Professional Documents
Culture Documents
US Ciberoperations 2018 PDF
US Ciberoperations 2018 PDF
T OF T H
EN E
TM HI
S W E' L L
DE
FE
T
ND
AR
AR
• DE P
MY
•
I CA
U NI
ER
TE
M
D
ST A
AT E S O F
Cyberspace Operations
8 June 2018
PREFACE
1. Scope
This publication provides joint doctrine to plan, execute, and assess cyberspace
operations.
2. Purpose
This publication has been prepared under the direction of the Chairman of the Joint
Chiefs of Staff (CJCS). It sets forth joint doctrine to govern the activities and performance
of the Armed Forces of the United States in joint operations, and it provides considerations
for military interaction with governmental and nongovernmental agencies, multinational
forces, and other interorganizational partners. It provides military guidance for the exercise
of authority by combatant commanders and other joint force commanders (JFCs), and
prescribes joint doctrine for operations and training. It provides military guidance for use
by the Armed Forces in preparing and executing their plans and orders. It is not the intent
of this publication to restrict the authority of the JFC from organizing the force and
executing the mission in a manner the JFC deems most appropriate to ensure unity of effort
in the accomplishment of objectives.
3. Application
a. Joint doctrine established in this publication applies to the Joint Staff, commanders
of combatant commands, subordinate unified commands, joint task forces, subordinate
components of these commands, the Services, and combat support agencies.
KEVIN D. SCOTT
Vice Admiral, USN
Director, Joint Force Development
i
Preface
Intentionally Blank
ii JP 3-12
SUMMARY OF CHANGES
REVISION OF JOINT PUBLICATION 3-12
DATED 05 FEBRUARY 2013
iii
Summary of Changes
Intentionally Blank
iv JP 3-12
TABLE OF CONTENTS
EXECUTIVE SUMMARY .............................................................................................. vii
CHAPTER I
OVERVIEW OF CYBERSPACE AND CYBERSPACE OPERATIONS
CHAPTER II
CYBERSPACE OPERATIONS CORE ACTIVITIES
Introduction ................................................................................................................II-1
Military Operations In and Through Cyberspace .....................................................II-2
National Intelligence Operations In and Through Cyberspace ..................................II-9
Department of Defense Ordinary Business Operations
In and Through Cyberspace .......................................................................................II-9
The Joint Functions and Cyberspace Operations .......................................................II-9
CHAPTER III
AUTHORITIES, ROLES, AND RESPONSIBILITIES
CHAPTER IV
PLANNING, COORDINATION, EXECUTION, AND ASSESSMENT
v
Table of Contents
APPENDIX
GLOSSARY
FIGURE
vi JP 3-12
EXECUTIVE SUMMARY
COMMANDER’S OVERVIEW
vii
Executive Summary
viii JP 3-12
Executive Summary
ix
Executive Summary
x JP 3-12
Executive Summary
xi
Executive Summary
xii JP 3-12
Executive Summary
xiii
Executive Summary
xiv JP 3-12
Executive Summary
xv
Executive Summary
Command and Control of The complex nature of CO, where cyberspace forces
Cyberspace Forces can be simultaneously providing actions at the global
level and at the theater or joint operations area level,
requires adaptations to traditional C2 structures.
Joint forces principally employ centralized planning
with decentralized execution of operations. CO
require constant and detailed coordination between
theater and global operations, creating a dynamic C2
framework that can adapt to the constant changes,
emerging threats, and unknowns. Certain CO
functions, including protection of the DODIN’s
global networks and pursuit of global cyberspace
threats, lend themselves to centralized planning and
execution to meet multiple, near-instantaneous
requirements for response. Centrally controlled CO
should be integrated and synchronized with the
CCDR’s regional or local CO, conducted by forces
assigned or attached to the CCDR, or in support of
the CCDR.
xvi JP 3-12
Executive Summary
CONCLUSION
xvii
Executive Summary
Intentionally Blank
xviii JP 3-12
CHAPTER I
OVERVIEW OF CYBERSPACE AND CYBERSPACE OPERATIONS
“... the United States (US) Department of Defense (DOD) is responsible for
defending the US homeland and US interests from attack, including attacks
that may occur in cyberspace. ... the DOD seeks to deter attacks and defend
the US against any adversary that seeks to harm US national interests during
times of peace, crisis, or conflict. To this end, the DOD has developed
capabilities for cyberspace operations and is integrating those capabilities into
the full array of tools that the US government uses to defend US national
interests…”
1. Introduction
a. Most aspects of joint operations rely in part on cyberspace, which is the domain
within the information environment that consists of the interdependent network of
information technology (IT) infrastructures and resident data. It includes the Internet,
telecommunications networks, computer systems, and embedded processors and
controllers. Cyberspace operations (CO) is the employment of cyberspace capabilities
where the primary purpose is to achieve objectives in or through cyberspace.
(1) Cyberspace capabilities provide opportunities for the US military, its allies,
and partner nations (PNs) to gain and maintain continuing advantages in the operational
environment (OE) and enable the nation’s economic and physical security. Cyberspace
reaches across geographic and geopolitical boundaries and is integrated with the
operation of critical infrastructures, as well as the conduct of commerce, governance, and
national defense activities. Access to the Internet and other areas of cyberspace provides
users operational reach and the opportunity to compromise the integrity of critical
infrastructures in direct and indirect ways without a physical presence. The prosperity
and security of our nation are significantly enhanced by our use of cyberspace, yet these
same developments have led to increased exposure of vulnerabilities and a critical
dependence on cyberspace, for the US in general and the joint force in particular.
I-1
Chapter I
(3) Permanent global cyberspace superiority is not possible due to the complexity
of cyberspace. Even local superiority may be impractical due to the way IT is
implemented; the fact US and other national governments do not directly control large,
privately owned portions of cyberspace; the broad array of state and non-state actors; the
low cost of entry; and the rapid and unpredictable proliferation of technology. Therefore,
commanders should be prepared to conduct operations under degraded conditions in
cyberspace. Commanders can manage resulting risks using threat mitigation actions; post-
impact recovery measures; clear, defensive priorities; primary/secondary/tertiary
communication means; and other measures to accomplish their mission and ensure critical
data reliability. Once one segment of a network has been exploited or denied, the
perception of data unreliability may inappropriately extend beyond the compromised
segment due to uncertainty about how networks interact. Therefore, it is imperative
commanders be well informed of the status of the portions of cyberspace upon which they
depend and understand the impact to planned and ongoing operations.
(1) The physical network layer consists of the IT devices and infrastructure in
the physical domains that provide storage, transport, and processing of information within
I-2 JP 3-12
Overview of Cyberspace and Cyberspace Operations
cyberspace, to include data repositories and the connections that transfer data between
network components. The physical network components include the hardware and
infrastructure (e.g., computing devices, storage devices, network devices, and wired and
wireless links). Components of the physical network layer require physical security
measures to protect them from physical damage or unauthorized physical access, which
may be leveraged to gain logical access. The physical network layer is the first point of
reference CO use to determine geographic location and appropriate legal framework.
While geopolitical boundaries can easily and quickly be crossed in cyberspace, there are
still sovereignty issues tied to the physical domains. Every physical component of
cyberspace is owned by a public or private entity, which can control or restrict access to
their components. These unique characteristics of the OE must be taken into consideration
during all phases of planning.
(2) The logical network layer consists of those elements of the network related
to one another in a way that is abstracted from the physical network, based on the logic
programming (code) that drives network components (i.e., the relationships are not
I-3
Chapter I
necessarily tied to a specific physical link or node, but to their ability to be addressed
logically and exchange or process data). Individual links and nodes are represented in the
logical layer but so are various distributed elements of cyberspace, including data,
applications, and network processes not tied to a single node. An example is the Joint
Knowledge Online Website, which exists on multiple servers in multiple locations in the
physical domains but is represented as a single URL [uniform resource locator] on the
World Wide Web. More complex examples of the logical layer are the Department of
Defense’s (DOD’s) Non-classified Internet Protocol Router Network (NIPRNET) and
SECRET Internet Protocol Router Network (SIPRNET), global, multi-segment networks
that can be thought of as a single network only in the logical sense. For targeting purposes,
planners may know the logical location of some targets, such as virtual machines and
operating systems, that allow multiple servers or other network functions with separate
Internet protocol (IP) addresses to reside on one physical computer, without knowing their
geographic location. Logical layer targets can only be engaged with a cyberspace
capability: a device or computer program including any combination of software,
firmware, or hardware, designed to create an effect in or through cyberspace.
I-4 JP 3-12
Overview of Cyberspace and Cyberspace Operations
on order, and when requested by other authorities, to defend or secure other United States
Government (USG) or other cyberspace, as well as cyberspace related to critical
infrastructure and key resources (CI/KR) of the US and PNs. The term “red cyberspace”
refers to those portions of cyberspace owned or controlled by an adversary or enemy. In
this case, “controlled” means more than simply “having a presence on,” since threats may
have clandestine access to elements of global cyberspace where their presence is
undetected and without apparent impact to the operation of the system. Here, controlled
means the ability to direct the operations of a link or node of cyberspace, to the exclusion
of others. All cyberspace that does not meet the description of either “blue” or “red” is
referred to as “gray” cyberspace.
