Sponsored by Spectra Group
https://tacs.at/Spectra
————————————————————————
02 Apr 20. Cubic Announces Availability of Enhanced M3X Tactical Edge Solution. Cubic Mission Solutions’ M3X provides scalable compute and networking modularity to support operations in the most challenging environments.
Cubic Corporation (NYSE: CUB) today announced its Cubic Mission Solutions (CMS) business division is now shipping the enhanced M3X networking, compute and power modules. Ideal for users that need to deploy fast and connect faster, the M3X product line offers customers a modular high performance, low size, weight and power (SWaP) solution. The M3X features Intel Xeon processing, the latest in Cisco networking, storage and smart battery backup power management.
“Guided by continuous customer collaboration, we have made some key enhancements to compute performance and power management in the product line that we believe will better meet and exceed the current and future requirements of an emerging internet of battlefield things,” said Mike Barthlow, senior vice president and general manager of Rugged Internet of Things, Cubic Mission Solutions.
Created in close collaboration with Cubic Mission Solutions’ customers, the M3X is a solution that was developed in response to customer-driven innovations. These innovations include enhancements to support the rigorous EMI requirements of tactical users, a hardened case rated up to IP67 for water and dust resistance and a patented modular rail system. The modular rail system allows users to interconnect modules vertically and horizontally without the need for a chassis, for increased mission flexibility and platform integration. The result is a solution that is more modular, scalable and capable than any other in its class and on the market today.
M3X core modules are now being delivered to customers, with additional servers, radio gateways and cross-domain modules being released later this year. For additional information about the M3X and full range of tactical edge solutions, please visit www.dtechlabs.com. (Source: BUSINESS WIRE)
02 Apr 20. Pentagon announces final 5G prototype proposal. The DoD is looking for 5G prototypes to test at Hill Air Force Base in Utah. The Department of Defense released its fourth and final request for prototype proposals for 5G technology development on April 1, according to a news release from the National Spectrum Consortium. In the request for the next-generation network, the DoD asks for industry input on a three-pronged 5G prototype project at Hill Air Force Base and Utah Test and Training Range, both in Utah. Like previous solicitations, the request is divided into three categories: the 5G network itself, enhancements to the network, and applications for a deployable spectrum-coexistence and -sharing system.
Here are the projects that the DoD wants, as described by the consortium:
- 5G prototype test bed to design, construct and operate a localized, private, full-scale 5G mobile cellular network to evaluate the impact of the 5G network on airborne radio systems.
- 5G prototype enhancements specifically to improve dynamic spectrum-sharing and spectrum coexistence capabilities.
- 5G prototype applications to design, construct and deploy a spectrum coexistence and sharing (SCS) system to identify and demonstrate deployable SCS.
“This effort will demonstrate mid-band spectrum sharing critical to our national 5G plan. Sharing technology can bring spectrum to market while protecting and enhancing future military capabilities,” said Joseph Dyer, the National Spectrum Consortium’s chief strategy officer and a retired vice admiral. “We strongly encourage our members to collaborate and respond to these important RPPs to support innovation and make sure that the United States remains a global technology leader on 5G.”
The release follows a March 12 RPP for development of smart warehouses using 5G technology at the Marine Corps Logistics Base in Albany, Georgia. (Source: Defense News)
31 Mar 20. Small Waves. Space-constrained platforms like armoured vehicles could benefit from the small antenna sizes offered by MMW radios, although several technological hurdles must be overcome before these communications systems enter widespread use with the military.
L3Harris has told Armada International that it is forging ahead with the development of Millimetre Wave communications technology.
MMW Frequencies
Millimetre Wave (MMW) frequencies, so called because of the short distance of their wavelengths, inhabit the radio portion of the electromagnetic spectrum from frequencies of 30 gigahertz/GHz up to 300GHz. Such short wavelengths measure between 9.9mm for 30GHz down to 0.9mm for 300GHz.
MMW frequencies boast several benefits compared to conventional Very High Frequency and Ultra High Frequency (V/UHF: 30 megahertz/MHz to three gigahertz) wavebands traditionally used for tactical communications.
Security
Richard Gallindez, a systems engineer with L3Harris, says that MMW frequencies provide “less congested bands with greater bandwidth allocations than currently available in lower bands.” As such MMW frequencies are far less cluttered that their V/UHF counterparts.
