A defense agency providing command and control for transporting, distributing, and sustaining personnel and assets worldwide relies on information technology to achieve its mission in the most agile and efficient manner possible. Cybersecurity of the underlying systems and programs is a primary concern, as is safe, secure, and uninterrupted mission performance.
Securing systems and communications becomes more complex every day as cyber criminals apply increasingly novel tactics to exploit system vulnerabilities and access sensitive information. The threats emanate from nation-states, cyber gangs, and other evildoers who seek to undermine the U.S. government. A defense agency needed the expertise of a firm specializing in cybersecurity to provide risk management support, assess security controls across a multitude of systems, facilitate the implementation of DevSecOps techniques, and develop access control policies consistent with Zero Trust and governance principles.
In September 2022, Electrosoft’s experienced team of cybersecurity professionals, aligned by expertise within four distinct task areas, began supporting this defense agency under a contract with a 1-month base period and four option years. The team directed its efforts toward:
- Implementing and conducting operations for all phases of the DoD Risk Management Program (DoDI 8510) and the National Institute of Standards and Technology (NIST 800-37) Risk Management Framework (RMF).
- Performing comprehensive assessments of the effectiveness of management, operational, privacy, and technical security controls and controls enhancements within or inherited by over 65 programs and systems.
- Facilitating the implementation of DevSecOps in support of RMF activities by acting as the cybersecurity engineer who evaluates and reports on potential risks and mitigation measures using Continuous Integration/Continuous Delivery tools, and who also recommends new tools and countermeasures.
- Supporting the creation and approval of Zero Trust access control policies as part of a collaborative and iterative policy governance program.
In our first contract year, our team (85 percent of whom are IA III certified) delivered impressive results that were both far-reaching and quantifiable:
- Relative to RMF activities, Electrosoft reduced Assured Compliance Assessment Solution (ACAS) scanning from three scans per week to one per week and added Tenable Software Administration across the Non-Secure Internet Protocol Router (NIPR), Secure Internet Protocol Router (SIPR), and cloud environments at no cost to the government as part of our ongoing effort to improve efficiency and reduce vulnerabilities across the enterprise. Electrosoft also recovered SIPRNet Nessus Manager after a catastrophic environmental upgrade, and did so with minimal impact to the agency mission.
- Relative to security packages and controls, Electrosoft reduced ports, protocols, and service management discrepancies by 57 percent and published an update to an RMF artifact rubric that, due to its refinements and enhancements, has streamlined package reviews to less than 10 days and reduced potential package returns by more than 20 percent. Electrosoft processed over 300 authorization packages in the first 10 months alone.
- Regarding DevSecOps and Zero Trust support, Electrosoft established new capabilities and delivered a series of publications, including a security implementation guide for DevSecOps pipelines and thresholds, and whitepapers supporting security orchestration, automation and response (SOAR) and the Cisco Identity Services Engine. We also conducted an as-is assessment that included RMF controls to help objectively review all seven Zero Trust pillars across the enterprise against the 2027 target requirements and the 2032 advanced requirements. We sought to identify gaps and assist in planning for the resources needed to achieve the Zero Trust goals and objectives set forth in the Zero Trust Integrated Project Team Charter. Notably, we helped draft this charter.
- Electrosoft created a new MS Teams Deliverable Tracking System to support functional and contractual visibility as well as review, acceptance, and publishing of the 200+ documents that we have processed in the first option year. This site will soon encompass additional metrics, scheduling, and more as we integrate it with customer tools and processes to provide near real-time insight for decision making on associated risks and issues.
Electrosoft is proud of these initial accomplishments. Our efforts did not go unnoticed by our customer. We have already been awarded Option Year 2, and there’s an effort in progress to increase the contract scope to include additional Zero Trust assessment work and more analytics to obtain “Metrics that Matter.” The goal is to help further reduce risks to networks, applications, services, facilities, operations, and personnel.