I-5
Chapter I
(2) State and non-state threats use a wide range of advanced technologies, which
represent an inexpensive way for a small and/or materially disadvantaged adversary to pose
a significant threat to the US. The application of low-cost cyberspace capabilities can
provide an advantage against a technology-dependent nation or organization. This can
provide an asymmetric advantage to those who could not otherwise effectively oppose US
military forces. Additionally, organized crime or other non-state, extralegal organizations
often make sophisticated malware available for purchase or free, allowing even non-
sophisticated threats to acquire advanced capabilities at little to no cost. Because of the
low barriers to entry and the potentially high payoff, the US can expect an increasing
number of adversaries to use cyberspace threats to attempt to negate US advantages in
military capability.
I-6 JP 3-12
Overview of Cyberspace and Cyberspace Operations
key terrain) provide a way to visualize and describe a network map. Obstacles in
cyberspace may include firewalls and port blocks. Avenues of approach can be analyzed
by identifying nodes and links, which connect endpoints to specific sites. Cover and
concealment may refer to hidden IP addresses or password protected access. Cyberspace
observation and fields of fire refer to areas where network traffic can be monitored,
intercepted, or recorded. Examples of potential key terrain in cyberspace include access
points to major lines of communications (LOCs), key waypoints for observing incoming
threats, launch points for cyberspace attacks, and mission-relevant cyberspace terrain
related to critical assets connected to the DODIN. Operators, planners, and intelligence
staff work together to match plans’ objectives with terrain analysis to determine key
terrain in blue, gray, and red cyberspace for each plan. Correlating plan or mission
objectives with key terrain ensures mission dependencies in cyberspace are identified and
prioritized for protection in a standard manner across DOD. In many cases, the systems,
networks, and infrastructure that support a mission objective will be interdependent.
These complex interdependencies may require in-depth analysis to develop customized
risk mitigation methodologies.
I-7
Chapter I
Refer to Joint Publication (JP) 3-0, Joint Operations, for information on the primary
activities that support the information joint function.
a. During joint planning, cyberspace capabilities are integrated into the JFC’s plans
and synchronized with other operations across the range of military operations. While
not the norm, some military objectives can be achieved by CO alone. Commanders
conduct CO to obtain or retain freedom of maneuver in cyberspace, accomplish JFC
objectives, deny freedom of action to the threat, and enable other operational activities.
Refer to Chapter IV, “Planning, Coordination, Execution, and Assessment,” for more
information about planning, synchronization, integration, and interorganizational
coordination of CO.
I-8 JP 3-12
Overview of Cyberspace and Cyberspace Operations
the Commandant of the Coast Guard retains operational control (OPCON) of US Coast
Guard Cyberspace forces when employed in support of DOD. USCYBERCOM uses a
mission alignment process to make requirements-driven, risk-informed, Cyber Mission
Force (CMF)-alignment recommendations and task assignments to assigned or attached
cyberspace units to perform CO utilizing cyberspace capabilities to achieve objectives.
b. CMF. The Secretary of Defense (SecDef) and Chairman of the Joint Chiefs of
Staff (CJCS) established the CMF to organize and resource the force structure required
to conduct key cyberspace missions. CDRUSCYBERCOM exercises combatant
command (command authority) (COCOM) of the CMF, which is a subset of the DOD’s
total force for CO. Various Service tactical cyberspace units, assigned to
CDRUSCYBERCOM, comprise the three elements of the CMF:
(1) Cyber Protection Force (CPF). The CPF conducts CO for internal
protection of the DODIN or other blue cyberspace when ordered. The CPF consists of
cyberspace protection teams (CPTs) organized, trained, and equipped to defend assigned
cyberspace in coordination with and in support of segment owners, cybersecurity service
providers (CSSPs), and users.
Refer to Chapter II, “Cyberspace Operations Core Activities,” for more information
about the operations of CMF units.
Refer to Chapter IV, “Planning, Coordination, Execution, and Assessment,” for more
information about C2 of CO.
I-9
Chapter I
Cyber Mission
Force
Consists
of
National Mission
Consists of Teams
Cyber National
Mission Force
National Support
Teams Directed by Cyber National
Co
ns Mission Force
ist
s of Headquarters
National CPTs
Directed by Service
Service CPTs
Cyberspace
Component
Commands
Combat Mission
Consists of
Teams Directed by Joint Force
Cyber Combat Headquarters -
Mission Force Cyberspace
Combat Support
Teams
Legend
CCMD combatant command DODIN Department of Defense information network
CPT cyberspace protection team
d. Other Cyberspace Forces and Staff. Most cyberspace forces that protect the
DODIN are Service-retained and some are employed in support of a specific CCDR.
They may be used by the Service or SCCs to operationalize networks (i.e., design, build,
configure and otherwise prepare to place into operation) and then secure, operate, and
defend their Service enterprise portions of the DODIN. The Services may retain, or other
CCDRs may organize, other scarce cyberspace forces that support CCMD missions as
required, including CSSPs. Some of these Service-retained cyberspace forces that
operate CCMD networks and systems are assigned directly to various CCDR staffs. In
addition, the Defense Information Systems Agency (DISA) and various DOD agencies
I-10 JP 3-12
Overview of Cyberspace and Cyberspace Operations
and activities employ civilian staff and contractors to do these same operationalizing and
DODIN operations functions.
The JFC faces a unique set of persistent challenges executing CO in a complex global
security environment.
a. Threats. Cyberspace presents the JFC’s operations with many threats, from
nation-states to individual actors to accidents and natural hazards.
(1) Nation-State Threat. This threat is potentially the most dangerous because
of nation-state access to resources, personnel, and time that may not be available to other
actors. Some nations may employ cyberspace capabilities to attack or conduct espionage
against the US. Nation-state threats involve traditional adversaries; enemies; and
potentially, in the case of espionage, even traditional allies. Nation-states may conduct
operations directly or may outsource them to third parties, including front companies,
patriotic hackers, or other surrogates, to achieve their objectives.
I-11
Chapter I
complicated by the requirement for significant coordination external to DOD and/or the
temporary reliance on back-up systems with which operators may not be proficient.
I-12 JP 3-12
Overview of Cyberspace and Cyberspace Operations
(ISPs) and global supply chains, over which DOD and its forces have no direct authority.
This includes both data storage services and applications provided from a cloud
computing architecture. Cloud computing enables DOD to consolidate infrastructure,
leverage commodity IT functions, and eliminate functional redundancies while
improving continuity of operations. But, the overall success of these initiatives depends
upon well-executed risk mitigation and protection measures, defined and understood by
both DOD components and industry. Dependency on commercial Internet providers
means DOD coordination with the Department of Homeland Security (DHS), other
interagency partners, and the private sector is essential to establish and maintain security
of DOD’s information. DOD supports DHS, which leads interagency efforts to identify
and mitigate cyberspace vulnerabilities in the nation’s critical infrastructure. DOD has
the lead for improving security of the defense industrial base (DIB) sector, which
includes major sector contractors and major contractor support to operations regardless
of corporate country of domicile and continues to support the development of whole-of-
government approaches for its risk management. The global technology supply chain
affects mission-critical aspects of the DOD enterprise, and the resulting IT risks can only
be effectively mitigated through public-private sector cooperation.
(2) Mitigations. DOD partners with the DIB to increase the security of
information about DOD programs residing on or transiting DIB unclassified networks.
The Department of Defense Cyber Crime Center (DC3) serves as DOD’s operational
I-13
Chapter I
focal point for voluntary cyberspace information sharing and incident reporting program.
In addition, DOD is strengthening its acquisition regulations to require consideration of
applicable cybersecurity policies during procurement of all DODIN components to
reduce risks to joint operations.
I-14 JP 3-12
CHAPTER II
CYBERSPACE OPERATIONS CORE ACTIVITIES
“When I first started working cyberspace operations, these operations were often
just concepts, and when conducted, performed ad-hoc by technical specialists
on loan from other organizations. Today this is not the case. Now, a mature and
highly capable cyber force is built and in the fight, aggressively defending our
network, conducting daily operations against adversaries, and strengthening the
combat power and lethality of U.S. forces around the world. This swift growth
represents tremendous opportunity.”
1. Introduction
II-1
Chapter II
interagency policies, practices, and training, is critical to the success of all types of
cyberspace-enabled DOD missions.
II-2 JP 3-12
Cyberspace Operations Core Activities
CMT CCMDs/Services/Agencies
Threat Specific
since their aggregate effect establishes the framework on which most DOD missions
ultimately depend.
See JP 6-0, Joint Communications System, for a more detailed discussion of DODIN
operations and the management of networked communication systems.
(2) DCO. DCO missions are executed to defend the DODIN, or other cyberspace
DOD cyberspace forces have been ordered to defend, from active threats in cyberspace.
Specifically, they are missions intended to preserve the ability to utilize blue cyberspace
capabilities and protect data, networks, cyberspace-enabled devices, and other designated
systems by defeating on-going or imminent malicious cyberspace activity. This
distinguishes DCO missions, which defeat specific threats that have bypassed, breached,
or are threatening to breach security measures, from DODIN operations, which endeavor
to secure DOD cyberspace from all threats in advance of any specific threat activity. DCO
are threat-specific and frequently support mission assurance objectives. DCO missions are
conducted in response to specific threats of attack, exploitation, or other effects of
malicious cyberspace activity and leverage information from maneuver, intelligence
II-3
Chapter II
collection, counterintelligence (CI), law enforcement (LE), and other sources as required.
