The Air Force Cyber Resiliency Office for Weapons Systems (CROWS), established by a provision in a 2016 law charging the Department of Defense to identify and mitigate cybersecurity vulnerabilities of weapon systems, initially focused on legacy systems. However, its director says now it’s also taking aim at new ones.
“We’re actually embedding cyber professionals within the program executive offices … [because] we want to explain to them what cyber is; we wanted them to spread that ‘cyber’ word in new acquisitions,” Joe Bradley, the director of CROWS, told Fifth Domain in a December interview.
As part of that effort, CROWS worked to distill the systems engineering handbook to eight or nine actionable pages to make it easier for officials and contractors to find quick solutions.
“They can go in there and they find language in the statements of work or for the request for proposals or the specs,” Bradley said, adding that this is really important to the industrial base because when the government makes changes from one program to another, they are scrambling to find out why that change was made.
“If we can use standardized language, then we can communicate to our industry partners, ‘hey, this is the same type of resiliency, the same posture we’re looking for as we did in the last acquisition,’” Bradley said.
This was done in conjunction with the commanders of the Life Cycle Management Center, Rapid Capabilities Office, Nuclear Weapons Center and the Space and Missile Center.
Bradley said he wants Will Roper, the service’s chief acquisition executive, to sign the language out, making it official.
“Down the road, I believe that if we do this right, by putting the emphasis on cyber right now today, it’s going to become in the mindset of every engineer — it’s in their toolkit; it just becomes another system engineering requirement,” Bradley added.
This is the reason, Bradley said, they’ve embedded officials within the PEOs to help engineers and commanders better understand the cyber portions of the programs. Though there are only three officials per PEO, Bradley said he hopes eventually there are cyber experts for each program within the PEO’s purview.
The biggest challenge, however, Bradley said, involves baking in cyber versus bolting it on later — a situation that will come down mostly to changing the culture.