1. Mission Analysis
Planning starts upon receipt of mission orders (TASKORD/FRAGORD/CTO/etc.). This section outlines the tasks that the MPC Chief (MPCC) is responsible for PRIOR to convening the Mission Planning Cell (MPC).
- Mission Analysis is conducted by the MPCC (and D-MPCC if available) prior to convening the MPC.
- The purpose of Mission Analysis is to:
- Understand the problem to be solved by the CPT
- Analyze the higher commander's mission and intent
- Establish the initial framework for the MPC to plan from
- Mission Analysis answers four foundational questions:
- What are we being directed to do?
- Why are we being directed to do it?
- How are we directed to do it?
- Under what limitations and level of risk?
1.1. Initial Order Reviewβ
The goal at this stage is overall mission orientation and problem framing.
Upon receipt of the order:
- Read the entire order, including annexes, SPINS, and referenced documents
- Identify supported and supporting relationships in relation to the CPT
- Extract key dates/times (RFI deadlines, product suspenses, execution windows)
- Identify classification constraints
- Identify any immediate coordination requirements
- Identify decision authorities (risk approval, escalation, mission termination, terrain changes, ATC approval)
CPT's are typically formally tasked via 5-Paragragh orders (OPRORD/TASKORD/FRAGO). They are usually outlined in the following structure (with the most relevant sub-sections also listed):
- Paragraph 1 - Situation
- 1.A. General/Assessment
- 1.B. Area of Concern
- 1.C. Enemy
- 1.D. Friendly
- 1.E. Legal Considerations
- Paragraph 2 - Mission
- Paragraph 3 - Execution
- 3.A. Commander's Intent
- 3.A.1. Purpose
- 3.A.2. Method/Key Tasks
- 3.A.3. End State
- 3.B. Concept of Operations
- 3.B.1. Objectives
- 3.B.2. Effects
- 3.B.3. Courses of Action
- 3.C. Tasks
- 3.D. Coordinating Instructions
- 3.A. Commander's Intent
- Paragraph 4 - Administration and Logistics
- Paragraph 5 - Command and Signal
- 5.A. Command Relationships
- 5.B. Command, Control, Communications, and Computer Systems
1.2. Identify the Tasked Missionβ
1.2.1. Define the Mission Statementβ
The CPT's tasked mission must be clearly identified so that the MPC is clear on what to plan toward.
- Frame the tasked mission using the 5 W's:
- Who - Which CPT / element is tasked?
- What - What task(s) must be accomplished?
- When - When must execution occur?
- Where - What terrain / network / AO?
- Why - What operational objective or end state is being enabled?
NOTE: If the mission cannot be restated clearly in one sentence, it is not yet understood.
- The mission statement must:
- Reflect higher commander intent
- Contain no method or TTP language
- Primary source:
Order paragraph 2 - Mission
- Supporting context:
Order paragraph 3.A - Commander's IntentOrder paragraph 3.B - Concept of Operations
## MISSION STATEMENT
On order, 852 CPT is tasked to provide assistance to the SKYVIEW network with hunting and clearing any
malicious cyber actor activity from their network to preserve the security of critical systems and enable
continued mission operations.
1.2.2. Identify the End-Stateβ
The MPCC must define the condition that must exist at mission completion to declare success.
- Extract the higher commander's stated End-State
- Translate it into conditions observable at the tactical level
- Identify:
- Required conditions that must exist
- Conditions that must not occur
- Any stated termination criteria
- The End-State must:
- Be condition-based
- Be measurable
- Directly resolve the Tactical Problem
- Primary source:
Order paragraph 3.A.3 - End State
## DESIRED END-STATE
- No disruption to MRT-C operations beyond stated ALR
- MCA presence within approved terrain is confirmed absent or cleared
- MRT-C and KT-C systems are operating within acceptable risk thresholds
- Defensive posture is strengthened to reduce likelihood of re-compromise
1.2.3. Identify the Tactical Problemβ
Restating the mission alone is insufficient to guide the MPC. The MPCC must also define the conditions preventing mission success.
