Date: 2021-01-22

Naval Information Warfare Center (NIWC) Atlantic’s Command Information Office (CmdIO) team is making significant strides in the software and systems assessments and authorizations (A&A) process by implementing multiple new efficiencies. In turn, these efforts are helping to improve cybersecurity across the command, and ultimately, for the Navy.



NIWC Atlantic’s CmdIO team is working with the command information office from its headquarters organization Naval Information Warfare Systems Command (NAVWAR) and has reduced the number of expired software, system and network authorization packages from 16 to three — an 80% reduction.



“To bolster our efforts and more effectively respond to the latest cybersecurity risk assessments, we increased our security posture for packages needing approval to run on Navy networks,” said NIWC Atlantic Command Information Systems Security Manager (ISSM) Brianeisha Eure.



According to Eure, who leads the command’s cybersecurity and compliance team, they achieved this feat by focusing attention on cybersecurity and authorization improvement opportunities and by implementing new processes, creating and using checklists, and tapping into lessons learned from going through the Risk Management Framework (RMF) process. That process involved developing entry criteria documents to determine readiness for testing and validation of security controls, and communicating needs ahead of time to ensure no impact to schedules.



NIWC Atlantic RMF Lead Matthew Colburn, who works for Eure within the ISSM office, does his part to make sure assessments are completed correctly and are approved by the authorizing official (AO).



“The assessment and authorization process involves securing software and/or a computer network used to support the warfighter,” said Colburn.

“So when you go through an assessment, you’re looking at that system and making sure it is secured, that information is not altered, and the system is available when needed. Basically, you’re ensuring vulnerabilities are closed out to limit holes that can be attacked by an adversary.”



Eure and Colburn attribute the success of the process to NIWC Atlantic’s A&A team as well as program management offices and their respective cybersecurity support teams.



The A&A team now works with program management offices to assist with A&A schedules and more closely monitor statuses through the creation of a dashboard that tracks packages from start to finish, giving them higher visibility.



“We also identified and addressed issues with insufficient personnel and/or funding, to make sure programs are appropriately staffed to maintain a cybersecurity presence; communications and training are increased while learning from the issues involved with each previous package; and that NIWC Atlantic A&A team members are assigned to provide governance and oversight with assisting programs to get through RMF,” said Colburn.



Another element that helps the team streamline the A&A process and meet its goals is maintaining authorizations for Data Center and Cloud Hosting Services, which offers cloud broker services, hosting and other scalable managed service offerings available to the Department of Defense.



“Additionally, the command completed a package that supplies inheritance to, or is adopted by all NIWC Atlantic-owned and -funded programs,” said Eure. “This is critical, as this policy-based package provides inheritance for over 50 packages. Instead of all [NIWC Atlantic] teams testing those controls, it is tested once at the command level by the A&A team and inherited by more than 50 other teams.”



Of the three remaining expired packages in need of approval, two of them are scheduled to decommission in the near future, and the last one is following the process to extend its authorization.



“Our team also implemented a local requirement to go over the checklists used by the package submitting officer,” said Colburn. “These reviews ensure the package is ready to proceed with approval from the reviewers, to include the authorizing official.”



According to Colburn, those reviews improved validation efficiency from six months for smaller packages to now just two-and-a-half weeks for an entire infrastructure package.



“This was done by creating an entry criteria checklist that ensured the project met all requirements and was ready for validation,” said Colburn. “Despite all of the policy changes to RMF, our RMF team has still been able to reach this achievement.”



One of the final steps of the RMF process is to achieve an Authority to Operate, which is required to authorize an information technology system or product to operate on government networks.



“NIWC Atlantic owns more than 50 authorization packages, ranging from network and hosting services to telephony and video services to CmdIO and command applications,” Eure said. “In that effort, thanks to the implementation of new processes, we can more efficiently ensure applications, networks and software remain authorized to run on Navy networks to meet mission goals.”



As a part of Naval Information Warfare Systems Command, NIWC Atlantic provides systems engineering and acquisition to deliver information warfare capabilities to the naval, joint and national warfighter through the acquisition, development, integration, production, test, deployment, and sustainment of interoperable command, control, communications, computer, intelligence, surveillance, and reconnaissance, cyber and information technology capabilities.

