Category Archives: Government

Killing the CAC

Since 1999 the Common Access Card (CAC) has been the norm for service members. They use this to get onto the base, use military computers, access the chow hall, and do various other activities. The CAC works by inserting the card into a reader and entering the user’s PIN, which is between six and eight digits long. This, in turn, unlocks the private key used for attestation, simultaneously authenticating and identifying the user. Granted, there are a few fail-safes, such as the card locking after three incorrect PIN entries, but at the end of the day, the CAC is on the verge of not meeting DoD or federal standards.

Issues with the CAC

The CAC is an example of basic two-factor authentication, but as the industry works towards multi-factor authentication, the CAC has clearly fallen behind the times. While adding an extra authenticator to the CAC might work for people in day-to-day office settings, it creates a longer authentication process for those in the tactical domain, a process we are, in the end, trying to simplify.

The CAC has been the standard for so long that the industry has now created technology that far surpasses the CAC. The industry is moving from a net-centric to a data-centric approach. This shift is part of the call to “Kill the CAC.” This new approach emphasizes protecting data, rather than just the network that it lives on. With cyber adversaries advancing their technology as well, protecting the network is no longer enough. Zero Trust has become front and center for authentication by always acting as though the network has been hacked. As technology continues to advance, issues with the CAC are becoming more evident:

  • The card can be lost
  • The card can be stolen
  • Not true multi-factor authentication
  • Personal information is at risk of being stored on the card
  • CAC not fulfilling DoD requirements for authentication
  • Is an all-or-nothing authenticator: “yes,” it’s correct, or “no,” it’s not
  • Malware exists that can compromise card-based authentication

How REDCOM Can Solve These Problems

REDCOM’s new disruptive authentication technology, ZKX, offers seamless and frictionless multi-factor authentication designed to embody the foundational principles of zero trust. ZKX is designed atop a foundation of zero-knowledge proofs — longstanding mathematical functions which are used to prove one’s knowledge of secret information without revealing what that secret information is. REDCOM has taken these functions and applied them to the complex issue of multi-factor authentication in zero-trust regimes and has created a ZTA-friendly authentication solution that eliminates the network’s need to trust its users and also the users’ need to inherently trust the host network.

ZKX relies primarily on public data to authenticate users, enabling dynamic and rigid authentication even in environments surveilled by the adversary. Secret authenticating information is stored neither on the user’s endpoint nor a network’s data storage system, making ZKX impervious to endpoint breaches, data theft, or information leaks. ZKX solves the issues of the CAC in the following ways:

  • Protects personal data by not storing personal information
  • No data is at risk if the endpoint device is compromised
  • Interoperable with various network mediums such as satellite, radio frequency (RF), and IP networks
  • Can adapt to policy requirements
  • Deployed following policies already outlined
  • Confidence levels can be enhanced simply by continued challenging of a user’s identity; it is not all or nothing
  • Authenticates user and their device simultaneously
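How repeated challenges raise confidence in a zero-knowledge proof, shown with the textbook Fiat-Shamir identification scheme. This is an added example, not REDCOM's code, and the page does not say which zero-knowledge protocol ZKX uses. The modulus `N` and every name below are constructed for illustration.

```python
import math
import secrets

# Constructed demo modulus: product of two Mersenne primes. Far too small and
# too structured for real use; a deployment needs a modulus whose
# factorisation is unknown to everyone.
N = (2**61 - 1) * (2**89 - 1)


def rand_unit():
    """Random value in [2, N-1] that is invertible mod N."""
    while True:
        r = 2 + secrets.randbelow(N - 2)
        if math.gcd(r, N) == 1:
            return r


def keygen():
    """Return (s, v): s stays with the user, v = s^2 mod N is public."""
    s = rand_unit()
    return s, pow(s, 2, N)


class Prover:
    """Legitimate user: knows the secret square root s of the public v."""

    def __init__(self, s):
        self.s = s

    def commit(self):
        self.r = rand_unit()            # fresh randomness every round
        return pow(self.r, 2, N)        # x = r^2

    def respond(self, e):
        # e = 0 reveals r, e = 1 reveals r*s; neither alone reveals s
        return (self.r * pow(self.s, e, N)) % N


class Impostor:
    """Knows only v. Can prepare an answer for ONE challenge value per round."""

    def __init__(self, v, guess=None):
        self.v = v
        self.fixed = guess              # fixed guess makes the demo repeatable

    def commit(self):
        g = self.fixed if self.fixed is not None else secrets.randbelow(2)
        self.y = rand_unit()
        # Pick x so that y^2 == x * v^g holds for the guessed challenge g
        return (pow(self.y, 2, N) * pow(pow(self.v, g, N), -1, N)) % N

    def respond(self, e):
        return self.y                   # only valid if e equals the guess


def verify_round(v, x, e, y):
    """Verifier's check for one round: y^2 == x * v^e (mod N), x nonzero."""
    return x % N != 0 and pow(y, 2, N) == (x * pow(v, e, N)) % N


def authenticate(claimant, v, rounds, challenges=None):
    """Run up to `rounds` challenges against public value v.

    Returns (rounds_passed, confidence). Someone without s survives each
    round with probability 1/2, so k passed rounds give confidence
    1 - 2^-k. Any failed round drops confidence to 0.
    """
    passed = 0
    for i in range(rounds):
        x = claimant.commit()
        e = challenges[i] if challenges else secrets.randbelow(2)
        y = claimant.respond(e)
        if not verify_round(v, x, e, y):
            return passed, 0.0
        passed += 1
    return passed, 1 - 2.0 ** -passed


if __name__ == "__main__":
    s, v = keygen()
    for k in (1, 8, 20):
        print(k, "rounds, honest user:", authenticate(Prover(s), v, k))
    print("impostor, 20 rounds:", authenticate(Impostor(v), v, 20))
```

The verifier stores and sees only `v`, the commitments and the responses, never `s`, and can ask for more rounds whenever policy calls for higher confidence.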

Air Force Lt. Gen. Robert Skinner said, “We have to have something better. The industry has been, I’ll say, using other authentication mechanisms — other things for leveraging identity management, access control. I want to leverage that. We want to leverage that technology to be able to provide greater options, so it’s not just two-factor authentication, but it’s truly multi-factor — and it’s with the individual, it’s with the device.”

REDCOM’s ZKX is the new technology that can be leveraged to authenticate the user and the device. We are ready to work with the industry to solve current authentication problems and continue to improve the technology. If you would like to talk about ZKX, reach out to sales@redcom.com

Current State of Chat at the Tactical Edge

Communications at the tactical edge are constantly evolving. During OIF, OEF, OIR, and OND, chat grew exponentially as a primary form of communication, proving its place as an essential component of the Command and Control toolkit.

Key Challenges

Chat is a vital form of communication; however, it is not without its challenges. Chat takes time away from the mission to type out the message, and while this might only take a minute, that minute could matter at the tactical edge. Issues with chat include:

  • Not efficient in all environments.
  • The urgency of messages. When a message is urgent or needs an immediate response, there is no current way to flag it so the recipient knows it needs to be handled ASAP.
  • Cognitive overload. Operators must be watching multiple chat rooms at once, creating a high-stress work environment. They should be focused on the job instead of managing software.
  • Slow. Taking the time to stop moving and type out a message is ultimately slower than jumping on a radio net and communicating via voice.

Benefits of Chat

While we all agree chat is not as quick as radio transmissions, it makes up for this by the fact that it frees up radio nets and can get the message out to multiple personnel simultaneously, essentially cutting out the “middle man” of relaying voice messages through the radios. Other vital benefits of chat include:

  • Increase the amount of space on radio networks. Chat reduces the volume of communication over radio networks, keeping them open for more critical and time-sensitive requirements.
  • Improved situational awareness. By relaying information to warfighters at all levels of the mission, everyone is on the same page. There is no need for a support aircraft to transmit a radio message.
  • Improved speed of communications. Users are receiving, sending, and requesting real-time information. Not only is this information transmitted quickly, but it reaches a wider audience than most radio communications.

How REDCOM handles chat at the tactical edge

Tactical chat has been proven in multiple missions, and its usage is projected to increase in future engagements. In chaotic and contested environments, enterprise-level chat programs have demonstrated they are overly complex, inefficient, slow, and hard to use. That’s why REDCOM built the Secure Client from the ground up specifically for the tactical edge.

The REDCOM Secure Client is our universal C2 application that supports voice, video, and chat in a single pane of glass. The software is available for both Windows and Android devices, and REDCOM’s Windows client is the only softphone on the DISA Approved Products List (APL). Other benefits include:

  • Built on open standards
  • Intuitive user interface
  • Discussions are color-coded by the user
  • Integrated push-to-talk (PTT)
  • Modular design – can undock unused or unnecessary features
    • Can hide the phone feature if only using chat
    • Reduces cognitive overload — empowers the end-user to focus on the communication method most beneficial for the current mission or job function

REDCOM is always focused on building solutions that are highly flexible, easy to use, and interoperable. We are currently hard at work on the next generation of our Secure Client and Sigma software that will vastly improve the speed and user experience for tactical chat. For example, the REDCOM Secure Client currently supports the XMPP chat protocol, but we understand the importance of interoperability with other protocols such as IRC. Numerous other enhancements are currently in development, and we’ll be excited to share these with you soon.

REDCOM Sigma 2.2.8 Certified by the DoD Joint Interoperability Test Command

REDCOM, a leading provider of advanced tactical and strategic communications solutions, proudly announces that REDCOM Sigma software version 2.2.8 has been officially certified by DISA and placed on the Department of Defense Information Network Approved Products List (APL).

REDCOM Sigma® 2.2.8 has been carefully evaluated and approved as a Local Session Controller (LSC). Sigma is REDCOM’s flagship military-grade software Command and Control (C2) platform that delivers robust call control, media handling, and encrypted communications. Sigma is based on open SIP standards, which eliminates proprietary endpoints and applications. Sigma can function as a stand-alone Local Session Controller (LSC) or as an adjunct to an existing Enterprise Session Controller (ESC) to deliver advanced voice services such as transcoding and conferencing for red and black networks.

REDCOM Sigma increases the warfighter’s operational flexibility while reducing SWaP requirements and lifecycle costs. The software’s feature list includes VoIP, Video, Chat with Presence, Voice Conferencing, Unified Messaging, and full Multi-Level Precedence and Preemption (MLPP) support.

REDCOM’s APL-listed Sigma software delivers military-grade resiliency designed for deployments to the tactical edge and is already proven in multiple programs with the U.S. Army.

About REDCOM

REDCOM Laboratories, Inc. is a woman-owned small business that specializes in the design and manufacture of advanced tactical and strategic communications solutions with a focus on interoperability, flexibility, and ease of use. REDCOM’s MIL-spec products are optimized for low size, weight, and power (SWaP), making them the ideal communications core for the tactical edge. REDCOM’s customers include all branches of the military, government agencies, emergency responders, integrators, and telecom service providers. For additional information, please visit the REDCOM website at www.redcom.com.

About the DoDIN Approved Products List

The Department of Defense Information Network (DoDIN) Approved Products List (APL) is the single consolidated list of products that affect communication and collaboration across the DoDIN. The DoDIN APL is an acquisition decision support tool for DoD organizations interested in procuring equipment to add to the DISN to support their mission. The DoDIN APL is managed by the Approved Products Certification Office (APCO).

JADC2 at the Tactical Edge

Command. Control. Communications.

Command and Control systems are fundamental to all military operations, delivering the critical information necessary to plan, coordinate, and control forces and operations across the full range of Department of Defense (DoD) missions. In late 2020, the U.S. Department of Defense released a document outlining the strategy to modernize Command, Control, and Communications (C3) systems. In this document, the DoD describes the current architecture as one with “multiple data formats, non-interoperable system interfaces, serial and stove-piped data flows that limit data discovery and analytics, and incompatible data-links requiring complicated relays to communicate between platforms, mission types, and operational domains.” The effort of translating decisions rapidly into action while leveraging capabilities across all domains is an attempt to fix this current architecture. It is referred to as Joint All-Domain Command and Control (JADC2).

JADC2 objectives

In the C3 modernization effort, the concept of Joint All Domain Command and Control (JADC2) has become front and center. JADC2 is the DoD’s proposal to connect sensors from all the military services — Air Force, Army, Marine Corps, Navy, and Space Force — into a single network. The overall benefits of JADC2 are ease of use and interoperability.

According to David L. Norquist, the Deputy Secretary of Defense, “future conflicts could well be decided by information advantage, success going to the side that transforms vast amounts of data from distributed sensors and weapons systems across multiple domains into actionable information for better, faster decision making and precision effects.” While this is true, this level of interoperability runs the risk of increased complexity and friction from multiple vendors involved in the operation.

Effective force employment begins with effective C2

This idealized concept of JADC2 as envisioned by the DoD is highly ambitious and may still be years away from actualization. REDCOM is already meeting many of the JADC2 goals today within the tactical environment. Our product, Sigma, is the chosen C2 platform of the United States Army for this reason.

At the tactical edge, we are seeing a shift towards RF and blended RF/IP networks. REDCOM Sigma XRI can pull that RF traffic directly into the IP network, even when connectivity to the larger IP networks or higher headquarters is not established. REDCOM’s C2 Console app provides a single pane of glass for monitoring, controlling, and patching together multiple radio nets and SIP endpoints. This allows warfighters to rapidly tie into other networks, such as a coalition radio network, to maintain Command and Control at all times. Thus, JADC2 can be accomplished at the most basic level through voice communications without all of the complexity introduced by sensor-to-shooter technology.

Solutions that function in remote, highly contested locations or denied environments — with equipment that is device agnostic and able to switch among several transmission types — are critical to the JADC2 mission. The true power of REDCOM solutions comes from the ability to easily conference together any combination of devices or waveforms simultaneously.

Jump-start the transition to JADC2 today with REDCOM technology

Deploying REDCOM Sigma or REDCOM Sigma XRI today instantly delivers the following benefits that are directly aligned with JADC2 concepts:

Ease of use: REDCOM systems are so intuitive that new users can be trained and up to speed in minutes or hours — not days or weeks.

Interoperability with coalition partners: REDCOM technology bridges the gap between multiple disparate SIP and RF networks.

No rip and replace: REDCOM technology works with the existing deployed base of handsets and endpoints. Inserting REDCOM Sigma or Sigma XRI into existing architectures is seamless while enabling an upgrade path to future technology.

Improved tooth-to-tail ratio: REDCOM greatly reduces the complexity and bulk at the tactical edge and reduces the need for IT experts. This allows the military to further improve its force design by allowing for smaller geographically dispersed teams without extra field service representatives.

Continuity of ops in DIL environments: REDCOM enables command and control across all echelons, even in the denied environment. This enables warfighters to sustain communications at all times, regardless of transport medium.

Built for mobility: REDCOM systems thrive in the shoot, move, communicate environment. Our low SWaP platforms are resilient to hard shutdowns and power up extremely fast. Communications can be fully operational within minutes, enabling warfighters to secure a tactical advantage by maintaining mobility at all times.

Conclusion

JADC2 is a complex future operating concept; however, REDCOM has the ability to address the key goals today at the tactical edge. REDCOM’s current products can provide a clear path to these future operating concepts by placing powerful and easy-to-use C2 solutions in the hands of the warfighter.

Cybersecurity and Radio Interoperability at the Tactical Edge

In today’s technological climate, cybersecurity is becoming more important to mission success by the day. As our near-peer adversaries continue to invest in cyber capabilities for protection as well as aggression, it is critical that we secure our technological assets across all echelons. Such security is equally important to both the strategic decision-maker and tactical warfighter. REDCOM Sigma XRI is designed with these considerations in mind and is rigidly purpose-built for even the most intense cyber operations.

REDCOM Sigma XRI-400

REDCOM Sigma® XRI is a small form factor C2 platform designed for all echelons of the tactical environment. Sigma XRI delivers voice, video, chat, and Radio over IP (RoIP) in a single ruggedized, low-SWaP box.

Sigma XRI is powered by REDCOM’s flagship software, REDCOM Sigma. Because Sigma XRI is a full-featured C2 platform, radio users can communicate directly with users on any SIP endpoint, and can be controlled and patched together on-the-fly via the REDCOM C2 Console app.

Even the most disparate parts of your radio network can be bridged together with the XRI to facilitate encompassing and effective command and control. The XRI also integrates with analog technologies for interoperability between cutting-edge and legacy architectures. With its modular and flexible design, Sigma XRI can drop into any network architecture. Multiple XRI configurations are available to match your deployment scenario such as the XRI-M4K module specifically designed for the Klas Voyager.

The CIA Triad

The CIA Triad is a fundamental concept in the field of modern cybersecurity. As a cornerstone of current cybersecurity practice, adherence to the CIA Triad guides security practitioners to consider the practical safety of the design and use of critical mission resources. Security of your mission is of critical importance, which is why the XRI is built to encompass and execute these defining cybersecurity principles both at home and in the field.

Availability – When your system architectures become staggeringly complex, availability of your critical C2 becomes a game of interoperability. XRI is all about interoperability. In fact, it is what the “I” stands for. There is a reason why this concept is the foundation of the CIA triad; without availability, nothing else matters. The XRI is constructed to reflect this. Its agnosticism to host radios, enhanced and versatile C2 platform driven by REDCOM Sigma software, and ability to thrive in latent or disconnected environments make the XRI a critical tool for communication availability. Similarly, XRI capabilities are available in other domains, most notably the Combined Joint All Domain Command & Control (CJADC2) theatre. With an easy-to-learn and easy-to-use interface, complete with rapid startup and teardown times, the availability of your command, control, and critical communication capabilities to your necessary recipients is fluid, rapid, and assured, even in contested battlefronts.

Confidentiality – No matter the make, model, settings, or configurations of your tactical radios, the XRI can accommodate them and facilitate communication to other radio nets. This extends to the radios’ waveforms and encryption packages, ensuring that communication traffic is shielded from prying eyes, no matter its destination. This reduces the need to communicate “in the clear” between two parties who might be inconsistent on any one of these fronts, let alone multiple. Similarly, with the XRI’s minimized attack surface, it boasts operational security even in the face of sophisticated cyber adversaries. Combined with Sigma software, which is validated in accordance with FIPS 140-2 and certified through JITC, confidential communications passed through the XRI will remain confidential.

Integrity – When emergencies arise, the integrity of your communications is of utmost importance. With XRI, the integrity of your communications stays intact between different radio networks or when radio networks communicate with the rest of the C2 network. This is possible due to the XRI’s ability to retain the use of radio waveforms and encryption, even between two radio systems that utilize different packages. XRI also affords added integrity to the less technical aspects of completing the mission through the use of REDCOM Sigma, which enables powerful and complex operations through an intuitive and easy-to-learn interface. When seconds matter, consulting the manual is not an option. Features like Audio Monitoring provide higher assurance that communication ports are being used legitimately and communicating accurately.

What does this mean for you?

By incorporating the CIA Triad into the fundamental construction of the XRI, a platform for rigid, accessible, and expansive C2 capability becomes available at the tactical edge. Coupled with its simple and easy-to-use interface, the execution of complex operations is performed with a logical GUI and easily learned commands. This ease of use combined with the XRI’s core principle of interoperability allows even the most disparate communication structures to successfully communicate.

As cyber threats increase in frequency and complexity, cybersecurity becomes less of a feature and more of a necessity. To those on the strategic and tactical edges of defending the United States, it is clear that the next significant conflicts will take place on two fronts: kinetic and cyber. Despite these fronts being physically separate, they are one and the same for those actualizing the mission out in the field. REDCOM recognizes these emerging trends in our national defense and is working to produce equipment, solutions, and services which reflect these evolving factors. We understand that success of the mission begins and ends with the warfighter. By incorporating fundamental tenets of cybersecurity into REDCOM Sigma XRI, REDCOM brings enhanced C2, voice, video, and chat to even the most latent and disconnected tactical environments.

As part of our continued dedication to strategic and tactical goals focusing on cybersecurity, REDCOM has developed a cybersecurity business unit, ZKX Solutions.

Establishing Battlefield Superiority with Core Command and Control functions

What is Command and Control?

Command and Control is one of REDCOM’s core tenets. From REDCOM’s perspective, Command and Control (C2) refers to the strategic, operational, and tactical communications systems used to manage the mission and synchronize situational awareness. Our C2 solutions include the core functionality — voice, video, and chat — required in all environments, from the network operations center out to the tactical edge. These C2 solutions enable warfighters to sustain communications across the echelons, including in denied environments.

Command and Control: the foundation

Command and Control is the foundation upon which expanded C4ISR and C5ISR functions are built. C4ISR adds Computers, Communications, Intelligence, Surveillance, and Reconnaissance, while C5ISR adds extremely important Cyber considerations into the equation. Together, C5ISR capabilities “enable information dominance and decisive lethality for the networked Soldier”, according to the United States Army. Read more about C5ISR on our blog.

Before commanders add additional technology, features, and functions into the mix, it’s essential that they first have a strong C2 platform as a baseline. This is where REDCOM excels.

Command and Control solutions from REDCOM

Unit leaders need access to a command and control suite that provides consistent access to mission-critical information in order to maintain continuity of operations, maneuverability, and superiority within the battlespace.

REDCOM’s C2 solutions enable warfighters and commanders to sustain communications, regardless of endpoint, environment, or technology used.

REDCOM Sigma

At the heart of REDCOM’s C2 product family is REDCOM Sigma, a lightweight but powerful command and control software platform.

REDCOM Sigma was selected by the United States Army Program Executive Office Command, Control, Communications-Tactical and is being deployed to multiple programs within the U.S. Army at the battalion level and below.

Sigma benefits:

  • Improves operational flexibility – Low-SWaP software can be deployed on any Intel-based appliance
  • Endpoint agnostic – enables just about any endpoint to talk to each other (IP, RF, TSM, analog).
  • Interoperable – works with existing equipment; no need to rip and replace.
  • Incredibly easy to use – Sigma’s intuitive UI reduces training and ramp-up time.

REDCOM Sigma XRI

Sigma XRI expands on Sigma by combining our C2 software with a ruggedized, low-SWaP, purpose-built C2 hardware platform. Sigma XRI empowers warfighters with the capability to talk across the spectrum to disparate communications devices, while also reducing manpower, lowering end item cost, and conserving training resources. REDCOM Sigma XRI is now available in multiple platforms: the stand-alone XRI-400 and the XRI-M4K module for the Klas Voyager. 

Sigma XRI benefits:

  • Fast deployment time – the entire solution can be set up and operational within minutes.
  • Built for contested environments – enables warfighters to maintain situational awareness for troop and equipment maneuverability.
  • Solves Joint/Coalition interoperability challenges – bridges the gap between disparate IP devices and radio nets on different frequencies.
  • Radio over IP (RoIP) – integrates multiple disparate radio networks into a SIP-based C2 network

REDCOM Sigma C2 Console

REDCOM Sigma C2 Console is an app within our Command and Control software solution, Sigma. The C2 Console provides operators with a single pane of glass to monitor and control all communications within the tactical C2 network, including SIP endpoint, radio endpoints, and TSM talk groups. The REDCOM C2 Console is browser-based and runs on any PC, laptop, or tablet.  

C2 Console benefits: 

  • Unified interface for controlling all comms on the C2 network
  • Instantly patch together disparate endpoints 
  • Operators can communicate (listen/talk) to any connection
  • Optimized UX built for warfighters at the tactical edge 
  • Drastically reduces cost, infrastructure, & complexity 

What is CMOSS?

The U.S. Army defined a suite of open architecture standards to reduce C5ISR (command, control, computers, communications, cyber-defense, intelligence, surveillance, and reconnaissance) demands. These standards will address SWaP (System Size, Weight, and Power) requirements and provide commonality across multiple platforms by sharing hardware and software components. This architecture defines CMOSS (C5ISR Modular Open Suite of Standards), driving a change in how hardware and software interact.

Existing networks and systems work through multiple types of hardware and software running on different systems, which are often unable to communicate with one another. If one component or subcomponent fails, it would need to be replaced manually to continue communication. CMOSS will allow for all resources to be shared and swapped, usually in real-time. This would lead to a consolidation of hardware such as radio boards, GPS, control boards, and computer boards into one box. CMOSS will continue to push industry innovation with a standards-based approach, instead of relying on proprietary standards.

Key Benefits and Advantages of CMOSS

CMOSS has the potential to revolutionize communications at the tactical edge:

  • Initial implementation costs will prove to be more cost-effective as upgrade capabilities reduce the need for manual repair and replacement of failed or obsolete components.
  • It will be easier to keep pace with commercially available solutions, reducing integration challenges and costs. With the open architecture structure, multiple vendors can create boards for the CMOSS platform.
  • CMOSS dramatically reduces data stovepipes, making the sharing of hardware between systems simpler where appropriate. This enables optimized integration and utilization of all the communications, collection, and management information available across any platform.

REDCOM's path forward with CMOSS

While CMOSS has many benefits and advantages, there are still gaps that can be filled:

  • Low SWaP. The current systems in place are high in SWaP, and REDCOM Sigma will not only allow for voice and chat management, which current systems do not have, but it will reduce hardware and software footprint. REDCOM will provide a bridge between new CMOSS components and existing legacy components, obviating the need to integrate CMOSS gracefully into the data and communications architecture.
  • Conferencing and patching capabilities. REDCOM provides important voice, chat, and video conference management software — services that are not on the near-term roadmap for CMOSS. Our conferencing engine is endpoint agnostic, which means any endpoint can be connected together, from SIP desk phones and smartphones to radios and satcom devices.
  • Ease of Use. REDCOM Sigma has a simplified user interface. Systems that are easy to learn will reduce time spent in training and reduce the need for direct involvement of vendors on the battlefield. Recently REDCOM visited Camp Lejeune and trained Marines in less than two days, a massive reduction of training commitment that allowed warfighters to attend to their primary objectives with minimal investment in training time. Not only was training quick, but the interface was so easy to use and understand that the Marines felt confident enough to train others.
  • Simultaneous Chat. Our Chat Manager allows management of multiple chat sessions simultaneously in an environment where multiple users need to touch base frequently and urgently. Simplified management translates into increased speed and safety.
  • Transcoding. REDCOM Sigma features the built-in ability to handle radio to VoIP transcoding. Sigma will be able to transcode between common radio codecs such as MELPe and GSM-AMR and VoIP CODECs such as G.729 and G.711. This reduces the need for having DSP resources or additional CPU boards for handling transcoding.
  • Authentication Service. REDCOM has been studying the principles of Zero Trust Architecture. REDCOM is looking to help produce a zero-trust network that is operationally secure at the enterprise level while prioritizing a zero-trust architecture in forward-deployed environments, bringing security to even the most fringe areas of the DoD’s operations.

What is the Zero-Trust Architecture? What does it mean for the military?

In this series of blog posts, we will discuss our observations on the DISA Reference ZTA and posit different strategies for effectively mitigating the technical, organizational, and strategic risks associated with them. Likewise, we will also be tapping the expertise of REDCOM team members with a DoD background to hear their thoughts on how the benefits of zero-trust can be actualized at all echelons.

What is Zero-Trust Architecture (ZTA)?

The Zero-Trust Architecture (ZTA) is not in itself a specific technology. Instead, it is a cutting-edge operational philosophy that security architects utilize to preserve the networks of today. Traditionally, the security of the network has been focused mainly on its perimeter. If access to the network is heavily guarded, less scrutiny is given to accessing the network’s resources.

Current Gaps in Network Security

Recent cybersecurity incidents (especially major ones such as the Snowden data leaks and the more recent SolarWinds supply chain attack) have shown current systems are not working. Executives, security practitioners, and customers alike see that a perimeter-focused approach to network security is not stable or effective for today’s networks and certainly not for the networks of tomorrow. The modern network includes vastly more endpoints, technologies, applications, geolocations, and communication protocols than those of yesterday. It is challenging to define a logical perimeter when considering the monolithic size and capability of the modern (and future) network.

Furthermore, considering the numerous different endpoints, BYOD policies, and the potential use of cloud-based third-party tools and services, defining such a perimeter may be a near impossibility for your network and its assets. Cyber adversaries have used this emerging trend to their advantage, and zero-trust is cybersecurity’s response to this.

Primary goals of Zero-Trust

Zero-Trust is, in its essence, a “never trust, always verify, and assume breach” thought process for modern cybersecurity. To be clear, removing the concept of “trust” is the primary goal of zero-trust. As an example, users do not connect to the network as untrusted and authenticate themselves to a trusted state to utilize resources. In ZTAs, the concept of trust does not exist, so users are required to constantly prove their identities to the network’s governance structure to conduct their daily business.

The National Institute of Standards and Technology (NIST) has formalized the theories of the ZTA, its fundamental tenets and assumptions, and its overall mission. Similarly, some preliminary guidance has been drafted (also by NIST) for government organizations seeking to implement zero-trust principles into their existing networks. Still, many questions about the practical ZTA remain, especially for government and military entities. This has slowed organizations’ willingness and ability to adapt or re-architect their networks to match this zero-trust model of cybersecurity. However, various pilot programs and pieces of practical guidance have emerged to help different organizations construct zero-trust architectures, most recently (and perhaps notably) DISA’s Reference Zero Trust Architecture explicitly tailored for the DoD.

Government and Military vs. Commercial Industry

Zero-Trust in the government and military space is a unique problem set versus the issues faced by the rest of the commercial industry. Similar to trends with other technical developments like 5G infrastructure, the methods, technologies, and strategies for actualizing effective zero-trust networking will be starkly different between industry and the government and military. Similarly, there are unique implications for designing and enforcing organizational policies in a zero-trust regime regarding the homogeneous zero-trust information enterprise.

REDCOM, ZTA, and the DoD

Like the rest of the contracting and subcontracting market, REDCOM has been eagerly studying the foundational principles of zero-trust. REDCOM is looking to help produce a zero-trust network that is operationally secure at the enterprise level and that includes some considerations for how zero-trust principles can be actualized in forward-deployed environments, bringing security to even the most fringe areas of the DoD’s operations. REDCOM has been engaged in conversations with the DoD and the larger federal government to assist in bringing the security of the zero-trust model to all levels of the military without the need for overloaded architectures, infeasible computational requirements, or sacrifices of operational security.

Operational Freedom for Digital Identity

After reviewing the DoD Reference ZTA put forward by DISA, we identified many notable trends and significant findings — some promising and others daunting. First is the open-standards approach to the construction of the ZTA. From almost every standpoint, the architecture relies on open standards, policies, and technologies as frequently as possible. This is critically important for actualizing enterprise-wide, interoperable zero-trust frameworks, especially regarding policy. As there are doctrinal sources of government and military policy, simply adhering to those guidelines is not enough to ensure an organization’s security and ability to interoperate with other separate (albeit similar) organizations. For example, documents such as NIST SP 800-63 provide a great deal of operational freedom in how different organizations could structure their overall digital identity and authentication solutions — down to the specific technology an organization employs. While other organizations could use different solutions certified under a given level of SP 800-63, technical interoperability between the two solutions remains an independent consideration if the two entities were ever to collaborate on a specific mission. Reliance upon open standards, technologies, and policies is an excellent approach to ensuring this, but it is not the complete picture. Phenomena such as “vendor lock-in” still have the potential to wreak havoc on large, complex, multi-faceted systems like the ZTA.

Minimizing technological footprint

The next consideration which arises from the DISA reference architecture is that of computational overhead or technological footprint. While the fundamental mechanics of zero-trust require a magnitude of computational architecture and platforms, it is still critically important to minimize unneeded or ancillary architecture and focus on critical assets. This is especially necessary for environments where cloud access is unavailable and employable compute architecture is severely limited. Although limited in their cyber capabilities, these environments are often overlooked in strategic conversations about bringing zero-trust to the different military settings. As the cyber domain will serve as a new battlefront in the next great conflict, failing to address this oversight appropriately would be a critical misstep. Indeed, many believe that this “next great conflict” has already begun.

Conclusion: Why implement ZTA?

The last central theme, and perhaps most obvious, is the desired adherence to the fundamental principles of zero-trust. The cybersecurity benefits of zero-trust emerge from how its basic principles are defined and implemented. However, to receive these benefits at all echelons, utmost importance must be placed on minimal cyber footprints and interoperability between technologies and policies. Overcoming this challenge while retaining the integrity of the original vision of zero-trust is no small feat and must not be considered lightly.

While the primary benefits of zero-trust will significantly boost the security posture of any organization, the lifecycle of its different components and experiences of its various users must remain highly efficient. This must be done for the zero-trust model of networking to see ubiquitous long-term use and evolution. Especially in environments where personnel can only carry a limited volume of equipment, actualizing the maximum amount of zero-trust benefits with the least amount of different technological (hardware and software) components is critical for long-term and successful ZTA adoption.

REDCOM is already working on a multi-factor authentication system for the strategic, operational, and tactical levels of the U.S. government and military. Our solution, called ZKX, will leverage the Zero Trust Architecture to overcome the fundamental flaws in traditional authentication systems in use today. ZKX leverages open standards, is resistant to popular attack vectors, and is adaptive to local policies. To learn more about REDCOM’s Zero Trust research and development efforts, email sales@redcom.com.


Mitigating Supply Chain Risks

The State of the Defense Industrial Base 

For decades, outsourcing manufacturing to foreign nations has been the new normal across all industries. But now the United States is coming face-to-face with the consequences of handing control of technology and the supply chain to foreign entities. Our entire Defense Industrial Base (DIB) and our nation’s critical infrastructure are at risk from several significant factors including sole-source suppliers, material obsolescence, diminishing manufacturing sources, the erosion of U.S.-based infrastructure, and foreign dependency.

An NDIA Vital Signs report from early 2020 underscores the state of the U.S. Defense Industrial Base with a worryingly mediocre “C” grade. The report singles out three highly intertwined areas of concern: cybersecurity, production inputs, and the supply chain. U.S. manufacturing has declined significantly since its peak in 1979, down 7.1 million manufacturing jobs by 2017. Offshoring our manufacturing to countries such as China may have saved money in the short term, but it has greatly crippled our country’s flexibility and security today. A 2018 Presidential Task Force report identified a significant supply chain risk associated with foreign provision, including counterfeits, lack of traceability, and insufficient quality controls throughout the supply tiers. In fact, the document linked above states that the “imports of electronics lack the level of scrutiny placed on U.S. manufacturers, driving lower yields and higher rates of failures in downstream production, and raising the risk of ‘Trojan’ chips and viruses infiltrating U.S. defense systems.”

The supply chain risks of foreign outsourcing are not limited to just hardware. Outsourcing software development to third parties in foreign nations is all too common. Developers from India, Romania, Brazil, or the Philippines command salaries up to five times lower than software engineers based in North America, making it irresistible for many companies to tap into this cheap global talent pool. But outsourcing software development to coders from foreign nations may lead to serious national security risks due to lax or undocumented security policies, quality control issues, intellectual property theft, and cyber vulnerabilities, just to name a few.

Indeed, vulnerabilities within software platforms used by government contractors present a growing source of supply chain risk. One of the most significant software breaches — the SolarWinds hack — happened recently when suspected Russian hackers infiltrated federal agencies through a contractor’s software. Cybersecurity experts are calling this breach inevitable: the company had poor cybersecurity hygiene, and had outsourced its software development to Eastern Europe. As the DoD relies more on third-party suppliers for IT needs, these types of supply chain attacks are likely to become more common.

Taking action to secure supply chain risks

The United States still has the greatest military and defense equipment in the world, but if we don’t address the issues with our supply chain, we are going to get beaten by near-peer adversaries. Over the past few years, the supply chain has suddenly come under increased scrutiny, as it matters not just who is building the solution, but where it gets engineered, sourced, built, and supported.

The DoD is already taking action through the new Cybersecurity Maturity Model Certification (CMMC) standards, designed to enhance the cybersecurity posture of the Defense Industrial Base as well as other critical market verticals. CMMC will provide increased assurance to the DoD that a company can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain. One of the most significant changes for DoD contractors under the CMMC is the need to undergo external security audits, which will help filter out nefarious entities and shell companies. Already the DHS and GSA are imposing CMMC standards on their own supply chains, and government contractors will be following suit quickly.

How REDCOM mitigates supply chain risks

REDCOM is one of the few tech companies that always resisted the impulse to outsource. While competitors rushed to offshore as many jobs as possible, REDCOM realized that the risks to security and quality far outweighed any potential cost savings.

Because the products we build at REDCOM are at the heart of mission-critical communications networks in the defense sector, we take the development of hardware and software very seriously. In fact, we are so concerned with security and supply chain management that we own and operate a manufacturing facility at our main campus in Victor, NY. REDCOM designs, engineers, and manufactures all of our products right here in the United States, and we work only with vetted and trusted suppliers to ensure that we source the best and most reliable components for every product. REDCOM has proactively addressed every step of the supply chain to reduce risk, making our products TAA compliant.

From a software perspective, all our engineers are U.S. persons working out of our headquarters. The same internal development team that handles new development is also responsible for patches and support. We do not outsource software engineering to developers from foreign nations. REDCOM does leverage open-source software where it makes sense, but we only select software that we have vetted and that has been proven and thoroughly tested by the industry. In fact, large open-source software packages (e.g., Apache, OpenSSL, and FreeBSD) have established review and vetting processes that tightly control the content of their releases.

REDCOM is always working to improve our security posture. Here are just some of the things we are focusing on:

  • We are constantly evolving our cybersecurity policy and honing our cyber incident response procedures.
  • We use NIST 800-171 as our foundation and will be targeting CMMC certification as that becomes available to us in the DoD’s phased approach.
  • Wherever possible we have moved away from commercial cloud platforms in favor of FedRAMP-approved GovCloud platforms.
  • Our manufacturing business unit REDCOM EMS is focused on meeting and exceeding the most rigorous industry standards, with a quality management system certified to ISO 9001:2015, AS9100D:2016 (aviation, space, & defense), and ISO 13485 (medical devices).

The REDCOM Advantage

REDCOM’s stance on supply chain security and cybersecurity gives us several distinct advantages for our customers, including:

  • Shorter turns on development – with all software and hardware engineering efforts under one roof, we can adapt quickly to customer requirements without compromising security.
  • U.S.-based manufacturing – Our manufacturing lines are located in upstate NY, within our wholly-owned secure facility.
  • U.S.-based support – All support calls are answered and resolved by our in-house technical staff in upstate NY.
  • Focused roadmap — Our focused roadmap drives specialized solutions for our targeted customer segments in the commercial, strategic, and tactical marketplaces. The way we have structured our business allows us to pivot quickly to emerging trends in the marketplace and keep up with DoD directives.
  • Established certification cadence — Our predictable certification cadence ensures our products comply with the latest guidance from certifying organizations such as FIPS, JITC, and the NSA. This ensures our products are constantly being validated for interoperability and cybersecurity.