- Describe the current condition preventing mission success
- Identify what is unknown, degraded, or contested (that affects mission success)
- Identify primary friction points:
- Technical
- Authority-driven
- Time-constrained
- Adversary-driven
- Confirm the problem is bounded within approved mission scope
- The tactical problem must describe:
- A condition - not a task
- A gap between current state and desired state
- The operational risk created by that gap
## TACTICAL PROBLEM
The SKYVIEW network lacks validated visibility and assurance that MCA activity is not present within MRT-C
and KT-C systems. Without deployed sensors, validated terrain understanding, and threat-focused hunting,
adversary access may persist undetected and negatively impact mission-critical operations.
1.3. Identify Essential Tasksβ
Essential Tasks directly support the mission or Commander's Intent. Depending on how they are written, they are considered the Operational Objectives (OOs) or Operational Tasks (OTs).
Essential Tasks = Specified Tasks + Implied Tasks. They drive the MPCC's identification of the Tactical Objectives (TOs) needed to generate the effects that achieve them.
NOTE: Incorrect identification of Essential Tasks will lead to misaligned Tactical Objectives (TOs) and wasted effort.
Essential Tasks may be comprised of tasks that are accomplished through either planning and/or execution. For example, some orders have explicitly stated tasks for a CPT to begin planning - something that is accomplished by the MPC.
In the "Plan-to-plan", the MPCC outlines Mission Planning Objectives (MPOs) and Mission Planning Tasks (MPTs) that the MPC will accomplish. These are not the same as TOs and TTs that are executed by the CPT Mission Element (ME).
1.3.1. Identify Specified Tasksβ
- Specified Tasks are explicitly directed in the order
- Primary source:
Order paragraph 3 - Execution
- Supporting context:
Order paragraph 2 - Mission
NOTE: The MPCC will extract these tasks verbatim before modifying or refining them.
### SPECIFIED TASKS
- Develop a Tactical Mission Plan (TMP)
- If required, provide recommendation from 616 OC to further scope the area of operations
- Triage discovered MCA effects and document the conditions in which the effect was discovered
- Provide daily situational report (SITREP) to 616 OC
- Clear all confirmed malicious entities discovered within assigned terrain
1.3.2. Generate Implied Tasksβ
- When necessary, the MPCC must "fill in the gaps" and identify all other additional pre-requisite tasks needed to accomplish the Specified Tasks
NOTE: These are not Tactical Objectives (TOs) - TOs generate effects that accomplish these tasks
- Implied Tasks are not written directly but must occur for specified tasks to succeed
- They may also be derived from the stated End State or Desired Effects within an order
- "What unstated tasks are required to meet the desired End State?"
- "What unstated tasks are required to meet the generate the Desired Effects?"
- Primary source:
Order paragraph 3 - Execution
- Supporting context:
Order paragraph 2 - Mission
### IMPLIED TASKS
- Perform FMA-C within the scope of the AO network
- Deploy and configure CVA/H
- Conduct terrain validation
- Establish communications contracts
- Coordinate Authorities to Connect (ATC)
1.3.3. Develop Initial Tactical Objectivesβ
Execution Essential Tasks must be translated into measurable Tactical Objectives (TOs) that define the conditions the CPT must create during execution.
For each execution Essential Task, the MPCC will:
- Rewrite the task into a condition-focused objective
- Ensure each TO:
- Describes a desired condition
- Is measurable
- Directly supports an Essential Task
- Does not prescribe specific TTPs
### INITIAL TACTICAL OBJECTIVES
- TO-1: Deploy CVA/H to the assigned area of operations
- MOE-1: CVA/H is operational and collecting required data across approved terrain
- TO-2: Baseline and characterize the defended environment
- MOE-2: Defended cyber terrain understanding is sufficient to support MCA detection and response
- TO-3: Hunt for evidence of MCA within the defended environment
- MOE-3: Presence or absence of MCA is determined with high confidence
- TO-4: Clear all MCA identified within the defended environment
- MOE-4: Identified MCA can no longer access, persist in, or impact systems within the AO
1.4. Identify Limitationsβ
The MPCC must identify the stated Limitations (Constraints + Restraints) in order to properly bound the parameters of mission execution (that the CPT must/must not do), therefore the MPCC planning.
- Primary source:
Order paragraph 3 - Execution(Coordinating Instructions)Order paragraph 4 - Administration and LogisticsOrder paragraph 5 - Command and Signal- Legal considerations (often referenced in
Order paragraph 1or annexes) - SPINS / ROE annexes
NOTE: Failure to identify limitations early will cause execution failure later.
