Army to defend small businesses against hackers with NCODE secure cloud enclave pilot

AUSA 2024 — Army undersecretary Gabe Camarillo announced here Tuesday that the service would create a secure online enclave where small businesses can work with sensitive information under the Army’s protection — a potential lifeline for smaller firms struggling to meet Pentagon cybersecurity requirements and defend themselves against high-end threats like China.

Known as NCODE — an acronym for Next-gen Commercial Operations in Defended Enclaves — the program will begin with a two-year, $26 million pilot project in 2025-2027, Camarillo said. Further details, including how small businesses can apply to join the NCODE pilot, will start coming out in “days,” he told a packed conference room.

“This essentially provides … a secure environment for small businesses to participate in, where they can collaborate, share information, and most importantly, do their own work … that would otherwise present a threat vector,” Camarillo said. “What’s great about it is that it’s compliant with CMMC [Cybersecurity Maturity Model Certification], so all of the department’s requirements would be met by operating in this environment.”

What’s more, the undersecretary said, since the enclave will be operated by Army cybersecurity experts but not actually part of the Army network, companies can run their usual software in it, without having to go through the cumbersome Authority To Operate process required to install new programs on DoD computers.

Some context: For at least a decade, the Defense Department has worried about China and other adversaries stealing sensitive or even classified data — most famously, details of the F-35 stealth fighter — from the networks of its numerous contractors. But the Pentagon’s official process for vetting vendors’ digital defenses is ponderous and often painfully expensive.

Contractors’ internal networks must achieve Cybersecurity Maturity Model Certification (CMMC), which was recently revised and strengthened, while government offices that want to buy commercial software must get an official Authority To Operate (ATO) before they can install it on DoD networks. These CMMC and ATO processes are especially burdensome for smaller firms, which might be more likely to come up with precisely the kind of innovations, especially in software, that adversaries are most eager to steal.

“We really do need the innovation support of our industrial base, and a key font of that innovation is all in our small businesses,” Camarillo said. “But…another thing that we hear a lot about, it’s the concerns that small businesses face in dealing with the Department’s requirements.”

The Army estimates “about half” of the 12,000 small firms it does business with are exposed to “medium- or high-risk” cybersecurity threats, he said, and defending against such sophisticated adversaries often requires more talent and technology than most small firms can spare.

“Across the Department of Defense, there’s a number of efforts underway … to provide opportunities for small businesses to meet cybersecurity requirements without having to incur all of the fixed costs,” Camarillo continued. “We’ve called it, notionally, before, ‘cybersecurity as a service,’ but really what it is, it’s a pilot for us to create the environment that these small businesses can operate in without having to pay for the infrastructure themselves.”

“It’s not tied to Army networks,” he said. “It is really … a network enclave that we lend to them while they’re doing the work of the Army and provide security protections for.”