The 30 Year Journey of the U.S. Army’s C5ISR (Command, Control, Communication, Computers, Cyber, Intelligence, Surveillance and Reconnaissance) Center CSSP
Since 1996, the C5ISR Center CSSP has cemented its position as one of the top Federal CSSPs protecting and defending a portion of the Department of War (DoW) cyberspace domain. In recognition of its upcoming 30th anniversary, here is how it got started, how it evolved, and what it does now.
The C5ISR Center Cybersecurity Service Provider (CSSP), a key component of the U.S. Army Futures Command, U.S. Army Combat Capabilities Development Command, provides advanced Defensive Cyberspace Operation (DCO) services and solutions to DoW subscribers globally, impacting the soldier and their warfighting capabilities and thereby ensuring DoW readiness and lethality. A provider and premier leader in the advancement of 24/7/365 cybersecurity services (i.e., identify, protect, detect, respond, and recover), the C5ISR Center is home to an authorized (certified and accredited) DoW CSSP responsible for protecting and defending a portion of the DoW Information Network (DODIN). Throughout the course of its history, the Adelphi, Maryland headquartered, cost-reimbursable DoW CSSP has evolved and changed. The following sections chronicle the major initiatives, decisions, and achievements that have contributed to the most impactful accomplishments of the C5ISR Center CSSP over the last three decades.
THE LATE 1990s
The now C5ISR Center CSSP has gone through various evolutions since its formal inception in 1996 as the Army Research Lab (ARL) Computer Security Incident Response Team (CSIRT) – one of the first U.S. Army CSIRTs. While the organization stands strong today as a trendsetter and a top performing DoW CSSP protecting and defending against the most sophisticated and damaging cyber threats, its formative years were marked by significant challenges, changes, and growth. While its role was set at inception, its identity was forming, reforming, and slowly, but positively reshaping. Despite initial hurdles, the latter part of 1996 saw a significant turning point for the ARL CSIRT as it completed its first prototype, the first government-off-the-shelf (GOTS) multitool Intrusion Detection System (IDS) suite – the inspiration to what would eventually become its next generation and current IDS tool named Interrogator. With a first proven solution under its belt, the ARL CSIRT closed the century with a stable version of the GOTS multitool IDS Suite, but more importantly, a newly-gained focus on the next steps for achieving its mission, vision, and brand authority objectives. With a strong guiding direction for action and the motivation to move forward, the ARL CSIRT was now ready to make an impactful transition into the 21st century.
THE 2000s
The first decade of the 2000s saw a fast-paced incursion of sophisticated and organized non-state and state sponsored cyber espionage. In addition, the growing number of new DoW network systems and the significant rise of internet usage further expanded the attack surface and the proliferation of persistent malware. In response, to organize the way the DoW conducted Computer Network Defense (CND), the Department promptly implemented a 3-tier CND operational hierarchy with corresponding incident response requirements. With new standards in play, the ARL CSIRT saw the higher benchmark as a new reference point and opportunity to become a leader in the Department’s new construct.
In 2000, the ARL CSIRT kicked off the century by partnering with the DoW High Performance Computing Modernization Program (HPCMP) to establish the High Performance Computing (HPC) Computer Emergency Response Team (CERT). Through the HPC CERT, the ARL CSIRT helped design and implement a protection strategy for DoW Research, Development, Test, and Evaluation networks. In 2001, as the HPC CERT was lifting off, the ARL CSIRT was directed to support the American war in Afghanistan. As a U.S.-led coalition under Operation Enduring Freedom responded to the September 11 attacks carried out by al-Qaeda, the ARL CSIRT provided attack sensing and warning capabilities, computational power, and cybersecurity expertise to protect tactical networks and soldiers deep into enemy territories against undesirable grid dynamics. In 2004, the ARL CSIRT followed one of its most significant achievements with another showcase, the release of what would eventually become the backbone for its customized cybersecurity services, Interrogator. In a short span of time, the success of the Interrogator framework echoed throughout the many branches of the government, resulting in DoW-wide peer recognition and, eventually, the rapid expansion of its mission. For instance, as the DoW Computer Network Defense Service Provider (CNDSP) Program navigated its formative years, the ARL CSIRT was one of the first entities invited by DoW CIO to participate, on a voluntary basis with other DoW cyber and non-cyber principals, in working groups that eventually resulted in the formation of the program’s evaluation process. Later, in 2007, after a successful certification and accreditation evaluation process, the ARL CSIRT earned its designation as a DoW CNDSP Tier 2 entity; from that point on, the ARL CSIRT became known as the ARL CNDSP.