DCO include outmaneuvering or interdicting adversaries taking or about to take actions
against defended cyberspace elements, or otherwise responding to imminent internal and
external cyberspace threats. The goal of DCO is to defeat the threat of a specific adversary
and/or to return a compromised network to a secure and functional state. The components
of DCO are:
II-4 JP 3-12
Cyberspace Operations Core Activities
these and other non-DOD cyberspace segments, like national CI/KR or partner networks.
Prioritization schemes for defense of CI/KR should be established in advance. If DCO-
IDM missions are ordered as part of a defense support of civil authorities (DSCA)
operation, Active Component forces may be supported by National Guard (NG) forces
activated under Title 32,United States Code (USC), if authorized by SecDef, or Title 10,
USC; US Coast Guard Forces under Title 14, USC; and/or other cyberspace forces from
one of the Reserve Component (RC) units.
(3) OCO. OCO are CO missions intended to project power in and through
foreign cyberspace through actions taken in support of CCDR or national objectives. OCO
may exclusively target adversary cyberspace functions or create first-order effects in
cyberspace to initiate carefully controlled cascading effects into the physical domains to
affect weapon systems, C2 processes, logistics nodes, high-value targets, etc. All CO
missions conducted outside of blue cyberspace with a commander’s intent other than to
defend blue cyberspace from an ongoing or imminent cyberspace threat are OCO missions.
Like DCO-RA missions, some OCO missions may include actions that rise to the level of
use of force, with physical damage or destruction of enemy systems. Specific effects
created depend on the broader operational context, such as the existence or imminence of
open hostilities and national policy considerations. OCO missions require a properly
coordinated military order and careful consideration of scope, ROE, and measurable
objectives.
II-5
Chapter II
(2) Cyberspace Defense. Cyberspace defense actions are taken within protected
cyberspace to defeat specific threats that have breached or are threatening to breach the
cyberspace security measures and include actions to detect, characterize, counter, and
mitigate threats, including malware or the unauthorized activities of users, and to restore
the system to a secure configuration. The CCMD, Service, or DOD agency that owns or
operates the network is generally authorized to take these defensive actions except in cases
when they would compromise the operations of elements of cyberspace outside the
responsibility of the respective CCMD, Service, or agency. In some cases, a CPT will be
assigned to assist with re-securing and mitigation actions. JFHQ-DODIN coordinates all
defensive actions that impact more than one CCMD or have impacts outside the realm of
the network owner. Cyberspace defense actions are the component actions of a DCO-IDM
mission. Since the same personnel often perform both cyberspace security and cyberspace
defense actions, these actions are collectively referred to as protection.
II-6 JP 3-12
Cyberspace Operations Core Activities
II-7
Chapter II
(2) Forces Conducting DCO-RA and OCO. DCO-RA missions are normally
assigned to NMTs, which are tactical units of the CNMF that defend the DODIN, or other
blue cyberspace when ordered. The NMTs are aligned under the CNMF-HQ against
specific cyberspace threats. OCO missions are normally assigned to CMTs, tactical units
of the CCMF that support CCDR plans and priorities to project power in support of
national objectives. The CMTs are aligned, under the JFHQs-C, in support of CCMDs.
In addition to NMTs and CMTs, there are NSTs and CSTs not depicted in Figure II-1
that provide specialized technical and analytic support for the units of the CMF. This
II-8 JP 3-12
Cyberspace Operations Core Activities
Refer to Chapter IV, “Planning, Coordination, Execution, and Assessment,” for more
information about C2 of these cyberspace forces.
See JP 2-0, Joint Intelligence, and JP 2-01, Joint and National Intelligence Support to
Military Operations, for a more complete discussion of national intelligence activities,
including intelligence federation.
II-9
Chapter II
grouped together to help commanders integrate, synchronize, and direct joint operations.
This section presents an overview of how military operations leverage cyberspace
capabilities to enable these functions in support of all DOD missions and how the
functions themselves are accomplished in cyberspace during CO.
See JP 3-30, Command and Control of Joint Air Operations; JP 3-31, Command and
Control for Joint Land Operations; and JP 3-32, Command and Control of Joint Maritime
Operations, for more information on how cyberspace is used to enable operations in the
physical domains.
II-10 JP 3-12
Cyberspace Operations Core Activities
See JP 2-0, Joint Intelligence, for more information on the joint intelligence process.
d. Fires. Cyberspace attack capabilities create fires in and through cyberspace and
are often employed with little or no associated physical destruction. However,
modification or destruction of computers that control physical processes can lead to
cascading effects (including collateral effects) in the physical domains. Depending upon
the commander’s objective, fires in cyberspace can be offensive or defensive, supporting
or supported. Like all forms of fires, fires in and through cyberspace should be included
in the joint planning and execution processes to facilitate synchronization and unity of
effort and must comply with the law of war and ROE. Fires in and through cyberspace
encompass a number of tasks, actions, and processes, including targeting, coordination,
and deconfliction. If multiple USG or allied entities have requirements to create effects
or collect intelligence on the same target in cyberspace, synchronization and
deconfliction across all USG entities will be required, otherwise their uncoordinated
actions could expose or interfere with each other. Even if effects can be created
independently and are sufficiently justified, a technical analysis is still required to
determine if the capabilities can operate as planned in the same environment without
interference or increasing the chances of unwanted detection.
See JP 3-60, Joint Targeting, for more information on joint targeting, and Chapter IV,
“Planning, Coordination, Execution, and Assessment,” for more information on
targeting during CO.
(1) Movement and maneuver involves deploying forces and capabilities into an
OA and positioning within that area to gain operational advantage in support of mission
objectives, including accessing and, as necessary, controlling key terrain. Cyberspace
operations enable force projection without the need to establish a physical presence in
foreign territory. Maneuver in the DODIN or other blue cyberspace includes positioning
II-11
Chapter II
of forces, sensors, and defenses to best secure areas of cyberspace or engage in defensive
actions as required. Maneuver in gray and red cyberspace is a cyberspace exploitation
action and includes such activities as gaining access to adversary, enemy, or intermediary
links and nodes and shaping this cyberspace to support future actions. The ability to access
or even control such terrain can change the outcome of an engagement. A significant factor
in maneuverability in cyberspace is gaining and maintaining logical access to the
environment. This capability to maneuver and provide operational reach may be lost at
any time if the configuration of the relevant cyberspace nodes are modified. The ubiquitous
nature of cyberspace creates another major consideration, because it enables an adversary
or enemy to establish key points of presence outside the physical OA, in third-party
countries, protected areas, or even inside the US. Additionally, adversaries or enemies may
conduct CO from physical network connections within the US, PNs, or third-party nations,
thereby limiting the JFC’s maneuver space based on law and policy restriction and creating
dependencies on our ability to coordinate with interagency and other mission partners.
f. Sustainment
II-12 JP 3-12
Cyberspace Operations Core Activities
(3) Sustainment planning should identify and address legacy systems. Many
legacy mission-critical systems were not designed and configured to be easily updated. As
a result, many of the vulnerabilities incurred on the DODIN are introduced via unpatched
(and effectively un-patchable) systems. These vulnerabilities can be mitigated through
additional layers of protection, which must then be sustained. Additionally, hardware
capabilities, including sensors and other forward-deployed cyberspace capabilities, can
deteriorate over time due to wear and tear or adversary discovery, requiring component
repair or replacement to remain operable. This can be particularly problematic when
physically inaccessible systems (such as those deployed to remote sites) require
replacement or upgrade. It is vital that commanders understand the mission risk created
by leaving such cyberspace capabilities in place over long periods, not just to current
operations but to the success of future DOD missions that rely on such capabilities. Finally,
contingency software capabilities that are infrequently accessed may also require periodic
refreshing and retesting to verify they are still secure and capable of creating the required
effects, despite changes in the OE.
g. Protection
(1) Protection of the DODIN and other critical US cyberspace includes the
continuous and synchronized integration of cyberspace security and, when required,
cyberspace defense actions. Protection of cyberspace assets is complicated by their logical
connectivity that can enable enemies to create multiple, cascading effects that may not be
restricted by physical geography and civil/military boundaries. Cyberspace capabilities
requiring protection include not only the infrastructure (computers, cables, antennas, and
switching and routing equipment) but also parts of the EMS (datalink frequencies to
include satellite downlink, cellular, and wireless) and the content (both data and
applications) on which military operations rely. Key to cyberspace protection is the
positive control of all direct connections between the DODIN and the Internet and other
public portions of cyberspace, as well as the ability to monitor, detect, and prevent the
entrance of malicious network traffic and unauthorized exfiltration of information through
these connections.
II-13
Chapter II
h. Information
(2) The joint force conducts CO in concert with other capabilities, to gain and
maintain an advantage. Cyberspace is a medium through which specific information
capabilities, such as MISO or MILDEC may be employed. Note that while some operations
in the information environment may be done using only CO, they are still synchronized,
integrated, and deconflicted with other activities and operations that impact the commander’s
objectives.
Refer to JP 1, Doctrine for the Armed Forces of the United States, for more information about
the joint functions and their role in the military operations.
