Air Force program managers all over the country will be able to call in hackers-for-hire to conduct security testing of their computer systems under a recently signed umbrella contract. It’s part of a push across the service to modernize its cumbersome, paper-based process for certifying new IT assets.
The blanket purchase agreement, with a $75 million ceiling, was signed late last month with Chantilly, Va.-based Dark Wolf, a small business providing cybersecurity services. The new contract “will allow … different authorizing officials across the Air Force to leverage a broader stable of penetration testing services,” Lauren Knausberger, U.S. Air Force director of cybersecurity innovation, said during a March 12 Armed Forces Communications & Electronics Association luncheon.
Penetration testing involves paying “white hat” hackers to try to break into a system, and Knausberger said it was much more effective than the kind of “checklist-based compliance” the military services had traditionally carried out to ensure the security of their IT.
“We need them to help keep us honest,” she told Air Force Magazine after her presentation, “because hackers don’t follow the NIST security controls catalogue.”
The services available under the BPA will help Air Force leaders take advantage of the service’s recent efforts to modernize the way it certifies the security of new IT assets. The traditional Authority To Operate (ATO) process requires voluminous documentation of the security controls implemented, before new equipment or software can be installed—and can delay the introduction of new capabilities by weeks or even months.
The process is designed to manage the risk that new IT will provide a way for hackers to break into Air Force systems, but the delay carries its own risks, as Knausberger explained: “We’ve tried to do a much better job of looking at this from the perspective of what happens if the warfighter doesn’t get this capability … What’s the risk there?”
Last year, to help reduce delays, Air Force Deputy CIO Bill Marion authorized a Fast Track ATO procedure, under which new IT can be authorized within a matter of days, once it has been penetration tested and a method has been established for continuously monitoring its security issues going forward.
The new process, explained Knausberger, replaces a “static, compliance-based” ATO that has to be repeated every couple of years, with one that’s “ongoing, automated, and transparent.”
“It’s the difference between, on the one hand, checking all the boxes and collecting all the paperwork; and, on the other hand, putting it in a [specially isolated computer system called a] sandbox, switching it on, and letting the hackers try to break in,” added Winston Beauchamp, the CIO for Air Force Headquarters.
Dark Wolf can help with both pen testing and continuous monitoring, Cyber Practice Lead Bo Slaughter told Air Force Magazine. “When we finish an engagement, we can leave behind various kinds of automated software auditing tools” for continuous monitoring, he said, comparing them to an automatic car wash: “You run your [software] code through it and it comes out clean.”
Penetration testing involves a small team of operatives from the company’s approximately 100-strong staff, who will “try to discover every possible weakness” in new software or equipment, Slaughter said. “What we are looking for is access to a system we shouldn’t be able to get, access to data we shouldn’t have, or some way to impact the mission of the system owner.”
The exact parameters of the testing are worked out with the client in advance, Slaughter explained. “If it’s a system connected to the internet, we might try to break in over the internet. For classified or air-gapped systems, we might go on site, perhaps to replicate some kind of insider threat scenario,” he said.
The company has already been issued two task orders, he said, one for $5 million from the F-35 program office, and another for $7 million. Slaughter said the Air Force had not disclosed the source of that second order.
And the BPA means that smaller program offices or network owners can also order in engagements, Knausberger explained. “We will bundle those smaller requests up into a task order,” she said.