A defense agency providing command and control for transporting, distributing, and sustaining personnel and assets worldwide relies on information technology to achieve its mission in the most agile and efficient manner possible. Cybersecurity of the underlying systems and programs is a primary concern to national security as well as to safe, secure, and uninterrupted mission performance.
Assuring secure systems and communications grows in complexity every day as cyber criminals apply increasingly novel tactics to exploit system vulnerabilities and access sensitive information. The threats emanate from nation-states, cyber gangs, and other adversaries who seek to undermine the U.S. government. This defense agency needed the expertise of a cybersecurity specialist who could provide risk management support, assess security controls across a multitude of systems, facilitate the implementation of DevSecOps techniques, and develop access control policies consistent with Zero Trust and governance principles.
In September 2022, Electrosoft’s experienced team of cybersecurity professionals, aligned by expertise within four distinct task areas, began supporting this defense agency. The team directed its efforts toward:
- Implementing and conducting operations for all phases of the DoD Risk Management Framework (DoDI 8510.01) and the National Institute of Standards and Technology (NIST SP 800-37) Risk Management Framework (RMF).
- Performing comprehensive assessments of the effectiveness of management, operational, privacy, and technical security controls and controls enhancements within or inherited by over 65 programs and systems.
- Facilitating the implementation of DevSecOps in support of RMF activities by acting as a Cybersecurity Engineer: evaluating and reporting on potential risks and mitigation measures using Continuous Integration/Continuous Delivery (CI/CD) tools, and offering recommendations for new tools and countermeasures.
- Supporting the creation and approval of Zero Trust access control policies as part of a collaborative and iterative policy governance program.
In just the first 8 months on the contract, Electrosoft delivered impressive results that were both far-reaching and quantifiable:
- Relative to RMF activities, Electrosoft reduced Assured Compliance Assessment Solution (ACAS) scanning from three times per week to once per week and added Tenable software administration across the Non-classified Internet Protocol Router Network (NIPRNet), the Secret Internet Protocol Router Network (SIPRNet), and the cloud at no cost to the government, as part of our ongoing effort to improve efficiency and reduce vulnerabilities across the enterprise. Electrosoft also recovered the SIPRNet Nessus Manager after a catastrophic environment upgrade, and did so with minimal impact to the agency mission.
- Relative to security controls, Electrosoft reduced Ports, Protocols, and Services Management (PPSM) discrepancies by 27 percent and published an update to an RMF artifact rubric whose refinements and enhancements have streamlined package reviews to less than 10 days and reduced potential package returns by more than 20 percent.
- Regarding DevSecOps and Zero Trust support, Electrosoft established new capabilities and delivered a series of publications, including a security implementation guide for DevSecOps pipelines and thresholds, and white papers supporting Security Orchestration, Automation, and Response (SOAR) and the Cisco Identity Services Engine (ISE).
Electrosoft is proud of these initial accomplishments and will report more on our successes as the contract term progresses.