1.4.1. Identify Constraintsβ
Constraints are "Must-dos" that the CPT must perform according to the orders/SPINS
### CONSTRAINTS
- Must target specific systems for action
- Must coordinate with specific organization prior to action
- Must submit daily SITREP
1.4.2. Identify Restraintsβ
Restraints are "Must-not-dos" that the CPT is prohibited from performing according to the orders/SPINS
### RESTRAINTS
- Must not disrupt or degrade the execution of operations at any sites
- Must not operate outside of approved cyber terrain
- Must not conduct Cyber Threat Emulation (CTE) without approval from USCC and mission partner
- Must not scan or interact with assets on the no strike list
- Must not submit malware samples, artifacts, iocs, etc. to public clouds or security vendors without authorization
1.4.3. Identify Acceptable Level of Risk (ALR)β
The MPCC must determine what level of operational, technical, and mission risk has already been accepted - and what requires additional approval.
- Identify stated ALR (if provided in order/SPINS)
- Identify:
- Acceptable operational disruption thresholds
- Asset protection priorities (MRT-C / KT-C implications)
- Escalation authorities for additional risk acceptance
- Conditions that require mission pause or abort
- Identify conditions that would require mission pause or abort
### ACCEPTABLE LEVEL OF RISK (ALR)
- OPERATIONAL RISK:
- Limited latency or bandwidth impact to non-MRT-C systems is acceptable
- No degradation to MRT-C systems beyond 5% performance threshold
- No interruption to mission-critical industrial control processes
- TECHNICAL RISK:
- Active scanning permitted within approved terrain during defined windows
- Host agent deployment authorized on all Windows-based MRT-C assets
- No exploitation or credential harvesting without explicit authorization
- ASSET PROTECTION PRIORITY:
- MRT-C assets must not be disrupted
- KT-C assets may tolerate limited investigative interaction
- Non-critical enterprise systems may accept short-duration investigative disruption
- ESCALATION AUTHORITIES:
- Mission Commander may accept temporary degradation to KT-C
- Any risk to MRT-C requires approval from 616 OC
- Any action outside approved terrain requires DIRLAUTH validation
- ABORT / PAUSE CRITERIA:
- Unexpected impact to MRT-C systems
- Loss of ATC or mission partner authorization
- Adversary activity indicating compromise of CPT infrastructure
1.5. Identify Key Informationβ
1.5.1. Identify Initial Factsβ
The MPCC must identify the key pieces of information backed by factual evidence that are required to execute the mission. Facts influence how you the mission will be executed.
NOTE: Don't go crazy and list every obvious fact, especially if does not affect your mission
- Facts drive how the CPT will execute the mission
- Facts should be logically divided into functional categories
### FACTS
- ENEMY:
- [CYBER THREAT ACTOR] has targeted this specific environment in the past
- Malware has been found on this network in the past
- LOGISTICS:
- The mission partner will pay for expenses incurred in relation to Siemens vendor coordination
- LOGICAL ENVIRONMENT:
- Windows hosts within the network all have WinRM enabled
- Siemens devices exists within the network
- The network does not consist of any wireless segments
- PHYSICAL ENVIRONMENT:
- Mission Partner will grant Mission Element members 24/7 access to all required facilities
- CAPABILITIES:
- CVA/H is capable of performing 802.11 wireless assessments
- SUPPORT:
- 33rd COS has been tasked by 616 OC to provide assistance to the CPT during execution
1.5.2. Identify Initial Assumptionsβ
The MPCC must identify the key pieces of information lacking factual evidence that are required to execute the mission.
- If information required to plan is missing, the MPCC must:
- Identify the assumption
- Determine whether an FFIR/RFI is required
- Initiate coordination if necessary
- Every Assumption represents potential mission risk
- Assumptions must either:
- Be validated via FFIR/RFI, or
- Be addressed through contingency planning
- Assumptions should be logically divided into functional categories
### ASSUMPTIONS
- ENEMY:
- [CYBER THREAT ACTOR] has capabilities that can be used to compromise this specific environment
- LOGISTICS:
- Mission Partner facilities have sufficient space for the entire CPT and CVA/H equipment
- Mission Partner network infrastructure has enough free ports to accommodate CVA/H network connections
- LOGICAL ENVIRONMENT:
- Solaris systems are not present within the network
- There are no technical controls within the network that will interfere with CPT activities
- PHYSICAL ENVIRONMENT:
- Mission partner facilities temperatures and humidity are within CVA/H equipment tolerances
- CAPABILITIES:
- CVA/H is capable of analyzing Siemens network traffic
- SUPPORT:
- 36th CS will be tasked via Cyber Tasking Order (CTO) to assist the CPT
1.5.3. Generate Initial FFIRs/RFIsβ
Assumptions generate an information need and must have a corresponding Request For Information (RFI) or Friendly Force Information Request (FFIR).
