The CCRI is not only about security – it’s about attitude

By Scott WakefieldOctober 5, 2021

A local Detroit shred company employee assists during the Detroit Arsenal, Michigan mass shred event in preparation for their upcoming Command Cybersecurity Readiness Inspection.  (Courtesy Photo)
A local Detroit shred company employee assists during the Detroit Arsenal, Michigan mass shred event in preparation for their upcoming Command Cybersecurity Readiness Inspection. (Courtesy Photo) (Photo Credit: U.S. Army) VIEW ORIGINAL

DETROIT ARSENAL, Mich. — Command inspections are a way for an organization to see how their day-to-day operations align with a specific set of standards and objectives.

A Command Cyber Readiness Inspection, or CCRI, is a Department of Defense led formal inspection to increase accountability and the security posture of DoD Information Networks according to DoD standards, specifically in the areas of Command, Mission, Threat, and Vulnerability.

According to Darren Lisow, U.S. Army Tank-automotive and Armaments Command’s Chief Information Security Officer, this inspection will review the overall security posture of the Detroit Arsenal and all tenant activities including Headquarters TACOM. This graded inspection aims to improve cyber operational readiness across DoD’s cyberspace.

“We want to make sure everyone at the Detroit Arsenal is operating within DoD standards,” Lisow said. “This CCRI focuses in on the mission side where people are generally the weakest link and evaluate their conduct, capability and culture toward day-to-day operational and data driven cybersecurity.”

Attitude and posture toward security are the biggest areas where the workforce can contribute to a better rating for the command, according to Michelle McCarthy, TACOM G-2’s Security Manager and Operations Security Officer.

“At the end of the day, we can look good on the simple stuff,” said McCarthy. “However, what the inspectors are looking for is the overall attitude and culture toward security. By asking questions, reviewing procedures and ensuring people are adhering to those procedures, the inspectors gage how serious our people are about their day-to-day control of government information they are responsible to protect.”

McCarthy continued and said that DoD is serious about getting control over things like Controlled Unclassified Information, which is now an official data classification and must be shredded just like any other classified material when you dispose of it.

“Adversaries are now gaining access and control of our CUI, so we can’t just continue to leave it out unprotected,” said McCarthy. “The insider threat is where the DoD’s focus is and it’s easier for our adversaries to gain access to CUI when it’s easily accessible to them.”

Detroit Arsenal underwent their last CCRI in 2019. Although the compliance rating was sufficient to keep the networks up and running, there was still room for improvement.

“Traditional security, basically physical and cyber security on how our people do things is where we are looking at our workforce for improvement,” said Lisow. “These are things like leaving your Common Access Card in your computer and walking away or leaving Controlled Unclassified Information and Personally Identifiable Information on your desk unattended and not secured or without a cover sheet.”

Sometimes individuals don’t think these common mistakes present a threat, but they offer opportunities for insider threats to take advantage.

“It has the potential to allow an insider threat to gain elevated access to a system or network,” Lisow said.

Typically, if a unit scores below 70% on an inspection, their network connection goes before Army Cyber Command’s Quarantine Review Board and a decision will be made to shut down the network until minimum standards are met. Depending on how well an organization does, future inspections can take place anywhere from one to three years. A unit can also undergo a no-notice inspection so they should always strive to follow the standards.

Over the past several months, Lisow and McCarthy, in coordination with the local Network Enterprise Center, senior leadership, and other tenant activities have been posting tips, sending out reminder emails, and conducting inspections on ways to help improve the security culture and posture throughout the command.

Detroit Arsenal will undergo its next CCRI Oct. 18-22. If you have any questions concerning the CCRI or any Cyber Security related questions, please email the TACOM G-6 at