command and 24th Air Force 55W {Ll} ("jtnm'imtt'z? DEPARTMENT OF THE AIR FORCE Hm L-?tos 2? AIR t'URt?t: IAIR L?t'BEnr tum Bast: AN mmo I9 October 2015 MEMORANDUM FOR Office of the Inspector General Department of Defense FROM: 35 l5 5. General McMullcn I'Jrive Joint Base San Antonio - ankiand TX 78226-9853 sumac-r: one Report for Project No. DZOIS-DDODRC-OOSD.OOD l. (UIAFBUIO) PURPOSE. Obtain 24 coordination and approval of24 AF comments pertaining to the Draft Report for Project No. D201 2. (mm) BACKU ROUND. The Of?ce of the Inspector General Department of Defense. issued the draft report For Project No. "Combat Mission Teams and Cyber Protection Teams Locked Adequate Capabilities and Facilities to Perform Missions" dated September I7, 2015 for 24 AF review and comment. instructions are for 24 AF to provide comments on whether management agrees or disagrees with the ?nding and in the report. if in agreement 21! AF is instructed to describe what actions have been taken or planned to accomplish the recommendations including the completion dates. If in disagreement. 224 AF is instructed to give speci?c reasons for disagreement and propose altemativc action if appropriate. 3. DISCUSSION. 2d AF concurs with comments. a. (D) Do!) 16' Recommendation I (U) We recommend the Chiefs of Stolfl'or the Army and U.S. Air Force; the Chief'ot? Naval Operations: the Commandant of the Marine Corps; and the Commander. U.S. Command develop a doctrine. organization. training. materiel. leadership and education. personnel. facilities. and policy framework that address strategies to build, grow. and sustain the Cyber Mission Force. (II) 24 AFIAFCYBER response: The 2-1 AFIAFCYBER will continue to work with HQ USAF. and USCYBERCOM to develop or update a framework. The orgauirnlions will continue to document capability requirements and associated capability gaps to build the current force. grow and mature the full CMF, and develop and sustain CMF capabilities. The AFSPC Project Task Force (PROTAF) has already made progress towards institutionalizing the framework and has produced strategic level doctrinal framework including: CMF Program Action Directive dated 15 Jan 20?, established guidance for the AF CMF build. The PM) established planning actlons across training. budget. facilities. equipment. personnel and total force [Air Force Reserves (AFR) and Air National Guard lines of'elTort. The execution arm of our effort and PAD guidance is the Project Task Force (PROTAFJ which consists of membership front AFCYBER. Air Force Space Command. Headquarters Air Force (HAP). tuttijt'. ll}: (U) US. Air Forces Cybor Command and 24th Air Force (cont?d) Air National Guard, and the Air Force Reserves. DOD 016: 7 Date 01' Co mpletion: Multiple. ongoing actions until in" FCC build. (U) Dot) Reeamtend'ation 2 (U) We recommend the Commander. Command. and the Chiefs of Staff for the us. Army and US. Air Force. the Chief of Naval Operations. and the Commandant of the Marine Corps formalize an agreement to focus capability development on functional and mission areas consistent with results of the mission alignment board. 24 AFIAFCYBER response: (WW) The 24 will continue to work with USAF. and other CMF oversight bodies such as the CMF Technical Oversight Council. in accordance with the Cyber Force Concept of Employment directive. to formalize agreements that allow Combatant Commanders. guided by the Mission Alignment Buanl. to direct capability development that support the Combatant Commander's mission requirements and priorities. (U) Date oI'Completion: Orr-going activity 4. (U) VIEWS OF OTHERS. NA ll'll'lal ilki'. Milnugermmt' Comments (U) U.S. Air Forces Cyber Command and 24th Air Force (cont?d) uncussmanuion-W 5. U) RECOMMENDATION. AFCYBER concurs wilh comments to Dm? Repon for Project No. (Tab 1). I1 is DOD (JIG: Stephen T. Ling. Colonel, 7 L'hiel?nl?Sta?'?? CC 1 Tabs Tab 1 Dm? Regan for Project No. 6U ml". wl H1m (U) Source of Classified Information Sourcel: (U) Deputy Secretary of Defense Memorandum, ?Resource Management Decisions for FY 2014 Budget Request? Declassification Date: April 10, 2038 Generated Date: April 10, 2013 Source 2: (U) USCYBERCOM Cyber Force Concept of Operations and Employment, Version 4.1: TO USA, FVEY Declassification Date: August 1, 2039 Generated Date: July 22, 2014 Source 3: USCYBERCOM Task Order 13-0244, "Establishment and Presentation of CMF Teams in FY 2013:? TO USA, FVEY Declassification Date: March 6, 2038 Generated Date: March 6, 2013 Source 4: (W USMC: Sec. 1.4( Declassification Date: October 11, 2038 Generated