ABERDEEN PROVING GROUND, Md. — The Army is preparing to make software a key readiness metric for units.

In the past, when units reported their level of readiness, the report was mostly hardware-based, with no consideration of software.

“Readiness was like, ‘Hey, do I have my parts and do I have spares and all the hardware stuff?’ But if your software isn’t working, are you ready? Probably not. It wasn’t part of the calculation,” Jennifer Swanson, director of Communications-Electronics Command’s Software Engineering Center, told C4ISRNET in a Nov. 2 interview.

Her center worked with the Army G-3/5/7 to define software readiness metrics, such as operating an approved software version and having installed the most up-to-date software within 30 days of it being posted. As a result, the G-3/5/7 issued an execute order and conducted pilots last year to test its software readiness reporting. It’s now expected that a final order will be issued in Fiscal Year 2022 that will require units to report their software readiness.

“If you’re not updating your software, then you will need to report as non-mission capable,” Swanson said.

Software has proven to have immense strategic and tactical importance as a threat vector. Outdated software can be exploited by adversaries or cause systems to malfunction. Some software patches are so critical that they need to be downloaded immediately.

Swanson provided the example of the SolarWinds compromise, attributed by the U.S. government to the Russian foreign intelligence service.

“We had SolarWinds out there … The beauty of it was for SolarWinds, we had the [software repository] available and we were able to post that stuff up on a Friday night and watch units start pulling it down immediately, which as you said, that wouldn’t have been the case prior to that,” she said.

The Army is planning to update its software repository so it can tell which units downloaded which software patches, and when they did so. The software repository is a portal created in October 2020 that allows units anywhere in the world to download updates — much like commercial cell phones. Previously, the Army would have to mail hard disks to units to get their updates. This meant updates might not arrive in a timely fashion, creating certain vulnerabilities.

While the current version of the software repository allows for some level of oversight to see what units are downloading updates, officials can’t see who is downloading what. Software repository 2.0, expected this spring, will give officials oversight of exactly who downloaded what, and when.

That type of capability would have proved important during SolarWinds.

“For SolarWinds as an example, you’ve got spreadsheets that are being emailed all over the SIPR[Net] side of the house … trying to figure out here’s a list of units and this one got it and this one loaded it,” Swanson said. “What the Repo 2.0 will allow you is you don’t have to do all of that. You will know who got the patch.”

It also allows the Army to have greater insight on units’ readiness when it comes to software.

There could be an issue with a unit that isn’t updating to the latest version. Maybe they have connectivity issues or are just ignoring it, Swanson said. But having that level of fidelity allows the Army to contact those units to see what problems might exist. It allows the Army to be proactive instead of reactive.

The software repository is currently being migrated to the Army cloud from the Defense Information Systems Agency, which hosts it. Swanson said her organization is partnering with the Army chief information officer and its set of DevSecOps tools to build out the updated repository.

Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.
