CYBERSPACE AND ELECTROMAGNETIC WARFARE OPERATIONS HEADQUARTERS, DEPARTMENT OF THE ARMY
*FM 3-12
Field Manual
No. 3-12
Headquarters
Department of the Army
Washington, DC, 17 September 2025
CYBERSPACE AND ELECTROMAGNETIC WARFARE OPERATIONS
Chapter 1 Overview and Threat
This chapter begins with an overview of the context for cyberspace and electromagnetic warfare operations as part of combined arms. It goes on to discuss operational environments, threats, and hazards. The chapter concludes with a discussion of systems analysis to support targeting and protection planning.
Chapter 2 Cyberspace Operations
This chapter describes how different portions of cyberspace may be controlled and operated by different entities, with users relying on systems they neither control nor operate. It goes on to discuss how Army forces protect against threat use of cyberspace and preserve friendly ability to use it. The chapter concludes with an explanation of the conduct of operations against threats in and through cyberspace as well as in the air and land domains based on their reliance upon cyberspace.
JOINT AND ARMY NETWORKS
2-1. Cyberspace is a manmade domain. Its components are built and operated for certain purposes. Cyberspace includes enterprise and tactical networks, civilian cell phones, telecommunications infrastructure, other components of critical infrastructure, and weapon systems. Among other devices, as parts of cyberspace, information technology systems perform networking, information processing, and other tasks typically associated with home computers and the Internet. The DODIN comprises the entire portion of DOD cyberspace.
DEPARTMENT OF DEFENSE INFORMATION NETWORK
2-2. The Department of Defense information network is the set of information capabilities and associated processes owned or leased by the Department of Defense for collecting, processing, storing, disseminating, and managing information, whether interconnected or stand-alone (JP 6-0). The DODIN includes common enterprise service networks, intelligence networks operated by the DOD components, stand-alone mission and weapon systems, other special-purpose networks, DOD-owned smartphones, radio frequency identification tags, industrial control systems, isolated laboratory networks, and platform information technology operated by or on behalf of the DOD components.
2-3. The DODIN interacts with and provides connections to national and global cyberspace. The DODIN encompasses the Service-specific enclaves of the Army, Navy, Air Force, Marine Corps, and Space Force combined with joint capabilities provided by the Defense Information Systems Agency. The DODIN provides access to Defense Information Systems Network services, including SECRET Internet Protocol Router Network, Nonclassified Internet Protocol Router Network, and classified mission partner networks.
DEPARTMENT OF DEFENSE INFORMATION NETWORK-ARMY
2-4. The Department of Defense information network-Army (DODIN-A) is an Army-operated enclave of the Department of Defense information network that encompasses all Army information capabilities that collect, process, store, display, disseminate, and protect information worldwide (ATP 6-02.71). The DODIN-A includes all Army automated information systems and networks, including stand-alone networks supporting intelligence, sustainment, medical, Army National Guard, and United States Army Reserve.
SIGNAL SUPPORT
2-5. Signal units have effectively integrated communications capabilities across the air, land, maritime, space, and cyberspace domains for decades. The DODIN-A and the services it extends enable collaboration and synchronization across domains and among mission partners. Signal support is a key enabler for Army operations. Signal Soldiers install, operate, maintain, and secure the DODIN-A in locations where both friendly and threat cyberspace operations occur.
2-6. Given the high risk to the network, signal operators and information system users must continuously manage risk and secure their respective portions of the DODIN-A. Signal planners and cybersecurity personnel assess cybersecurity risk during network design, mitigate risk in software employment, and continuously monitor for signs of malicious activity within the network. Individual users must maintain cybersecurity awareness and learn to identify signs of malicious cyberspace activity. While cybersecurity efforts cannot prevent every intrusion, commanders and their staffs must take steps to identify, prioritize, and secure their most important networks and data. See appendix D for more information about recognizing and responding to malicious cyberspace activity. Refer to FM 6-02 and ATP 6-02.71 for more information about signal support and DODIN operations in Army networks.
CYBERSPACE DEFENSE
2-7. Cyberspace defense is actions taken within protected cyberspace to defeat specific threats that have breached or are threatening to breach cyberspace security measures (JP 3-12). Cyberspace defense includes actions to detect, characterize, counter, and mitigate threats, including malware or the unauthorized activities of users, and to restore the system to a secure configuration. Cyberspace defense is a shared mission between cyberspace defense forces, local network defenders, and cybersecurity service providers.
DEFENSIVE CYBERSPACE OPERATIONS
2-8. Defensive cyberspace operations are missions to preserve the ability to utilize and protect blue cyberspace capabilities and data by defeating on-going or imminent malicious cyberspace activity (JP 3-12). Corps, division, and brigade commanders can gain important tactical advantages through cyberspace if they understand the nature and potential of the cyberspace domain. During planning, the CEMA section identifies mission-relevant terrain in cyberspace to support both targeting and protection planning. Assets identified as friendly mission-relevant terrain in cyberspace contribute to the critical asset list and the defended asset list.
Note. Joint doctrine for cyberspace operations makes use of the colloquial terms blue, gray, and red cyberspace. The Army refers to these portions of cyberspace respectively as friendly, neutral, and threat cyberspace.
2-9. Networks inherently make it difficult to detect and identify malicious activity where the avenues of approach are wide. Furthermore, threat forces move at the speed of the network. Defense involves building or changing the terrain, consolidating information, and restricting routes. Developing named areas of interest and target areas of interest in terms of system nodes and links (which may include temporary denial to friendly systems) is necessary for effective cyberspace defense. Further necessary actions include vulnerability assessments to understand the attack surface and threat avenues of approach and inform defensive planning. Because many cyberspace nodes exist in other domains (primarily land and space), defending friendly cyberspace requires active defense in other domains. Because many capabilities in the air, land, maritime, and space domains depend on cyberspace, those capabilities require cyberspace defense as well as defense in their respective physical domains.
2-10. Defensive cyberspace operations are further categorized based on mission, intent, and the location of the actions in cyberspace as—
• Defensive cyberspace operations-internal defensive measures.
• Defensive cyberspace operations-response actions.
Defensive Cyberspace Operations-Internal Defensive Measures
2-11. Defensive cyberspace operations-internal defensive measures are a defensive cyberspace operations mission in which defense actions occur within the defended portion of cyberspace (JP 3-12). The defended portion of cyberspace for the Army is typically considered to be the DODIN-A, which provides classified and nonclassified voice, data, and video connectivity and is a network extending from the strategic level to as low as individual Soldiers.
2-12. At the brigade, commanders are primarily concerned with cybersecurity activities to harden their respective portions of the network and ensure the general confidentiality, integrity, and availability of command and control information systems. These actions are informed by configuration guides, best practices, and general knowledge of cyberspace vulnerabilities, agnostic of threat activities or tactics, techniques, and procedures. In the event of suspected malicious cyberspace activity affecting brigade assets, personnel are expected to report these activities in accordance with the unit standard operating procedure (SOP) for remediation by local network defenders or higher headquarters. See appendix A for cyber incident reporting procedures.
2-13. The division secures and defends its portion of the network and provides defensive cyberspace operations support to subordinate brigade combat teams. For example, the division cyber team may have intelligence indicating a threat is targeting the unit and take steps to counter the indicated activity.
2-14. At the corps, the CEWO and CEMA section maintain direct dialog with the joint cyberspace center and Joint Force Headquarters-Cyber as required to track requests for cyberspace effects and to enable shared understanding of designated cyberspace.
Defensive Cyberspace Operations-Response Actions
2-15. Defensive cyberspace operations-response actions are a defensive cyberspace operations mission executed external to the defended network or portion of cyberspace without the permission of the owner of the affected system (JP 3-12). Defensive cyberspace operations-response actions consist of the same cyberspace actions as offensive cyberspace operations (cyberspace exploitation and cyberspace attack) but are undertaken for defensive purposes to prevent a threat from conducting malicious cyberspace activity against friendly networks. Defensive cyberspace operations-response actions missions are undertaken by cyber mission forces under USCYBERCOM authorities and rules of engagement.
CYBERSPACE DEFENSE MISSIONS AND FUNCTIONS
2-16. The combatant command, Service, or DOD agency that provides or operates the network is generally authorized to take steps to harden their portion of the network and manage risk. These organizations take cyberspace defense actions except in cases where those actions would negatively impact networks or systems outside of their responsibility. Cyber protection teams may reinforce local network defenders to undertake cyberspace defense actions. DOD Cyber Defense Command directs and synchronizes all defensive actions that impact more than one combatant command or have impacts outside the responsibility of the network owner.
Analytic Support to Defensive Cyberspace Operations
2-17. Analytic support enables the movement, processing, and analysis of data to build real-time network situational understanding and enhance cyberspace defense. Data analytics are an essential function for defensive cyberspace operations. Analytics provide the means to understand the cyberspace environment and to detect and characterize threat cyberspace activity. Refer to TC 3-12.2.4.1 for more information about analytic support to defensive cyberspace operations.
Mission Thread Defense
2-18. In DOD usage, mission thread refers to a set or arrangement of systems that results when independent and useful systems are integrated into a larger system that delivers unique capabilities. The mission thread includes all tasks to carry out a mission and satisfy a defined objective. Threads define the task execution sequence in a chain of events of how systems, people, data, methods, tactics, timing, and interfaces interact to complete necessary tasks to achieve a mission objective. Examples of mission threads include kill chains (lethal) or effects chains (nonlethal). Mission thread defense is a change from traditional point defenses in cyberspace that failed to account for mission, network, and data interdependencies. Defensive cyber forces conduct mission thread analysis (systems analysis) as described in chapter 1 to identify the critical capabilities and dependencies for a mission thread, identify defended assets, and plan appropriate defenses. Refer to TC 3-12.2.90 for more information about mission thread defense.
Hunt Operations
2-19. Defensive cyber forces conduct hunt operations with the assumption that threats may already be present in friendly networks and may have the initiative. Depending on operational objectives, hunt operations may be analogous to reconnaissance, counterreconnaissance, or movement to contact in the air, land, or maritime domain as cyber defenders seek to answer reconnaissance objectives, counter threat presence, or establish contact with the threat. Refer to TC 3-12.2.98 for more information about hunt operations.
Hunt Forward Operations in Ukraine
U.S. joint forces, in close cooperation with the government of Ukraine, conducted defensive cyberspace operations alongside Ukrainian Cyber Command personnel from December 2021 to March 2022 as part of a wider effort to enhance the cyber resiliency of critical Ukrainian national networks. In late 2021, with the consent of Ukraine, USCYBERCOM deployed its largest hunt forward team yet. The joint team of Navy and Marine Corps cyber operators hunted for malicious cyberspace activity on Ukrainian networks. The operation persisted until days before Russian forces launched a wide-scale invasion of the nation. The Ukrainian government provided the hunt forward teams with access to multiple networks. Sitting side-by-side, Ukrainian and U.S. cyber professionals began a meticulous, multi-pronged hunt looking for suspected malicious cyberspace activity. This mission postured Ukrainian cyber professionals to identify and address vulnerabilities on their networks and mitigate them in order of severity.
CYBERSPACE OFFENSE
2-20. Offensive cyberspace operations are missions intended to project power in and through cyberspace (JP 3-12). Offensive cyberspace operations missions are executed by direction of Commander, USCYBERCOM to support combatant commander objectives or other national security objectives.
2-21. Cyber mission forces conduct offensive cyberspace operations outside of DOD networks by conducting cyberspace surveillance and reconnaissance and cyberspace effects operations to expose threat infrastructure to risk in support of a commander’s objectives. Commanders must integrate offensive cyberspace operations planning throughout the operations process to support the combined arms scheme of maneuver.
2-22. The Army provides cyber forces to the joint force, trained to perform offensive cyberspace operations across the competition continuum. Cyber mission forces may conduct offensive cyberspace operations to support commanders at echelons corps and below through the joint targeting process in response to requests for support. Targets identified for cyberspace effects require extended planning time, target development, extended approval time, synchronization, and deconfliction with other mission partners. See chapter 4 for a detailed discussion of targeting considerations in cyberspace.
CYBERSPACE SURVEILLANCE AND RECONNAISSANCE
2-23. Cyberspace surveillance and reconnaissance is a cyberspace exploitation action conducted on behalf of the joint force commander, authorized by an execute order and conducted by a military cyber unit that has been given direct support authority by Commander, USCYBERCOM. Cyberspace surveillance and reconnaissance includes activities in cyberspace conducted to gather information required to support planning and execution of current and future offensive cyberspace operations. Cyberspace surveillance and reconnaissance focuses on tactical and operational information and on identifying and mapping threat cyberspace to support planning. Army units conducting cyberspace surveillance and reconnaissance operate as part of the joint force supporting cyberspace operations missions.
CYBERSPACE EXPLOITATION
2-24. Cyberspace exploitation requires forces trained to a standard that prevents compromise of related operations. Cyberspace exploitation is conducted pursuant to military authorities and must be coordinated and deconflicted with other U.S. Government departments and agencies. Cyberspace exploitation actions include—
• Access creation.
• Intelligence activities.
• Maneuver.
• Information collection.
• Other enabling actions required to prepare for future military operations.