Refer to JP 3-0, Joint Operations, for information on the primary activities that support the
information joint function.
II-14 JP 3-12
CHAPTER III
AUTHORITIES, ROLES, AND RESPONSIBILITIES
Ashton B. Carter
Secretary of Defense
The Department of Defense Cyber Strategy, April 17, 2015
1. Introduction
a. Under the authorities of SecDef, DOD uses cyberspace capabilities to shape cyberspace
and provide integrated offensive and defensive options for the defense of the nation.
USCYBERCOM coordinates with CCMDs, the JS, and the Office of the Secretary of Defense
(OSD); liaises with other USG departments and agencies; and, in conjunction with DHS,
DOD’s DC3, and the Defense Security Service, liaises with members of the DIB. Similarly,
as directed, DOD deploys necessary resources to support efforts of other USG departments and
agencies, and allies.
b. The National Military Strategy and The Department of Defense Cyber Strategy provide
high-level requirements for national defense in cyberspace and DOD’s role in defending DOD
and larger US national security interests through CO.
c. DOD’s Roles and Initiatives in Cyberspace. DOD’s roles in cyberspace are, for the
most part, the same as they are for the physical domains. As a part of its role to defend the
nation from threats in cyberspace, DOD prepares to support DHS and the Department of
Justice (DOJ), the USG leads for incident response activities during a national cybersecurity
incident of significant consequences. To fulfill this mission, DOD conducts military operations
to defend DOD elements of CI/KR and, when ordered, defend CI/KR related to vital US
interests. DOD’s national defense missions, when authorized by Presidential orders or
standing authorities, take primacy over the standing missions of other departments or agencies.
The Department of Defense Cyber Strategy establishes strategic initiatives that offer a roadmap
for DOD to operate effectively in cyberspace, defend national interests, and achieve national
security objectives.
III-1
Chapter III
e. CI/KR Protection. CI/KR consist of the infrastructure and assets vital to the nation’s
security, governance, public health and safety, economy, and public confidence. IAW the
National Infrastructure Protection Plan, DOD is designated as the sector-specific agency for
the DIB. DOD provides cyberspace analysis and forensics support via the DIB Cybersecurity
and Information Assurance Program and the DC3. Concurrent with its national defense and
incident response missions, DOD may be directed to support DHS and other USG departments
and agencies to help ensure all sectors of cyberspace CI/KR are available to support national
objectives. CI/KR protection relies on analysis, warning, information sharing, risk
management, vulnerability identification and mitigation, and aid to national recovery efforts.
Defense critical infrastructure (DCI) is a subset of CI/KR that includes DOD and non-DOD
assets essential to project, support, and sustain military forces and operations worldwide.
Geographic combatant commanders (GCCs) have the responsibility to prevent the loss or
degradation of DCI within their AORs and coordinate with the DOD asset owner, heads of
DOD components, and defense infrastructure sector lead agents to fulfill this responsibility.
CCDRs may act to prevent or mitigate the loss or degradation of non-DOD-owned DCI only
in coordination with the CJCS and the Under Secretary of Defense for Policy (USD[P]) and at
the direction of SecDef IAW Department of Defense Directive (DODD) 3020.40, Mission
Assurance (MA). As the lead agent of the DODIN sector of the DCI, the Commander, JFHQ-
DODIN, is responsible for matters pertaining to the identification, prioritization, and
remediation of critical DODIN infrastructure issues. Likewise, DOD coordinates and
integrates when necessary with DHS for support of efforts to protect the DIB.
2. Authorities
a. Authority for CO actions undertaken by the US Armed Forces is derived from the US
Constitution and federal law. Key laws that apply to DOD include Title 10, USC, Armed
Forces; Title 50, USC, War and National Defense; and Title 32, USC, National Guard. See
Figure III-1 for a summary of applicable titles of USC as they apply to CO.
b. Authorities for specific types of military CO are established within SecDef policies,
including DOD instructions, directives, and memoranda, as well as in EXORDs and OPORDs
authorized by the President or SecDef and subordinate orders issued by commanders approved
to execute the subject missions. These include the directive authority for cyberspace operations
(DACO), established by CJCS EXORD, that enables DOD-wide synchronized protection of
the DODIN. The military missions and related actions of the cyberspace forces remain as
described in Chapter II, “Cyberspace Operations Core Activities,” regardless of the type of
authority under which they are executed.
a. SecDef
(1) Directs the military, intelligence, and ordinary business operations of DOD
in cyberspace.
III-2 JP 3-12
Authorities, Roles, and Responsibilities
United
States Principal
Code Title Key Focus Organization Role in Cyberspace
(USC)
Title 44 Public Defines basic agency All Federal The foundation for what we now
Printing and responsibilities and departments and call cybersecurity activities, as
Documents authorities for agencies outlined in Department of
information security Defense Instruction, 8530.01,
policy Cybersecurity Activities Support
to DOD Information Network
Operations.
(2) Provides policy and guidance for employment of forces conducting cyberspace
missions through the USD(P), the SecDef’s Principal Cyber Advisor, and the Deputy
Assistant Secretary of Defense for Cyber Policy.
III-3
Chapter III
(3) Develops and issues the DOD Information Resources Management Strategic
Plan through the DOD CIO. The DOD CIO is the DODIN architect and, as such, develops,
maintains, and enforces compliance with DODIN architecture standards and cybersecurity
policy. Inherent in the DOD CIO’s architecture responsibility are the responsibilities for
interoperability, data sharing, effective use of enterprise services, spectrum management, and
DODIN program synchronization.
b. CJCS
(1) As the global integrator, advises the President and SecDef on operational
policies, responsibilities, and programs.
(4) Ensures cyberspace plans and operations are compatible with other military
plans and operations.
c. Service Chiefs
(2) Train and equip cyberspace forces and develop cyberspace capabilities for
deployment/support to CCMDs, as directed by SecDef.
III-4 JP 3-12
Authorities, Roles, and Responsibilities
(5) Provide users of the EMS with regulatory and operational guidance in the use
of frequencies through the authority of Army (Army Spectrum Management Office), Navy
(Navy and Marine Corps Spectrum Center), and Air Force (Air Force Spectrum
Management Office).
e. CDRUSCYBERCOM
(b) Prepare to, and when directed, conduct military CO external to the
DODIN, including in gray and red cyberspace, in support of national objectives.
(3) For CO events requiring actions and effects across multiple geographic
AORs, CDRUSCYBERCOM is the supported commander. For theater-specific events,
CDRUSCYBERCOM may be designated a supporting or supported commander,
depending upon the order issued.
(4) Leverages intelligence community (IC) sensors and directs DODIN sensors,
as appropriate, to establish and share comprehensive situational awareness of red and gray
cyberspace in support of assigned mission.
(5) Coordinates with the IC, CCMDs, Services, DOD agencies and activities, and
multinational partners to facilitate development of improved cyberspace accesses to
support planning and operations.
III-5
Chapter III
III-6 JP 3-12
Authorities, Roles, and Responsibilities
f. Other CCDRs
(1) Secure, operate, and defend tactical and constructed DODIN segments
within their commands and AORs.
(2) Integrate CO into plans (e.g., theater and functional campaign plans,
concept plans [CONPLANs], and operation plans [OPLANs]); integrate cyberspace
capabilities into military operations as required; and work closely with the joint force,
USCYBERCOM, SCCs, and DOD agencies to create fully integrated capabilities.
(5) Serve as a focal point for in-theater DODIN operations that integrate
multinational partners.
(6) Plan for communications system support of operations that may be directed
by SecDef and ensure the interoperability of DOD forces with non-DOD mission partners
in terms of equipment, procedures, and standards.
(8) In coordination with the DOD asset owner, heads of DOD components, and
DOD infrastructure sector lead agents, GCCs act to prevent the loss, degradation, or other
denial of DOD-owned DCI within their AORs. Act only in coordination with the CJCS
and USD(P) to prevent or mitigate the loss or degradation for non-DOD-owned DCI.
(10) Provide users of the EMS with regulatory and operational guidance in the
use of required frequencies for CO IAW coordinated agreements between US forces and
PNs.
III-7
Chapter III
i. Director, DISA
(5) Acquires all commercial SATCOM resources (unless the DOD CIO has
granted a waiver to the requesting organization). Supports CDRUSSTRATCOM as the
Consolidated SATCOM System Expert for commercial SATCOM and DOD gateways.
(6) Plans, mitigates, and executes service restoration at the global and enterprise
level, as directed by commander of JFHQ-DODIN.
III-8 JP 3-12
Authorities, Roles, and Responsibilities
(7) Provides and maintains a critical nodes defense plan for long-haul
communications.
(3) Serves as the DOD focal point for all CI cyberspace investigations and
operations. In conjunction with the Military Departments and DOD agencies, DIA strives
to identify and neutralize all CI-related cyberspace threats to DOD. DIA supports CI
operations in cyberspace to promote cyberspace superiority and provides worldwide
cyberspace CI situational awareness and coordination.
