Abstract

Assessment of cybersecurity vulnerabilities and associated risks is a prevalent and escalating requirement for the Operational Test Program Set (OTPS) acquisition and development communities. In August 1992, the Defense Information Systems Agency (DISA) developed the Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP), an assessment process for all Department of Defense (DoD) information systems. Its accreditation and requirements process was service-specific and system-centric. In July 2006, the DoD Information Assurance Certification and Accreditation Process (DIACAP) was distributed. DIACAP implemented enterprise-wide Information Assurance (IA) through a standardized set of IA controls, with continuous monitoring and annual reviews of each system's security posture. The current process, implemented in May 2014, is the Risk Management Framework (RMF). RMF is a more dynamic and integrated process than its predecessors. Instead of DoD-defined security controls, RMF uses Committee on National Security Systems Instructions (CNSSI) and National Institute of Standards and Technology (NIST) publications for its risk assessment guidelines and security control references, respectively. Under RMF, all Information Technology (IT) is placed into four broad categories: Information Systems (IS), Platform IT (PIT), IT services, and IT products. Fundamentally, every DoD IT asset must be categorized, and security controls must be tailored to and implemented for that specific asset. OTPSs mainly fall into the PIT category. However, there may be circumstances where an OTPS falls into the IS category or into any number of ambiguous areas. Since only generic, high-level guidance is provided for evaluating PIT, guidelines for evaluating PIT OTPSs will be summarized. Also, since not all OTPSs are PIT and it may not be immediately clear which system category an OTPS falls into, guidelines will be created to define these systems for proper evaluation. For the majority of OTPSs, risk categorization, control selection, and assessment will occur during the acquisition lifecycle. Case studies of OTPSs will be analyzed and discussed: an OTPS that is PIT, an OTPS that is an IS, and ambiguous examples. In each of these cases, the question of task dependence versus the definition of what makes a particular OTPS a PIT or an IS will be explored.