2-25. Cyberspace exploitation includes actions to gain and maintain cyberspace superiority and support intelligence preparation of the operational environment for current and future operations through activities such as—
• Gaining and maintaining unauthorized access to threat networks, systems, and nodes of military value.
• Maneuvering to positions of advantage.
• Positioning cyberspace capabilities to enable follow-on actions, such as a cyberspace attack.
2-26. Cyberspace exploitation supports current and future operations through collection of information, including—
• Mapping threat and neutral cyberspace to develop situational understanding.
• Discovering threat cyberspace vulnerabilities.
• Enabling—
  ▪ Joint intelligence preparation of the operational environment.
  ▪ Threat warning.
  ▪ Joint target development.
• Supporting the planning, execution, and assessment of military operations throughout the operational environment.
CYBERSPACE ATTACK
2-27. Cyberspace attack consists of actions taken in and through cyberspace that create denial (i.e., degradation, disruption, or destruction) or manipulation effects in cyberspace and are considered a form of fires (JP 3-12). Cyberspace attack may be conducted for offensive cyberspace operations (see paragraph 2-20) or defensive cyberspace operations-response actions (see paragraph 2-15).
2-28. Cyberspace attack actions may limit a threat’s ability to use cyberspace to harm the United States and its allies. For example, a cyberspace attack that targets a threat’s critical infrastructure to disrupt their ability to exercise command and control over hostile forces and deny the transfer of information residing on, or in transit between, computers or mobile devices.
2-29. Cyberspace attacks provide commanders a way to degrade, disrupt, or destroy the threat’s freedom of action in cyberspace. Preserving friendly freedom of action through cyberspace defense while denying the same to threats through cyberspace attack offers commanders an operational advantage.
2-30. The Army provides forces trained to conduct offensive cyberspace operations. Cyber mission forces may only conduct offensive cyberspace operations when delegated the appropriate authorities by the combatant command and USCYBERCOM.
2-31. Cyberspace operations can create both lethal and nonlethal effects. It is important for commanders to understand offensive cyberspace operations can create desired effects from the strategic level (influence and deterrence) to the tactical level (disruption or destruction of a threat capability), destroying or otherwise denying the threat’s ability to tactically maneuver. The requesting unit submits a cyber effects request format (CERF) to their higher headquarters articulating the desired effect along with other coordinating instructions. When the CERF reaches the joint force headquarters, the cyberspace operations integrated planning element further develops the target through the joint targeting cycle and enters a request for service in the USCYBERCOM request for service portal. If offensive cyberspace operations support is approved, the capabilities used to produce the desired effects must be resourced by the higher headquarters or national-level cyber forces.
2-32. Cyberspace attacks are conducted by joint force commanders with the mission and authority to create offensive effects in or through cyberspace after having deconflicted them with Commander, USCYBERCOM. Targeting for cyberspace generally follows the processes and procedures used for traditional targeting but must account for the unique nature of cyberspace as compared to the air, land, maritime, and space domains and the unique requirements for matching cyberspace capabilities to targets in cyberspace. Combatant command staffs develop targets according to combatant commander priorities and forward them to USCYBERCOM for validation and possible action. Refer to JP 3-12 for more information about joint targeting in cyberspace.
CYBERSPACE OFFENSE AT BATTALION AND BELOW
2-33. Effects in cyberspace at echelons battalion and below are likely to be delivered by available lethal and nonlethal fires capabilities. Offensive cyberspace operations support is unlikely to be approved and resourced at these echelons. The commander’s targeting guidance describes the desired effects to be generated by lethal fires, maneuver, cyberspace attack, electromagnetic attack, or other nonlethal capability. Targeting enables the commander to leverage lethal and nonlethal attack capabilities (within fire control measures) to produce the desired effects in support of operations. If the scheme of maneuver requires effects in cyberspace, the commander either engages the target with organic lethal or nonlethal fires capabilities or requests this support from higher echelons through the brigade combat team. If the brigade combat team, division, or corps cannot meet the battalion’s support requirements, the support may be provided by joint, theater, or national-level assets. See chapter 4 for more information about targeting in cyberspace and appendix C for instructions for the CERF.
Chapter 3 Electromagnetic Warfare
This chapter introduces electromagnetic warfare and the divisions of electromagnetic warfare. It goes on to discuss the application of electromagnetic attack, electromagnetic protection, electromagnetic support, and electromagnetic reprogramming in Army operations. The chapter then addresses the synchronization of electromagnetic warfare with complementary signals intelligence capabilities. The chapter concludes with a description of organic electromagnetic warfare forces at echelons corps and below.
Introduction
3-1. Since the beginning of the 20th century, EW has played an ever-increasing role in shaping the outcomes of various military conflicts around the globe. Electromagnetic warfare is military action involving the use of electromagnetic and directed energy to control the electromagnetic spectrum or to attack the enemy (JP 3-85). The divisions of EW are—
• Electromagnetic attack.
• Electromagnetic protection.
• Electromagnetic support.
3-2. Electromagnetic warfare reprogramming is a separate function of EW. While not classified as a division of EW, electromagnetic warfare reprogramming supports electromagnetic attack, electromagnetic protection, and electromagnetic support.
ELECTROMAGNETIC ATTACK
3-3. Electromagnetic attack is the division of electromagnetic warfare involving the use of electromagnetic energy, directed energy, or antiradiation weapons to attack personnel, facilities, or equipment with the intent of degrading, neutralizing, or destroying enemy combat capability and is considered a form of fires (JP 3-85). Electromagnetic attack methods include—
• Electromagnetic countermeasures.
• Electromagnetic deception.
• Electromagnetic intrusion.
• Electromagnetic jamming.
• Electromagnetic probing.
3-4. Defensive electromagnetic attack protects friendly personnel and equipment by degrading the threat’s ability to employ weapons that use radio frequency-activated triggers. Defensive electromagnetic attack measures include radar jammers, counter-unmanned aircraft systems, and counter radio-controlled improvised explosive device electromagnetic warfare systems.
ELECTROMAGNETIC COUNTERMEASURES
3-5. The Army uses electromagnetic countermeasures to mitigate threat EW sensing and attack activities. Countermeasures can be active or passive and used preemptively or reactively. Countermeasure devices and techniques include infrared flares, chaff, radar jammers, counter radio-controlled improvised explosive device electromagnetic warfare systems, and decoys. The devices and defensive techniques are permissible without restrictions since they serve as protection and are responses to enemy engagements.
ELECTROMAGNETIC DECEPTION
3-6. Electromagnetic deception involves radiation, reradiation, alteration, suppression, absorption, denial, enhancement, or reflection of electromagnetic energy to convey misleading information to a threat or to threat spectrum-dependent devices, thereby degrading or neutralizing the threat’s capability. Deception in an EW context presents enemy operators and higher-level processing functions erroneous inputs, either directly through the sensors or through spectrum-dependent network capabilities, such as voice communications or data links.
Note. Electromagnetic deception should not be confused or conflated with military information support operations or military deception, which are often used to present false messages to high-level threat decision makers. The distinction is important because the required legal authorities governing electromagnetic attack differ from those governing military information support operations or military deception.
3-7. EW supports both strategic and tactical deception, using electromagnetic means and scaling appropriately for the desired effect. Electromagnetic deception can increase or decrease ambiguity, affecting the situational understanding of threat decision makers. Deception measures can indicate to a threat commander the certainty of a course of action or create sufficient confusion to disrupt decision making. When planning electromagnetic deception, EW planners consider activities that support the current friendly operation, as well as those that will support the deception mission, integration, and deconfliction.
3-8. Electromagnetic deception techniques support information advantage. The G-3 staff (specifically the G-39) develops plans and supervises deception missions. The CEWO prepares the EW portion of the deception plan. Integration of electromagnetic deception with other information activities is necessary when conducting deception missions. Time is a critical factor in deception planning. The more extensive the deception, the greater the planning and coordination effort required. Regardless of the duration, the longer the deception goes on, the more unintended effects may occur.
3-9. Planners should consider that each spectrum-dependent device exhibits a unique electromagnetic signature. Electromagnetic deception must present realistic decoy signatures to threat sensors. The intent of electromagnetic deception is to cause the threat to draw incorrect conclusions about friendly locations and activities. The three types of electromagnetic deception are—
• Simulative.
• Manipulative.
• Imitative.
Simulative
3-10. Simulative electromagnetic deception attempts to represent friendly notional or actual capabilities to mislead threat forces. Simulative deception requires extensive command and staff collaboration to present a believable deception plan. What the threat detects electronically should be consistent with other information sources. That is, a threat is more likely to be deceived by simulative techniques if the signals they detect are consistent with what they expect. Simulative electromagnetic deception transmissions require close attention.
Manipulative
3-11. Manipulative electromagnetic deception seeks to convey misleading indicators of friendly intentions. Manipulative electromagnetic deception uses communication or noncommunication signals to convey indicators that mislead the enemy. For example, to indicate that a unit will attack when it is really planning to withdraw, the unit might transmit false plans and requests for ammunition. Units use manipulative electromagnetic deception to mislead the enemy to misdirect their electromagnetic attack and electromagnetic support assets, while interfering less with friendly communications.
Imitative
3-12. Imitative deception mimics threat emissions with the intent to mislead them. Imitative electromagnetic deception, if recognized by the enemy, can compromise friendly SIGINT efforts. Imitative deception normally requires approval from higher-echelon commands.
3-13. An example of imitative electromagnetic deception includes entering the threat’s communication nets by using their call signs and radio procedures and giving threat commanders instructions to initiate actions that are advantageous to friendly forces. Refer to ATP 3-12.3 for more information about electromagnetic deception techniques.
ELECTROMAGNETIC INTRUSION
3-14. Electromagnetic intrusion is the intentional insertion of electromagnetic energy into transmission paths in any manner, with the objective of deceiving operators or of causing confusion (JP 3-85). Electromagnetic intrusion techniques are discrete and tailored to specific target systems, as opposed to more broad techniques such as spot, sweep, or barrage jamming. An example of electromagnetic intrusion would be radio transmissions simulating air traffic control communications and giving false instructions to a pilot.
ELECTROMAGNETIC JAMMING
3-15. Electromagnetic jamming is the deliberate radiation, reradiation, or reflection of electromagnetic energy for the purpose of preventing or reducing an enemy’s effective use of the electromagnetic spectrum, with the intent of degrading or neutralizing the enemy’s combat capability (JP 3-85). CEWOs direct the use of jamming techniques to disrupt the threat’s ability to effectively receive or process electromagnetic signals.
3-16. Successful jamming requires understanding available jamming techniques and overpowering threat receivers with higher-power transmissions. The primary effects of jamming persist as long as the jammer is within range of the target and emitting. Jamming effects may be observable through threat actions during or following an electromagnetic jamming attack. Jamming techniques include—
• Standoff jamming.
• Escort jamming.
• Spot jamming.
• Barrage jamming.
• Sweep jamming.
• Follower jamming.
3-17. Depending on mission objectives, the different jamming techniques each have certain advantages and disadvantages. The CEWO advises commanders of the available jamming techniques and the benefits and risks of each technique. Ultimately the commander assumes an acceptable level of risk to achieve mission objectives. All jamming techniques can interfere with friendly systems if not used properly. If targeted threat systems operate in frequencies near those in use by friendly forces, some level of degraded friendly capabilities is possible. The CEMA spectrum manager deconflicts frequencies used for jamming with the G-6 or S-6 spectrum manager to minimize the risk of degraded friendly capabilities. The relatively high radio frequency power used for electromagnetic jamming puts EW teams at risk of threat geolocation and lethal fires.
Standoff Jamming
3-18. A standoff jamming mission projects from a protected location within an assigned area. Due to the distance involved, standoff jamming requires high power and large antennas to reach threat positions. This jamming technique requires precise technical information about threat frequencies and receiver locations to maximize jamming effects.
Advantages
3-19. Standoff jamming affords maximum protection for EW professionals and the systems they deploy from threat actions. It also creates windows of opportunity for Army and joint forces to conduct maneuver.
Disadvantages
3-20. Standoff jamming allows an enemy to identify, geolocate, and target the jammer through radio frequency direction finding. The greater the distance between the jamming site and the enemy, the greater the likelihood the attack will unintentionally interfere with friendly systems. This is colloquially referred to as frequency fratricide.
Escort Jamming
3-21. Escort jamming is a defensive electromagnetic attack that protects maneuver forces from threat weapons systems that use radio frequency triggers. Escort jamming uses a jamming platform that accompanies maneuver forces to implement electromagnetic countermeasures, such as counter radio-controlled improvised explosive device electromagnetic warfare. Escort jamming requires precise intelligence regarding threat frequency use. Escort jamming usually does not require the same level of power or large antennas as standoff jamming. Depending on the mission, escort jamming does not necessarily require EW Soldiers to operate the equipment performing this mission. EW personnel perform pre-combat checks to verify programming and operation of the equipment which can be operated by general-purpose users.
Advantages
3-22. Escort jamming is highly mobile and has low vehicle power requirements. Escort jammers can use similar vehicle configurations of maneuver vehicles to screen them from visual identification.
