Pentagon’s cyber red teams get clearer roles, governance

Reserve Marines with DCO-IDM Company B and the newly created Marine Innovation Unit participated in Cyber Yankee as the "red team," simulating a cyberspace attack against a power utility grid. Lance Cpl. Ashley Corbo/U.S. Marine Corps

A document released by DOD’s chief information officer attempts to “address gaps in existing guidance” when it comes to the activities of the department’s cyber red teams.

A recently issued Department of Defense policy document established a Pentagon cyber assessment program and closed previously identified gaps in the governance of DOD cyber red teams — or DCRTs — that assess and expose vulnerabilities on internal networks.

The DOD instruction, issued by the department’s chief information officer on Jan. 11, addresses “the governance, prioritization, operations, deconfliction and reporting of DCRT activities” and outlines the responsibilities of various agencies and officials in overseeing the work and risk mitigation activities of the cyber red teams.

The new instruction seeks to “address gaps in existing guidance” that were previously identified in a March 2020 audit conducted by the DOD Office of Inspector General and in an assessment of DCRTs’ “capabilities, capacity, demand, and future requirements” mandated by the fiscal year 2020 National Defense Authorization Act. 

The partially redacted OIG audit found, in part, that the Pentagon “did not have an organization responsible for ensuring that DOD components took action to manage vulnerabilities identified by DOD cyber red teams.”

“We determined that the DOD did not establish a unified approach to support and prioritize DOD Cyber Red Team missions,” the OIG said in its report. “Instead, the DOD components implemented component-specific approaches to staff, train and develop tools for DOD cyber red teams and prioritize DOD cyber red team missions.”

Unless otherwise notified, the document said DCRTs must perform three distinctive roles as part of DOD’s defensive cyberspace forces, including conducting “adversarial cyber tests” of acquisitions, assessing “live operational networks” and serving as opposing force aggressors “for exercises emulating and, if possible, replicating a specific key cyber threat actor’s capability and [tactics, techniques and procedures].”