The U.S. Army has taken swift action to resolve several cybersecurity vulnerabilities discovered in an early version of its Next Generation Command and Control (NGC2) platform, according to Army officials, after a critical memo detailing the issues was obtained by Breaking Defense.
„Critical Deficiencies” Prompted Immediate Action
The memo, dated Sept. 5, and authored by Army Chief Information Office Chief Technology Officer Gabriele Chiulli, highlighted „critical deficiencies in fundamental security controls, processes, and governance” within the NGC2 platform. The document warned that these issues posed a „significant risk to data, mission operations, and personnel,” rendering the system susceptible to insider threats, external attacks, and data breaches.
Chiulli expressed concerns about the lack of visibility and controls necessary to ensure the platform’s security, stating that there appeared to be „a rush to get capabilities into the system without actual oversight or process to do it.”
Army Asserts Rapid Mitigation of Risks
In response to the memo, Army officials assured Breaking Defense that the identified problems have been addressed promptly.
„The issues were mitigated immediately,” stated Army Chief Information Officer Leonel Garciga. He credited streamlined cybersecurity processes for quickly identifying and assisting the program office and vendor in resolving the vulnerabilities.
Lt. Gen. Jeth Rey, deputy chief of staff at the Army’s G-6, emphasized that identifying these early deficiencies was part of the Army’s planned process and that corrective measures were undertaken.
„We have to bake in cybersecurity early in the process and I think this is what we did,” Rey stated in a Sept. 25 interview. „This is a new capability coming in and we found a risk and we mitigated it right out the gate. I think it’s a good news story for us going forward.”
Rey also noted that the Army is still in the experimentation phase and moving to prototype, continuing to improve processes.
NGC2: A Top Modernization Priority
The NGC2 platform, considered the Army’s top modernization priority, aims to provide commanders and units with a new approach to managing information, data, and command and control through agile and software-based architectures. It represents a „clean slate” approach, built from the ground up rather than adding new capabilities to existing systems.
In July, the Army awarded nearly $100 million to Anduril and a team of vendors to develop a prototype of the system for the 4th Infantry Division. More recently, Lockheed Martin and its team secured a contract to develop an integrated data layer with the 25th Infantry Division.
„Black Box” Concerns and Specific Vulnerabilities
Chiulli’s memo raised concerns that the NGC2 platform appeared as a „black box,” limiting the Army’s control over user access and data visibility. It warned that the „lack of governance means there is no one person or entity accountable for accepting this risk on behalf of the Army.”
The memo specifically cited the absence of Role-Based Access Control, which could grant users unrestricted access to all applications and data, violating the Pentagon’s zero trust principles. It also noted that third-party applications hosted on the Palantir Federal Cloud Service had not been adequately assessed for security vulnerabilities.
The Army officials did not provide specific details on how or when each deficiency was addressed. However, Garciga stated that NGC2 performed well at Ivy Sting on Sept. 15, and that the streamlined cybersecurity processes allowed the event to „move forward without delay.”
Maj. Sean Minton, an Army spokesperson, emphasized the Army’s commitment to proactive cybersecurity, stating that it is „designed to identify risk and mitigate it while minimizing effects on the force.”