Disadvantages
3-23. Escort jamming capabilities are typically employed during tactical movement, increasing the likelihood of attack. While some escort jammers can be carried on foot (dismounted), the usability of dismounted escort jamming systems is limited due to high battery consumption.
Spot Jamming
3-24. Spot jamming is a technique to jam a discrete frequency. Spot jamming is the least intrusive form of electromagnetic jamming, as it does not jam adjacent, untargeted frequencies. To plan spot jamming, the CEWO needs accurate intelligence regarding the targeted threat system’s characteristics, such as frequency, transmit and receive power, and the antenna height and type.
Advantages
3-25. Spot jamming achieves a high jamming-to-signal ratio because it concentrates the available transmit power on the targeted frequency, so threats are unlikely to overcome the jamming without changing to another frequency.
Disadvantages
3-26. Spot jammers are not effective for agile frequency transmission, such as frequency hopping radios. Frequency hopping radios do not use a discrete frequency but change frequency continually across a relatively wide frequency range.
Barrage Jamming
3-27. Barrage jamming is the jamming of all frequencies within a specified portion of the electromagnetic spectrum at the same time. Barrage jamming techniques apply less power to each jammed frequency because the power spans the targeted frequency range.
Advantages
3-28. Multiple frequencies can be targeted by a single jammer simultaneously.
Disadvantages
3-29. Barrage jamming achieves a lower jamming-to-signal ratio than spot or sweep jamming, because the available transmit power is spread over a wider bandwidth. Barrage jamming generally requires the electromagnetic attack platform to be closer to the targeted receivers; this increases the likelihood of detection and geolocation by the threat. Barrage jammers require high radio frequency power to affect a broad frequency range.
Sweep Jamming
3-30. Sweep jamming is the jamming of a specified portion of the electromagnetic spectrum by sweeping a defined frequency range at a predetermined rate. Sweep jamming may use less transmit power than barrage jamming but gives a higher jamming-to-signal ratio because the jamming power is spread over a narrower bandwidth at any given time as with spot jamming. Sweep jamming may be the most appropriate technique when the electromagnetic order of battle provides a frequency range but not the precise frequency in use.
Advantages
3-31. Sweep jamming will allow the electromagnetic attack asset to operate further from the intended target than barrage jamming.
Disadvantages
3-32.
The greater the distance between the jamming site and the enemy, the greater the likelihood the jamming will interfere with friendly systems (frequency fratricide). Follower Jamming 3-33. Follower jamming is a form of electromagnetic attack to target receivers automatically when the system detects a threat transmission. Follower jamming remains passive until a targeted transmitter emits a signal. Follower jamming uses a combination of spot, barrage, and sweep jamming techniques; this is useful against frequency hopping receivers. EW professionals program the jammer to attack either a discrete frequency or a range of frequencies. The G-2 or S-2 compiles the electromagnetic order of battle and determines the frequencies employed by the threat and when a particular type of emitter is being used by the threat. The electromagnetic order of battle feeds the cyberspace and EW running estimate. The G-2 or S-2, G-6 or S-6, and the CEWO track the electromagnetic order of battle in their running estimates and update it as needed. The CEWO clarifies and expands the electromagnetic order of battle before briefing during course of action comparison. Advantages 3-34. Because the jamming system does not continuously transmit, the follower jamming technique allows a jammer to maximize its resources against a target while minimizing the threat’s ability to sense and geolocate the jammer. Disadvantages 3-35. Sometimes the threat’s capability is too agile and the jamming system response too slow. If the threat system is too sophisticated, it can outpace the follower jammer’s responsiveness and render the jamming ineffective. ELECTROMAGNETIC PROBING 3-36. Electromagnetic probing is intentional radiation designed to be introduced into the devices or systems of an adversary for the purpose of learning the functions and operational capabilities of the devices or systems (JP 3-85). Electromagnetic probing aims to penetrate and exploit threat systems and operations.
Division and below units do not typically have organic electromagnetic probing capabilities. Units can request electromagnetic probing effects by submitting an electromagnetic attack request format through their higher echelon CEMA section. See appendix C for instructions for submitting the electromagnetic attack request format. ELECTROMAGNETIC PROTECTION 3-37. Electromagnetic protection is the division of electromagnetic warfare involving actions taken to protect personnel, facilities, and equipment from any effects of friendly or enemy use of the electromagnetic spectrum that degrade, neutralize, or destroy friendly combat capability (JP 3-85). Electromagnetic protection is a preemptive and constant function where the CEWO introduces operational approaches and plans to ensure the unit is prepared to defend spectrum-dependent devices from threat actions. Not all units have electromagnetic attack or electromagnetic support capabilities. However, all units are required to train and maintain readiness for electromagnetic protection. While not part of electromagnetic protection, spectrum management operations support all electromagnetic protection actions. Electromagnetic protection actions include— • EMCON. • Electromagnetic masking. • Electromagnetic compatibility. • Electromagnetic hardening. • Wartime reserve modes. EMISSION CONTROL 3-38. Emission control is the selective and controlled use of electromagnetic, acoustic, or other emitters to optimize command and control capabilities while minimizing, for operations security: a. detection by enemy sensors; b. mutual interference among friendly systems; and/or c. enemy interference with the ability to execute a military deception plan (JP 3-85). EMCON reduces the likelihood of detection by threat sensors and direction-finding systems and helps conceal the locations of friendly forces. 3-39.
The CEWO advises the G-6 or S-6 in developing communication plans that provide a low probability of threat detection of friendly communications. This can be accomplished by attempting to hide the unit’s communications in plain sight—blending into the background electromagnetic environment. A common analogy for this is hiding a needle in a haystack, but hiding a needle in a haystack may not be effective if the threat has a metal detector. Perhaps the more appropriate analogy is hiding a needle in a stack of needles. The more a unit’s use of the electromagnetic spectrum parallels what is already used by local governments and civilian populations in the operational area, the more difficult it is for a threat to identify and locate friendly emissions. 3-40. An EMCON plan contributes to a reduced electromagnetic signature by providing progressively more restrictive measures to limit electromagnetic emissions based on the tactical situation and threat. At the least restrictive EMCON condition (EMCON 1 [green]), operation of all spectrum-dependent devices continues with basic security precautions. At the highest threat level (EMCON 5 [black]), units remove most electromagnetic emitters from operation until the tactical situation allows return to a less restrictive EMCON condition. Units should exercise the established EMCON plan, including transitions between EMCON conditions, during all unit training and exercises to ensure they know the correct procedures and can transition between EMCON conditions quickly. Table 3-1 on page 41 summarizes EMCON conditions. ELECTROMAGNETIC WARFARE FORCES AT ECHELONS DIVISION AND BELOW 3-73. Maneuver units at echelons division and below are assigned organic EW forces and capabilities. This section describes organic EW formations at the division and brigade combat team. DIVISION 3-74.
The division EW company (see figure 3-2 on page 48) provides layered, long-range sensing and electromagnetic attack capabilities in the division deep area and downward reinforcement to brigade combat teams in the close area. The company’s electromagnetic support capabilities can detect, recognize, locate, and identify threat signals of interest and assist the commander, G-3, CEWO, and G-6 in formulating electromagnetic protection plans. The company employs electromagnetic attack capabilities to disrupt enemy spectrum-dependent devices. 3-75. While electromagnetic support mainly enables situational understanding, decision making, and targeting, the CEMA section also coordinates with the G-2 to ensure electromagnetic support data from the EW company reaches the appropriate analysts for processing into intelligence, as necessary. Early designs of capabilities support the intent of the company to deliver radio frequency-enabled offensive cyberspace operations payloads while also enabling military information support operations, military deception, and other information advantage activities. Note. Division EW companies are authorized in unit tables of organization and equipment but are in the initial stages of resourcing in the operational force. References to the division EW company in the text reference capabilities and functions of the unit as designed and authorized. BRIGADE COMBAT TEAM 3-76. The brigade combat team EW platoon (see figure 3-3) operates under the operational control of the brigade S-3. The brigade CEMA section controls EW taskings for the teams through technical channels. Technical channels are the chain of authority for ensuring the execution of clearly delineated technical tasks, functions, and capabilities. The EW platoon supports the commander’s ability to engage targets with lethal and nonlethal attack capabilities.
The platoon detects and locates communications and noncommunications emitters in the brigade’s assigned area using its organic electromagnetic support capabilities. The platoon reports the locations of enemy emitters to the CEMA section for situational awareness and targeting. The CEMA section forwards unidentified signals detected to the S-2 for further analysis. Because brigade combat team EW elements operate in close contact with enemy forces, they may be positioned to answer some commander’s critical information requirements by direct observation. EW teams must be aware of collection requirements; unit SOPs should include reporting requirements. Refer to ATP 3-12.4 for detailed information about the composition and capabilities of EW companies and platoons. Note. There is a pending force design update to restructure the brigade combat team EW platoon from three EW teams to six EW teams.
Chapter 4 Cyberspace Electromagnetic Activities
This chapter discusses cyberspace electromagnetic activities. It begins with an overview, followed by a discussion of cyberspace electromagnetic activities roles by echelon. The chapter continues with a discussion of cyberspace electromagnetic activities through the operations process—planning, preparation, execution, and assessment—and the integrating processes. The chapter ends with a discussion of integration with the joint force. OVERVIEW 4-1. The use of cyberspace and the electromagnetic spectrum are critical to successful operations. U.S. and threat forces alike rely heavily on cyberspace- and spectrum-dependent capabilities for— • Command and control. • Information collection. • Situational understanding. • Navigation. • Target acquisition. • Attack. 4-2. Achieving positions of relative advantage in cyberspace and the electromagnetic spectrum significantly contributes to the achievement of military objectives. By integrating cyberspace and EW operations into combined arms operations, commanders can limit the threat’s available courses of action, diminish their ability to gain momentum, degrade their command and control, and affect their ability to operate effectively in the other domains. 4-3. Commanders leverage cyberspace and EW capabilities with other capabilities in a combined arms approach to seize, retain, and exploit the initiative. They do this through CEMA. Cyberspace electromagnetic activities are the planning, integration, and synchronization of cyberspace and electromagnetic warfare operations as part of a combined arms approach through the operations process. Integrating and synchronizing cyberspace and EW operations into the concept of operations contributes to mission success. 4-4. CEMA sections at echelons theater army through brigade play an important role in planning combined arms operations. They do this through the operations process, the integrating processes, and in working groups and boards.
CYBERSPACE ELECTROMAGNETIC ACTIVITIES ROLES BY ECHELON 4-5. CEMA sections are made up of cyber warfare officers, EW technicians, EW specialists, and spectrum managers. The grade levels within the CEMA section vary by echelon; higher echelons are staffed by more senior grades. CEMA sections at echelons corps and below plan, integrate, and synchronize cyberspace and EW operations across the competition continuum. The key activities of CEMA sections at echelons corps and below are— • Developing and seeking approval of high-priority target lists, target nominations, collection priorities, and risk mitigation measures. • Synchronizing cyberspace and EW operations with other lethal and nonlethal capabilities. • Deconflicting frequency use with G-6 or S-6 spectrum managers. 4-6. Along with joint and multinational partners, Army forces use cyberspace and EW operations to support engagement, counter threat narratives, and conduct deception to create uncertainty within a threat’s decision-making process. CEMA sections at all echelons exercise technical control over organic EW elements. In this role, the CEMA sections control electromagnetic support taskings and issue electromagnetic attack guidance within delegated electromagnetic attack control authority. The corps conducts shaping operations in the deep area, coordinates with tactical elements operating in the close area, and integrates operations with the theater army. 4-7. Figure 4-1 illustrates tactical electromagnetic support reporting. CEMA sections issue electromagnetic support taskings to EW platoons in the close area. EW platoons conduct electromagnetic support sensing and report to the CEMA section through technical channels. The CEMA section integrates electromagnetic support into the operations process through coordination with other staff sections: • Targeting working group (identifying and locating targets; triggers for fires; assessment). 
• G-2 or S-2 (update electromagnetic order of battle; refer signals for processing into intelligence). • G-3 or S-3 (combat information for decision support). • G-6 or S-6 spectrum manager (frequency deconfliction; update joint restricted frequency list). Note. The content on the corps’ CEMA responsibilities in this manual is based on the corps operating as a tactical echelon or ARFOR headquarters. If the corps is designated as a joint task force headquarters, the commander and staff refer to joint doctrine for their responsibilities for cyberspace operations and joint electromagnetic spectrum operations. CORPS 4-8. The corps is the primary integrating echelon for multidomain convergence. The corps CEMA section integrates subordinate divisions and brigade combat teams’ cyberspace and EW activities and CEMA reporting. The corps CEMA section reports through the theater army to the joint task force joint cyber center (for cyberspace operations) and the joint electromagnetic spectrum operations cell (for EW and spectrum use). During crisis and armed conflict, the corps CEMA section participates in the targeting process to nominate cyberspace and EW targets in the corps deep area and validate target nominations from subordinate divisions. 4-9. The corps CEMA section integrates cyberspace and EW operations into the corps commander’s concept of operations. The CEMA section leads the CEMA working group (see paragraph 4-42) to assist in planning, development, integration, and synchronization of cyberspace and EW operations into combined arms operations through staff collaboration and shared understanding. 4-10. The CEWO participates in the targeting working group to nominate, vet, and process possible targets received from subordinate units and targets developed by the corps staff for effects in cyberspace and the electromagnetic spectrum. The CEWO— • Assists the staff in integrating and synchronizing cyberspace and EW operations into combined arms.