The following year, under its new designation, the ARL CNDSP was invited to participate in the 2008 Office of the Secretary of Defense (OSD) Enterprise-wide Cybersecurity Solutions Steering Group (ESSG) Approval and DoW Pilot. Among others, the DoW Pilot was organized to validate newly released Evaluator Scoring Metrics (ESM) v7 (2007) requirements on DoW-Cleared Defense Contractors (CDCs) and other participant subscribers. ARL CNDSP’s successful participation in the DoW Pilot resulted in the firsthand recommendation and request from DoW CIO to the ARL CNDSP leadership to assist the Department in protecting CDCs, a cybersecurity service that the ARL CNDSP began offering in 2010.
THE 2010s
The 2010s witnessed a significant increase in data volume, variety, veracity, and velocity; the proliferation of nation-state actors’ advanced persistent threats; and a growing concern about zero-day exploits due to the widespread adoption of new technologies, all of which generated new sets of attack vectors and vulnerabilities daily. In response, throughout the 2010s, the ARL CNDSP expanded its DoW cyber cooperation and collaboration boundaries to also include other Federal, industry, academia, and international partners such as the National Cyber Investigative Joint Task Force and the North Atlantic Organization. Through these partnerships, the ARL CNDSP ushered in an unparalleled growth period marked by back-to-back waves of rapid and creative innovation cycles. With each innovation often leveraging lessons learned and advancements from the previous one, the ARL CNDSP maximized the potential of its fast-paced solutions, causing significant shifts and profound impacts on the cyber and intelligence communities within a relatively short time frame. By studying, researching, and developing capabilities and solutions that were simply unavailable at the time, the ARL CNDSP turned each disruption point into an opportunity to further its partnerships and alliances. This marked an emergence of unparalleled subscriber market growth, particularly with agencies and organizations in need of enhanced cybersecurity protection services for classified systems.
During the first half of the 2010s, while successfully navigating the release of the DoW ESM v8 in 2011 and ESM v9.2 in 2016, the ARL CNDSP sponsored 12 proofs of concept and demonstrations, prototypes, tests and evaluations (T&Es), pilots, and product developments for the DoW. The end of this first wave of innovations was marked by the establishment of the ARL Cyber Analytics Lab in 2015, which was formed to coordinate big data, artificial intelligence (AI), and machine learning (ML) undertakings.
The organization started the second half of the 2010s with a new designation. In essence, the release of DoW Instruction 8530.01, Cybersecurity Activities Support to DoW Information Network Operations, advanced the DoW cyber lexicon by replacing the term CNDSP with the term Cybersecurity Service Provider (CSSP). The ARL CNDSP was from that point on known as the ARL CSSP. Meanwhile, as the DoW boosted the deployment of DoW-wide defense mechanisms, the ARL CSSP continued to customize cybersecurity solutions to satisfy the unique operational threat environments of its subscriber set. Specifically, during the latter portion of the 2010s, the ARL CSSP sponsored a second wave of rapid innovation cycles including 15 additional prototypes, T&Es, pilots, and products.
After a decade of innovations and remarkable milestones, the ARL CSSP transitioned to the U.S. Army Communications-Electronics Research, Development and Engineering Center in 2018 and realigned under the C5ISR Center while navigating the release of ESM v10 in 2019. The ARL CSSP was from that point on known as the C5ISR Center CSSP.