From a tactical communications perspective this provides more frequencies which transmissions can ‘hop’ over improving transmission security.
Antennas
Regarding the physical layer MMW radios can use very small antennas. Antennas are typically one quarter the size of the wavelength they carry, hence an MMW radio using frequencies of 30GHz could have an antenna as small as 2.5mm.
The attractions for space-constrained platforms and troops using MMW radios are obvious. As Mr. Gallindez notes, this results in “more integration opportunities in different platforms.
Trade-offs
Yet MMW has disadvantages. Transmissions can suffer attenuation by which particles in the atmosphere such as water droplets impede range by absorbing some of the transmission’s energy.
Secondly, MMW transmissions have very narrow beam widths requiring antennas to be very closely aligned if one is to receive transmissions from another. With such small-sized antennas one can get the measure of how difficult this becomes in practice.
Nonetheless advances in precise antenna alignment technology, as witnessed in the mobile satellite communications domain; could help in this regard as could active electronically scanned arrays which electronically ‘steer’ transmission to ensure they reach the receiving antenna.
Despite the limited range of MMW transmissions which can be as low as six kilometres (3.7 miles) they could provide a good mechanism to handle high volumes of data across line-of-sight ranges on the battlefield.
Future of MMW
The widescale uptake of MMW frequencies for communications is still someway off. Mr. Gallindez says that this results from the paucity of RF (Radio Frequency) products handling such wavebands. This increases design times and hence costs. This may well change in the future.
MMW frequencies are being mooted for fifth-generation cellular networks and the uptake of MMW technology in the civilian sector could have a direct downstream benefit for the military customer.
For the time being the military will continue its reliance on V/UHF for tactical communications: “Currently many communication requirements can be met without having to resort to MMW frequencies,” says Mr. Gallindez.
“Traditionally as frequency bands have become crowded the military has moved up in frequency,” adding that as congestion increases elsewhere in the radio spectrum, and as demands for data carriage show no signs of abating, both factors could become drivers for the increased uptake of MMW communications in the future. (Source: Armada)
31 Mar 20. The most resilient organizations follow outcome-based cybersecurity. As the cyber landscape changes, new threats arise, old threats evolve, and vulnerabilities are constantly putting companies and agencies at risk. The concept of “cybersecurity” has evolved from total defense, to layered defense, to cyber resiliency, based on risk analysis and a cold calculus of our own risk profiles. One way to approach this is through outcome-based cyber, an emergent practice I have helped shape.
Outcome-based cyber is a more holistic approach to cyber security than compliance-based cyber. Compliance-based cyber is a comforting checklist of determining a risk profile, setting controls, and measuring compliance to controls. That’s become foundational to cyber security programs, but it’s obviously not sufficient. Outcome-based cyber occurs when an organization is actively and continuously assessing their network and systems and reacting proactively and responsively to what is discovered. The U.S. government is now recognizing this in the Department of Defense’s mandate to suppliers to transition to the new Cybersecurity Maturity Model Certification (CMMC).
This evolution doesn’t remove the need for classical cyber security controls. If an organization is not following some of the NIST SP 800-53 compliant standards, including configuration and privilege management, then that organization will not be secure, and won’t meet CMMC guidance.
Outcome-based cyber measures the value and validity of an organization’s cyber defenses and enterprise based on active analysis against the organization’s total risk profile. Because each organization is different, outcome-based cyber is an organization’s independent and strategic decision to implement. Most organizations with security operations centers already determine what they need to measure and what they need to react to, but those measures must evolve continuously.
Risks are discovered through analysis and red teams, a group from outside a network who come in as “friendly” adversarial insiders. They use hacking tools, social engineering, and physical access evaluations to assess targets’ security profiles. Red teams deploy cyber scenarios and hopefully find vulnerabilities before they become issues.
True outcome-based cybersecurity requires organizations to stay dynamic and reactive. The controls put in place on Day X may not apply on Day X+180, and must be re-examined to ensure they’re addressing major new threat vectors. For instance, when data centers started deploying virtualization, threats started attacking hypervisors, and new policies and technologies appeared to defend against these attacks. The same is true with the latest Intel and AMD processor vulnerabilities, wired into the very hardware of the CPUs in our systems.
As researchers discover new vulnerabilities, leadership has to determine the risk these pose to the organization. If a CPU vulnerability can be accessed through a Web page drive-by attack, it’s high priority and has to be patched; if a hypervisor vulnerability can only be executed by people with access to certain enterprise resources, adding monitoring to those resources may be the appropriate response.