• Advises the commander and staff on the effects of cyberspace and EW capabilities, including rules of engagement, impacts, and constraints. • Develops and maintains a consolidated cyberspace and EW targeting synchronization matrix and assists in nominating cyberspace and EW targets in collaboration with the targeting working group. • Monitors and assesses measures of performance and effectiveness while maintaining updates on cyberspace and EW effects on the operational environment. • Requests and coordinates for offensive cyberspace operations and electromagnetic attack support through the combatant command while integrating received cyber mission forces and other Service EW capabilities into operations. • Coordinates with joint and multinational partners for cyberspace and EW capabilities that complement or increase the unit’s organic capabilities. • Coordinates and deconflicts cyberspace and EW activities, including frequency deconfliction, with the G-2 and the G-6. • Develops and implements cyberspace and EW home-station training. Note. Planning for EW home-station training at all echelons includes collaboration with the G-6 or S-6 spectrum manager for frequency assignments and frequency deconfliction. DIVISION 4-11. The division CEMA chief is the primary advisor to the division commander on cyberspace and the electromagnetic spectrum. The division CEMA section— • Plans operations for organic cyberspace and EW capabilities. • Prepares requests for external cyberspace and EW support. • Integrates effects. • Deconflicts spectrum use with the G-6 spectrum manager. • Assesses cyberspace and EW effects in the division’s assigned area. 4-12. Divisions do not have an assigned capability to plan and integrate all aspects of cyberspace operations, in particular future operations. The division CEMA section may be augmented with support from the corps or theater army to plan, coordinate, integrate, and synchronize cyberspace and EW operations into combined arms.
The CEMA section vets and processes targets nominated by subordinate units for cyberspace effects. The CEMA chief leads the CEMA working group (see paragraph 4-42) when required to synchronize and integrate cyberspace and EW operations into the concept of operations. BRIGADE COMBAT TEAM 4-13. The brigade EW platoon conducts electromagnetic support to understand friendly, threat, and neutral use of the electromagnetic spectrum in the brigade’s assigned area. Understanding friendly spectrum use informs electromagnetic protection efforts, including EMCON plans. The EW platoon is normally under operational control of the S-3 and technical control of the CEMA section. The commander may task-organize the EW platoon with other elements and establish other command relationships to meet the brigade’s requirements. The platoon reports the locations of enemy emitters to the CEMA section to support situational understanding and targeting. 4-14. The brigade combat team CEWO is the primary advisor to the brigade commander on cyberspace and the electromagnetic spectrum. The CEWO leads the CEMA section in— • Planning operations for the EW platoon. • Preparing requests for external cyberspace and EW support. • Integrating effects. • Assessing cyberspace and EW effects in the assigned area. 4-15. The CEMA section plans, coordinates, and integrates cyberspace and EW operations in support of the commander’s intent and concept of operations. The CEMA section collaborates with all staff sections and subordinate units to meet the commander’s operational objectives and desired end state. The CEMA section plans, synchronizes, and integrates cyberspace and EW operations through the operations process and through integrating processes and working groups, and deconflicts spectrum use with the S-6 spectrum manager. 4-16. The brigade CEMA section participates in the targeting process to nominate cyberspace and EW targets to support the maneuver plan.
The CEMA section provides technical control of organic EW teams during operations. Though the CEMA section aligns cyberspace and EW operations with the operations process, they must collaborate with the S-3 to task EW platoons in support of brigade operations through the orders process. When required, the CEWO may form and lead a CEMA working group (see paragraph 4-42) to synchronize and integrate cyberspace and EW operations in a combined arms approach. 4-17. Data and information gathered through electromagnetic support provide the commander with critical combat information. The CEMA section uses combat information from the EW platoon to develop situational understanding and support targeting. The CEMA spectrum manager uses electromagnetic support data from the EW platoon to develop and update electromagnetic spectrum information in the common operational picture. The CEMA section also reports unknown signals detected to the S-2 for processing into intelligence. CYBERSPACE ELECTROMAGNETIC ACTIVITIES IN THE OPERATIONS PROCESS 4-18. The CEMA section, supported by the CEMA working group, integrates and synchronizes cyberspace and EW operations during planning, preparation, execution, and assessment. The CEMA section provides representatives to the plans, future operations, and current operations integrating cells as required to ensure cyberspace and EW operations are integrated and synchronized into the concept of operations in accordance with the commander’s intent. 4-19. The CEMA section works closely with other members of the CEMA working group to ensure unity of effort to meet the commander’s objectives. Integration and synchronization of cyberspace and EW operations— • Ensure information collected in cyberspace and the electromagnetic spectrum is routed to the appropriate staff to support the commander and staff’s situational understanding of the operational environment.
• Ensure the effective use of cyberspace and EW assets for information collection and targeting. • Ensure appropriate coordination between Army and joint forces, multinational partners, and host nations before employing offensive cyberspace or EW capabilities. • Minimize unintended interference (frequency fratricide) with friendly spectrum-dependent capabilities. PLANNING 4-20. Planning is a continuous activity of the operations process—the major command and control activities performed during operations: planning, preparing, executing, and continuously assessing the operation (ADP 5-0). Commanders use the operations process to drive the conceptual and detailed planning necessary to understand an operational environment; visualize and describe the operation’s end state and operational approach; make and articulate decisions; and direct, lead, and assess operations. Refer to ADP 5-0 for fundamentals of the operations process. Operation Plans 4-21. Plans and orders come in many forms and vary in the scope, complexity, and length of time they address. Generally, commanders and staffs develop an operation plan well in advance of execution; the operation plan is not executed until directed in an operation order (see paragraph 4-31). Commanders and staffs may develop operation plans through the Army design methodology if the military problem and situation are not well-defined. The conceptual operation plan must be integrated with the detailed planning typically associated with the military decision-making process to produce executable operation orders. Refer to ATP 5-0.1 for detailed information about the Army design methodology. Information Requirements 4-22. During planning, commanders and staffs determine their information requirements to support decision making and protection. The CEWO participates in the definition of information requirements including— • Commander’s critical information requirements.
• Priority intelligence requirements. • Friendly force information requirements. • Essential elements of friendly information. Commander’s Critical Information Requirements 4-23. A commander’s critical information requirement is specific information identified by the commander as being essential to facilitate timely decision making (JP 3-0). A commander’s critical information requirement is directly tied to a decision that supports the successful execution of military operations. Commanders designate critical information requirements based on likely decisions and their visualization of the operation. A commander’s critical information requirement may support one or more decisions. During planning, staffs recommend information requirements for commanders to designate as critical information requirements. Information requirements may be selected based on considerations in cyberspace or electromagnetic spectrum. 4-24. Commander’s critical information requirements related to cyberspace and EW may include information relating to friendly, civilian, and threat use of, and activity in, cyberspace and the electromagnetic spectrum. Refinement of the commander’s critical information requirements is continuous throughout operations. During preparation and execution, staffs recommend changes to commander’s critical information requirements based on their running estimates. Indicators in cyberspace or the electromagnetic spectrum may aid in answering commander’s critical information requirements. For example, the CEMA section may assist in answering information requirements relating to enemy composition, disposition, strength, and activity. The detection of a certain radio or radar emission may reveal the enemy course of action or the location of a high-payoff or high-value target. Priority Intelligence Requirements 4-25. 
A priority intelligence requirement is the intelligence component of commander’s critical information requirements used to focus the employment of limited intelligence assets and resources against competing demands for intelligence support (JP 2-0). Priority intelligence requirements identify the information about the enemy and other aspects of an operational environment that the commander considers most important. Intelligence about civil considerations may be as critical as intelligence about the enemy. 4-26. Priority intelligence requirements may include the location and electromagnetic signature of enemy command and control nodes, radar systems, or jamming assets. Cyberspace and EW priority intelligence requirements may also include information about the enemy electromagnetic order of battle, such as cyberspace and EW capabilities, spectrum-dependent devices, or electromagnetic signatures of key enemy systems. Cyberspace and the electromagnetic spectrum may provide key indicators that answer priority intelligence requirements, for example— • Location of a threat signal of interest may indicate the position of an enemy command post. • Locations of threat radar systems may reveal the presence of enemy fires or air defenses in the assigned area. • Social media activity may reveal an upcoming civil disturbance. • Open source data from navigation applications may reveal congestion. • Software application content and metadata may reveal operations security vulnerabilities. Friendly Force Information Requirements 4-27. A friendly force information requirement is information the commander and staff need to understand the status of friendly force and supporting capabilities (JP 3-0). Friendly force information requirements identify the information about the mission, troops and support available, and time available for friendly forces that the commander considers most important. 
Examples of friendly force information requirements relevant to cyberspace and EW operations include— • Targeting of personnel or dependents via cyberspace. • The capture of sensitive hardware. • The suspected jamming of positioning, navigation, and timing systems. Essential Elements of Friendly Information 4-28. An essential element of friendly information is a critical aspect of a friendly operation that, if known by a threat, would subsequently compromise, lead to failure, or limit success of the operation and therefore should be protected from enemy detection (ADP 5-0). Essential elements of friendly information establish the information friendly forces need to protect from unauthorized disclosure. Identifying essential elements of friendly information is the first step in the operations security process and central to the protect information activity. Examples of essential elements of friendly information relevant to cyberspace and EW operations include— • Critical passwords. • Cryptologic keys. • Classified waveforms. • Existence or functionality of wartime reserve modes. 4-29. In addition to cyberspace and EW essential elements of friendly information, the CEMA section plays an important role in protecting other friendly tactical information, such as— • Locations of critical command and control nodes (electromagnetic protection). • The fact that a certain operation is a deception (realistic electromagnetic decoys). 4-30. Refer to JP 3-55 for more information about the joint operations security process. Refer to ADP 3-13 for more information about information advantage activities. Operation Orders 4-31. An operation plan becomes an operation order when directed for execution based on a specified time or event. The commander and staff produce operation orders through the military decision-making process. This planning also involves various integrating processes and working groups to integrate and synchronize combined arms planning. 
See paragraphs 4-62 through 4-100 for more information about the CEMA section’s role in the integrating processes and appendix B for information on the CEMA section’s role in preparing operation orders. Military Decision-Making Process 4-32. The commander and staff integrate cyberspace and EW operations with combined arms maneuver through the military decision-making process. The CEWO and CEMA section either produce or contribute to multiple portions of the operation order during the military decision-making process. See appendix B for detailed information about the CEWO’s key inputs, substeps, and outputs for each step of the military decision-making process. Emission Control Plans 4-33. During planning, the CEWO develops EMCON plans in conjunction with the G-3 or S-3 and the G-6 or S-6. A well-constructed EMCON plan contributes to reduced electromagnetic signatures by providing progressively more restrictive measures to control electromagnetic emissions based on the tactical situation. It specifies operating procedures for emitters based on terrain, threat, and the scheme of maneuver. It is integrated into the execution checklist and decision support templates. At the least restrictive EMCON condition (EMCON 1 [green]), normal operation of all spectrum-dependent devices continues with basic security precautions. At the most restrictive level (EMCON 5 [black]), units may cease operation of all electromagnetic emitters until the tactical situation allows return to a less restrictive EMCON condition. Restrictive EMCON conditions may require maneuver elements to maintain extended periods of radio silence, relying on disciplined initiative of subordinate commanders within the commander’s intent under the mission command approach. Terrain, assigned mission, or other factors may result in elements within a unit operating under different EMCON conditions. 4-34. 
Creating an EMCON plan involves defining operational requirements for the use of emitters, determining the operating criteria for each type of emitter, and determining triggers for transition between EMCON conditions. The EMCON plan should be published in Tab D to Appendix 12 (Cyberspace Electromagnetic Activities) to Annex C (Operations) of the operation order. A complete EMCON plan requires—
• Integration with the scheme of maneuver.
• Operating criteria for emitters, by EMCON condition.
• Triggers for transition between EMCON conditions.

