DoN Acquisition One Source


Risk Management in Submarine Information Assurance Assessment

Organization: NAVSEA, PEO (SUB), PMS (401)

Team Name: Submarine Information Assurance Team

Related Acquisition Topic(s): Integrated Product Teams (IPT), Integrated Product and Process Development (IPPD), Partnering, Risk Management

Description:

Two significant transitions in the Navy acquisition community have dramatically increased the criticality of addressing Information Assurance (IA) in the weapons systems and platforms fielded to today's Naval warfighter. As the strategies employed for procuring submarine Non-Propulsion Electronics (NPE) systems increasingly focus on commercial electronics and software, Open Systems Architectures (OSA), and network topologies, the IA vulnerabilities inherent to our combat systems could expand geometrically. When this acquisition environment came under the auspices of the new DoD security Certification & Accreditation (C&A) policy in 1997 (DoDI 5200.40, DoD Information Technology Security C&A Process (DITSCAP)), a window of opportunity opened to develop a new model for integrating IA concerns into submarine NPE systems design.

The Submarine IA Team took on the challenge of developing this new model for achieving security C&A of submarine NPE systems. The team's objectives were to create an innovative and precedent-setting series of processes that would apply to all submarine NPE systems and address IA issues across all submarine platforms. Via this set of common processes, the Submarine IA Team has been able to perform IA activities and apply them to systems across several submarine system developments. While DoD and DoN C&A requirements open the door to duplication and inefficiency by permitting the performance of IA tasks system-by-system, the IA team has used its collective expertise in the security disciplines and overall submarine systems engineering to make optimum use of limited resources and maximize the benefit of the common IA C&A process model.

Specific examples of our efforts to date:

  1. Development of a System Security Authorization Agreement (SSAA), required under the new DoD C&A policy (usually referred to as the "DITSCAP") for the VIRGINIA (SSN 774) Class Submarine. The IA Team's innovation in developing the SSAA was to define the system boundary as the entire grouping of 23 NPE subsystems. Defining the system boundary at the highest system level allows the IA Team to address threats, vulnerabilities, IA requirements, security operational concepts, testing, etc. collectively across the entire system. This strategy has resulted in significant cost containment by precluding up to 23 separate C&A efforts.
  2. Development of an IA requirements document designed specifically for the submarine environment. The IA team analyzed volumes of potential IA requirements for submarine NPE systems from DoD, DoN, and intelligence community sources and consolidated those deemed applicable into a single resource ready for application to all submarine NPE systems. This effort at defining and consolidating submarine-specific IA requirements has proven successful as the basis of IA requirements for both the VIRGINIA (SSN 774) Class NPE system and the Tactical Integrated Digital System (TIDS) backfit network program.
  3. Conduct of a submarine-specific IA Threat / Vulnerability / Risk Mitigation study to document threats to submarine NPE systems and associated methods for mitigating those risks. This document has been used as a foundation for C&A efforts in the VIRGINIA (SSN 774) Class NPE system, the Acoustic-Rapid COTS Insertion program and will be used in the TIDS program.

Each of these tasks was undertaken in close concert with all of the organizations within the security community that have influence over the C&A of submarine NPE systems. Representatives from Chief of Naval Operations N87, Commander in Chief, Atlantic Fleet, National Security Agency, Office of Naval Intelligence, Submarine Forces, US Pacific and Atlantic Fleets, and the Space and Naval Warfare Systems Command (SPAWAR PMW161) have been involved in submarine IA Team efforts and have signed the VIRGINIA (SSN 774) Class NPE SSAA. By focusing and coordinating the expectations of these organizations during common efforts, the IA team has gathered input and developed relationships that will benefit multiple programs without additional investment.

The objective of performing IA activities in line with the common model will continue to influence tasks the IA team plans to perform in the near future. Examples include:

  1. Development of a Team Submarine IA IPT to continue discourse between security community organizations and representatives of each submarine NPE system (forward fit or backfit) planning to conduct IA C&A tasks. This IPT will meet quarterly to address information system threats and vulnerabilities, IA policies and requirements, training, testing, security concepts of operation, etc. This common forum will continue the cost containment processes put in place by the submarine IA team by coordinating the conduct of IA tasks and presaging community expectations.
  2. Finalization of Operating System (OS) Secure Configuration guides specific to the submarine NPE system environment. The submarine IA Team determined a requirement existed to assess and tailor existing OS secure configuration guides to enable their widespread implementation across NPE subsystems and platforms. By conducting this tailoring once and applying the products across as many systems as possible, benefit can be maximized while controlling costs.
  3. Continued coordination with submarine Fleet representatives to develop methods for updating the IA posture of in-service submarines and NPE systems. The submarine IA team has been asked to assist in evaluating the IA documentation, testing, training, etc. requirements for existing Fleet assets. In keeping with the established common IA model, the IA team has proposed a "modular" method for evaluating the needs of each particular system or platform and conducting any required IA-related tasks to ensure appropriate security safeguards are in place.

The common IA C&A process put in place by the Submarine IA Team is an innovative way for the Navy to address critical IA issues in a way that minimizes impacts to the costs of system ownership and acquisition and provides value-added IA solutions to the Fleet. As indicated by the cross-system benefits already observed and noted above, the Submarine IA Team's approach is considered a model for other programs, and the team will endeavor to continue this legacy in the future.


This is an official U.S. Navy web site (GILS Number: 001883).