Army Acquisition Logistics and Technology Magazine: Army ALT April-June 2017
conducted during fielding and possibly expand the current
4. Investigate and address current simulator shortfalls with
the Program Executive Office for Simulation, Training and
Instrumentation and all stakeholders, as incorporating the
radar simulator may improve training.
5. Engage all stakeholders to address recategorizing sensor
training tasks to series 1000 tasks, to enhance the Soldiers’
sensor training experience in AIT.
LL_540: Institute baseline cybersecurity requirements as a
condition of contract award for appropriate acquisitions.
Baseline cybersecurity refers to first-level information security
measures used to deter unauthorized disclosure and loss or
compromise of information. Basic protections, such as updated virus
protection, multiple-factor logical access, methods to ensure
data confidentiality and current security software patches, are
broadly accepted across the government and the private sector as
ways to reduce a significant percentage of cyber risks. Ensuring
that the people, processes and technology with access to at-risk
assets are employing baseline requirements raises the level of
cybersecurity across the federal enterprise.
Often, cybersecurity requirements are expressed in terms of
compliance with broadly stated standards and are in a section of
the contract that is not part of the technical description of the
product or service. Doing so leaves too much ambiguity about
which cybersecurity measures are actually required in the deliv-
For acquisitions that present cyber risks, the government should
do business only with organizations that meet such baseline
requirements in both their own operations and the products and
services they deliver.
The government should express the baseline in the technical
requirements for the acquisition, and should include performance
measures to ensure that the contractor maintains the
baseline and identifies risks throughout the life span of the product
or service acquired.
Because of resource constraints and the varying risk profiles of
federal acquisitions, the government should take an incremental,
risk-based approach to increasing cybersecurity requirements
in its contracts beyond the baseline. As a preliminary matter,
cybersecurity requirements need to be clearly and specifically
articulated within the requirements of the contract. First-level
protective measures are typically employed as part of the routine
course of doing business. The cost of not using basic cybersecurity
measures would be a significant detriment to contractor and
federal business operations, resulting in reduced system performance
and the potential loss of valuable information.
LL_742: Per Army Regulation (AR) 25-2, information assurance
(IA) certification is a requirement for information
systems seeking to network in Army activities. Programs
need to develop IA strategies very early during the design
process to avoid cost and schedule impacts.
During the requirements development phase and subsequent
build of an electronic warfare system, the developer did not
address IA. Consequently, an IA assessment performed after
the system was developed determined that the system’s security
posture did not meet Army IA regulations or National Security
Agency (NSA) requirements. Had an IA subject matter expert
(SME) engaged with the developer from the start, the SME
would have determined that the operating system (OS) and the
hardware and processor being developed and integrated into the
system were not on the NSA preapproved list and lacked a validated
encryption algorithm.
Not using the NSA preapproved OS or hardware does not
preclude obtaining certification; however, it does mean that
Establish clearly and in advance the types and levels of experience
that Soldier participants will need to fully employ the system in
testing and