4-35. When developing EMCON plans, it is important for the CEWO and the G-6 or S-6 to understand the background electromagnetic environment in their assigned area. It is difficult to maintain a low probability of detection in remote areas where there is little background radio frequency noise. In these cases, a very restrictive EMCON plan may be necessary to provide a reasonable measure of electromagnetic protection. In more populated areas where the background radio frequency noise floor is typically much higher, planners may be able to effectively hide the signals within the higher background noise if the signal is not discernable as a military communications system.

4-36. G-3 or S-3 participation is critical in the development of EMCON plans. Electromagnetic signatures can reveal the locations of command posts, exposing them to risk of lethal fires. Experience at combat training centers shows that the opposing force can determine the location, size, disposition, and direction of travel of maneuver formations based on their electromagnetic emissions. Considering EMCON in selection of movement routes may allow the unit to take advantage of manmade and natural terrain to mask electromagnetic emissions from threat detection. EMCON plans may include maneuver elements observing radio silence on a movement to contact to prevent revealing the operation to the enemy.
Implementing such restrictive EMCON measures requires commanders to trust in the disciplined initiative of subordinates under the mission command approach.

Integration With the Scheme of Maneuver

4-37. During mission planning, the staff should determine the minimum required capabilities for each phase of the operation. Knowing which emitters are necessary to conduct operations enables the CEWO, the G-3 or S-3, and the G-6 or S-6 to create an EMCON plan that minimizes the unit’s electromagnetic signatures while ensuring the availability of critical command and control capabilities.

Emitter Criteria

4-38. The CEWO assists the G-3 or S-3 and the G-6 or S-6 in determining operating criteria for each type of emitter for each EMCON condition. Detailed planning helps inform the commander’s risk decisions and ensures smooth transitions between EMCON conditions. The emitter criteria specify the operating procedures for a particular emitter type across the EMCON conditions and the triggers for removing the emitter from operation. To build a complete EMCON plan, the staff builds an emitter criteria table for each type of emitter in the formation. Table 4-1 on page 56 illustrates an example of emitter criteria for single-channel ground and airborne radio system by EMCON condition.

Army Approach to Electromagnetic Spectrum Operations

4-104. Each Service has a unique approach to electromagnetic spectrum operations; the Army’s Service approach is CEMA. Army commanders and their staffs conduct CEMA to plan, integrate, and synchronize cyberspace and EW operations as a unified effort to project power in and through cyberspace and the electromagnetic spectrum (JP 3-85).

4-105.
Component commanders should establish electromagnetic spectrum operations cells (or equivalent) to enable command and control of their respective electromagnetic spectrum operations and to coordinate their electromagnetic spectrum operations with the joint force through the joint electromagnetic spectrum operations cell (CJSCM 3320.01D). For the Army, the theater army CEMA section performs the functions of an electromagnetic spectrum operations cell for all Army forces in the combatant command through the CEMA working group. The ARFOR CEMA section and CEMA working group are the equivalent for a joint task force.

4-106. The CEWO hosts the CEMA working group with representation from maneuver, intelligence, fires, space, information advantage, and spectrum management operations personnel (see paragraph 4-42) to integrate cyberspace operations and EW in operation plans and orders. The G-6 or S-6 spectrum manager participates in the CEMA working group to deconflict friendly spectrum use with EW and SIGINT elements and update the joint restricted frequency list (including TABOO, protected, and guarded frequencies). The ARFOR coordinates EW and spectrum management operations with the joint task force joint electromagnetic spectrum operations cell and joint frequency management office. Refer to ATP 6-02.70 for more information about the roles and responsibilities of the G-6 or S-6 spectrum manager.

Joint Integration

4-107. The joint task force’s joint electromagnetic spectrum operations cell coordinates electromagnetic spectrum management with the joint frequency management office, and integrates cyberspace and EW operations with SIGINT, collection management, and space operations to support electromagnetic spectrum superiority. Refer to AR 525-24 for more information about the relationship of CEMA to joint and multinational electromagnetic spectrum operations.

Joint Electromagnetic Spectrum Operations Planning

4-108.
Joint force commanders centralize joint electromagnetic spectrum operations planning under the designated electromagnetic spectrum coordinating authority and decentralize execution to ensure unity of effort while maintaining tactical flexibility. The joint force prioritizes, integrates, and synchronizes operations in the electromagnetic spectrum to—
• Achieve electromagnetic spectrum superiority.
• Achieve the commander’s objectives.
• Mitigate electromagnetic interference.
• Avoid friendly fire electromagnetic attack incidents (frequency fratricide).

Commander’s Guidance

4-109. The joint force commander conveys guidance for achieving electromagnetic spectrum superiority within the joint operations area through their concept of operations. Subordinate commanders plan operations within the joint force commander’s guidance and intent. The joint force commander’s guidance includes—
• Operational approach.
• Mission statement.
• Commander’s planning guidance.
• Commander’s intent.
• Commander’s critical information requirements.

Staff Estimate

4-110. The joint electromagnetic spectrum operations staff estimate forms the basis for the commander’s approach to achieve electromagnetic spectrum superiority. The staff estimate is used during course of action development and analysis to determine—
• The spectrum activities and capabilities needed to accomplish the mission.
• The joint electromagnetic spectrum capabilities required to support operations.
• The risk to the operation if electromagnetic spectrum superiority is not achieved.

Joint Electromagnetic Spectrum Operations Appendix

4-111. The joint electromagnetic spectrum operations appendix to Annex C (Operations) of joint plans and orders establishes procedures for command and control of forces conducting joint electromagnetic spectrum operations in the joint operations area and includes spectrum coordination measures, specifying procedures and rules of engagement for joint force use of the electromagnetic spectrum.
4-112. The joint electromagnetic spectrum operations appendix should form the basis of Appendix 12 (Cyberspace Electromagnetic Activities) to Annex C (Operations) to the ARFOR’s operation plan or order to ensure the Army component operates within the higher commander’s mission and intent. The ARFOR CEMA appendix becomes the basis of subordinate Army units’ CEMA appendixes.

Joint Targeting

4-113. While the Army plans effects through the Army targeting methodology—decide, detect, deliver, and assess—as the primary integrating echelon for converged effects, the corps must also integrate into the joint targeting cycle:
• Commander’s objectives, targeting guidance, and intent.
• Target development and prioritization.
• Capabilities analysis.
• Commander’s decision and force assignment.
• Mission planning and force execution.
• Combat assessment.

4-114. CEMA sections must integrate with the joint targeting cycle to allow time to develop tailored cyberspace and EW capabilities. While the delivery of effects in cyberspace and the electromagnetic spectrum can occur quickly, generating capabilities requires significant planning, preparation, software development, and iterations of intelligence and reconnaissance operations. Generally, these types of effects are only feasible for deliberate targets that are preplanned during concept plan or operation plan development. Depending on the nature of a capability, it may be able to engage unscheduled targets if the target is exposed for long enough or meets certain conditions. In these instances, using a tailored capability may or may not preclude its future use.

