Army-Wide Capabilities Protection – Are You In The Know?

By Tim Kuhl, Office of the Assistant Secretary of the Army (Financial Management & Comptroller), with Denise Oberndorf and Kelsey Buchanan, cBEYONDataJune 4, 2024

(Photo Credit: U.S. Army) VIEW ORIGINAL

Imagine learning that your personal information, including your address, job role, compensation, and health records were available online for sale. Your stomach drops as you find out that your DoD email address is circulating in non-military chat groups. To make matters worse, your maternal grandmother’s middle name (the one you use to reset all your passwords) is floating around the dark web. These scenarios aren’t so farfetched and have occurred as recently as 2023. Even with the security classification system and personal identifiable information protections, data leaks are still possible.

The Army’s information environment consists of data, information, processes, and systems that can reveal sensitive intelligence and capabilities. As our financial data sets become increasingly connected and transparent, vulnerabilities can arise where least expected, providing bad actors with access to protected information. Maybe surprisingly, the financial data we work with each day can tell a story of Army strategies that would put the United States in danger if it were to fall into the wrong hands. Data aggregation can reveal patterns that separate data points do not reveal by themselves. Thus, the Army-Wide Capabilities Protection (AWCP) initiative was established to help mitigate data vulnerabilities.

Moreover, financial data protection is not occurring at just the Army level. Balancing audit transparency and data protection in financial statements is a primary function of the Sensitive Activities Working Group (SAWG), which is chaired by the Office of the Under Secretary of Defense – Comptroller, Deputy Chief Financial Officer.

In the past, one data breach into a single data lake exposed limited data. In today’s environment of data convergence, one data breach has the potential to expose exponentially more data. The work of the AWCP initiative is critical to the Army’s business community’s stewardship of government funds. Together, the AWCP initiative and SAWG’s efforts will better protect our data and prevent our adversaries from gaining leverage against the Army’s warfighting capabilities.

What are Army capabilities and how are they used? One could define Army capabilities as the ability to operate on the battlefield and in other contested environments. Capabilities are derived from available resources. These resources include the various assets the Army acquires and uses to achieve its mission -- assets like the Patriot Missile System, Apache helicopters, and highly trained Special Operations soldiers. However, the acquisition of assets alone is not sufficient for mission success. Mission success is also dependent on asset transportation, funding, asset maintenance, training, and strategic coordination across multiple communities and organizations in the Army. These activities are not executed solely by the Army operations and intelligence communities. It is the Army business community, including you, spanning from logistics to finance, that execute and support the success of the capabilities and mission.

How are our capabilities being made vulnerable and why do we need to protect them? A requisition order comes in for a new model helicopter: the order includes the type of helicopter and manufacturer. Someone on the purchasing team approves the contract award to acquire the helicopter and a logistics team member arranges for shipping to a warehouse. The Special Forces team sends a request for a helicopter to logistics: the request includes the unique features the helicopter must include, and where the helicopter should be shipped. Separately these bits of information will not mean much. However, when viewed holistically, you’d understand that the Army has a high-tech helicopter, where helicopter type vehicles are stored, which field operations are using helicopters, and how or when helicopters are being transported. If you understand how the Army organizes its capabilities, from finance to logistics, you may be able to infer the Army’s goals, intentions, and operational or tactical strategies. There is no doubt that this information is incredibly valuable to the Army, internally, as well as to countries and entities who intend to be hostile toward the United States. Therefore, even if a capability is not considered “sensitive” – meaning it is unclassified – it is in the country’s best interest that we protect the related information. Simultaneously, enhanced technologies and analytics are vital to an efficient and effective business community. Efforts to balance data protection with modernization have raised concerns that our unclassified initiatives and use of technology are unintentionally increasing the risk of peer or near-peer threats, thus making it easier to gain insight into the U.S. decision-making cycle.

For example, the Army has been modernizing its audit capabilities by organizing and standardizing data so that it can be shared externally with other organizations. These efforts have increased the accuracy and efficiency of audits, saving dollars, working hours, and headaches. Conversely, it also means that units, persons, and purchases best kept obscured for a variety of reasons are losing their ability to remain protected. Here you can see how modernization and protection mechanisms often do not evolve at the same pace.

While audit provides a good example, capability protection isn’t just an audit issue. The increase in data aggregation across the Army’s entire enterprise and legacy systems improves the Army’s analytic capabilities but also reveals important patterns. There are increasing concerns that the changing technological landscape reveals patterns, bridges classification levels, and leaves sensitive information exposed. [1]

Does this mean all data needs to be classified? As the technological landscape is changing and increasing data vulnerabilities, the most instinctual response may be to classify all data. Yet, that is not the best answer. The new landscape does not require all data to be classified. It does, however, require the Army to continuously update its approach to capabilities protection.

Who is responsible for the protection of Army capabilities? The Army’s internal world is highly complex, making it difficult to identify where capability insights can be obtained and how to control access. To manage such a vast mission, the Army fractures its internal world, spreading actions, plans, and processes across groups. While this makes organizational and managerial sense, it does not reflect the reality of the Army’s information environment. As a result, unauthorized access is increased at fracture points, and there is no single entity responsible for the identification of these fracture points and developing a solution. Everyone must play a role, including us in the business community.

