Showing results for 
Search instead for 
Did you mean: 
Create Post

Assessing the Navy’s New Cybersecurity Program

Level 13

Omar Rafik, SolarWinds Senior Manager, Federal Sales Engineering

Here’s an interesting article from my colleague Jim Hansen about the Navy’s new cybersecurity program. There’s no doubt our troops rely on technology and cyberthreats are increasing.

The Navy’s new Combat to Connect in 24 Hours (C2C24) is an ambitious program with the potential to change naval warfare as we know it.

The program is designed to improve operational efficiency by automating the Navy’s risk management framework (RMF) efforts; providing sailors with near real-time access to critical data; and accelerating the Navy’s ability to deploy new applications in 24 hours rather than the typical 18 months.

C2C24 is using open-source technologies and a unique cloud infrastructure to reduce the network attack surface and vulnerabilities. The Navy is standardizing its network infrastructure and data on open-source code and using a combination of shore-based commercial cloud and on-ship “micro cloud” for information access and sharing.

But malicious nation states are continually seeking ways to compromise defense systems—and they tend to be able to react and adjust quickly. As Navy Rear Adm. Danelle Barrett said, “Our adversaries don’t operate on our POM (program objective memorandum) cycle.”

With its ship-to-shore infrastructure, C2C24 could provide an enticing target. To complete its C2C24 mission, the Navy should pay special attention to the final two phases of the RMF: information system authorization and security controls monitoring.

Knowing Who, When, and Where

With C2C24, roughly 80 percent of mission-critical data will be stored on the ship. This will allow personnel to make operational decisions in real time without having to go back to the shore-based cloud to get the information they need at a moment’s notice.

But what if someone were to compromise the onshore cloud environment? Could they then also gain access to the ship’s micro cloud and, by extension, the ship itself?

It’s important for personnel to be notified immediately of a possible problem and be able to pinpoint the source of the issue so it can be quickly remediated. They need to see precisely what’s happening on the network, whether the activity is happening onshore, onboard the ship, or over the Consolidated Afloat Networks and Enterprise Services (CANES) system, which the Navy intends to use to deliver C2C24.

They also need to be able to control and detect who’s accessing the network. This can be achieved through controls like single sign-on and access rights management. Security and event management strategies can be used to track suspicious activity and trace it back to internet protocol addresses, devices, and more.

In short, it’s not just about getting tools and information quickly, but about thinking of the entire RMF lifecycle, from end to end. In the beginning, it’s about understanding the type of information being processed, where it’s stored, and how it’s transmitted. In the end, it’s about controlling access to information and monitoring it.

This is particularly important on a shipboard environment where information means different things to different people. A person managing course corrections will need access to a particular data set, while someone managing weapons targeting may need different data altogether.

Controlling and monitoring the information flow is paramount to making sure data stays in the right hands. Further, ensuring the data is the expected data and not misinformation injected into the system by bad actors who have compromised the infrastructure is equally important.

Malicious attackers aren’t the only threat.

Security is not the only concern. One of the core goals of C2C24 is to make the Navy’s operations run more efficiently. Information and applications are to be obtained more quickly so warfighters have what they need in a more expedited manner.

But different incidents can undermine this effort. A commercial cloud failure or lost satellite connectivity could play havoc with a ship’s ability to receive and send information to and from shore. These issues can compromise commanders’ abilities to make decisions that can affect current and future operations.

Thus, it’s just as important to keep tabs on network performance as it is to check for potentially malicious activity. Commanders must be alerted to network slowdowns or failures immediately. Meanwhile, personnel must have visibility into the source of these issues so they can be quickly rectified and the network can be restored to an operational state.

Fortunately, the fact the Navy is basing C2C24 on a standardized infrastructure open source tool makes this easier. It’s simpler to monitor a single set of standardized network ports, for example, than it is to monitor non-standardized ports and access points. And an open source infrastructure lays the groundwork for any number of monitoring solutions to provide better visibility and network security.

This standardization makes C2C24 a visionary program with the potential to redefine the Navy’s ability to adapt quickly to any situation and significantly improve its security posture. Warfighters will have the right information and applications much faster than before, and data security will be greatly improved—particularly if a government network monitoring solution is made an instrumental part of the effort.

Find the full article on SIGNAL.

The SolarWinds trademarks, service marks, and logos are the exclusive property of SolarWinds Worldwide, LLC or its affiliates. All other trademarks are the property of their respective owners.

Level 12

An important consideration for military and intelligence is moles. I wonder how they are monitoring users, who is watching the watchers, to make sure nothing malicious is exploited internally.


Thanks for the article.

Level 16

Thanks for the post


the potential joys are in the opensource makes it easier to potentially find an exploit or even introduce one into the compiled product which from the article seems to indicate indicate it could be on a regular basis or something cobbled together in short order to meet a "need".  The opportunities for poor programming, testing, validation, standards and adherence to policy to be overlooked will abound. 

Level 14

Thanks for the article.

Level 14

Good read.  Pointing my tech leads towards this article.

Level 20

We're neck deep in RMF and I work with the Navy... it's been busy to say the least.  RMF has totally changed warfare.

Level 13

Just use dolphins


bring back the Navajo Code Talkers....

Level 13

Thanks for the article

Level 12

thanks for the article