4-115. In the event a division or corps is tasked as the ARFOR or tactical headquarters, the targeting team must be prepared to participate in the joint targeting cycle of the higher headquarters to submit target nominations for joint capabilities. All effects that cannot be created by organic capability must be requested through predetermined channels.
Higher headquarters typically prescribe the methods for support requests and target nominations. In addition to participating in the higher headquarters processes, divisions and corps conduct joint targeting working groups and joint targeting coordination boards at their level for echelon-specific synchronization and integration. Working group and board facilitators must be conscious of roles, targeting tasks, and command and support relationships and include all necessary participants. Refer to JP 3-60 for more information about joint targeting.

4-116. Targeting in cyberspace requires close integration with the joint targeting cycle through the joint force commander and combatant command. This integration is necessary for three main reasons:
• Targets engaged through cyberspace must be on an approved joint target list or restricted target list.
• Cyberspace attacks may generate adverse second- and third-order effects that extend far beyond the requesting commander’s assigned area.
• National-level intelligence assets may be conducting ongoing exploitation of a requested target. Approval to engage these targets requires a high-level intelligence gain-loss decision, balancing continued intelligence value versus the military utility of engaging the target.

4-117. Other Services employ EW capabilities the corps and joint task force may leverage to engage targets nominated by Army units. Navy and Air Force airborne EW platforms can conduct electromagnetic support sensing and electromagnetic attack in the deep area, which greatly enhances the corps and division’s ability to set conditions for lower echelons.

4-118. The CEMA section nominates targets in cyberspace through the Army targeting methodology. Identified targets should support the commander’s desired end state and objectives.
Units forward CERFs prepared through the Army targeting methodology through their chain of command to the joint task force headquarters, where the CERF is entered into the joint targeting cycle as a request for service. Developing a cyberspace capability to engage targets requires extended lead time and high-level approval. Figure 4-3 on page 71 shows the integration of Army targeting in cyberspace at echelons corps and below with the joint targeting cycle.
Chapter 5 Cyberspace and Electromagnetic Warfare Operations in Combined Arms
This chapter addresses the contributions of cyberspace and electromagnetic warfare operations in a combined arms approach. The chapter begins with a discussion of convergence, and integration with the joint force. It then discusses cyberspace and electromagnetic warfare operations across the competition continuum.
Appendix A Cyber Incident Response
Cyber incident response refers to the processes and technologies for detecting and responding to malicious cyberspace activity or security breaches. The goal of incident response is to minimize the cost and mission disruption resulting from threat malicious cyberspace activity. This appendix explains how different types of malicious cyberspace activity should be identified, analyzed, reported, contained, and resolved.
Appendix B Cyberspace Electromagnetic Activities Planning and Integration
Appendix C Effects Requests
This appendix discusses how Army units request external cyberspace operations and electromagnetic warfare support from higher echelon Army or joint forces. Army forces may require offensive cyberspace operations support for identified targets that require engagement using an offensive cyberspace capability. Defensive cyberspace operations support may be necessary when an identified threat in friendly cyberspace is beyond the defensive capabilities of local network defenders. Electromagnetic warfare support may be required when an Army unit needs augmentation, when their electromagnetic warfare capabilities or authorities cannot fulfill their mission requirements, or when the required support must be delivered by airborne electromagnetic warfare platforms.
Appendix D Recognizing and Responding to Electromagnetic Attacks and Malicious Cyberspace Activity
This appendix addresses the means to recognize and overcome threat electromagnetic attacks and malicious cyberspace activity in a contested environment. It includes an overview of peer threat tactics, techniques, and procedures and methods to prevent, identify, and react to threat electromagnetic attacks and malicious cyberspace activity.
Appendix E Message Formats
This appendix gives the formats for various electromagnetic warfare messages and electromagnetic warfare reprogramming messages.

ELECTROMAGNETIC WARFARE MESSAGES

Stop Jamming Message

E-1. To stop jamming, the CEWO submits a stop jamming message as illustrated in figure E-1.

Electromagnetic Warfare Frequency Deconfliction Message

E-2. The CEWO completes an EW frequency deconfliction message (see figure E-2 on page 164) to identify and categorize frequencies to be used by friendly forces and to prevent frequency fratricide. The EW frequency deconfliction message promulgates a list of TABOO, protected, and guarded frequencies to prevent adverse impact to friendly operations. Guarded frequencies are enemy frequencies that are, for a specified time period, being exploited for combat information and intelligence or jammed after the commander has weighed the potential operational gain against the loss of technical information. See paragraph 4-51 for a description of TABOO and protected frequencies.

Electromagnetic Warfare Mission Summary

E-3. The CEWO maintains a record of EW missions. The record is the EW mission summary (see figure E-3 on page 165).

Electromagnetic Warfare Tasking Message

E-4. The CEWO uses the EW tasking message format (see figure E-4 beginning below and continued on page 167) to task an EW asset to provide a requested effect.

Meaconing, Intrusion, Jamming, and Interference Feeder Report

E-5. The meaconing, intrusion, jamming, and interference feeder report (figure E-5 on page 168) is used for immediate tactical reporting of electromagnetic interference. Elements submitting the report should forward the report to the G-6 or S-6 spectrum manager.

ELECTROMAGNETIC WARFARE REPROGRAMMING MESSAGES

E-6. There are a variety of EW reprogramming messages that coincide with the phases of the integrated reprogramming cycle:
• Determine the requirement—threat information message or operational change request.
• Determine the response—system impact message.
• Create the response—reprogramming impact message.
• Implement the response—unit loading message.

Message Priority

E-7. Reprogramming messages are submitted with routine, urgent, or emergency priority, depending on the strategic context and tactical situation. Units should generally assign priority to reprogramming messages based on these criteria:
• Routine—assigned during competition below armed conflict.
• Urgent—assigned during crisis.
• Emergency—assigned during armed conflict.

Priority of Programming Actions

E-8. Priority of a reprogramming action may change if a crisis occurs or ends in the middle of the action. Recipients of reprogramming messages should perform reprogramming actions as required by the implementation authority based on message priority and the commander’s guidance.
• Routine—Considered normal day-to-day operations. Units may schedule implementation of the reprogramming action around the daily training and maintenance schedule.
Note. A not-later-than date for completion may be specified in the reprogramming message. Units should adhere to these dates even for routine reprogramming actions.
• Urgent—Urgent changes should be accomplished during normal duty hours but should take precedence over other activities until completed. Urgent reprogramming changes should generally be implemented within 72 hours after message publication. The actual implementation timeline may vary depending on mission requirements and implementation authority guidance.
• Emergency—Responsible personnel should immediately perform reprogramming actions as specified in the reprogramming message. Emergency changes require 24-hour operations until completed, with the goal of implementing the reprogramming action for all affected systems within 24 hours after message publication.
Commanders make the final determination whether training or operational missions can be conducted without the specified reprogramming action being completed.

Threat Information Message

E-9. The Army Reprogramming Analysis Team uses the threat information message (see figure E-6) to disseminate information regarding system- or region-specific threat EW capabilities.

Operational Change Request

E-10. An operational change request (see figure E-7) is a formal request from an Army unit, routed through their respective theater army and combatant command, which identifies the inability of an electromagnetic warfare system to meet operational requirements and specifies a need for new mission data to address the operational requirement. The Army Reprogramming Analysis Team Program Office treats the operational change request as a request for reprogramming support.

System Impact Message

E-11. The Army Reprogramming Analysis Team uses the system impact message (see figure E-8 on page 171) to disseminate information about the impact of threat system changes, correlated with the capabilities of an EW system, approved changes to tactics, techniques, and procedures, and operational and tactical considerations.

Reprogramming Impact Message

E-12. A reprogramming impact message (see figure E-9 on page 172) provides notification to aviation mission survivability officers and EW personnel of available new or updated EW mission data or software, special instructions, and implementation guidance. The Army distributes mission data, software, and tactics, techniques, and procedures via the Army Reprogramming Analysis Team Portal.

Unit Loading Message

E-13. Units use the unit loading message (see figure E-10 on page 173) to notify the Army Reprogramming Analysis Team when they complete implementation of a reprogramming action. The unit describes any anomalies or issues they observed during implementation.
When required, instructions for submitting a unit loading message are included in the applicable system impact message or reprogramming impact message.

Army Reprogramming Analysis Team Information Message

E-14. The Army Reprogramming Analysis Team information message (see figure E-11 on page 174) contains general information of importance to units and personnel conducting EW operations that does not fall under one of the other message formats.
Appendix F Echelons Above Corps Cyber and Electromagnetic Warfare Organizations
This appendix discusses the national, Department of Defense, and Reserve Components organizations that conduct or support cyberspace and electromagnetic warfare operations. This appendix also provides an overview of United States Cyber Command and its subordinate joint organizations that deliver cyberspace operations and electromagnetic warfare support to Army commanders using cyber mission forces.

NATIONAL ORGANIZATIONS

F-1. The United States Constitution establishes the President’s authority as Commander in Chief of the Armed Forces and gives authority for Congress to fund and regulate the Armed Forces. The President, as Commander in Chief, commands the missions of the Armed Forces and, according to the laws passed by Congress, administers the Armed Forces. The President is also the head of the executive branch of government. As executive branch agencies, the Department of Justice and the Department of Homeland Security also have active roles in national cyberspace security.

Department of Justice

F-2. The Department of Justice leads the national effort to investigate cyber-based terrorism, espionage, computer intrusions, and major cyber fraud, and is responsible for protecting commercial domains such as .com, .net, and .org. The Federal Bureau of Investigation conducts domestic national security operations; investigates, attributes, and disrupts cyber crime; and collects, analyzes, and disseminates domestic cyber intelligence.

Department of Homeland Security

F-3. The Department of Homeland Security oversees protection of the .gov domain and provides expertise and assistance to private sector network owners and operators. The Department of Homeland Security Cybersecurity and Infrastructure Security Agency collaborates with the government, industry, academia, and the international community to make cyberspace security a national priority and shared responsibility.
Refer to JP 3-12 for additional information on Department of Homeland Security cyberspace defense responsibilities.

DEPARTMENT OF DEFENSE ORGANIZATIONS

F-4. The DOD provides cyberspace defense for the .mil domain. Each of the Armed Services has law enforcement and counterintelligence organizations that conduct many of the Federal Bureau of Investigation and Department of Homeland Security functions within their respective Services. These organizations include the Department of the Army Criminal Investigation Division, INSCOM, the Naval Criminal Investigative Service (for the Navy and Marine Corps), and the Air Force Office of Special Investigations (for the Air Force and Space Force).

F-5. The DOD uses cyberspace capabilities to shape cyberspace and conduct cyberspace missions to defend the nation under the authorities of the Secretary of Defense. Authorities for cyberspace operations undertaken by the Armed Forces derive from the Constitution and federal law. Key public laws that apply to the DOD include—
• Title 10, United States Code: Armed Forces.
• Title 32, United States Code: National Guard.
• Title 50, United States Code: War and National Defense.

F-6. The following DOD agencies provide direct or indirect support for cyberspace operations:
• The National Security Agency/Central Security Service.
• The Defense Intelligence Agency.
• The National Geospatial-Intelligence Agency.
• The National Reconnaissance Office.

National Security Agency/Central Security Service

F-7. The National Security Agency and Central Security Service provide SIGINT and cyberspace security guidance and assistance to DOD organizations engaged in collecting, processing, analyzing, producing, and disseminating SIGINT data and information for foreign intelligence and counterintelligence purposes. They support national and departmental missions and provide SIGINT support for military operations as assigned by the Secretary of Defense.
F-8. The National Security Agency collaborates with other national-level organizations and agencies (Central Intelligence Agency, National Geospatial-Intelligence Agency, and Defense Intelligence Agency) to continually identify, catalog, and update the electromagnetic order of battle of threats. The National Security Agency/Central Security Service serves as an operationally focused analytical clearinghouse for all SIGINT databases that support combatant commands, subordinate commands, and the Joint Force.

