Table of Contents
Fetching ...

Towards Centralized Orchestration of Cyber Protection Condition (CPCON)

Mark Timmons, Daniel Lukaszewski, Geoffrey Xie, Thomas Mayo, Donald McCanless

TL;DR

This paper tackles the challenge of implementing CPCON in DoD networks by introducing a centralized CPCON orchestrator that automates policy-driven responses and real-time threat containment across heterogeneous environments. The authors design standardized CPCON rules in JSON, develop enforcement modules, and extend a Layer 4.5 orchestrator with a UI for human-in-the-loop control. They validate the approach in a multi-subnet testbed using MITRE ATT&CK–based attack scenarios, demonstrating automated CPCON transitions, rapid module deployment, and verifiable compliance through network scans. Findings indicate linear scalability with host count and improved speed, accuracy, and verifiability of CPCON transitions, while outlining concrete extensions for DoDIN-wide deployment and threat-intelligence integration. The work advances practical, policy-driven security orchestration that could enhance DoD cyber resilience in large-scale, heterogeneous networks.

Abstract

The United States Cyber Command (USCYBERCOM) Cyber Protection Condition (CPCON) framework mandates graduated security postures across Department of Defense (DoD) networks, but current implementation remains largely manual, inconsistent, and error-prone. This paper presents a prototype system for centralized orchestration of CPCON directives, enabling automated policy enforcement and real-time threat response across heterogeneous network environments. Building on prior work in host-based intrusion response, our system leverages a policy-driven orchestrator to standardize security actions, isolate compromised subnets, and verify enforcement status. We validate the system through emulated attack scenarios, demonstrating improved speed, accuracy, and verifiability in CPCON transitions with human-in-the-loop oversight.

Towards Centralized Orchestration of Cyber Protection Condition (CPCON)

TL;DR

This paper tackles the challenge of implementing CPCON in DoD networks by introducing a centralized CPCON orchestrator that automates policy-driven responses and real-time threat containment across heterogeneous environments. The authors design standardized CPCON rules in JSON, develop enforcement modules, and extend a Layer 4.5 orchestrator with a UI for human-in-the-loop control. They validate the approach in a multi-subnet testbed using MITRE ATT&CK–based attack scenarios, demonstrating automated CPCON transitions, rapid module deployment, and verifiable compliance through network scans. Findings indicate linear scalability with host count and improved speed, accuracy, and verifiability of CPCON transitions, while outlining concrete extensions for DoDIN-wide deployment and threat-intelligence integration. The work advances practical, policy-driven security orchestration that could enhance DoD cyber resilience in large-scale, heterogeneous networks.

Abstract

The United States Cyber Command (USCYBERCOM) Cyber Protection Condition (CPCON) framework mandates graduated security postures across Department of Defense (DoD) networks, but current implementation remains largely manual, inconsistent, and error-prone. This paper presents a prototype system for centralized orchestration of CPCON directives, enabling automated policy enforcement and real-time threat response across heterogeneous network environments. Building on prior work in host-based intrusion response, our system leverages a policy-driven orchestrator to standardize security actions, isolate compromised subnets, and verify enforcement status. We validate the system through emulated attack scenarios, demonstrating improved speed, accuracy, and verifiability in CPCON transitions with human-in-the-loop oversight.
Paper Structure (17 sections, 12 figures)

This paper contains 17 sections, 12 figures.

Figures (12)

  • Figure 1: Illustration of proposed centralized orchestration system.
  • Figure 2: CPCON Directive message format highlighting syntax.
  • Figure 3: CPCON Event message format highlighting syntax.
  • Figure 4: Adapted from secsoft2025lukaszewski2023software. Modified Layer 4.5 orchestrator consists of new policy components to facilitate CPCON directives (red). The existing components (grey) are leveraged to deploy policy throughout the network.
  • Figure 5: Orchestrator UI Prototype
  • ...and 7 more figures