Date: October 11, 2013 Source 5: USMC: Sec. Declassification Date: May 13, 2038 Generated Date: May 13, 2013 Source 6: USMC: Sec. 1.4(g Declassification Date: April 5, 2037 Generated Date: April 5, 2012 Source 7: USMC: Sec. 1.4(g) Declassification Date: May 19, 2038 Generated Date: May 19, 2013 Source B: USMC: Sec. 1.4(g) Declassification Date: June 30,2038 Generated Date: March 30, 2015 g) g) i'.l I'll ?iwl lulu: Inc-11w: Declassi?cation Date: August 1, 2039 Generated Date: August 14, 2014 Source 10:657l7l-N-Fa USMC: Sec. 1.4(e) Declassification Date: November 1, 2039 Generated Date: November 20, 2014 Source 11: Deputy Secretary of Defense Memorandum, "Resource Management Decisions for FY 2016 Budget Request? Declassification Date: December 10, 2039 Generated Date: December 10, 2014 Source USMC: Sec. 1.4(g) Declassification Date: June 25, 2040 Generated Date: June 25, 2015 Source USMC: Sec. 1.4(g) Declassification Date: July 19, 2038 Generated Date: May 1, 2014 Source USMC: Sec. 1.4 Declassification Date: August 1, 2039 Generated Date: October 22, 2012 (updated November 20, 2012) Source 15: WOW ARMY USMC: See. I Declassification Date: December 19, 2039 Generated Date: Ianuary 9, 2015 Source 16: Request for Initial Operational Capability Designation TO USA, FVEY Declassification Date: September 13, 2038 Generated Date: September 13, 2013 Source 17: 400 CMT Initial Operational Capability Designation: TO USA, FVEY Declassification Date: October 9, 2039 Generated Date: October 9, 2014 il'J.? ?iIrI Source 600 CMT Initial Operational Capability Declaration: TO USA, FVEY Declassification Date: April 18, 2039 Generated Date: April 18, 2014 Source 19: (U) 102 CMT Initial Operational Capability Declaration: TO USA, FVEY Declassification Date: July 1, 2039 Generated Date: April 1, 2014 Source 20: (U) OSD Cost Assessment and Program Evaluation, ?Cyber Issue Team Deputy?s Management Advisory Group Comebackz? Declassification Date: August 31, 2033 Generated Date: December 11, 2012 Source 21: (U) USCYBERCOM Presentation on CMF Concept of Operations: TO USA, FVEY Declassification Date: December 11,2037 Generated Date: January 16, 2014 Source USMC: Sec. 1.4(g) Declassification Date: January 12, 2040 Generated Date: January 12, 2015 Source USMC: Sec. 1.4(g) Declassification Date: February 1, 2039 Generated Date: Ianuary 8, 2007 Source USCYBERCOM Presentation on CMF Funding: Declassification Date: April 1, 2037 Generated Date: November 20, 2014 Source 25: (U) Memorandum of Agreement Between US. Army Intelligence and Security Command and 24th Air Force for Totem Stone Infrastructure and Advanced Cyberspace Operations Concepts, Tools, Techniques, and Technologies: 3/ Declassification Date: November 21, 2038 Generated Date: December 9, 2013 Source 26: (U) Deputy Secretary of Defense Memorandum, ?Follow-on Guidance from the April 18, 2015, Cyber Deep Dive:" TO USA, FVEY Declassification Date: June 3, 2040 Generated Date: June 3, 2015 r'mrymu (U) Acronyms and Abbreviations AFCYBER ARCYBER CCR CMF CMT CPT CST DISA DODIN GAO JFHQ MARFORCYBER NMT NST SCIF 5M0 USCYBERCOM Air Forces Cyber Command Army Cyber Command Cyber Capabilities Registry Cyber Mission Force Combat Mission Team Cyber Protection Team Combat Support Team Defense Information Systems Agency Information Network Doctrine, Organization, Training, Materiel, Leadership and Education, Personnel, Facilities, and Policy Fleet Cyber Command Government Accountability Office Joint Force Headquarters Joint Worldwide Intelligence Communications System Marine Corps Forces Cyber Command National Mission Team National Support Team Non?Secure Internet Protocol Router Network Sensitive Compartmented Information Facility Secret Internet Protocol Router Network Support to Military Operations U.S. Cyber Command I) I Whistleblower Protection US. DEPARTMENT OF DEFENSE The Whistleblower Protection Enhancement Act of 2012 requires the Inspector General to designate a Whistleblower Protection Ombudsman to educate agency employees about prohibitions on retaliation, and rights and remedies against retaliation for protected disclosures. The designated ombudsman is the DOD Hotline Director. For more information on your rights and remedies against retaliation, visit For more information about IG reports or activities, please contact us: Congressional Liaison 703.604.8324 Media Contact public.affairs@dodig.mil; 703.604.8324 Update Reports Mailing List Twitter Hotline dodigmil/hotline DEPARTMENT OF DEFENSE I INSPECTOR GENERAL 4800 Mark Center Drive Alexandria, VA 22350-1500 Defense Hotline 1.800.424.9098 I