The key to outcome-based cyber is the process of risk analysis. For example, what are the odds that a malicious actor can get to one server that houses critical business information? It might be low. Add 500 people with electronic access to that same server and the risk goes up significantly. Organizations must assess the cost of mitigating the risk against the cost and impact of the outcome if not responding to a vulnerability.
Outcome-based cyber is about continuously evaluating an organizations’ status and the risk environment. Last January, the U.S. Cybersecurity and Infrastructure Security Agency sent a notification about Mozilla’s Firefox zero-day vulnerability that included the severity, commonality, and the fact it was already used in the wild by malicious actors. Through threat intelligence and information sharing, companies were able to identify the flaw, understand it as they assessed risk, and install patches.
Vulnerabilities, like that Firefox bug, must be patched, while other issues might be accepted, temporarily, as part of a risk analysis, and still others are addressed through installing compensating controls around them.
Security operations centers are responsible for analyzing new and emerging threats and building more powerful rules. Companies should be taking that information and sharing it both for internal and external partner organization use, including the Department of Defense Cyber Crime Center (DC3) and IT-ISAC. This will lead to increased global cyber resiliency, a topic that the Cyberspace Solarium Commission’s report addresses.
The Department of Defense’s CMMC will be the new standard for doing work with the Pentagon, and it mandates an outcome-based cyber approach. Beyond the basic levels, and entity must be capable of identifying and intercepting advanced per-system threat level cyberattacks, and assessing risks to emergent and anticipated threats. This is one of the purposes of outcome-based cyber. It’s a philosophy, not a toolset – a philosophy that balances risk to the enterprise, the company, and the community. (Source: Fifth Domain)
31 Mar 20. Pentagon seeks to classify future year defense spending plans. The Pentagon has asked Congress to allow it to classify its Future Year Defense Program spending projections, new documents have revealed. The FYDP numbers, which project five years into the future, are considered essential information for the public to see where the Department of Defense expects to invest in the future, and to hold the department accountable when those spending plans change.
Information on the request was published Monday by Steven Aftergood of the Federation of American Scientists. Aftergood wrote that the proposal would “make it even harder for Congress and the public to refocus and reconstruct the defense budget.”
In its request to Congress, the Pentagon wrote that an unclassified FYDP “might inadvertently reveal sensitive information,” despite the fact the numbers have been unclassified since 1989.
“With the ready availability of data mining tools and techniques, and the large volume of data on the Department’s operations and resources already available in the public domain, additional unclassified FYDP data, if it were released, potentially allows adversaries to derive sensitive information by compilation about the Department’s weapons development, force structure, and strategic plans,” the DoD wrote.
It added that there is a commercial concern with the FYDP providing too much information to industry.
“The Department is also concerned about the potential harm to its interactions with commercial interests by release of FYDP information prior to the budget year. Exposing resources allocated to future acquisition plans may encourage bids and other development activities not beneficial to the Government,” the proposal read.
Seamus Daniels, a budget analyst with the Center for Strategic and International Studies, said in a tweet that “DoD’s proposal to eliminate the unclassified FYDP severely limits the public’s ability to track how strategy aligns with budgets and how program plans change over time. Serious step backwards in transparency from the department.”
Earlier this year, the No. 2 uniformed officer in the Pentagon railed against the department’s tendency toward over classification, calling it “unbelievably ridiculous.”
The Pentagon has requested a number of legislative changes this year, in addition to the FYDP classification attempt. (Source: Fifth Domain)
29 Mar 20. How businesses can view the Pentagon’s new cybersecurity standards. What is Cybersecurity Maturity Model Certification?
The Cybersecurity Maturity Model Certification (CMMC) is the latest Department of Defense-mandated security framework for those seeking to provide services to the agency. Once fully rolled out, all DoD-contracting organizations must be compliant with CMMC standards and those who are not may find themselves shut out of DoD business.
The first version of the CMMC requirements was released in late January. The gist of the program is that an organization can get certified at one of five levels from level 1: basic cyber hygiene to level 5: advanced/progressive. Each of the five levels has an increasing number of practices and processes that an organization must implement to be considered in compliance with that level.
What are the different levels of CMMC and the approximate time it will take to achieve each level?
