Emerging Information Assurance Tools and Techniques: Automated C&A
Office of CIO Communications
Information Assurance (IA) has emerged as a vital part of strategic, operational and tactical operations. Organizations must be able to manage the ever-changing information security threat landscape while simultaneously meeting shifting regulatory compliance and reporting requirements. The stakes are high. Without a complete understanding of the current security posture, methods to mitigate risk and respond to threats, and an effective ability to demonstrate and measure compliance, our network systems – critical to mission success – are increasingly at risk.
In an era when new cyber threats are introduced into the networks every day, risk-based countermeasures are critical to cyber survival. In today’s globally networked environment, DoD systems are increasingly vulnerable to cyber warfare attacks. Securing information systems requires awareness, an understanding of the nature of cyber threats, and emerging technologies available to counter threats. IA professionals must be equipped with tools, methodologies, and strategies for keeping pace with the volume and velocity of hacker activity.
Looking forward requires some shifting and expanding of our current approach. It requires going beyond individual solutions to create an environment for improved information sharing. It requires an end-to-end IA solution that keeps pace with both risk and mandate.
The Certification and Accreditation (C&A) process was designed to protect against these threats and to ensure compliance with public law, federal guidance, and DoD directives. However, C&A activities can be time-consuming, expensive, and complex.
Government and industry have responded to this challenge with technologies that automate the process. These tools reduce cost, level of effort, and opportunity for analyst error while standardizing documentation across the organization and providing improved visibility into the postures of multiple systems. Automated C&A can provide a much sought-after “set it and forget it” capability for yearly IA assessment and make requisite documentation drills a relative breeze. The tools guide users through step-by-step processes to determine risk posture and assess system and network configuration for compliance with regulations, standards, and industry best practices. Features and capabilities, as well as compatibility with enumeration tools, vary among products, but all offer marked improvement over manual methods of IA planning, analysis, test, evaluation, risk assessment, and compliance documentation.
The paradox lies in the fact that while industry has been successful in providing security and C&A tools, these have never been integrated into a single, cooperative suite of tools that addresses both the security requirements and the C&A requirements of DoD systems and networks.
NAVAIR approached industry leaders IBM Internet Security Systems (ISS) and Telos Xacta to forge a strategic partnership for the purpose of developing an automated, enterprise-level security and C&A capability that increases security posture across the Enterprise by leveraging automated technologies to reduce IA-related workload, reallocate manpower to Warfighter support, and facilitate FISMA and DIACAP reporting compliance. As a result, NAVAIR and these industry leaders developed ISS-Xacta – an automated interface between the ISS Enterprise Site Protector and the Telos Xacta IA Manager.
Recently, ISS-Xacta was submitted to the Navy Cyber Asset Reduction and Security (CARS) program as a High Payoff Enterprise Solution. After a peer review, it was selected for funding and the scope was expanded from an Echelon II initiative to a Navy-wide solution. ISS-Xacta is currently being deployed in the RDT&E environment as an Operational Evaluation (OPEVAL). Upon successful completion of the OPEVAL, NAVAIR intends to deploy ISS-Xacta across the Enterprise. This integration of computer network defense technology with automated C&A and risk management has demonstrated the merit of automated tools in presenting a true picture of a system’s security posture that is not available through today’s paper-based C&A process.
NAVAIR’s foresight in encouraging these cutting-edge technology companies to form a partnership created a critical technology that has provided significant improvements in the security posture of our networks and systems and has decreased the IA workload across the workforce, allowing us to focus on our primary mission – support to the Warfighter.
About the author: Jen Borst, a regular contributor to Office of CIO communications, is an employee of Smartronix Corporation, Information Assurance Division. Ms. Borst is a senior analyst supporting PMA 231.