How do we protect these capabilities? Modernization and protection are not competing goals. Both are important for the Army to achieve its mission, which is why the creation and implementation of the AWCP initiative was pivotal. The AWCP initiative is a multi-disciplinary team of people collaborating to support the Army in operating and innovating while safeguarding data. The AWCP initiative evaluates information, processes, data, and systems from multiple perspectives, such as national security, business operations, and access requirements or “need to know.” The goal of the AWCP initiative is to provide data protection while continuing to advance the Army’s technological and analytical capabilities.

The Army’s financial domain has taken a leadership role within the AWCP initiative to identify and mitigate data and information vulnerabilities that could reveal information about Army capabilities. As part of the AWCP initiative, the Office of the Assistant Secretary of the Army for Financial Management and Comptroller (OASA FM&C) is working with financial divisions throughout the Army to support data protection, transparency, and aggregation. OASA FM&C’s proactive approach to identifying risk areas and bringing together the business and intelligence communities to mitigate risk of capability exposure is important in our evolving environment.

How is the finance community supporting the AWCP initiative? OASA FM&C’s Deputy Assistant Secretary of the Army for Financial Operations and Information has established a Sensitive Activities Secure Financials (SASF) division whose focus is addressing these evolving concerns. SASF’s mission is to create a secure, data-centric, and auditable financial domain that is operable within the Army’s dynamic environments and sufficiently resources the Army against all threats. The SASF team is currently upskilling and deploying resources who assess and generate visibility into the potential risks stemming from the Army’s embrace of new technology. SASF is also providing leadership with comprehensive risk mitigation actions and support in the implementation of those actions.

Secure financials means having the ability to identify and address risks of exposure to our capabilities through financial information or processes. There are two major teams that support securing the financials:

1.    Capability Protection, which focuses on creating enterprise financial capabilities within the Army’s current environment and laying the foundation for the future, and

2.    Security Cross-Value Chain, which determines system requirements for future, modernized technologies. They work to ensure that the Army’s new systems incorporate past lessons learned and evolve to address multi-domain warfare.

Both teams work deeply across business, warfighting, and defense intelligence communities to understand needs at the strategic, operational, and tactical levels.

SASF’s newly developed Continuous Transition method and Minimum Viable Information framework have already resulted in tangible benefits for the Army’s finance community.

Continuous Transition is a methodology for moving organizations from unclassified to classified systems, while limiting disruption, on a continuous as needed basis. The creation and implementation of this method has resulted in the first sustainable service to transition organizations seamlessly and quickly from an unclassified system into a protected environment. After 30 training sessions, the results were increased protection of over 100 fund centers, 20 commands, and 700 users.

Likewise, SASF developed the Army’s Minimum Viable Information framework which prevents data spillage when the systems communicate across classification levels in Army systems like Enterprise Business Systems – Convergence, General Fund Enterprise Business System, Project Management Resource Tool, Global Combat Support System – Army, Integrated Personnel and Pay System - Army, ADVANA/Analytics and Reporting Enterprise System, and VANTAGE.

The SASF team has also conducted cross-classification and cross-business system process reengineering to allow for auditable financial processes while protecting valuable operational insights. The team focuses on preventing aggregated data from being used for purposes not authorized by data owners.

These three initiatives are just the beginning of how the SASF team plans to protect Army capabilities while supporting modernization!

Are the AWCP initiative and the SASF team cybersecurity? Many people ask, “Isn’t data and capabilities protection a task for the cybersecurity team?” The answer is, not exclusively. While cybersecurity helps protect our networks, it does not evaluate the aggregation of data and information to identify and mitigate vulnerabilities. Cybersecurity is a key part in preventing security threats at the network entry point. However, beyond the entry point, it is important to assess the classification level of aggregated data, which is where the AWCP initiative and SASF become significant.

Go back to the gut wrenching feeling you had while considering your personal information and work emails being leaked. Now imagine how the Army, and the United States would be affected if strategic insights made it into the wrong hands. The results could be dire, which is why these data protection initiatives are extremely important. The Army-Wide Capabilities Protection initiative and the Sensitive Activities Secure Financials division are leading the charge in preserving our national security, not by merely grasping onto traditional methods, but by adapting to the changing digital landscape. Our personal information, and indeed, the critical capabilities of our Army and United States, are too valuable to leave exposed. While the world of data protection may initially appear complex, the mission is simple – preserve, protect, and perform. So, we encourage you to join the critical work of safeguarding our nation's capabilities and intelligence. This isn't a cinematic spy thriller; it's our real-world mission with real-world consequences. Are you ready to step-up and secure the safety of our warfighters and the nation?


Note: This article was originally published in the Society of Defense Financial Management's Armed Forces Comptroller Journal, and is reprinted with permission of the SDFM.

[1] Michelle Rossevelt, “How Come Data Aggregation Is a Threat to Privacy? - Blog.”, 27 Oct. 2023, Accessed Feb. 7, 2024.