(4) In coordination with JS, Services, other DOD agencies and activities, and
OSD, engineers, develops, implements, and manages the sensitive compartmented
information portion of the DODIN, including the configuration of information, data, and
communications standards for intelligence systems. Included within this is the overall
responsibility for the operation of Joint Worldwide Intelligence Communications
System, a strategic, secure, high-capacity telecommunications network serving the IC
with voice, data, and video services. DIA establishes defense-wide intelligence priorities
for achieving interoperability between tactical, theater, and national intelligence-related
systems and between intelligence-related systems and the tactical, theater, and national
elements of the DODIN.
III-9
Chapter III
(5) Sets policies, standards, and requirements for targets, including the virtual
elements of facility, individual, organization, and equipment targets. All target
development, to include targets in support of CO, adheres to the standards put forth in
Chairman of the Joint Chiefs of Staff Instruction (CJCSI) 3370.01, Target Development
Standards.
l. Director, DC3. Administratively assigned to the Department of the Air Force but
supporting the entire DOD, the DC3:
(2) Serves as the DOD center of excellence and establishes DOD standards for
digital and multimedia forensics.
(3) Serves as the operational focal point for the DIB cyberspace security
information sharing activities performed to protect unclassified DOD information that
transits or resides on unclassified DIB information systems and networks.
m. Other DOD Agencies and Activities. All DOD agencies and activities are
responsible for developing and maintaining their IT in a manner consistent with and
reflective of applicable DODIN architecture and cybersecurity standards, and they plan,
resource, acquire, implement, and maintain agency-specific IT IAW the DOD policy and
resource priorities. Those DOD agencies, which are also part of the IC, are additionally
subject to the policies and guidance of the IC CIO. All DOD agencies and activities
respond to direction from USCYBERCOM and JFHQ-DODIN, issued under DACO, to
secure, operate, and defend their segments of the DODIN.
n. DHS
(1) DHS has the responsibility to secure US cyberspace, at the national level,
by protecting non-DOD USG networks against cyberspace intrusions and attacks,
including actions to reduce and consolidate external access points, deploy passive
network defenses and sensors, and define public and private partnerships in support of
national cybersecurity policy.
(2) DHS protects USG network systems from cyberspace threats and partners
with government, industry, and academia, as well as the international community, to
make cybersecurity a national priority and a shared responsibility.
(3) Pursuant to the Homeland Security Act of 2002 and Homeland Security
Presidential Directive-5, Management of Domestic Incidents, the Secretary of Homeland
Security is the principal federal official for domestic incident management. Pursuant to
PPD-41, United States Cyber Incident Coordination, DHS is the lead federal agency for
cyberspace incident asset response. For significant cybersecurity incidents external to
the DODIN and IC networks, DHS’s National Cybersecurity and Communications
III-10 JP 3-12
Authorities, Roles, and Responsibilities
Integration Center is the lead federal agency for technical assistance and vulnerability
mitigation.
o. DOJ
(2) The FBI also conducts domestic collection, analysis, and dissemination of
cybersecurity threat information and operates the National Cyber Investigative Joint Task
Force, a multi-agency focal point for coordinating, integrating, and sharing pertinent
information related to cybersecurity threat investigations, with representation from DHS,
the IC, DOD, and other agencies as appropriate.
4. Legal Considerations
b. Application of the Law of War. Members of DOD comply with the law of war
during all armed conflicts and in all other military operations. The law of war
encompasses all international law for the conduct of armed hostilities binding on the US
or its individual citizens, including treaties and international agreements to which the US
is a party and applicable customary international law. The law of war rests on
fundamental principles of military necessity, proportionality, distinction
(discrimination), and avoidance of unnecessary suffering, all of which may apply to
certain CO.
III-11
Chapter III
See JP 1-04, Legal Support to Military Operations; DODD 2311.01E, DOD Law of War
Program; CJCSI 5810.01, Implementation of the DOD Law of War Program; and the
Department of Defense Law of War Manual for more information on the law of war.
III-12 JP 3-12
CHAPTER IV
PLANNING, COORDINATION, EXECUTION, AND ASSESSMENT
“We’re trying to both physically and virtually isolate ISIL [Islamic State of Iraq
and the Levant], limit their ability to conduct command and control, limit their
ability to communicate with each other, limit their ability to conduct operations
locally and tactically. I’ll be one of the first ones arguing that that’s about all
we should talk about.... We want them to be surprised when we conduct
cyber[space] operations. And, frankly, they’re going to experience some
friction that’s associated with us and some friction that’s just associated with
the normal course of events in dealing in the information age.”
a. Commanders integrate CO into their operations at all levels. Their plans should
address how to effectively integrate cyberspace capabilities, counter adversaries’ use of
cyberspace, identify and secure mission-critical cyberspace, access key terrain in
cyberspace, operate in a degraded environment, efficiently use limited cyberspace assets,
and pair operational requirements with cyberspace capabilities. The commander provides
initial planning guidance, which may specify time constraints, outline initial coordination
requirements, authorize the movement of forces within the commander’s authority, and
direct other actions as necessary. Supporting CO plans and concepts describe the role and
scope of CO in the commander’s effort and address how CO support the execution of the
supported plan. If requested by a commander, CDRUSCYBERCOM provides assistance
in integrating cyberspace forces and capabilities into the commander’s plans and orders.
b. JP 5-0, Joint Planning, describes the joint planning process (JPP) as a proven
process to organize the work of the commander, staff, subordinate commanders, and other
partners to develop plans that appropriately address the problem to be solved. It focuses
on framing the situation and end states, defining the military mission, analysis of critical
factors, and designing an operational approach to accomplish mission objectives. CO
capabilities and functions are integrated along with all other joint capabilities and functions
into the JPP and into the Adaptive Planning and Execution enterprise.
IV-1
Chapter IV
capabilities in cyberspace involves understanding the target, not only at the underlying
physical network layer but also at the logical network layer and cyber-persona layer,
including profiles of system users and administrators and their relationship to adversary
critical factors. For planning internal operations within DOD cyberspace, DODIN
operations and DCO-IDM planners require a clear understanding of which friendly forces
or capabilities might be targeted by an adversary; what DODIN vulnerabilities are most
likely to be targeted and the potential effects of the adversary’s action; the mission
assurance risks involved; and an understanding of applicable domestic, foreign, and
international laws and USG policy. Threats in cyberspace may be nation-states, non-state
groups, or individuals, and the parts of cyberspace they control are not necessarily within
the geographic borders associated with the threat’s nationality or proportional to their
geopolitical influence. A criminal element, a politically motivated group, or even a well-
resourced individual may have a greater presence and capability in cyberspace than do
many nations. Moreover, many adversaries operate cyberspace capabilities from portions
of cyberspace geographically associated with the US or owned by a US entity. Each of
these factors complicates the planning of CO.
IV-2 JP 3-12
Planning, Coordination, Execution, and Assessment
associated with using the capability. All other factors being equal, cyberspace capabilities
that have the fewest environmental dependencies and/or allow the operator to reconfigure
the capability are preferred. DODI O-3600.03, Technical Assurance Standard (TAS) for
Computer Network Attack (CNA) Capabilities, provides detailed requirements for technical
assurance evaluations that document these characteristics.
IV-3
Chapter IV
(1) For Specific Plans and Operations. DODIN operations underpin nearly
every aspect of military operations, and this reliance on cyberspace is well understood
by our adversaries. However, a commander’s reliance on specific segments of the
DODIN is often not considered during plans development, but planning for DODIN
resiliency is essential. JFC planning staffs should incorporate DCO-IDM branches and
sequels for any operations that pose an increased threat to the DODIN. The CCDR’s CO
staff coordinates and deconflicts DCO-IDM mission activities with the USCYBERCOM
CO-IPEs. If the planned defensive actions will create effects in cyberspace outside of
the GCC’s AOR, JFHQ-DODIN will ensure the cyberspace defense actions are
coordinated and synchronized globally.
IV-4 JP 3-12
Planning, Coordination, Execution, and Assessment
IV-5
Chapter IV
a. IRs. During mission analysis, the joint force staff identifies significant information
gaps about the adversary and other relevant aspects of the OE. After gap analysis, the staff
formulates IRs, which are general or specific subjects upon which there is a need for the
collection of information or the production of intelligence. Based upon identified IRs, the
staff develops more specific questions known as information requirements (those items of
information that must be collected and processed to develop the intelligence required by
the commander). Information requirements related to cyberspace can include such things
as network infrastructures and status, readiness of adversary’s equipment and personnel,
and unique cyberspace signature identifiers such as hardware/software/firmware versions
and configuration files. These IRs are met through a combination of military intelligence
and national intelligence sources.
See JP 2-01, Joint and National Intelligence Support to Military Operations, for additional
information on RFIs.
For more information on TCPED, see JP 2-01, Joint and National Intelligence Support to
Military Operations.
IV-6 JP 3-12
Planning, Coordination, Execution, and Assessment
may not be easily distinguishable from legitimate network activity. Detecting of activities
in cyberspace is critical for enabling effective CO.
(3) Analysis and Attribution. Due to the characteristics of the physical network,
logical network, and cyber-persona layers of cyberspace, attribution of malicious
cyberspace activity to a specific person, criminal organization, non-state threat, or even a
responsible nation-state can be exceptionally difficult. Although attribution is not
necessarily required for self-defense, the difficulty of attribution, along with the possibility
that an apparent threat may actually be an attempt at misdirection, is one of the principal
reasons DCO-RA mission planning may be more difficult than planning for response to
conventional attack. The risks of a defensive response against the wrong threat,
particularly a nation-state or a target within an unwitting nation-state where the attack
originated, are weighed against strategic objectives and the consequences of making an
attribution mistake. Working effectively within these constraints requires unique skills on
the part of all-source intelligence analysts to understand the context of the threat activity.