- Adversary-focused information needs typically require an RFI directed to Intel
- Most other needs or FFIRs may more appropriately be directed toward specific entities outlined in Order Paragraph 5 - Command and Signal
- CPT or CVA/H specific information needs can be resolved by SMEs within the MPC
### INFORMATION NEEDS
- ENEMY:
- [ ] Does [CYBER THREAT ACTOR] have capabilities that can be used to compromise Siemens devices?
- LOGISTICS:
- [ ] Will facilities have sufficient space for the entire CPT and CVA/H equipment?
- [ ] Will network infrastructure has enough free ports to accommodate CVA/H network connections?
- LOGICAL ENVIRONMENT:
- [ ] Does the network have Solaris systems present?
- [ ] Is the 33rd COS employing capabilities that will prevent the CPT from deploying agents?
- PHYSICAL ENVIRONMENT:
- [ ] Will facility environmental controls keep temperatures within CVA/H equipment tolerances?
- CAPABILITIES:
- [ ] Is CVA/H capable of analyzing Siemens network traffic?
- SUPPORT:
- [ ] Does the 616 OC have a CTO tasking the 36th CS to assist the CPT?
1.6. EXAMPLE: Mission Analysisβ
# MISSION ANALYSIS
---
## MISSION STATEMENT
On order, 852 CPT is tasked to provide assistance to the SKYVIEW network with hunting and clearing any
malicious cyber actor activity from their network to preserve the security of critical systems and enable
continued mission operations.
## DESIRED END-STATE
- No disruption to MRT-C operations beyond stated ALR
- MCA presence within approved terrain is confirmed absent or cleared
- MRT-C and KT-C systems are operating within acceptable risk thresholds
- Defensive posture is strengthened to reduce likelihood of re-compromise
## TACTICAL PROBLEM
The SKYVIEW network lacks validated visibility and assurance that MCA activity is not present within MRT-C
and KT-C systems. Without deployed sensors, validated terrain understanding, and threat-focused hunting,
adversary access may persist undetected and negatively impact mission-critical operations.
---
## ESSENTIAL TASKS
### SPECIFIED TASKS
- Develop a Tactical Mission Plan (TMP)
- If required, provide recommendation from 616 OC to further scope the area of operations
- Characterize and enumerate the network to achieve baseline understanding of the terrain
- Develop and initiate a sensor employment plan to identify or trigger future alerts for MCA activity
- Triage discovered MCA effects and document the conditions in which the effect was discovered
- Develop and initiate MCA response or remediation actions in coordination with NOC.
