Towards Centralized Orchestration of Cyber Protection Condition (CPCON)
Mark Timmons, Daniel Lukaszewski, Geoffrey Xie, Thomas Mayo, Donald McCanless
TL;DR
This paper tackles the challenge of implementing CPCON in DoD networks by introducing a centralized CPCON orchestrator that automates policy-driven responses and real-time threat containment across heterogeneous environments. The authors design standardized CPCON rules in JSON, develop enforcement modules, and extend a Layer 4.5 orchestrator with a UI for human-in-the-loop control. They validate the approach in a multi-subnet testbed using MITRE ATT&CK–based attack scenarios, demonstrating automated CPCON transitions, rapid module deployment, and verifiable compliance through network scans. Findings indicate linear scalability with host count and improved speed, accuracy, and verifiability of CPCON transitions, while outlining concrete extensions for DoDIN-wide deployment and threat-intelligence integration. The work advances practical, policy-driven security orchestration that could enhance DoD cyber resilience in large-scale, heterogeneous networks.
Abstract
The United States Cyber Command (USCYBERCOM) Cyber Protection Condition (CPCON) framework mandates graduated security postures across Department of Defense (DoD) networks, but current implementation remains largely manual, inconsistent, and error-prone. This paper presents a prototype system for centralized orchestration of CPCON directives, enabling automated policy enforcement and real-time threat response across heterogeneous network environments. Building on prior work in host-based intrusion response, our system leverages a policy-driven orchestrator to standardize security actions, isolate compromised subnets, and verify enforcement status. We validate the system through emulated attack scenarios, demonstrating improved speed, accuracy, and verifiability in CPCON transitions with human-in-the-loop oversight.
