Cybercom looking to combine and standardize defensive cyber kits; solicitation issued
U.S. Cyber Command, through the Defense Innovation Unit, has begun the process to standardize the gear that defensive cyber teams use to perform their missions.
That effort will now also combine the equipment cyber protection teams use with the kit for hunt-forward operations performed by the Cyber National Mission Force, Cybercom’s elite unit tasked with defending the nation against significant digital threats. Hunt-forward operations, conceptualized over five years ago, involve physically sending defensively oriented cyber protection teams to foreign countries to hunt for threats on their networks at the invitation of host nations.
Since Cybercom’s inception, there has never been a standardized defensive cyber kit for cyber protection teams — the teams that hunt for malicious activity on Pentagon networks and respond to incidents — despite efforts in the past to create them. Those systems, referred to as Deployable Mission Support Systems (DMSS), varied across all the services. The way Cybercom’s forces are constructed, each of the services are responsible for providing a set number of offensive and defensive teams to the command to conduct operations.
Those DMSS kits are self-contained systems consisting of hardware and software capable of surveying, securing and protecting military networks as well as performing vulnerability analysis and incident response. They are designed to be taken to an incident with little to no notice to connect to the network in order to locate, contain and defeat malicious cyber activity that is either attempting to or has breached Department of Defense systems, according to budget documents.
Despite being designed to be joint in nature with the same training and equipment to operate on the DOD Information Network for defensive teams and the same training for offensive teams, each service provided slightly different DMSS systems to their respective cyber protection teams — creating incongruencies with equipment and forces as well as interoperability issues.
The closest the DOD came was a few years ago, requiring a set of basic tools be included across all DMSS kits provided by the services.
Now, there is an effort to standardize those efforts.
A solicitation from DIU issued Monday aims to combine the DMSS kit with the hunt-forward equipment, to create a singular standardized defensive cyber hunt system across the entire force.
The new Joint Cyber Hunt Kit (JCHK), as it is known, will be a mobile “security operations center (SOC) in a box,” DIU said. It must be portable by a nine-person team anywhere in the world and fit in a suitcase for easy air travel.
“Like the DMSS and HFO kits, the JCHK will be a self-contained flyaway capability utilized by the Cyber Protection Team (CPT) Mission Elements to secure and protect military networks and data centers by conducting Hunt, Clear, Enable Hardening, and Assess missions in blue, gray, and red cyberspace,” fiscal 2025 budget documents state. “The dynamic nature of CPT defensive cyberspace operations driven by the adversary’s rapidly evolving offensive cyber tactics, techniques and procedures require the [Budget Activity-8] flexibility as JCHK evolves. The merging of capabilities will facilitate the standardization of training, maintenance logistics, and force protection and will promote efficient execution of resources based on economy of scale.”
For hunt-forward operations, national cyber protection teams travel to other nations and plug into their network. Most prominent were the ops that took place in Ukraine ahead of Russia’s 2022 invasion, which both governments credit for helping harden Ukraine from potential Russian cyber onslaught. These differ from the tasks that cyber protection teams perform on the DOD’s network.
The new system must be flexible in order to perform standalone operations, given it will most often operate in an environment where it’s not permissible to connect to the internet or send data offsite for analysis.
The solicitation said the kits must to be able to perform any and all activities related to discovering advanced persistent threat activities and analyzing their tactics, techniques and procedures.
DIU has been working to equip Cybercom for many years. Additionally, the commmand awarded a contract worth almost $60 million in 2022 to provide equipment for hunt-forward operations.
Previewing the idea of standardizing the DMSS kits, Cybercom’s top acquisition executive noted that the services will have two years to maintain their separate service kits while the competition is underway.
“We’re going to go out with an RFP and a way of contracting for a common kit, at a minimum at the hardware level and then some layer of software, common software, that will be common across all the services. Then services’ unique needs can be added on top of that,” Khoi Nguyen, who is also the director of the cyber acquisition and technology directorate (J9) at Cybercom, said at a conference in January.
At the time, he said the command wants feedback from industry in a collaborative effort to deliver the best system possible.
“The goal is to get this industry day out there and then we’re looking to do aggressive prototyping. We’re probably going to award two or three more prototyping contracts, give the team [some] amount of time to do the prototyping and then deliver the hardware. Then three months for us [and] the force to play around with it. And then we’ll pick a winner,” he said. “My intent is to, like truly do a competition, allow competition, and that’s why we’re going to give … a decent amount of time for a new vendor or new team of vendors to build a new kit, versus having a prototype period very small, where the incumbent has a higher chance of winning. That’s the goal. We’re going to lay that out as an RFP or RFI. Please come back and tell us if I’m unrealistic or whatever else. We need to know that. But the goal is to get the best kits for the users that we can.”
According to fiscal 2025 budget documents, Cybercom and DIU will be relying on other transactional authority to award a prototype agreement to support the rapid development of a JCHK prototype, with the objective of transitioning cyber protection teams to the new system at the beginning of fiscal 2026.