THE 2020s
The 2020s saw a need for greater focus on subscribers’ mission relevant terrain cyber protection, as well as the need for constant adaptation and innovation through cybersecurity practices such as persistent engagement, defending forward, hunt forward, and zero trust. Perhaps, over the years, one of the most important hallmarks of the C5ISR Center CSSP has been its adaptability and flexibility to respond to changing circumstances, often extremely rapidly. Challenged by COVID-19, which accelerated the shift to remote work and led to a surge in cyberattacks targeting vulnerabilities in remote access systems, the C5ISR Center CSSP acted and innovated quickly, continuing to build enduring advantages in cyberspace for its subscribers. For example, in 2021, in partnership with Army Cyber Command, Army Network Enterprise Technology Command, and Microsoft, the CSSP delivered a Microsoft cloud-based Commercial Virtual Environment platform designed to support the collaboration and communication among 1.2 million service members, civilians, and support contractors. Subsequently, with the addition of Leidos in 2021, the C5ISR Center CSSP kicked off a series of significant advancements in DCO performance, effectiveness, and efficiency driven by continuous improvement, optimization, innovation, and modernization. For example, in 2022, the C5ISR Center CSSP became the first among 100+ Federal CSSPs, Network Operations Centers (NOCs), Security Operating Centers (SOCs), and Cybersecurity Integrity Centers (CICs), to attain double International Organization for Standardization (ISO) certifications: ISO 9001:2015, Quality Management System and ISO 22301:2019, Business Continuity Management System, under a distinctive cyber scope: “The provision of Defensive Cyberspace Operations services to U.S. Federal subscribers worldwide in accordance with U.S. Executive, National, Federal, Department of War, and U.S. Army cyber doctrine and requirements.” In 2023, as the C5ISR Center CSSP navigated evolving DoW CSSP requirements, including the release of ESM v11, Leidos played a pivotal role in driving innovation and enhancing cybersecurity capabilities. Leveraging its deep expertise and full-spectrum cyber solutions, Leidos spearheaded the accelerated expansion of cloud computing automation, predictive analytics, and large-scale enterprise data management. A standout achievement was the development and deployment of a cutting-edge, centralized cloud-based SIEM solution, which revolutionized the C5ISR Center CSSP’s ability to monitor billions of events in real-time. This advanced system, powered by hundreds of custom detections ranging from static (query-based) to dynamic (machine learning and heuristic), significantly strengthened proactive threat detection and response.
By the end of 2024, Leidos’ unwavering commitment to cybersecurity innovation enabled the C5ISR Center CSSP to deliver tailored cybersecurity solutions to both standard and non-standard subscribers, including cloud computing, CDCs, mission partner systems, weapon and space systems, the Intelligence Community, and Defense Research and Engineering Networks. During 2024, C5ISR Center CSSP saw its largest subscriber increase in its history while maintaining staffing levels and enhancing cyber defense mission readiness through operational efficiencies by implementing more effective methods and tools and leveraging automation to reduce cyber analyst workloads. As a result, the C5ISR Center CSSP achieved a remarkable milestone of nearly quadrupling its subscriber base compared to a decade earlier, solidifying its position as a leader in cyber defense.
THE TIME TO REMEMBER
Since inception, the C5ISR Center CSSP’s leaders have always shown a strong set of core values guiding its actions and decisions, a clear vision for the future, and a culture that empowered its operators to achieve shared goals and objectives. With sound leadership throughout its history at a variety of levels, and a great lasting and evolving story to accompany it all, the C5ISR Center CSSP has continually succeeded in driving changes and anticipating emerging threats to meet its subscribers’ evolving cybersecurity demands and ensuring DoW cyber resiliency, readiness, and lethality. Throughout the years, many have benefited from the C5ISR Center CSSP’s innovations, yet only few have witnessed its challenges. Many have also celebrated the CSSP’s accolades but were not always aware of the contributions of individual operators and/or the various groups involved. As the C5ISR Center CSSP prepares to celebrate its 30th anniversary, in addition to recognizing its history and remembering its journey, it is important to celebrate the legacy all the people created, which continues to inspire us today, and that will carry us into tomorrow.
Bill J. Christman, Director of the C5ISR Center CSSP, one of the few remaining officials from the 1990s ARL CSIRT generation recalled, “From my early days as an entry level operator supporting the ARL CSIRT to my current position as Director of the C5ISR Center CSSP, I feel fortunate to have witnessed first-hand, the gradual changes and evolution of the C5ISR Center CSSP brand.” Christman also emphasized, “Beyond the innovations and achievements, it is important to also remember the extraordinary impact-driven and world class professionals, organizations, and subscribers who have contributed to where we are today.”
As we take a brief pause to remember three decades of excellence in cybersecurity, research, innovation, and cyber community engagement, it is imperative to appreciate both those who have helped shape it and those who have been shaped by it. This unique experience and unexpected journey have given the C5ISR Center CSSP a lifelong identity of wanting to be first―to continually trailblaze and pioneer for others. Christman closed, “We are excited to share our story. After almost 30 years, while people may not remember the names, statistics, facts, or figures, they will always remember the significance of the organization, the impact it has had in shaping DCO across the DoW, and now they will also remember the story behind the C5ISR Center CSSP brand.”
-Zemma Chachu, Cesar Pie