U.S. Cyber Command members work in the Integrated Cyber Center, Joint Operations Center at Fort George G. Meade, Md., April. 2, 2021. (Photo by Josef Cole)

WASHINGTON — Using its new “service-like” acquisition authorities, US Cyber Command announced Wednesday its plans to consolidate at least some of the Army and Air Force’s software factories within the Joint Cyber Warfighting Architecture (JCWA) and create an interservice program executive office overseeing them.

There are currently six program offices within JCWA: Two are in the Army, two are in the Air Force, one is being set up in CYBERCOM, and another is jointly operated by the Army and CYBERCOM.

The six program offices each have their own DevSecOps platforms, which CYBERCOM plans to consolidate to reduce both duplication of effort and cybersecurity vulnerabilities that come with redundant platforms, said Khoi Nguyen, command acquisition executive and director of the cyber acquisition and technology directorate (J9) at CYBERCOM, during a C4ISRNet conference Wednesday. 

In January, Nguyen said that JCWA is made up of “disparate program shops, not really well synchronized together,” per reporting from DefenseScoop, and that within “the next six months, these six components will play around, we’ll be a little bit better, interoperable in these specific areas.”

This move to consolidate the six programs should not only cut down costs of running duplicate systems but also strengthen JCWA’s security, because there would be fewer factories with various systems that create different vulnerabilities for an attacker to exploit. 

“Think of Solar wind. Solar Wind was an attack on [a] software factory. We’ll have a much better ability to defend our supply chain [for] software development,” Nguyen said Wednesday. 

Another redundancy Nguyen said CYBERCOM wants to eliminate is the numerous individual technologies that each program office uses to do its work. Instead, he wants them using the same “technology stack,” from the physical computers all the way to the software. 

“In the effort to reduce redundancy, we’re looking to combine or develop a singular platform that then we would GFE [provide as Government-Furnished Equipment] to all the program shops and say, ‘Hey, this is a common platform, [like a] Kubernetes environment, that we’re going to define, and you will just deliver your applications as containers or as virtual machines onto this common platform,” Nguyen said. 

This common platform should be versatile enough that it can be deployed in different environments, Nguyen added.

“We can deploy within the cloud, we can deploy on an edge processing or we can deploy to our hunt kit, and so on with a common platform. Then the variances will be based on the application set that are delivered on top of that,” he said Wednesday.

In other words, there will be one common platform for everyone to use which will be customizable with different applications and software dependent on the type of mission. 

How Will the Consolidation Process Work? 

CYBERCOM can go forth with this consolidation process because Congress granted it new acquisition authorities to create two software development programs in-house and exercise authority over the existing cyber software development programs in the Army and Air Force. The combatant command is using these new acquisition authorities to rev up JCWA. 

The concept of JCWA emerged in 2019 as a means to enhance understanding and management of the capabilities, platforms and programs being developed by the Department of Defense and its industry partners. Its goal is to establish clearer priorities for both design and implementation.

The six programs within JCWA are: the Air Force’s Unified Platform, the Air Force’s Joint Cyber Command and Control, the Army’s Persistent Cyber Training Environment, the Army’s Joint Common Access Program (JCAP), CyberCom’s sensors, and the Joint Development Environment — where cyber tools are rapidly developed — run by the Army, but the majority of the program office is overseen by CYBERCOM . 

The JCWA PEO, mandated by Congress to be created by 2027, will be comprised of all six program managers from each program office listed above. 

Historically, the services developed cyber technology using their own funds and then handed it over to Cyber Command to use. As CYBERCOM becomes more “service-like” in its legal authorities, however, it has gained control of the funding, the technical standards and the acquisition process. However, the services often still execute the programs on its behalf.

Not all these new authorities are coming from Congress: The Pentagon undersecretariat for Acquisition & Sustainment (A&S), led by Bill LaPlante, has been a “great partner,” Nyugen explained.

“One of the things they did this last year, in ’23, was to give us system engineering and integration authority over all of JCWA,” he said. “So, what that means is we now have the authority to define the interoperability standards between the different components [i.e. Army, Air Force, and Navy Departments] to help better drive better integration and better interoperability between the different systems.”

Nguyen said he hopes CYBERCOM’s authorities continue to grow.

“The next thing that we’re working on as part of this establishment of the PEO-JCWA is to try to get more acquisition authority over those those PM shops [the four Program Managers] that belong to the services…[I’m] talking about approving those programs of records’ acquisition strategies or contracting strategies.”