Innovate Integrate Standardize Improving the C&A Process to Deliver Today s Technology Tomorrow

Transcription

1 Improving the C&A Process to Deliver Today s Technology Tomorrow Colonel Todd Whitlow Director, Modernization and Innovation Global Cyberspace Integration Center

2 RDT&E Challenge 2

3 The Good Emerging RDT&E DAA, CA, ACA governance structure and processes will be more responsive to our non-operational environments RDT&E Workgroup progress Developed C&A workflow for RDT&E enclaves and systems Identified IA Controls that apply to RDT&E enclaves and systems JMETC DIACAP Tiger Team Addressing IA guidance and technical approaches to support RDT&E RDT&E provides non operational venues where security vulnerabilities can be discovered You don t want to get to DT/OT and find that IA controls have not been adequately implemented RDT&E is where you want to build in IA from the beginning 3

4 Process and Tools We look forward to implementation of the RDT&E workflow in EITDR in the future to apply the appropriate IA controls to RDT&E enclaves and systems Validators and certifiers experienced in and dedicated to RDT&E will minimize the churn associated with answering questions that do not pertain to RDT&E Institutionalize Technical Configuration Control Board and Modified DIACAP Implementation Plan to assess risk of emerging technologies Need a means to review/approve cross domain solutions for temporary connections to RDT&E environments. Current process is geared for permanent connection to operational networks. Each service has different C&A process and tools but our capabilities must be connected to the same networks emass is the GFE DoD standard tool that no service is currently using Transition to emass all services 4

5 Incomplete C&A Guidance Enclave STIG and AFI : Zone definitions incomplete IAMs will say NO! for a classified Zone B or a Zone B on DREN We don t really have any experience with RDT&E. Can you help us rewrite the STIG? Enclave STIG Authors. CJCSI E: doesn t refer to zones Addresses RDT&E for software development and test labs. But IAMs say NO! for hardware in the loop (JREs, JASSM-ER models, DoDI : IA Controls aligned to MAC and CL levels but for RDT&E many do not apply or impact the broader community Validators and certifiers say no, you must address all IA Controls DoDI : IATTs are for temporary connection to operational networks IAMs will say NO! for temporary connection to DREN, SDREN, JMETC, CFBLnet, or JTEN 5

6 Legacy, M&S, and Innovations Security patches and scans break legacy test and range tools No program of record or programmer to repair M&S tools require reconfiguration and recoding to stimulate systems under test Agile RDT&E events require a pace that current DIACAP can t support Innovations require assessment in distributed environment before implementing all IA controls We require means to accommodate these tools and M&S Procedural risk review via TCCB Technology implementation with emerging Controlled Interface 6

7 Build and Test IA Incrementally 7

8 Culture Change Needed We can t Deliver Today's IT Capabilities Tomorrow with an Information Assurance workforce and certification & accreditation process that is only geared to verify or certify and to say: no you can t plug that new system in to our enclave or network. We need to shift our limited IA resources to team with developers of emerging technologies to coach and assist them to implement the appropriate IA controls necessary for innovation and experimentation venues and engineer and build in IA as you progress through acquisition. Move to incrementally build in IA smartly from the beginning 8