The five levels are: level 1: basic cyber hygiene, level 2: intermediate cyber hygiene, level 3: good cyber hygiene, level 4: proactive, and level 5: advanced/progressive. Each level builds on the level below it, adding processes and practices to make each level successively more secure. Each level has the same 17 practices; level 2 adds 55 practices, level 3 adds 58 practices to that, and so on.
Level 1 is relatively easy to achieve. It requires the initial 17 practices and only has limited documentation requirements. A small organization should be able to implement these practices in a matter of weeks, and an assessment at this level would probably only take two to three weeks. Although currently no independent auditors have been licensed/accredited to provide assessment services within the CMMC framework, guidelines for auditors are in the works.
A level 3 certification is far more complex. It has 130 practices to be implemented and requires organizations to have policies and procedures in place and prepare a resource plan for the 17 CMMC domains and between three and 10 additional plans, such as a system security plan, contingency plan, incident response plan, etc. The amount of effort it will take an organization to achieve level 3 certification depends on whether it is starting from scratch—it has no documentation, little to no IT security—or if it is somewhat mature and already has documented policies and procedures, implemented security requirements, and other framework certifications among other initiatives. Another thing to note is that level 3 includes all 110 NIST 800-171 requirements. If an organization stores, processes, or transmits Controlled Unclassified Information (CUI), it is already mandated to have all NIST 800-171 requirements implemented and all policy and procedures documented, so it already has met 85 percent of the level 3 compliance requirements. If that’s the case, getting to a level 3 readiness might only take a few weeks to a month. However, if an organization is starting from the beginning, it should allot conservatively four to six months. And in reality, it could take upwards of one year to be fully ready.
Levels 4 and 5 are meant for highly mature organizations. One of the deal breakers that will prevent many small organizations from achieving this level of certification is the requirement to have a 24/7 system monitoring, such as a Security Operations Center. This can be cost prohibitive for many small organizations. However, for organizations that already have 24/7 monitoring, they will also likely be fairly mature in their documentation and other aspects, so it may not take them very long to achieve this level.
The difference between a level 4 and level 5 certification is only a single additional process and 15 additional practices, so I would suggest going the distance and achieving a level 5 certification. However, the same can’t be said for the differences in technological requirements between levels 3 and 4; level 4 requirements are much greater than those for level 3.
How do businesses know which level of CMMC compliance they should prepare for?
It depends on whether organizations want to do certain types of business with the government. If your organization processes, stores, or transmits control of unclassified information (CUI), we recommend you prepare for level 3, because you already have to implement 800-171 requirements. CMMC level 3 includes all 110 requirements of 800-171, plus an additional 20 practices.
Unlike level 3, levels 1 and 2 do not include all of 800-171’s requirements. So, businesses that only process federal contract information and don’t expect to deal with CUI could aim for these levels.
At the Holland & Knight CMMC Impact on GovCon Summit conference on January 28, Chief Information Security Officer for Assistant Secretary for Defense Acquisition Katie Arrington alluded to level 2 as serving as a stepping stone for organizations to get to a level 3 certification and stated that she does not expect to see many solicitations that require a level 2 certification.
In light of this, organizations should consider level 2 to be basically a temporary step on their way to achieving level 3, as level 2 doesn’t offer sufficient CUI protections and doesn’t meet the current 800-171 requirements. (Source: Fifth Domain)
————————————————————————-
Spectra Group Plc
Spectra Group (UK) Ltd, internationally renowned award-winning information security and communications specialist with a proven record of accomplishment.
Spectra is a dynamic, agile and security-accredited organisation that offers secure Hosted and Managed Solutions and Cyber Advisory Services with a track record of delivering on time, to spec and on budget.
With over 15 years of experience in delivering solutions for governments around the globe, elite militaries and private enterprises of all sizes, Spectra’s platinum and gold-level partnerships with third-party vendors ensure the supply of best value leading-edge technology.
Spectra was awarded the prestigious Queen’s Award for Enterprise (Innovation) in 2019 for SlingShot.
In November 2017, Spectra Group (UK) Ltd announced its listing as a Top 100 Government SME Supplier by the UK Crown Commercial Services.
Spectra’s CEO, Simon Davies, was awarded 2017 Businessman of the Year by Battlespace magazine.
Founded in 2002, the Company is based in Hereford, UK and holds ISO 9001:2015, ISO 27001:2013 and Cyber Essentials Plus accreditation.
————————————————————————-