F-9. The National Security Agency provides cybersecurity policy guidance and assistance to DOD components, the defense industrial base, and national customers. They also provide technical support, including encryption and cross-domain network solutions to support cyberspace security.

Defense Intelligence Agency

F-10. The Defense Intelligence Agency satisfies military and military-related intelligence requirements of the Secretary and Deputy Secretary of Defense, the Chairman of the Joint Chiefs of Staff, and the Director of National Intelligence. The Defense Intelligence Agency provides military intelligence contributions to national foreign intelligence and counterintelligence.

F-11. The Defense Intelligence Agency plans, manages, and executes intelligence operations during peacetime, crisis, and war. The Defense Intelligence Agency serves as the DOD lead for coordinating intelligence support to meet combatant command requirements, leads efforts to align analysis and information collection activities with all operations, and links and synchronizes military defense and national intelligence capabilities. In conjunction with other national-level intelligence organizations, the Defense Intelligence Agency updates the database of known threat signals in the electromagnetic order of battle.

F-12.
The Defense Intelligence Agency conducts all-source intelligence analysis to support cyberspace operations, including dynamic threat assessments and campaign intelligence estimates that contribute to combatant command development of cyberspace aspects of joint intelligence preparation of the operational environment.

F-13. The Defense Intelligence Agency is the DOD lead for counterintelligence investigations in cyberspace. In conjunction with the Military Departments and DOD agencies, the DIA attempts to identify and neutralize all counterintelligence cyberspace threats to the DOD. The Defense Intelligence Agency’s counterintelligence activities promote cyberspace superiority and provide worldwide situational awareness of cyberspace counterintelligence.

National Geospatial-Intelligence Agency

F-14. The National Geospatial-Intelligence Agency is a combat support agency and an intelligence community member organization subordinate to the Secretary of Defense, the Under Secretary of Defense for Intelligence, and the Director of National Intelligence. The National Geospatial-Intelligence Agency produces timely, relevant, and accurate geospatial intelligence to the joint force and is the primary source for geospatial intelligence analysis, products, data, and services at the national level. The National Geospatial-Intelligence Agency provides advisory tasking recommendations for Service-operated airborne and surface-based geospatial intelligence collection platforms and sensors.

F-15. National Geospatial-Intelligence Agency support teams provide direct support to a joint force commander’s intelligence operations center, and the agency maintains National Geospatial-Intelligence Agency support teams for each of the Services, DOD agencies, and several non-DOD agencies. The National Geospatial-Intelligence Agency manages satellite-based intelligence collection and develops distribution protocols for the National System for Geospatial Intelligence.

RESERVE COMPONENTS

F-16.
The Army National Guard and the United States Army Reserve benefit from their associated civilian, academic, industry, and interagency communities to obtain Soldiers with specialized cyberspace operations skills, capabilities, and experience. The active Army leverages the Reserve Components’ cyberspace capabilities by providing expanded capabilities in areas that are often too expensive and too time-consuming for Reserve Components to handle alone.

National Guard Bureau

F-17. The National Guard Bureau coordinates Army National Guard and Air National Guard efforts to secure the nation, protect critical state infrastructure, and respond to state cyber emergencies in coordination with the Department of Homeland Security and responsible state and local officials. Many states have established cyber response teams capable of responding to cyber emergencies in the country.

F-18. The National Guard Bureau Chief serves as an advisor to Commander, USCYBERCOM. The National Guard Bureau supports planning and coordination for cyberspace and EW missions requested by combatant commanders or the Chairman of the Joint Chiefs of Staff. The National Guard Bureau channels communications between USCYBERCOM and the 50 states, the Commonwealth of Puerto Rico, the District of Columbia, Guam, and the U.S. Virgin Islands on all National Guard matters.

Army National Guard

F-19. The Army National Guard is a vital component of the Army’s total force cyberspace and EW capabilities. It performs cyberspace operations in the 54 state-level joint force headquarters supporting both the Army and the states pursuant to United States Code Title 10 and Title 32 authorities. Their priority is to establish and maintain a secure cyber environment in the states by—
• Protecting critical cyberspace nodes.
• Developing cyberspace situational awareness.
• Supporting civil authorities for incident response and critical infrastructure protection.

F-20.
The Army National Guard is the Army’s expert for protecting critical infrastructure and essential resources. It supports the Army and USCYBERCOM with cyber network operations, cyber support, and cyber warfare capabilities. When deployed in a Title 10 status and allocated to a combatant command, Army National Guard CEMA sections and EW formations support the combatant commander in shaping operational environments.

United States Army Reserve

F-21. The United States Army Reserve is an expeditionary force that provides cyberspace capabilities to support ARCYBER and USCYBERCOM requirements. The United States Army Reserve provides trained and ready personnel to perform cyberspace operations to support joint, Army, and combatant commander mission requirements. United States Army Reserve personnel bring maturity and depth of experience, providing ready support to current and future operations. Uniquely, the United States Army Reserve will directly link to USCYBERCOM contingency plans, allowing them to mobilize personnel to support ARCYBER plans and operations.

UNITED STATES CYBER COMMAND

F-22. USCYBERCOM exercises coordinating authority for all DOD cyberspace operations, including operations to operate, secure, and defend the DODIN. USCYBERCOM accomplishes its missions within three primary lines of operation:
• Secure, operate, and defend the DODIN.
• Defend the nation from attack in cyberspace.
• Provide cyberspace support as required by a combatant commander.

F-23. USCYBERCOM directs security and defense of the DODIN using directive authority for cyberspace operations. When directed, USCYBERCOM also conducts cyberspace operations external to the DODIN (offensive cyberspace operations and defensive cyberspace operations-response actions) to support national objectives. Refer to JP 3-12 for more information about USCYBERCOM’s roles and responsibilities.

F-24.
DOD cyberspace forces include forces assigned to USCYBERCOM through the global force management process and Reserve Component forces. Cyberspace forces also include personnel who perform cybersecurity service provider roles established by the Services and DOD agencies to protect segments of the DODIN. Cybersecurity service providers are generally DOD-certified civilians and contractors who perform DODIN protection tasks such as analytics, infrastructure support, incident response, auditing, and service provider management.

Cyber Mission Force

F-25. Commander, USCYBERCOM exercises combatant command authority over the Cyber Mission Force. Commander, USCYBERCOM uses Cyber Mission Force units to conduct national strategic missions or assigns units to support combatant commander missions through a Service joint force headquarters-cyber. The Cyber Mission Force consists of—
• Cyber Combat Mission Force.
• Cyber Protection Force.
• Cyber National Mission Force.

Cyber Combat Mission Force

F-26. The Cyber Combat Mission Force conducts offensive cyberspace operations and related technical and analytical activities in support of combatant command operations. When authorized and directed, the Cyber Combat Mission Force conducts cyberspace attacks in neutral and threat cyberspace to affect threat capabilities. The Cyber Combat Mission Force consists of combat mission teams and combat support teams.

F-27. Combat mission teams are tactical teams that conduct cyberspace surveillance and reconnaissance and cyberspace attacks in neutral and enemy cyberspace. Combat support teams are technical teams that support combat mission teams through intelligence analysis, cyberspace capability development, linguist support, and planning.

Cyber Protection Force

F-28. The Cyber Protection Force conducts defensive cyberspace operations-internal defensive measures within the DODIN or, when authorized and directed, in friendly cyberspace beyond the DODIN.
The Cyber Protection Force consists of cyber protection teams organized, trained, and equipped to defend assigned cyberspace in coordination with and supporting segment owners, cybersecurity service providers, and users. The types of cyberspace protection teams are—
• National cyber protection teams—assigned to and directed by Cyber National Mission Force Headquarters.
• DODIN cyber protection teams—assigned to and directed by DOD Cyber Defense Command.
• Combatant command cyber protection teams—assigned to and directed by combatant commands.
• Service cyber protection teams—assigned to and directed by their assigned Service cyber component.

Cyber National Mission Force

F-29. The Cyber National Mission Force conducts defensive cyberspace operations to protect against malicious cyberspace activity based on USCYBERCOM and national priorities. The Cyber National Mission Force may conduct defensive cyberspace operations within the DODIN or, when authorized, outside of the DODIN in friendly or neutral cyberspace. The Cyber National Mission Force consists of national mission teams, national support teams, and national cyber protection teams.

F-30. National mission teams are tactical teams that conduct defensive cyberspace operations-response actions. National support teams support national mission teams with intelligence analysis, cyberspace capability development, linguist support, and planning. National cyber protection teams conduct national-level defensive cyberspace operations-internal defensive measures that can extend to defend non-DOD mission partner or critical infrastructure networks when ordered by the Secretary of Defense. The Cyber National Mission Force is assigned to and directed by the Cyber National Mission Force Headquarters. Table F-1 outlines the relationships between Cyber Mission Force elements, associated cyberspace operations and actions, and typical operating locations in friendly, neutral, and threat cyberspace.
Appendix G Training
This appendix discusses training to prepare Soldiers to execute missions to shape operational environments, prevent conflict, and support large-scale combat operations against peer threats. Training for cyber and electromagnetic warfare Soldiers includes institutional training, continuous home-station training, combat training center rotations, and deployments.

OVERVIEW OF TRAINING

G-1. Commanders ensure Soldiers and units train under challenging and realistic conditions that closely replicate an operational environment while incorporating the Army principles of training (refer to FM 7-0):
• Commanders are the primary trainers.
• Noncommissioned officers train individuals, crews, and small teams and advise commanders on all aspects of training.
• Train using multi-echelon techniques to maximize time and resource efficiency.
• Train as a combined arms team.
• Train to standard using appropriate doctrine.
• Train as you fight.
• Sustain levels of training proficiency over time.
• Train to maintain.
• Fight to train.

G-2. Individual training occurs in all three training domains—institutional, operational, and self-development. Institutional training includes initial and ongoing individual training aligned with each cyber and EW professional’s individual development plan. Additionally, Soldiers conduct individual and collective training during home-station training and combat training center rotations to stay abreast of continually evolving techniques, technologies, and trends in cyberspace and the electromagnetic spectrum.

INSTITUTIONAL TRAINING

G-3. Commissioned officers, warrant officers, and enlisted Soldiers seeking a career in cyberspace and EW operations benefit from intensive institutional training before reporting to their first unit of assignment. Institutional training continues throughout these Soldiers’ careers. Cyber Common Technical College and Electromagnetic Warfare College reside at the United States Army Cyber School.
These colleges provide institutional training to give active Army, United States Army Reserve, and Army National Guard cyber and EW Soldiers a thorough understanding of cyberspace operations, EW, and associated doctrine.

G-4. Cyber Soldiers learn how to combine Army operations, intelligence, and small unit tactics with foundational skills in cyberspace offensive and defensive tasks. EW Soldiers learn Army operations and small unit tactics with foundational skills in electromagnetic attack, electromagnetic protection, and electromagnetic support. Events conducted during institutional training ensure cyber and EW Soldiers’ basic proficiency in their respective military occupational specialties and include such training events as—
• Classroom instruction from civilian and military institutional instructors.
• Training lanes.
• Capstone training events.

HOME-STATION TRAINING

G-5. The CEWO coordinates with other staff elements to conceive and implement an annual home-station training plan. The CEWO aligns home-station training with the unit’s mission-essential task list and the essential individual and collective tasks Soldiers must accomplish. The CEWO aligns home-station training with how the unit will operate during evaluations at a combat training center. The home-station training plan includes subject matter to ensure cyber and EW professionals’ continued proficiency in their respective military occupational specialties and can consist of such training events as—
• Classroom training and instruction from mobile training teams.
• Training lanes.
• Field training exercises.