They use skills like analyzing deception techniques, anonymity techniques, virtual
representations and avatars, and other artifacts of the logical network and cyber-persona
layers to characterize activities with the requisite degree of confidence required to enable
an effective response.
c. IGL. Another planning concern is that maneuver and fires in red and gray
cyberspace could potentially compromise intelligence collection activities sources and
methods. To the maximum extent practicable, an IGL assessment is required prior to
executing such actions. The IGL assessment can be complicated by the array of non-DOD
USG and multinational partners operating in cyberspace. JFCs use IGL analysis to weigh
the risks of conducting the CO versus achieving the desired objective via other methods.
IV-7
Chapter IV
source activity offers the opportunity to add useful data to all-source analysis. But this
constantly changing landscape of media and the low “signal to noise” ratio of data available
in cyberspace also complicate the intelligence collection problem, requiring active
collection management to stay abreast of these sources.
4. Targeting
The purpose of targeting is to integrate and synchronize fires (the use of weapon
systems or other actions to create a specific lethal or nonlethal effect on a target) into joint
operations. Targeting is the process of selecting and prioritizing targets and matching the
appropriate response to them, considering operational requirements and capabilities.
Integrating and synchronizing planning, execution, and assessment are pivotal to the
success of joint targeting. The overall joint targeting cycle and target development process
described in JP 3-60, Joint Targeting, apply generally to targeting in support of CO. In
addition, the coordination required by Chairman of the Joint Chiefs of Staff Manual
(CJCSM) 3139.01, (U) Review and Approval Process for Cyberspace Operations, for
certain OCO and DCO-RA missions is unique to CO and applies to many aspects of the
joint targeting cycle. Therefore, CO planners and decision makers often use a targeting
process specifically adapted to the circumstance. Three fundamental aspects of CO require
consideration in the targeting processes: recognizing cyberspace capabilities are a viable
option for engaging some designated targets; understanding a CO option may be preferable
in some cases, because it may offer low probability of detection and/or no associated
physical damage; and higher-order effects on targets in cyberspace may impact elements
of the DODIN, including retaliation for attacks attributed to the joint force. Additionally,
some characteristics unique to the cyberspace components of targets and to cyberspace
capabilities are described below.
IV-8 JP 3-12
Planning, Coordination, Execution, and Assessment
(1) Physical Network Layer Target Features. The physical network layer is
the medium where the data travels. It includes wired (e.g., land and undersea cable) and
wireless (e.g., radio, radio-relay, cellular, satellite) transmission means. It is a point of
reference for determining geographic location and the applicable legal framework.
(2) Logical Network Layer Target Features. The logical network layer
provides an alternate view of the target, abstracted from its physical location, and
referenced from its logical position in cyberspace. This position is often represented
through a network address (e.g., IP address). It depicts how nodes in the physical domains
address and refer to one another to form entities in cyberspace. The logical network layer
is the first point where the connection to the physical domains may be lost. Targeting in
the logical layer requires the logical identity and logical access to the target to have a direct
effect.
IV-9
Chapter IV
See JP 3-60, Joint Targeting, and CJCSI 3370.01, Target Development Standards, for
additional details on vetting, validation, and joint targeting working groups.
(1) A TST is a validated target of such high priority to friendly forces that the
commander designates it for immediate engagement because it poses (or will soon pose) a
threat to friendly forces or is a highly lucrative, fleeting target. TSTs are normally engaged
dynamically. However, to be successfully engaged, they require considerable planning and
preparation within the joint targeting cycle. Engaging TSTs in cyberspace is difficult in
most situations, because they are likely to cross-AORs and require detailed joint,
interagency, and/or multinational planning efforts.
IV-10 JP 3-12
Planning, Coordination, Execution, and Assessment
coordination and decision making as possible, based on the types of TSTs expected and
the nature of the mission, is the key to success.
See JP 3-60, Joint Targeting, for additional information on joint targeting, and JP 2-01,
Joint and National Intelligence Support to Military Operations, for additional information
on intelligence operations.
a. Clearly established command relationships are crucial for ensuring timely and
effective employment of forces, and CO require unity of command and unity of effort.
However, the complex nature of CO, where cyberspace forces can be simultaneously
providing actions at the global level and at the theater or JOA level, requires adaptations
to traditional C2 structures. Joint forces principally employ centralized planning with
decentralized execution of operations. CO require constant and detailed coordination
between theater and global operations, creating a dynamic C2 framework that can adapt to
the constant changes, emerging threats, and unknowns. Certain CO functions, including
protection of the DODIN’s global networks and pursuit of global cyberspace threats, lend
themselves to centralized planning and execution to meet multiple, near-instantaneous
requirements for response. Centrally controlled CO should be integrated and synchronized
with the CCDR’s regional or local CO, conducted by forces assigned or attached to the
CCDR, or in support of the CCDR. For these reasons, there may be times when C2 of
forces executing simultaneous global CO and theater CO is conducted using
supported/supporting command relationships under separate, but synchronized, chains of
command. CO are integrated and synchronized by the supported commander into their
CONOPS, detailed plans and orders, and specific joint operations.
IV-11
Chapter IV
routine cyberspace security actions for global networks will continue shifting to centralized
locations, such as a global enterprise operations center.
(1) The following relationships guide the C2 of cyberspace forces during normal
operating conditions, when no crisis or contingency is in effect:
IV-12 JP 3-12
Planning, Coordination, Execution, and Assessment
Combatant
USCYBERCOM Command
JCC/
Cyber Staff
*
CO-IPE CCMD
CPTs
Service
CNMF-HQ JFHQ-C Cyberspace JFHQ-DODIN
Components
Legend
CCMD combatant command JFHQ-C joint force headquarters-cyberspace
CMT combat mission team JFHQ-DODIN Joint Force Headquarters-Department
CNMF-HQ Cyber National Mission Force of Defense Information Network
Headquarters NMT national mission team
COCOM combatant command (command NST national support team
authority) OPCON operational control
CO-IPE cyberspace operations-integrated TACON tactical control
planning element USCYBERCOM United States Cyber Command
CPT cyberspace protection team
CST combat support team
DACO directive authority for cyberspace COCOM
operations OPCON
DOD Department of Defense TACON
DODIN Department of Defense information DACO
network supporting/supported
JCC Joint Cyber Center direct support
coordination
IV-13
Chapter IV
Combatant
USCYBERCOM Command
*
Mission Tailored JCC/
Force Package Cyber Staff
**
CO-IPE CCMD
CPTs
Service
CNMF-HQ JFHQ-C Cyberspace JFHQ-DODIN
Components
* USCYBERCOM Commander has OPCON of the mission-tailored force package and retains the flexibility to
delegate OPCON to subordinate headquarters depending on the nature of the crisis/contingency. The
commander receiving a mission-tailored force package has TACON to control the timing and tempo of
cyberspace operations.
**Organizational relationships between CO-IPEs and USCYBERCOM subordinate headquarters will be specified
via USCYBERCOM orders.
Legend
CCMD combatant command JFHQ-C joint force headquarters-cyberspace
CMT combat mission team JFHQ-DODIN Joint Force Headquarters-Department
CNMF-HQ Cyber National Mission Force of Defense Information Network
Headquarters NMT national mission team
CO-IPE cyberspace operations-integrated NST national support team
planning element OPCON operational control
CPT cyberspace protection team TACON tactical control
CST combat support team USCYBERCOM United States Cyber Command
DACO directive authority for cyberspace
operations
DOD Department of Defense OPCON
DODIN Department of Defense information TACON
network DACO
JCC Joint Cyber Center supporting/supported
direct support
coordination
IV-14 JP 3-12
Planning, Coordination, Execution, and Assessment
4. JFHQ-C commanders support more than one CCDR using the general
support model.
IV-15
Chapter IV
aware of the remote supporting forces’ operational status. In other cases, CPTs may be
deployed to specific locations where they are placed in direct support to local commanders
to resecure compromised cyberspace. In other cases where there is no local military
commander, for instance, when a CPT is deployed to assist a DOD agency, all C2
authorities remain with the CPT’s commander. Supported and supporting commanders
coordinate the deployment and employment of cyberspace forces required to accomplish
the assigned mission.
(3) Based on the nature of CO, the cyberspace C2 framework is adjusted for
flexible and agile C2 of cyberspace forces to ensure US freedom of action in cyberspace
while denying adversaries the same. For additional details beyond those discussed here,
refer to the applicable CJCS EXORD and other relevant orders.
IV-16 JP 3-12
Planning, Coordination, Execution, and Assessment
(3) Reachback. At the same time, CCMDs require the freedom and capability
to effectively plan, coordinate, and conduct theater and functional CO. To enable these
efforts, staff supporting GCCs and other CCDRs should arrange for timely and effective
reachback support from USCYBERCOM and its subordinate units to augment the
expertise and capacity of the supported commander.
