
iCommandant

Web Journal of Admiral Thad Allen

Friday, May 29, 2009

BERTHOLF Granted Authority to Operate -- Ready for Ops

Guest Post from CAPT Joseph M. Vojvodich (CG-933), C4ISR Acquisition Program Manager and CAPT Drew Rambo (CG-62), Office of Communications Policy

The Coast Guard Designated Approving Authority (DAA) granted the Authority to Operate (ATO) yesterday for USCGC Bertholf's classified systems. The ATO is the formal accreditation decision issued by the official with the authority to assume responsibility for operating a system at an acceptable level of risk. Bertholf is now allowed to process, store, and transmit classified information until re-authorization is required in three years. An ATO indicates the information system has adequately implemented all assigned Information Assurance safeguards to a point that is acceptable to the DAA. USCGC Bertholf is operationally ready right now to conduct Coast Guard missions.

The ATO considers a number of Information Assurance aspects, including TEMPEST, to ensure a sound security posture for the cutter's information systems. We met a critical milestone by performing the Instrumented TEMPEST Survey (ITS) as planned. In April, the U.S. Navy's Space & Naval War Systems Command (SPAWAR) completed the ITS on Bertholf. Besides leveraging the expertise of our Navy partner, the Coast Guard called upon industry capability as well. Throughout the past months the Acquisition Project Manager (PM), under the guidance of the CTTA (Certified TEMPEST Technical Authority), employed the service of a National Security Agency certified TEMPEST test services facility to prepare for the ITS. Using an exacting "test, fix, test" methodology for high-risk areas, all known TEMPEST discrepancies were resolved prior to the final instrumented SPAWAR evaluation.

The Coast Guard received a classified assessment from SPAWAR in mid-May, which was an important artifact to obtain the ATO. While national security concerns prevent the public release of the assessment, the Coast Guard's CTTA reviewed the document, considered the results of Visual TEMPEST Inspections and discrepancy resolutions, and recommended TEMPEST certification for the Bertholf.

The Coast Guard's role as the Lead Systems Integrator for Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance (C4ISR) was largely facilitated through an integrated effort of the technical authority, sponsor, and acquisition PM. For example, the Coast Guard's CTTA monitored the TEMPEST testing to ensure a thorough evaluation of all systems was properly completed and documented. The PM managed cost-schedule-performance parameters of the effort and the sponsor ensured the PM and technical authority were accountable for capability and technical requirements.

The Coast Guard also analyzed and audited software and hardware devices and their configurations for known threats and adherence to applicable security guidelines and policies. SPAWAR, as an independent validation and verification agent, completed the final software and network scan of the classified system on board Bertholf for vulnerabilities. The most recent updated software load was deployed and tested in mid-May. The recent software load, among other things, contained necessary adjustments that addressed IA risks while maintaining the operating capability of the system. Like previous versions, the most recent version of software has IA incorporated into its development and testing and is a product of best practices and findings of the past.

An enhancement called a Sensitive Compartmented Information Facility (SCIF), which is an enclosed area that is used to process Sensitive Compartmented Information, will be completed during the Bertholf Post Shakedown Availability (PSA) scheduled for September 2009 through February 2010. After the events of September 11, 2001, the Coast Guard recognized the need to include a SCIF on its National Security Cutters (NSC), starting with Bertholf. Beginning in 2003, the Coast Guard implemented a phased approach to design and build the space, procure the equipment, and install the SCIF equipment aboard the NSCs. The C4ISR equipment installation to support the SCIF capability has been planned for the post-delivery phases outside of the NSC production contract. At the end of PSA, the Bertholf will go through another round of TEMPEST testing and Information Assurance verification, again working with the technical authority and SPAWAR to gain appropriate certification and accreditation before requesting the authority to process classified information with its enhanced SCIF capability.

The Coast Guard considers the security of its information systems to be of the highest priority and is confident about its processes, due to its oversight program and relationships with industry and SPAWAR. The second NSC, Waesche, has already benefited from the lessons learned aboard Bertholf as these lessons are incorporated earlier in the construction phase, resulting in a much improved TEMPEST posture.

Captain Joseph M. Vojvodich
C4ISR Acquisition Program Manager
Coast Guard Acquisition Directorate (CG-933)

Captain Drew A. Rambo
Office of Cyber Security & Telecommunication
Coast Guard C4&IT Directorate (CG-62)

1 Comments:

Blogger piero said...

This is a great first step to putting to rest the fire storm over on CGR. Can these two captains do a blogger's round table and go in depth on the issue? There seems to be a group of people that just have not been satisfied with the provided information.

May 30, 2009 2:17 AM  


Last Modified 6/27/2009