CLASSROOM TRAINING

G-6. Training and instruction from mobile training teams allow cyber and EW Soldiers to meet with military and commercial experts. Mobile training teams provide added real-world insight and practices to establish and maintain professional networks for increased operational efficiency at home station.

G-7.
Local network defenders require continual training to maintain perishable skills and remain up-to-date with current threat cyberspace capabilities, tactics, techniques, and procedures. Classroom training for local network defenders should include defensive cyberspace operations-internal defensive measures instruction, including—
• Threat tactics, techniques, and procedures.
• Securing Windows operating systems.
• Computer forensic investigation.
• Incident response.
• Intrusion detection in-depth.
• Hacker techniques.
• Exploit and incident mitigation and prevention.
• Network penetration testing.
• Ethical hacking.
• Auditing networks, perimeters, and information technology systems.

G-8. At a minimum, classroom training for EW Soldiers should include—
• General mathematics and algebra.
• Radio frequency fundamentals and calculations.
• Antenna theory.
• Direction-finding fundamentals.
• Principles of detecting and identifying frequencies of interest.
• Compilation of EW running estimates.
• Joint spectrum interference resolution and electromagnetic interference reporting procedures.
• Digital signal processing.
• Electromagnetic Warfare Planning and Management Tool familiarity and scenario planning.
• Fundamentals of maneuver.
• Threat EW capabilities.
• Visual identification of threat vehicles and EW systems.

LANE TRAINING

G-9. Training lanes provide cyber and EW Soldiers the opportunity to exercise combined efforts that culminate home-station training and assist with ensuring unit readiness and survivability. Training lanes can include simulated communications jamming to emphasize the importance of primary, alternate, contingency, and emergency communication plans. Subordinate units can use information from training events by conducting after action reviews to develop primary, alternate, contingency, and emergency communication plans.

FIELD TRAINING EXERCISES

G-10.
Most field training exercises will not include a cyber opposing force, so the opportunity to practice defensive cyberspace operations is limited. During field training exercises, local network defenders maintain the network’s cybersecurity compliance. Units practice electromagnetic protection actions during exercises, including—
• Terrain masking.
• Camouflage net masking.
• EMCON—
  ▪ Limiting electromagnetic emissions.
  ▪ Exercising EMCON plans, including triggers and transitions between EMCON conditions.

COMBAT TRAINING CENTERS

G-11. Combat training center rotations simulate real-world operations by imitating conditions units may encounter during deployment. The combat training center opposing force imposes realistic threat tactics, techniques, and procedures on units. Combat training centers evaluate rotational training units for combat readiness determined by the proactive and reactive measures taken to prevent or mitigate obstacles presented during the training rotation.

G-12. In a combined arms training scenario, cyberspace and EW operations are essential to gaining and maintaining tactical advantages needed for a favorable resolution. Combat training centers continuously observe the rotational training unit’s performance in an operational environment that includes simulated conflict and competition. Combat training centers help commanders assess their units’ overall combat readiness; proficiency in mission-essential tasks; and those critical and essential tasks that require additional training. Commanders oversee the implementation of necessary changes during home-station training to improve their units’ proficiency.
Appendix H Network Hardening Guide
The network hardening guide organizes procedures around four distinct but interrelated areas: domain management and security; network device management and security; network traffic monitoring and alerts; and endpoint (host and server) security. This guide should provide a unit the necessary tools to conduct a risk-based assessment of its cybersecurity posture.
Appendix I Army Integrated Reprogramming Cycle
As currently implemented, electromagnetic warfare reprogramming cannot be implemented within a tactically relevant timeframe. The Cyber Center of Excellence led a comprehensive doctrine, organization, training, materiel, leadership and education, personnel, facilities, and policy assessment to define a future state Army integrated reprogramming cycle. This appendix defines the future state reprogramming cycle.

OVERVIEW

I-1. The modern electromagnetic operational environment is more dynamic than ever. Rapid advances in communications and noncommunications technologies contribute to the pace of change. One of the newest challenges is the widespread employment of software-defined radios. Enemy electromagnetic warfare systems have also advanced, making the electromagnetic operational environment a challenging maneuver space where the commander must maintain situational understanding and be able to control electromagnetic signatures associated with command and control systems, radars, and EW systems.

I-2. Electromagnetic attack effects must include advanced techniques beyond brute-force jamming to increase survivability and lethality of Army personnel and systems. The increasingly capable threat throughout the electromagnetic operational environment requires a responsive EW reprogramming enterprise that supports tactical maneuver with software-defined emitter detection and effects delivery capabilities as close to combat speed as possible.

I-3. The future Army integrated reprogramming cycle is a modified version of the joint reprogramming cycle outlined in JP 3-85. The Army integrated reprogramming cycle reflects a consolidated Army electromagnetic countermeasures development and delivery process. Figure I-1 illustrates the Army integrated reprogramming cycle for the development of electromagnetic countermeasures.

PHASES

I-4.
The Army integrated reprogramming cycle follows the process in JP 3-85, with minor adjustments to support imitative, manipulative, or simulative electromagnetic attack. The purple cycle phases identified in Figure I-1 are the joint naming convention and the green phases are the naming convention used to support the Army electromagnetic warfare reprogramming enterprise. The Army integrated reprogramming cycle aligns electromagnetic countermeasures development as a subprocess within the scope of EW reprogramming, eliminating the need for new policies and allowing development to occur within existing EW reprogramming authorities.

I-5. The Army integrated reprogramming cycle consists of four phases:
• Determine the requirement.
• Determine the response.
• Create the response.
• Implement the response.

DETERMINE THE REQUIREMENT

I-6. Staffs develop and maintain an accurate description of the operational environment, specifically threat systems and tactics, techniques, and procedures through intelligence preparation of the operational environment. Maintaining an accurate description of the environment requires the fusion of known electromagnetic data with the collection, analysis, and validation of threat signature changes.

I-7. Intelligence preparation of the operational environment (see chapter 4) is a collaborative staff effort led by the intelligence staff. The staff continually updates intelligence preparation of the operational environment products (including the electromagnetic order of battle) to support situational understanding and assist commanders and staff in identifying relevant aspects within their assigned area or area of interest, such as threat signals of interest that can affect mission accomplishment. The commander and staff’s understanding of intelligence preparation of the operational environment and the electromagnetic order of battle help in developing high-payoff and high-value targets.
Defining the electromagnetic order of battle requires—
• Identifying transmitters and receivers in an area of interest.
• Determining their geographic locations or range of mobility.
• Characterizing their signals.
• Determining their roles in the threat’s broader organizational order of battle where possible.

I-8. Threat use of software-defined radios and agile electromagnetic attack capabilities requires continual updates to the electromagnetic order of battle. When EW and SIGINT teams detect unidentified signals in their assigned areas, those signals require analysis to identify their characteristics. This contributes to a current, accurate electromagnetic order of battle and allows EW personnel to identify requirements for new or updated electromagnetic countermeasures.

DETERMINE THE RESPONSE

I-9. Once commanders and staff understand the situation and mission, they develop courses of action to generate response options that will drive the production of operation plans or orders. The CEMA section generates cyberspace and EW options to support proposed courses of action. If the CEMA section determines an existing electromagnetic countermeasure is not sufficient or a new countermeasure is needed, they perform additional analysis to determine whether a proposed new countermeasure will provide the emitter detection or effects delivery capability necessary to achieve the commander’s objectives for a given target or set of targets.

I-10. CEMA staff at echelon using the Electromagnetic Warfare Planning and Management Tool will review the electromagnetic countermeasures arsenal to determine whether an electromagnetic countermeasure has been developed for a target and whether the electromagnetic attack system it was developed for meets their operational requirement.
If no countermeasure is available, the CEMA staff submits an operational change request (see appendix E) to request development of an electromagnetic countermeasure to support their fielded EW system and establish the priority (routine, urgent, or emergency) of the request. CEMA sections forward the operational change request through their chain of command to the theater army CEMA section for approval and processing.

CREATE THE RESPONSE

I-11. The create the response phase consists of—
• Developing and testing an electromagnetic countermeasure.
• Cataloging the countermeasure and placing it within the electromagnetic countermeasures arsenal for use by the EW community.

I-12. The electromagnetic countermeasures arsenal provides detailed information on electromagnetic countermeasure techniques, EW systems, and threat signal characteristics to support modeling and simulation, mission planning, and course of action development. The electromagnetic countermeasures arsenal also provides the capability to store and deliver electromagnetic countermeasures to fielded EW systems via the Electromagnetic Warfare Planning and Management Tool.

I-13. Electromagnetic countermeasure developers must determine whether enough threat system data is available to develop a countermeasure. The signal of interest can be complex and may require reverse engineering to determine whether an effective electromagnetic countermeasure can be developed to affect the target.

I-14. The electromagnetic countermeasure developer will conduct a vulnerability assessment that consists of—
• Signal analysis.
• Reverse engineering.
• Protocol and specification review.

I-15. Once developers discover a vulnerability to the threat system, they develop an electromagnetic countermeasure to exploit the vulnerability. If the vulnerability assessment fails to expose an obvious weakness, an electromagnetic countermeasure may still be created through experimentation or trial and error.
By leveraging previously developed electromagnetic countermeasures known to be effective against similar signals of interest, a baseline capability can be quickly established and modified to tailor the countermeasure to the target in question. Developers can then evaluate tactics, techniques, and procedures for deploying these countermeasures through physical testing, modeling, and simulations and predict combat effectiveness against the threat system.

I-16. Depending on the urgency of the request, developers may not have enough time to generate a carefully tailored countermeasure for the threat capability. In these cases, they may opt to quickly develop an interim capability or tactics, techniques, and procedures to detect the signal of interest and deliver a brute force effect while continuing to develop and refine a more advanced technique.

I-17. The developer tests the electromagnetic countermeasure at a test range to validate tactics, techniques, and procedures, combat effectiveness, and required safety certification for employment. When testing and validating new countermeasures, tactics, techniques, and procedures, developers must consider the risk tolerance of the mission—
• Electromagnetic protection and defensive electromagnetic attack techniques carry a low risk tolerance for mission failure. Systems that protect personnel and equipment require stringent testing and evaluation processes.
• Electromagnetic attack techniques allow a higher level of accepted risk. Systems designed to deny, disrupt, or destroy threat systems may not require extended testing and evaluation before employment.
• Advanced electromagnetic attack techniques (electromagnetic deception, electromagnetic intrusion, electromagnetic manipulation, or electromagnetic spectrum-enabled cyberspace attack) require extensive testing and evaluation to predict their combat effectiveness.

I-18.
Once a countermeasure is approved, the electromagnetic countermeasure file and tactics, techniques, and procedures for employment are packaged and placed in the electromagnetic countermeasures arsenal. A reprogramming message is then sent to all theater CEMA staff.

IMPLEMENT THE RESPONSE

I-19. Upon receipt of the reprogramming message, the CEMA staff will download the electromagnetic countermeasure file and supporting products to complete the mission. The CEMA sections determine the need for a countermeasure and review the electromagnetic countermeasures arsenal. The CEMA section, using an EW planning tool like the Electromagnetic Warfare Planning and Management Tool, downloads a countermeasure file with supporting tactics, techniques, and procedures. The CEMA section verifies the new electromagnetic countermeasure effect can be employed within their delegated electromagnetic attack control authority.

I-20. The CEMA section disseminates files and associated tactics, techniques, and procedures to the EW team with the mission task. The team installs the file and adjusts the systems for executing the mission. The CEMA section then submits a unit loading message (see appendix E) to document implementation of the reprogramming action.
Glossary
The glossary lists acronyms and terms with Army or joint definitions. Where Army and joint definitions differ, (Army) precedes the definition. The proponent publication for terms is listed in parentheses after the definition.