(a) CCDRs size and structure their CO support staff to best support their
mission and requirements. This staff, supported by a USCYBERCOM CO-IPE,
coordinates CO requirements and capabilities throughout their planning, intelligence,
operations, assessment, and readiness processes to integrate and synchronize CO with other
military operations. Additionally, as necessary and in partnership with USCYBERCOM,
the CCMD coordinates regionally with interagency and multinational partners. The
CCMD:
IV-17
Chapter IV
of the operation, the cyberspace presence or sophistication of the adversary, and the types
of targets identified. Regardless of which elements are established, the overlaps between
global and theater missions in cyberspace, and relevant operational limitations, necessitate
close coordination, and potentially, some level of integration, among CCDRs conducting
multinational operations, CDRUSCYBERCOM, and other multinational and interagency
partners. See paragraph 9, “Multinational Considerations,” for additional information on
multinational CO.
IV-18 JP 3-12
Planning, Coordination, Execution, and Assessment
and processes related to IJSTO and its contribution to CO can be obtained from the IJSTO
planners at CCMD or Service component HQ.
c. EMS Factors
(2) Fires in and through the EMS. Cyberspace attack, EA, and offensive space
control (OSC) are deconflicted to maximize the impact of each type of fires.
Uncoordinated EA may significantly impact EMS-enabled cyberspace attack actions, and
vice-versa. Depending upon power levels, the geographic terrain in which they are used,
and the nature of the system being targeted, unintended effects of EA and OSC could also
occur outside of a local commander’s OA, just as higher-order effects of CO may be
possible outside the OA. The JFC and staff may need to comply with different coordination
requirements for the various types of fires that depend upon the EMS, forwarding requests
for execution as early in the planning process as possible to comply with US law and to
facilitate effective and timely effects. To minimize overlap, the primary responsibility for
cyberspace attack coordination between USCYBERCOM and the joint force resides with
the applicable JFHQ-C and USCYBERCOM CO-IPEs in coordination with the CCMD
CO staff. Refer to respective doctrine and policy documents of supported IRCs for
specifics on their authorities.
See JP 3-13.1, Electronic Warfare; JP 3-14, Space Operations; and JP 6-01, Joint
Electromagnetic Spectrum Management Operations, for more information on EMS factors.
IV-19
Chapter IV
military operation, and coordinated with lethal fires to create maximum effect on target.
Integrated fires are not necessarily simultaneous fires, since the timing of cyberspace attack
effects may be most advantageous when placed before or after the effects of lethal fires.
Each engagement presents unique considerations, depending upon the level and nature of
the enemy’s dependencies upon cyberspace. Supporting cyberspace fires may be used in
a minor role, or they can be a critical component of a mission when used to enable air, land,
maritime, space, and special operations. Forces operating lethal weapons and other
capabilities in the physical domains cannot use cyberspace fires to best advantage unless
they clearly understand the type and timing of planned effects in cyberspace. Properly
prepared and timed cyberspace fires can create effects that cannot be created any other
way. Poorly timed fires in cyberspace can be useless, or even worse, interfere with an
otherwise effective mission.
e. Risk Concerns. JFCs should continuously seek to minimize risks to the joint force,
as well as to friendly and neutral nations, societies, and economies, caused by use of
cyberspace. Coordinated joint force operations benefit from the use of various cyberspace
capabilities, including unclassified Web sites and Web applications used for
communication efforts with audiences internal and external to DOD. Forward-deployed
forces use the Internet, mobile phones, and instant messaging for logistics and morale
purposes, including communication with friends and family. These uses of cyberspace are
targeted by myriad actors, from foreign nations to malicious insiders. The JFC works with
JFHQ-DODIN and the Services, as well as with assigned cyberspace forces, to limit the
threat to the DODIN and mission partners’ cyberspace. Several areas of significant risk
exist for the JFC:
(1) Insider threats are a significant concern to the joint force. Because insiders
have a trusted relationship with access to the DODIN, the effects of their malicious or
careless activity can be far more serious than those of external threat actors. Any user who
does not closely follow cybersecurity policy can become an insider threat. Malicious
insiders may exploit their access at the behest of foreign governments, terrorist groups,
criminal elements, unscrupulous associates, or on their own initiative. Whether malicious
insiders are committing espionage, making a political statement, or expressing personal
disgruntlement, the consequences for DOD and national security can be devastating. JFCs
use risk mitigation measures for this threat, such as reinforcing training of the joint force
to be alert for suspicious insider activity and use of two-person controls on particularly
sensitive hardware, software, or data.
IV-20 JP 3-12
Planning, Coordination, Execution, and Assessment
b. The assessment process for external CO missions begins during planning and
includes measures of performance (MOPs) and measures of effectiveness (MOEs) of fires
and other effects in cyberspace, as well as their contribution to the larger operation or
objective. Historically, combat assessment has emphasized the battle damage assessment
(BDA) component of measuring physical and functional damage, but this approach does
not always represent the most complete effect, particularly with respect to CO. CO effects
are often created outside the scope of battle and often do not create physical damage.
Assessing the impact of CO effects requires typical BDA analysis and assessment of
physical, functional, and target system components. However, the higher-order effects of
cyberspace actions are often subtle, and assessment of second- and third-order effects can
be difficult. Therefore, assessment of fires in and through cyberspace frequently requires
significant intelligence collection and analysis efforts. Incorporating pre-strike prediction
and post-strike assessment for CO into the existing joint force staff processes increases the
likelihood that all objectives are met.
IV-21
Chapter IV
objectives, tasks, and subordinate targeting objectives and effects and to plan tactical
actions and MOPs/MOEs for those actions. Individual tactical actions typically combine
with other tactical actions to create operational-level effects; however, they can have
operational or strategic implications. Usually, the summation of tactical actions in an
operational theater is used to conduct an operational-level assessment principally operation
assessments (see JP 3-0, Joint Operations, and JP 5-0, Joint Planning), which in turn
supports the strategic-level assessment (as required). Operational MOPs/MOEs avoid
tactical information overload by providing commanders a shorthand method of tracking
tactical actions and maintaining situational awareness. MOPs and MOEs are clearly
definable and measurable, are selected to support and enhance the commander’s decision
process, and guide future actions that achieve objectives and attain end states.
(a) MOEs. MOEs are used to assess changes in targeted system behavior or
in the OE. They measure progress toward the attainment of an end state, achievement of
an objective, or creation of an effect. Data gathered on the target from its pre-mission state
through access, execution, and possibly long-term post-operations analysis may enable later,
more comprehensive assessment, including that of higher-order effects. MOEs generally
reflect a trend or show progress toward or away from a measurable threshold. While MOEs
may be harder to derive than MOP for a discrete task, they are nonetheless essential to
effective assessment. For example, a MOE for a cyberspace attack action might be a
meaningful reduction in the throughput of enemy data traffic or their shift to a more
interceptable means of communication. Assessment of CO takes place both inside and
outside of cyberspace. For instance, an OCO mission to disrupt electric power might be
assessed through visual observation to determine that the power is actually out.
IV-22 JP 3-12
Planning, Coordination, Execution, and Assessment
See JP 5-0, Joint Planning, for a detailed description of assessment. See JP 3-60, Joint
Targeting, and Defense Intelligence Agency Publication 2820-4-03, Battle Damage
Assessment (BDA) Quick Guide, for more information on the assessment process related to
targeting, BDA, and munitions effectiveness assessment.
8. Interorganizational Considerations
a. When appropriate, JFCs coordinate and integrate their CO with interagency partners
during planning and execution. Effective integration of interagency considerations is vital
to successful military operations, especially when the joint force conducts shaping, stability,
and transition to civil authority activities. Just as JFCs and their staffs consider how the
capabilities of other USG components and NGOs can be leveraged to assist in accomplishing
military missions and broader national strategic objectives, JFCs should also consider the
capabilities and priorities of interagency partners in planning and executing CO. In
collaboration with interagency representatives, JS, and USCYBERCOM, JFCs should
coordinate with interagency partners during CO planning to help ensure appropriate
agreements exist to support their plans.
b. At the national level, the National Security Council, with its policy coordination
committees and interagency working groups, advises and assists the President on all aspects
of national security policy. OSD and JS, in consultation with the Services and CCMDs,
coordinate interagency support required to support the JFC’s plans and orders. While
supported CCDRs are the focal points for interagency coordination in support of operations
in their AORs, interagency coordination with supporting commanders is also important. For
integration into their operational-level estimates, plans, and operations, commanders should
only consider interagency capabilities and capacities that interagency partners can
realistically commit to the effort.
c. Military leaders work with the other members of the national security team to
promote unified action. A number of factors can complicate the coordination process,
including various agencies’ different and sometimes conflicting policies, overlapping legal
authorities, roles and responsibilities, procedures, and decision-making processes for CO. A
supported commander develops interagency coordination requirements and mechanisms for
each OPLAN. The JFC’s staff requires a clear understanding of military CO capabilities,
requirements, operational limitations, liaison, and legal considerations. Additionally,
planners should understand the nature of this relationship and the types of CO support
interagency partners can provide. In the absence of a formal interagency command structure,
JFCs are required to build consensus to achieve unity of effort. Robust liaison facilitates
understanding, coordination, and mission accomplishment.
