Tobyhanna Army Depot, the Department of Defense's leading provider in C4ISR systems, is undertaking a new mission: software sustainment.
One of the problems befalling the Army's software sustainment community is maintaining information assurance vulnerability alert (IAVA) compliance. This involves disseminating a message through the force to identify a vulnerability in a piece of software, which in turn directs certain activities to be taken to mitigate the risks the vulnerability might pose.
Compliance with this effort, which also includes strict timelines as it relates to identifying the criticality of the vulnerability risks, was overwhelming software engineers in the Software Engineering Center located at Aberdeen Proving Ground. Skilled engineers were burdened with simple patching functions as opposed to conducting other critical tasks.
Tobyhanna, in partnership with the Software Engineering Center, is now pursuing an organic capability to tackle this IAVA compliance issue associated with software sustainment across the various mission systems. By using an organic workforce on software sustainment — a government workforce as opposed to contractor support — it provides a lot more flexibility, officials at Tobyhanna told C4ISRNET.
"What we're trying to achieve through this flexibility is instead of having a security analyst dedicated to supporting system A and another for system B and the same thing with testers, [we are] pooling resources," said Daniel Soderberg, chief software systemic division and director of production engineering at Tobyhanna. "I might have a pool of testers and one tester can support two, three, four, five systems. Now you can reduce overall support cost for these systems in the future."
Tobyhanna is taking the IAVA messages provided to them from Cyber Command to develop a corrective process, taking action for the current supporter software baseline, packaging it up and sending it back to the Software Engineering Center to disseminate to the larger force.
What this component of Tobyhanna’s new software support undertaking does is twofold: It releases the burden on engineers so they can focus on other aspects of software support. They are also accelerating the effort, which typically was released on a quarterly basis. These vulnerability alerts come out as often as every month to every week, and if it takes a quarter to develop the update. Meanwhile, those assets are vulnerable in the field, which is a big risk. Tobyhanna is shortening that time to one month.
Another big effort Tobyhanna is undertaking involves automated testing of software fixes. They have automated systems capable of conducting tests of software systems in less than an hour, meaning these can be released in the same day to the Software Engineering Center. The center will then replicate that how it sees fit and release it to the field. This capability is huge, officials said, especially in terms of shrinking the time it takes to get these updates to the field.
While from a technical standpoint, patches can be implemented in a matter of hours to fix critical vulnerabilities, the difficulty in disseminating software vulnerability patches in mission systems or other systems used by war fighters is that some systems are not interconnected, some systems are tactical and injecting software patches into a larger system might adversely affect the larger system.
Software patches must somehow be delivered to the system, either through a connected system or a USB drive. For some tactical systems — which might be in extremely austere environments that are hard to get to — delivering a software patch to them is a challenge. Additionally, for larger mission systems, the patch that fixes a small, isolated portion must be tested to ensure it does not break the larger system or connected systems. By virtue of the disparate nature of some of these networked systems, Soderberg said a zero-day vulnerability exploited tomorrow won’t hit all the systems in the force.
These collective efforts at Tobyhanna will also contribute to reducing support costs. "As we get more dependent on software in our systems, the costs are growing exponentially and we have to find ways to do things efficiently to reduce those costs," Soderberg said. "If you just look at the software cost — so you’ve had this growth in software, now there is a growth in software costs that accompany this. The cost to provide that software support is growing at a rate we can’t support." This can be in the way of manpower, software licensing costs or labor costs, among others, he said.
In addition to work being done at the depot in northern Pennsylvania, it's beneficial to provide field software engineers in person at posts stretching from Korea to Germany as well as Iraq, Afghanistan and Kuwait, Tobyhanna’s commander, Col. Gregory Peterson, told C4ISRNET.
"As a part of that, too, we have a worldwide footprint that provides software support to the field stretching all the way from Korea across the Pacific … over into Europe, and we have folks deployed to Iraq, Afghanistan and Kuwait to help provide that support as well," he said. "So that is an area example that the technology is changing with cyber concerns about cyber and patching and making sure software is current and able to not be modified and messed with. That is an opportunity for the depot that we are beginning to provide that support-to-support readiness."
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.