US Army NGC2 Prototype Had “Critical Deficiencies” in Zero Trust Security Before Ivy Sting Trials
The U.S. Army has resolved critical cybersecurity flaws in the prototype of its new Next Generation Command and Control (NGC2) system — a project regarded as a cornerstone of the military’s digital transformation. Early testing revealed vulnerabilities that could have resulted in data loss and operational compromise. These issues surfaced shortly before the large-scale Ivy Sting trials, designed to scale the system to an entire division level.
A document dated September 5 delivered a stark assessment of the platform’s state, stating that NGC2 “in its current form exhibits critical deficiencies in fundamental protections, procedures, and governance,” posing risks of unauthorized access, data leaks, and even potential danger to personnel. The memo by Kiwuli highlighted insufficient oversight over the integration of new capabilities and warned that development was progressing faster than security monitoring could keep pace.
After the memorandum was leaked and circulated throughout the defense industry, Army leadership announced three weeks later that all risks had been mitigated. According to Army CIO Leonel Garciga, enhanced cybersecurity protocols enabled rapid problem detection, contractor mobilization, and the implementation of corrective measures. He emphasized that the incident did not delay the program or disrupt testing.
Officials at the Army Network Technology Command noted that uncovering such vulnerabilities early was a deliberate feature of the development strategy. A spokesperson stated that this exemplifies the “security-by-design” approach — threats are discovered during prototyping, resolved immediately, and the system is strengthened prior to deployment. The situation, they added, should be seen as a positive example of how the project is meant to evolve.
NGC2 stands as the Army’s flagship technology initiative, intended to replace legacy command networks with a software-defined architecture offering unified data access and real-time force management. The project is being built entirely from the ground up, independent of previous systems. In July, the Army allocated approximately $100 million to Anduril and a consortium of contractors to develop a prototype for the 4th Infantry Division, slated for testing during Project Convergence Capstone 6 this summer. The system represents a key pillar in the broader digital transformation of the U.S. armed forces.
Kiwuli’s memorandum, issued ten days before the first Ivy Sting demonstration, outlined an extensive array of threats — including inadequate access control, unverified and potentially vulnerable third-party code, weak data management practices, and poor data flow monitoring. It asserted that the system operated with known but unresolved vulnerabilities and lacked an appointed officer responsible for operational security. The memo also criticized the platform for functioning as a “black box,” where user activity within the network could not be effectively traced.
Particular attention was drawn to the absence of Role-Based Access Control (RBAC), which allowed any authorized user to view and modify all information — a direct violation of the Zero Trust principles mandated by the Pentagon. It also noted that the Palantir Federal Cloud service in use had not undergone official security evaluation or received an authorization to operate, and that applications had not been subjected to standard vulnerability scanning.
By mid-September, however, Garciga reported that NGC2 had successfully passed the first phase of Ivy Sting testing. The trials demonstrated that the newly implemented cybersecurity procedures enabled the identification and remediation of all weaknesses without impacting the schedule. Army officials concluded that NGC2 marks the beginning of a “generational restructuring” of the military’s command architecture, and that the vulnerabilities, rather than being a setback, served as proof of the effectiveness of the Army’s new model for proactive threat detection and rapid incident response.