Pentesting The Public Sector through the IRT Program
CPT Andrew Wilmoth
Background
The Innovative Readiness Training Program (IRT) is a collaborative program that leverages military contributions and community resources to multiply value and cost savings for participants. At its core, the IRT program provides a pathway for military training to work hand-in-hand with State/Local/Tribal/Territorial governments, as well as public sector organizations, to benefit American institutions and communities. Since its founding it has been integral for hundreds of training opportunities across the US, with medicine, engineering, and construction being key facets from the start.
How the MT Cyber Team Learned to “Do The Cyber”
The Idaho National Guard “cracked the nut” on Cyber IRT projects in 2022, being the first to stand up an IRT project as part of Cyber Discovery, a regional cyber exercise hosted by the Idaho National Guard. Cyber Discovery 2022 first taught students CISA’s Cyber Resilience Review (CRR) assessment methodology, with instruction from CISA’s AES department, and then had them conduct CRR assessments with Idaho public sector organizations, including Idaho school districts and the Idaho Department of Labor. Cyber Discovery 2023 followed a similar path, first teaching students CISA’s Risk and Vulnerability Assessment (RVA) methodology, and then conducting a grey-box penetration test on an Idaho public sector organization.
Montana brought this training home in 2024, conducting the CyberCat IRT Project with Montana State University, and again in 2025 with the recently concluded CyberGriz IRT Project with University of Montana.
What does this look like for Montana public sector participants?
The biggest benefit of any IRT project is that the costs to the civilian participants are low-to-zero. National Guard members conduct the training while on a paid status, usually as part of their drill days or annual training days (those “one weekend a month, two weeks in the summer” days you’ve probably heard of). For Montana, our on-site lodging and transportation are paid for internally, so the only things you have to provide are space for us to work and the necessary coordination with whatever stakeholders will be involved.
Assessment days are scheduled during the week as the participants’ stakeholders are available. Those “one weekend a month, two weeks in the summer” days are flexible to meet your availability, and can generally be thought of as “two days per month” and “fifteen days for anytime”.
Our process so far has been to conduct a two-day CRR assessment with the “main” campus or business unit one month, then the following month conduct a two-day CPG assessment with the satellite/subordinate campuses or business units. (CPGs are just a slimmed-down version of the CRR.) This can be broken out into multiple sites each month, as the Cyber Team has enough members to support 4-5 CRR/CPG assessments at a time, assuming all members are available. At the end of each assessment, the participants will have assessment results and a report they can take with them, as well as any related best practices.
Once the CRRs and CPGs are complete, we will transition to the penetration test. Initial coordination is typically over email or video calls like Zoom to establish the Scope of Work and Rules of Engagement, and to smooth out any issues. The penetration test typically uses the 15 days of annual training we have available; so far we have found the most benefit in using the days in three sessions of 5 days each, Monday to Friday. This is entirely flexible depending on the project requirements and the availability of the Cyber Team.
We utilize CISA’s Risk and Vulnerability Assessment methodology, which takes an “outside-in” approach where we first evaluate your network broadly, unauthenticated, through scans and research; then narrowly, unauthenticated, through targeted scans and exploits; then broadly and narrowly again, but with basic user credentials in an “assumed breach” scenario. This provides us with a comprehensive look at your network with the limited time we have.
We generally utilize common open-source tools available with Kali Linux, Tenable Nessus Professional scanners, Metasploit Professional, and other scanners. We also have our own process to vet and incorporate open-source projects into our toolkit to ensure we are using the tools the bad guys might use, while avoiding potential viruses and malicious code.
At the end of each week of the RVA we will conduct an out-brief outlining the major findings and results of that week’s work. At the completion of the penetration test, we will conduct a final out-brief going over all of the results, as well as provide you a formal penetration test report and all artifacts and evidence from the penetration test.
How do I get started?
Generally, the process is:
- Contact the MT Guard Cyber Team with your interest in an IRT project
- Apply for and complete the IRT paperwork online on the IRT website in coordination with the Cyber Team Point-of-Contact
- Once approved, the project begins! The Cyber Team will coordinate with you to begin scheduling.
Frequently Asked Questions
What authorities are involved?
- Section 2012 of Title 10, United States Code authorizes the IRT program and provides the necessary legal framework. Public Sector Organizations and governments are the intended participants of the IRT program.
What is the CRR assessment?
- It is a business process assessment based on NIST 800-53 and the NIST Cybersecurity Framework that looks at your Cybersecurity policies and procedures and assesses their maturity. The CRR is ~360 questions long and takes about two days to complete due to the conversations it drives.
How does that differ from the CPG assessment?
- The Cyber Performance Goals assessment is basically a slimmed down version of the CRR, focused on high-priority security actions and immediate “things” that an organization can do to better their cybersecurity posture.
- Think of the CRR as if it’s an internal audit against the NIST standards, and the CPGs as “stuff everyone should be doing”.
What do you do with the assessment data?
- Provide it to you at the end of the assessment. We do not provide data to CISA unless you request to participate in their PCII program.
- All assessment data will be consolidated into an encrypted zip file and stored securely for 1 year as a backup for the stakeholder.