Army says it’s mitigated ‘critical’ cybersecurity deficiencies in early NGC2 prototype

WASHINGTON — The US Army says it has mitigated several cybersecurity risks discovered in an early iteration of its nascent Next Generation Command and Control (NGC2) platform, as detailed in a blunt memo obtained by Breaking Defense.

Penned on Sept. 5 and signed by Army Chief Information Office Chief Technology Officer Gabriele Chiulli, the document said the NGC2 platform “in its current state, exhibits critical deficiencies in fundamental security controls, processes, and governance.”

“These issues collectively create a significant risk to data, mission operations, and personnel by rendering the system vulnerable to insider threats, external attacks, and data spillage,” the document said. Chiulli wrote at the time that the Army “lack[s] the visibility and controls necessary to ensure the security and integrity of the platform. There seems to be a rush to get capabilities into the system without actual oversight or process to do it, putting greater risk as this system further increases this risk.”

But Army officials told Breaking Defense that in the three-plus weeks since the document was written and subsequently circulated within industry, the problems have been addressed.

“The issues were mitigated immediately,” Army Chief Information Officer Leonel Garciga said in a statement. He added that the “streamlined cyber security processes were able to quickly identify and assist the program office and vendor in triaging cyber security vulnerabilities and put mitigations in place.”

In a recent interview, Lt. Gen. Jeth Rey, deputy chief of staff at the Army’s G-6, which deals with Army cybersecurity and networks, argued that finding those deficiencies early was all part of the service’s intended process, and that efforts were undertaken to correct them.

“We have to bake in cybersecurity early in the process and I think this is what we did,” Rey said in a Sept. 25 interview. “This is a new capability coming in and we found a risk and we mitigated it right out the gate. I think it’s a good news story for us going forward. If we continue to look at things in that manner and our processes work, I’m happy.”

He noted that the Army is still in the experimentation phase and moving to prototype, continuing to improve processes.

‘Very High Risk’ Of Adversary Access

NGC2 is the service’s number one modernization priority and is meant to provide commanders and units a new approach to manage information, data, and command and control with agile and software-based architectures. It is a so-called clean slate approach, meaning it was built from the ground up as opposed to previous modernization efforts to bolt on new capabilities to legacy architectures and systems.

In July, the Army awarded nearly $100 million to Anduril and a team of vendors to develop a prototype of the system, scaling to the entire division level at Project Convergence Capstone 6 this summer with the 4th Infantry Division. A prototype was tested at last year’s event at the battalion level. Chiulli’s document doesn’t say what NGC2 platform he was referring to, and Anduril referred Breaking Defense’s questions regarding the vulnerabilities to the Army. More recently, Lockheed Martin and its team also scored a contract to develop an integrated data layer with 25th Infantry Division.

As the Army is looking to scale Anduril’s prototype up to the entire division level, 4th ID has begun a series of so-called sprint events between now and Project Convergence to incrementally add capability. These events are called the Ivy Sting series.

Chiulli’s memo came 10 days before the first event. At the time, it listed a host of concerns, the “cumulative effect” of which was that NGC2 appeared more like a “black box” in which the service couldn’t control which users do or see what on the network.

“The lack of governance means there is no one person or entity accountable for accepting this risk on behalf of the Army,” it states. “Given the current security posture of the platform and hosted 3rd party applications the likelihood of an adversary gaining persistent undetectable access to the platform requires the system to be treated as very high risk.”

The issues listed include lack of access control and accountability, unverified and vulnerable codebase for third-party applications, critical gaps in governance and basic security hygiene and lack of data governance.

The first deficiency highlighted noted the system had no Role-Based Access Control, which means once a user is granted access, they would have unrestricted access to all applications and all data — anathema to the Pentagon’s broader zero trust principles. The memo described this as a critical security failure that could lead to potential access and misuse of classified information.

Regarding third-party applications, the memo notes the Palantir Federal Cloud Service that hosts the apps in a container hosting methodology has not been assessed by the Army or an Army CIO policy supporting the function of contractor owned/contractor operated pipeline. None of the apps had been subject to routine web-application security scanning.

The memo alleged that the system is operating with known, unmitigated vulnerabilities, akin to deploying a weapon system with known defects. With no clear mission owner to take responsibility for the system’s operational security, the memo warned security will fall through the cracks.

The Army officials didn’t say exactly how or when each purported deficiency was addressed, but at Ivy Sting on Sept. 15, NGC2 performed well, according to Garciga. He noted that the streamlined cyber security processes allowed Ivy Sting 1 to “move forward without delay.”

Maj. Sean Minton, an Army spokesperson, said broadly, “The Army is undergoing a once-in-a-generation transformation to provide our Soldiers the capabilities they need swiftly.

“As demonstrated in this case, our proactive cybersecurity posture is designed to identify risk and mitigate it while minimizing effects on the force,” he said.

Published on October 01, 2025 06:40


Douglas A. Macgregor's Blog
