For those on the Federal/DoD side

philz1982 Member Posts: 978
Can you help explain the process of qualifying, monitoring, and reporting for cyber security in regards to contractor software? I've done some software C&A (now it's A&A with DIARMF). I'm just looking to better understand the process. You've got DFARS that lists out the acquisition and contractor roles. You've got FIPS which along with NIST 800 lays out your framework and controls. You then have your security reporting. It seems everything is so piecemeal with no clear flow diagram.

Comments

  • BlackBeret Member Posts: 683
    Take all of that, throw it out of the window, develop in-house policies and procedures for each organization.
  • philz1982 Member Posts: 978
    Not an option when trying to comply with DoD hence why I asked the question.
  • BlackBeret Member Posts: 683
    Every DoD agency I've worked for does it, seems like a valid option to me. What specifically are you trying to do? Obtain a contract? Every contract solicitation I have seen (fbo.gov) has the exact requirements laid out for you.
  • BlackBeret Member Posts: 683
    I wasn't trying to be sarcastic. I was telling you what the Ar-CERT, AF-Cert, and AF Cyber Command have done. Now if you're trying to ensure that your own company is compliant and need to prove you follow the guidelines, it seems you have them handy. Should be some checklists in the NIST STIGS somewhere.
  • smokeyalien Member Posts: 22
    Look up DIACAP for your baseline and then FIPS/NIST to get more in depth. DIACAP is being replaced with the RMF which is a recent change so going forward you want to align to that.
    "A computer lets you make more mistakes faster than any other invention in human history, with the possible exception of handguns and tequila."
    - Mitch Radcliffe
  • yeah yeah Member Posts: 77
    Philz, you can PM me if you need some specifics. I'll speak broadly for now. What kind of software is it? General COTS desktop/server like Adobe, Office, or something like an Apache Tomcat web application requiring server/client connectivity?

    In the Army, there's a Certificate of Networthiness process. If the software has to be installed, a CoN must exist. Air Force has a similar effort. If it's an IA or IA-enabled product, basically the software is IA/security focused, then it must be NIAP and/or FIPS certified. Depending on the software, there may be applicable security technical implementation guides (STIG) that must be implemented as well.

    Hit me for specifics.
  • philz1982 Member Posts: 978
    Building Automation Software to Control HVAC systems.
  • yeah yeah Member Posts: 77
    I'm sure that's going to require a full C&A under DIACAP (A&A under RMF). That's more of a system/network vs. software. If you can provide me the DoD service or component, I can tell you if it's going to be under DIACAP/RMF. If it's federal, it MAY be RMF. Depends on who the organization is. Like I said, PM me if you need specifics.
  • philz1982 Member Posts: 978
    Do you think ISSEP would help me understand all of this?
  • yeah yeah Member Posts: 77
    Nope. Besides having a nice ring to it, ISSEP is only respected by those that already have it. There are few DoD 8570 positions that require it, and since you can get away with having other certs instead, most don't go after it.

    You can go for a CAP, since that's all C&A and A&A. Either way, the majority of DoD is still in the implementation process of moving from DIACAP to RMF. The majority of Federal is at RMF. There are those (DHS, IC community) that have their other processes like DCID 6/3, RMF-lite, etc.