IV-23
Chapter IV
relationships between civilian and military planners, providing a CCDR with the capability
to collaborate at the operational level with other USG departments and agencies. JIACG
members participate in all appropriate planning efforts. Additionally, they provide a
collaborative conduit back to their parent organizations to help synchronize joint operations
with the efforts of nonmilitary organizations. In the absence of a JIACG focused on CO,
planners may find it more difficult to verify that all mission partner equities in cyberspace
are accounted for and, therefore, should begin to develop contacts with relevant departments
and agencies as soon as the planning process begins.
9. Multinational Considerations
a. Collective security is a strategic objective of the US, and joint planning is frequently
accomplished within the context of planning for multinational operations. There is no single
doctrine for multinational action, and each alliance or coalition develops its own protocols
and plans. US planning for joint operations accommodates and complements such protocols
and plans for potential use of US cyberspace forces to protect MNF networks. JFCs also
anticipate and incorporate mission partner planning factors, such as their domestic laws,
regulations, and operational limitations on the use of various cyberspace capabilities and
tactics.
b. When working within an MNF, each nation and Service can expect to be tasked by
the commander with the mission(s) most suited to their particular capability and capacity.
For example, a CPT supporting a CCMD could be tasked, with the agreement of all nations
involved, to investigate and mitigate the effects of malicious cyberspace activity on a
multinational network. CO planning, coordination, and execution items that require
consideration when an MNF operation or campaign plan is developed include:
(1) National agendas of the PNs on an MNF may differ significantly from those of
the US, creating potential difficulties in determining the CO objectives.
(4) Nations in an MNF often require approval for the CO portion of plans and
orders from higher authority, which may impede CO implementation. This national-level
approval requirement increases potential constraints and restraints upon the participating
national forces and further lengthens the time required to gain approval for their participation.
Commanders and planners should be proactive in seeking to understand PNs’ laws, policies,
and other matters that might affect their use of CO and anticipate the additional time required
for approval through parallel national command structures. Partners’ national caveats and
ROE are often not transmitted thoroughly to commanders and planners, potentially leading
to misunderstanding, delays, and incompleteness in execution.
IV-24 JP 3-12
Planning, Coordination, Execution, and Assessment
(5) Security restrictions may prevent full disclosure of individual CO plans and
orders between multinational partners; this may complicate cyberspace synchronization
efforts. Therefore, the JFC’s staff should seek approval for sharing required information
among partners and then issue specific guidance on the release of classified US material to
the MNF as early as possible during planning. Likewise, once these information-sharing
restrictions are identified by each nation, policy should be established and mechanisms put
in place to encourage appropriate CO-related information sharing across the force. These
considerations further highlight the importance of ensuring CO material is not over classified
and is releasable to partners to the greatest extent possible.
IV-25
Chapter IV
relationship, especially in the case of conducting CO, because doing so could compromise
their status as an independent entity, restrict their freedom of movement, and even place their
members at risk in uncertain or hostile environments.
IV-26 JP 3-12
APPENDIX A
(U) CLASSIFIED PLANNING CONSIDERATIONS FOR CYBERSPACE
OPERATIONS
(PUBLISHED SEPARATELY)
A-1
Appendix A
Intentionally Blank
A-2 JP 3-12
APPENDIX B
CYBERSPACE OPERATIONS
POINTS OF CONTACT
B-1
Appendix B
Intentionally Blank
B-2 JP 3-12
APPENDIX C
REFERENCES
1. General
o. National Security Directive 42, National Policy for the Security of National
Security Telecommunications and Information Systems.
C-1
Appendix C
m. DODD 5505.13E, DOD Executive Agent (EA) for the DOD Cyber Crime Center
(DC3).
C-2 JP 3-12
References
a. CJCSI 3121.01B, (U) Standing Rules of Engagement/Standing Rules for the Use of
Force for US Forces.
g. CJCSM 3139.01, (U) Review and Approval Process for Cyberspace Operations.
p. JP 3-07, Stability.
C-3
Appendix C
C-4 JP 3-12
APPENDIX D
ADMINISTRATIVE INSTRUCTIONS
1. User Comments
Users in the field are highly encouraged to submit comments on this publication using
the Joint Doctrine Feedback Form located at:
https://jdeis.js.mil/jdeis/jel/jp_feedback_form.pdf and e-mail it to:
[email protected]. These comments should address content
(accuracy, usefulness, consistency, and organization), writing, and appearance.
2. Authorship
a. The lead agent for this publication is USCYBERCOM, and the JS doctrine sponsor
for this publication is the Director for Global Operations (J-39).
3. Supersession
4. Change Recommendations
b. When a Joint Staff directorate submits a proposal to the CJCS that would change
source document information reflected in this publication, that directorate will include a
proposed change to this publication as an enclosure to its proposal. The Services and other
organizations are requested to notify the Joint Staff J-7 when changes to source documents
reflected in this publication are initiated.
5. Lessons Learned
The Joint Lessons Learned Program (JLLP) primary objective is to enhance joint force
readiness and effectiveness by contributing to improvements in doctrine, organization,
training, materiel, leadership and education, personnel, facilities, and policy. The Joint
Lessons Learned Information System (JLLIS) is the DOD system of record for lessons
learned and facilitates the collections, tracking, management, sharing, collaborative
resolution, and dissemination of lessons learned to improve the development and readiness
of the joint force. The JLLP integrates with joint doctrine through the joint doctrine
D-1
Appendix D
development process by providing lessons and lessons learned derived from operations,
events, and exercises. As these inputs are incorporated into joint doctrine, they become
institutionalized for future use, a major goal of the JLLP. Lessons and lessons learned are
routinely sought and incorporated into draft JPs throughout formal staffing of the
development process. The JLLIS Website can be found at https://www.jllis.mil
(NIPRNET) or http://www.jllis.smil.mil (SIPRNET).
6. Distribution of Publications
a. Joint Staff J-7 will not print copies of JPs for distribution. Electronic versions are
available on JDEIS Joint Electronic Library Plus (JEL+) at
https://jdeis.js.mil/jdeis.index.jsp (NIPRNET) and http://jdeis.js.smil.mil/jdeis.index.jsp
(SIPRNET), and on the JEL at http://www.jcs.mil/Doctrine (NIPRNET).
b. Only approved JPs are releasable outside the combatant commands, Services, and
Joint Staff. Defense attachés may request classified JPs by sending written requests to
Defense Intelligence Agency (DIA)/IE-3, 200 MacDill Blvd., Joint Base Anacostia-
Bolling, Washington, DC 20340-5100.
D-2 JP 3-12
GLOSSARY
PART I—ABBREVIATIONS, ACRONYMS, AND INITIALISMS
GL-1
Glossary
EA electronic attack
EMS electromagnetic spectrum
EW electronic warfare
EXORD execute order
HQ headquarters
LE law enforcement
LOC line of communications
GL-2 JP 3-12
Glossary
NG National Guard
NGB National Guard Bureau
NGO nongovernmental organization
NIPRNET Non-classified Internet Protocol Router Network
NMT national mission team
NST national support team
OA operational area
OCO offensive cyberspace operations
OE operational environment
OPCON operational control
OPLAN operation plan
OPORD operation order
OPSEC operations security
OSC offensive space control
OSD Office of the Secretary of Defense
OSINT open-source intelligence
RC Reserve Component
RFI request for information
ROE rules of engagement
GL-3
Glossary
cyberspace attack. Actions taken in cyberspace that create noticeable denial effects (i.e.,
degradation, disruption, or destruction) in cyberspace or manipulation that leads to
denial that appears in a physical domain, and is considered a form of fires. (Approved
for inclusion in the DOD Dictionary.)
cyberspace defense. Actions taken within protected cyberspace to defeat specific threats
that have breached or are threatening to breach cyberspace security measures and
include actions to detect, characterize, counter, and mitigate threats, including
malware or the unauthorized activities of users, and to restore the system to a secure
configuration. (Approved for inclusion in the DOD Dictionary.)
cyberspace superiority. The degree of dominance in cyberspace by one force that permits
the secure, reliable conduct of operations by that force and its related land, air,
maritime, and space forces at a given time and place without prohibitive interference.
(Approved for incorporation into the DOD Dictionary.)
GL-4 JP 3-12
defensive cyberspace operations-response actions. Operations that are part of a
defensive cyberspace operations mission that are taken external to the defended
network or portion of cyberspace without the permission of the owner of the affected
system. Also called DCO-RA. (Approved for replacement of “defensive cyberspace
operation response action” and its definition in the DOD Dictionary.)
directive authority for cyberspace operations. The authority to issue orders and
directives to all Department of Defense components to execute global Department of
Defense information network operations and defensive cyberspace operations internal
defensive measures. Also called DACO. (Approved for inclusion in the DOD
Dictionary.)
information assurance. None. (Approved for removal from the DOD Dictionary.)
GL-5
Glossary
Intentionally Blank
GL-6 JP 3-12
JOINT DOCTRINE PUBLICATIONS HIERARCHY
JP 1
JOINT
DOCTRINE
All joint publications are organized into a comprehensive hierarchy as shown in the chart above. Joint
Publication (JP) 3-12 is in the Operations series of joint doctrine publications. The diagram below
illustrates an overview of the development process:
Initiation
ENHANCED
JOINT JOINT
WARFIGHTING DOCTRINE
CAPABILITY PUBLICATION
Approval Development