- Provide recommendations for follow-on operations to 616 OC
- Provide daily situational report (SITREP) to 616 OC
- Investigate all MCA indicators provided by intelligence
- Clear all confirmed malicious entities discovered within assigned terrain
### IMPLIED TASKS
- Perform FMA-C within the scope of the AO network
- Deploy and configure CVA/H
- Conduct terrain validation
- Establish communications contracts
- Coordinate Authorities to Connect (ATC)
### INITIAL TACTICAL OBJECTIVES
- TO-1: Deploy CVA/H to the assigned area of operations
- MOE-1: CVA/H is operational and collecting required data across approved terrain
- TO-2: Baseline and characterize the defended environment
- MOE-2: Defended cyber terrain understanding is sufficient to support MCA detection and response
- TO-3: Hunt for evidence of MCA within the defended environment
- MOE-3: Presence or absence of MCA is determined with high confidence
- TO-4: Clear all MCA identified within the defended environment
- MOE-4: Identified MCA can no longer access, persist in, or impact systems within the AO
- TO-5: Assess the attack surface of the defended environment
- MOE-5: High-impact vulnerabilities affecting KT-C and MRT-C are identified
- TO-6: Enable hardening of potential MCA attack vectors within the defended environment
- MOE-6: Actionable mitigations are defined to reduce exploitation risk to KT-C and MRT-C
- TO-7: Enable the assessment of implemented hardening actions
- MOE-7: Adversary-representative actions are ready to be executed to validate hardening state
---
## LIMITATIONS
### CONSTRAINTS
- Must target specific systems for action
- Must coordinate with specific organization prior to action
- Must submit daily SITREP
### RESTRAINTS
- Must not disrupt or degrade the execution of operations at any sites
- Must not operate outside of approved cyber terrain
- Must not conduct Cyber Threat Emulation (CTE) without approval from USCC and mission partner
- Must not scan or interact with assets on the no strike list
- Must not submit malware samples, artifacts, iocs, etc. to public clouds or security vendors without authorization
### ACCEPTABLE LEVEL OF RISK (ALR)
- OPERATIONAL RISK:
- Limited latency or bandwidth impact to non-MRT-C systems is acceptable
- No degradation to MRT-C systems beyond 5% performance threshold
- No interruption to mission-critical industrial control processes
- TECHNICAL RISK:
- Active scanning permitted within approved terrain during defined windows
- Host agent deployment authorized on all Windows-based MRT-C assets
- No exploitation or credential harvesting without explicit authorization
- ASSET PROTECTION PRIORITY:
- MRT-C assets must not be disrupted
- KT-C assets may tolerate limited investigative interaction
- Non-critical enterprise systems may accept short-duration investigative disruption
- ESCALATION AUTHORITIES:
- Mission Commander may accept temporary degradation to KT-C
- Any risk to MRT-C requires approval from 616 OC
- Any action outside approved terrain requires DIRLAUTH validation
- ABORT / PAUSE CRITERIA:
- Unexpected impact to MRT-C systems
- Loss of ATC or mission partner authorization
- Adversary activity indicating compromise of CPT infrastructure
---
## KEY INFORMATION
### FACTS
- ENEMY:
- [CYBER THREAT ACTOR] has targeted this specific environment in the past
- Malware has been found on this network in the past
- LOGISTICS:
- The mission partner will pay for expenses incurred in relation to Siemens vendor coordination
- LOGICAL ENVIRONMENT:
- Windows hosts within the network all have WinRM enabled
- Siemens devices exists within the network
- The network does not consist of any wireless segments
- PHYSICAL ENVIRONMENT:
- Mission Partner will grant Mission Element members 24/7 access to all required facilities
- CAPABILITIES:
- CVA/H is capable of performing 802.11 wireless assessments
- SUPPORT:
- 33rd COS has been tasked by 616 OC to provide assistance to the CPT during execution
### ASSUMPTIONS
- ENEMY:
- [CYBER THREAT ACTOR] has capabilities that can be used to compromise this specific environment
- LOGISTICS:
- Mission Partner facilities have sufficient space for the entire CPT and CVA/H equipment
- Mission Partner network infrastructure has enough free ports to accommodate CVA/H network connections
- LOGICAL ENVIRONMENT:
- Solaris systems are not present within the network
- There are no technical controls within the network that will interfere with CPT activities
- PHYSICAL ENVIRONMENT:
- Mission partner facilities temperatures and humidity are within CVA/H equipment tolerances
- CAPABILITIES:
- CVA/H is capable of analyzing Siemens network traffic
- SUPPORT:
- 36th CS will be tasked via Cyber Tasking Order (CTO) to assist the CPT
### INFORMATION NEEDS
- ENEMY:
- [ ] Does [CYBER THREAT ACTOR] have capabilities that can be used to compromise Siemens devices?
- LOGISTICS:
- [ ] Will facilities have sufficient space for the entire CPT and CVA/H equipment?
- [ ] Will network infrastructure has enough free ports to accommodate CVA/H network connections?
- LOGICAL ENVIRONMENT:
- [ ] Does the network have Solaris systems present?
- [ ] Is the 33rd COS employing capabilities that will prevent the CPT from deploying agents?
- PHYSICAL ENVIRONMENT:
- [ ] Will facility environmental controls keep temperatures within CVA/H equipment tolerances?
- CAPABILITIES:
- [ ] Is CVA/H capable of analyzing Siemens network traffic?
- SUPPORT:
- [ ] Does the 616 OC have a CTO tasking the 36th CS to assist the CPT?
---