DETROIT ARSENAL, Mich. -- The Detroit Arsenal community passed a critical Command Cyber Readiness Inspection conducted during the week of Sept. 23-27, 2019.
The CCRI is a Department of Defense level inspection conducted by an inspection team from the Defense Information Systems Agency that focuses on network security and traditional security. Traditional security, according to Stephanie Tice, chief information officer for the Tank-automotive and Armaments Command, includes inspection of open storage rooms, checking video teleconference devices to ensure they are properly secured and encrypted and that all security guidelines have been followed.
The team also performs automated scans of the network to ensure there are no open vulnerabilities and otherwise works to determine whether or not a local network is up to DOD standards in terms of security.
"It was an installation, or arsenal-wide, inspection, not just a TACOM inspection," Tice explained. "Because it's a command inspection, the senior commander of the installation is the one who has the responsibility for it, so that's General (Maj. Gen.) Mitchell. So, even though General Mitchell does not have that kind of authority over the PEOs (Program Executive Offices), over GVSC (Ground Vehicle Systems Center), or over the garrison, he still has to take the lead to make sure that the mission partners were aware of the inspection, understood the requirements and worked to comply with all the requirements."
"That was one of the big challenges, making sure that everyone on the arsenal was engaged and aware because the inspection teams went to every area, every building, but TACOM was the lead and had the responsibility for communicating up the chain if there were any problems or failures."
Tice added that coordinating schedules may have been the biggest challenge that her team faced. Most of the Detroit Arsenal leadership, she said, had previous experience with the CCRI.
"We definitely did a good job and everyone -- our G2 (security), our G6 (information systems), and the NEC (Network Enterprise Center) -- partnered together and did very regular inspections of all the rooms and looked at all the security managers across the installation to get the rooms up to standard and keep them that way."
The NEC's involvement in the inspection, said Paul Gayan, NEC director for Detroit Arsenal, was primarily the technical aspect of the cyber security. The NEC's main concern was that computers, servers, switches and associated hardware were all in compliance with DOD guidelines and regulations.
"We had been preparing for this for almost a year," Gayan said. "The inspection teams are very, very thorough in what they look for. They have a huge checklist of standards to be in compliance with."
"We did really well compared to other installations," Gayan continued. "There were some aspects where we were hitting it out of the park. Had it not been for one hiccup in systems security, we were going on a perfect for traditional security. The inspector made a comment saying she has never seen an installation so clean from a security perspective. So, we're really doing a lot of things right. The security people did a really good job.
"Those individuals who aren't involved with security all the time, that's who DOD looks at the most now. It's countering that insider threat. If you have lax security internally, then cyber security can (also) be affected," he said.
"Overall," Tice continued, "we received very high marks from the inspection team on our traditional security which is the piece that TACOM and our mission partners have the biggest part in. Things like our open storage rooms and secure areas, making sure that those are properly secured and documentation is in order, making sure that there are no CACs (common access cards) found. We had one found, but I think that's pretty impressive. Out of all the people here, they found one CAC out of seven thousand people. So, people are really doing a good job. That was the only significant traditional security hit that we took that the general population had control over. Overall, documentation was fairly well secured, and media was stored properly for the most part."
Tice added that the one big take away from the process of preparing for the CCRI was the need to maintain the positive, security-culture changes implemented over the past year.
"The awareness has been raised, and we can keep it raised and do our part with marketing and reminders and that sort of thing, but the workforce needs to stay engaged and aware that it's not just the inspection, it's a way to do things going forward," she said.
"I'm proud of the efforts that everyone put into this thing. It was a community effort and we did really well as a community," Gayan said. "We know how to do better next time."
Gayan added that a similar inspection would occur again in two years.