The basic principles of Information Assurance (IA), which encompass the integrity, availability, authenticity, non-repudiation and confidentiality of user data, are well known in most current business environments. However, the actual implementation of the technology, processes and procedures that manage the risk of a data security breach is less well understood. Cyber threats continually evolve, and counter strategies must evolve as well. Meeting the requirements of government mandates, be they securing non-classified or classified networks, protecting personal identifying information of customers or employees, or safeguarding medical records and information, sets the minimum of protection. One breach of data security, one episode of classified spillage, or one violation of patient confidentiality can cost a business, in systems mitigation and verifications alone, many times over the price of protection. But perhaps the biggest cost is the loss of trust the business experiences from its customers and business partners.
TTC’s IA offerings, while based on government and industry regulations, directives and mandates, extend further into the physical and social aspects of security. Education is as important as technology in preventing security breaches. An exposed password on a Post-it note, a socially engineered phishing attempt or insufficient enforcement of established policies poses an equal if not greater risk than the most sophisticated cyber-attack. It is this focus on detail in all aspects of IA that sets TTC apart.
USAACE Information Assurance Manager
The experience and expertise of our Information Assurance Manager (IAM) assured a highly effective development and maintenance of the IA program for the USAACE. This was accomplished by the development, publication and maintenance of USAACE Regulation 25-2 (IA) and annual reviews to assure its continued relevance to evolving policies and processes. We provided subject matter expertise and assured compliance with key DoD and Army IA policy (such as DoDI 8510, DoDI 8570, AR 25-2, etc.).
As a part of this effort, specific activities included:
- Coordinate Certification and Accreditation (C&A) of information and telecommunications systems in secure and sensitive environments
- Plan steps, procedures and schedules necessary to complete accreditation as a project
- Coordinate appropriate milestone reviews with USAACE, including the kick-off meeting and C&A documentation and evaluation reviews, and direct remediation reviews
- Renew Authority to Operate (ATO) for specialized systems and networks, including DOSNET, BLCSE and IP-based secure Video Teleconference (VTC) systems
- Identify and aggressively seek C&A for other specialized systems and networks within the USAACE domain, including the Tactical Training Network (TTN) and the NCOA Simulations Network (NCOASN)
- Coordinate and manage requests from subordinate offices for CoN
- Coordinate computer incident response as required by the Network Enterprise Center (NEC)
- Maintain SIPRNET Tenant Security Plan (TSP) for Bldg 101 and subordinate units
- Provide Subject Matter Expert (SME) support enabling compliance with Protective Distribution System (PDS), Tempest, and SIPRNET regulations
- Maintain and provide input to the Army Portfolio Management Solution (APMS)
- Develop and maintain IT Contingency and Continuity of Operations Plans
- Assign, test, and evaluate IA controls to software being developed by CIO/G6
- Submit Privacy Impact Assessments (PIA) for systems that process Personally Identifiable Information (PII)
- Support government personnel in responding to official tasking from higher HQ
Our Information Assurance Manager (IAM) prepared security accreditation packages for USAACE network systems in accordance with Army Regulation 25-2 and the DIACAP/DIARMF. Working with the local IAM and USAACE stakeholders, our IAM prepared security accreditation packages for systems under USAACE operational control. In so doing, our IAM coordinated information gathering, reporting, verification, testing and remediation activities with the IAM and functional proponents of all USAACE systems requiring DIACAP/DIARMF accreditation. This reporting led to enforcement throughout USAACE and resulted in 98.43% of the more than 4,400 information system users meeting the standard.
Under the direction of the PM, the IAM worked with USAACE CIO/G6 staff to determine the correct Mission Assurance Categories (MACs) and Confidentiality Levels (CLs) for the target systems. Once determined, the IAM made recommendations on the IA Controls that are the baseline requirements for IA C&A and that the levels of confidentiality, integrity and availability system security requirements were met. The IAM then developed a C&A Plan of Action and Milestones (POA&M) to identify all accreditation activities necessary to complete the DIACAP/DIARMF package for review and approval.
DIAMONDS - Defense Threat Reduction Agency
TTC provides Top Secret level System Administration support at Fort Belvoir. TTC is a subcontractor to Cherokee Systems, which supports the DTRA, which maintains the automated tracking and management system of the Department of Defense nuclear stockpile. TTC personnel comprise approximately 7% of the DIAMONDS III Program.
Our Administrators conduct on-site surveys for secure physical infrastructure compliance and present recommendations for mitigations. We provide tiered level support to the Army, Navy and Air Force for DIAMONDS III specific classified infrastructure and applications to include an accelerated refresh cycle.