The Defense Information Systems Agency is applying a piecemeal approach to training cyber protection teams stood up by Cyber Command.

"We produce pipeline training for the cyber protection teams that are stood up under U.S. Cyber Command. Part of what they go through are developing the individuals and then the team action is DISA prepared training," DISA Vice Director Maj. Gen. Sarah Zabel explained at a (ISC)2 hosted event in Washington May 11.

One of four teams within Cyber Command, the cyber protection teams are responsible for defending DoD networks. Each service provides a proportional number of CPTs to the joint effort at Cyber Command while retaining their own set to perform service-specific missions.

As part of their training, these CPTs come into a cybersecurity range, Zabel explained, a sandbox separate from operational networks but made to replicate them. The teams train, undergo an assessment, are certified in a particular action and then sent away, said Zabel. In a couple of months, she said, these teams will come back through and do the same cycle again to take another piece of knowledge.

That is what seems to build the expertise over time, she added.

DISA has its own operational component that feeds into Cyber Command for network defense called Joint Force Headquarters-DoDIN.

Initially stood up in 2015, JFHQ-DoDIN exercises command and control of so-called DoDIN operations globally and synchronizes the protection of DoD component capabilities. They are still growing and figuring out their structure.

"What we realized is we need a lot more intelligence support, so we need more intelligence people, so we're figuring out what kind of people we need," Lt. Gen. Alan Lynn, DISA's and JFHQ-DoDIN's commander, said May 3 at the annual C4ISRNET Conference.

Lynn added that the command is still only initially operationally capable and won't hit full operational capability until around December.

He explained that there are a few upcoming training exercises along with larger combatant command exercises JFHQ-DoDIN is looking to participate in to test themselves. These events will play a critical role in achieving FOC status, as FOC has always been conditions based for JFHQ-DoDIN.

While in the fight everyday, Lynn said they want to stress themselves in these exercises to see how much they can take.

From an operational and real world perspective, he offered that if a combatant command has a heightened concern or fight in cyber and they don't have forces to put into the fight, that's where JFHQ-DoDIN comes in. If their resources are taxed, JFHQ-DoDIN will provide more forces to that combatant command if they need it.

Persistent training

Zabel also hit on the need for a persistent training environment. Many cyber officials have stressed the importance of such a capability relating it to a rifle range for infantrymen to practice marksmanship.

The Army is currently in charge of the persistent cyber training environment for DoD. The PTE will provide scenarios event management and access for both individual and collective training, as well as mission capabilities for the cyber mission.

The military writ large has "the ability … to do high-fidelity, highly realistic training where our teams, our tactical forces, can be immersed in a simulated environment that looks real to them," Lt. Gen. Kevin McLaughlin, Cyber Command deputy commander, told the House Armed Services Committee last summer. However, "The issue that we have is we cannot do that at scale … [the] persistent training environment is a focused effort in the Department of Defense to allow us to actually do that type of training routinely – every week, every day – so that the men and women that are on our teams have the ability to [get] the level of training that we're doing down in Suffolk [Virginia] right now. We only do that a few times a year."

The Joint Staff facility located in Suffolk, VA is home to the annual Cyber Guard exercise, a whole-of-government simulation with participation from several additional governmental agencies and private sector organizations that replicates a large-scale cyber incident. The Joint Staff facility also is involved in the Cyber Flag exercise that simulates military-only cyber operations.

The PTE "really is about individual training, collective training and mission rehearsal," said Ron Pontius, deputy to the commanding general of Army Cyber Command. "So being able to provide training for the team members, for a whole team – because when you really talk about a … really large exercise ... we need to be able to do training more often and at a lower level."

Not only do these systems provide the opportunity for cyber warriors to remain current in their skill sets, but, Zabel said, they allow for experimentation.

"What if they just tried something new," she said, "find a new way not to do something."

Adm. Michael Rogers, commander of Cyber Command and director of the NSA, explained in congressional testimony last week that when the cyber mission force reaches full operational capability, slated for the end of September 2018, training, development and sustainment of the cyber mission force will transition to a service structure.

At the initial build of the CMF, Rogers said, the NSA signed up to allow Cyber Command to use much of NSA's infrastructure – national cryptologic school, for example – to do much of the training of the initial build out of the mission force.