Clients: Case Studies

Joint Strike Fighter

VIGNETTE

TDI provides information assurance services to the Joint Strike Fighter (JSF) Program Office to include Certification and Accreditation (C&A) documentation for several levels of classified data across the JSF enterprise comprised of fourteen networks. TDI engineers provide input on total computer network security solutions ensuring participating agencies meet all Federal Government guidelines, policies, and procedures for IA requirements. Additionally, TDI ensures that networking infrastructures use best practices and meet all legal requirements.

We develop C&A documentation that follows DoD Information Assurance Security Certification and Accreditation Process (DIACAP) requirements. The accreditation work involves requesting and collecting information from JSF government-owned bases across the nation. Site visits are required to interview, update, inform, and verify site profile information with site security officers, system owners, and IT staff. Throughout the process, TDI provides IA liaison services by offering regulatory guidance for C&A, including advice on how to adhere to DoD as well as national and organizational security requirements such as FISMA, The Privacy Act of 1974, and OMB Circular A-130.

TDI is also responsible for obtaining and continuously maintaining the accreditation of the SIPRNet network through the Connection Approval Process (CAP) within the JSF program. These duties include functions such as the following: Completing the entire DIACAP process utilizing the System Identification Profile (SIP), DIACAP Implementation Plan (DIP), the DIACAP Scorecard, the SSP, and the Plan of Action and Milestones, as well as meeting the Security Technical Implementation Guides (STIGs) and vulnerability assessments as required by the Defense Information Systems Agency (DISA).

TDI is also responsible for policy compliance, internal policy development, and strategic planning for the Information Technology Division. TDI designs Business Continuity and Disaster Recovery Plans for JSF, developing security record keeping procedures and program impact analyses. We monitor DoD compliance notices and ensure that security patches, Communication Tasking Orders and Warning Orders are implemented in a timely fashion. We also manage Intelligence Community PKI tokens within JSF and were responsible for the security design review and corrections for the 8th floor vault build. TDI provides guidance on establishing preventive controls, maintaining physical security and sound environmental controls.

TDI also assists in providing Information Assurance Officer (IAO) duties within the Governments classified vault space for Top Secret Special Access Programs (SAP) which includes the following duties: devising and writing the Certification and Accreditation Plans for both the collateral and Top Secret networks; ensuring that systems are operated, maintained and disposed of in accordance with internal security policies and practices as outlined in the SSP; and ensuring that all users have requisite security clearances, authorization, and need-to-know, and are aware of their security responsibilities before granting access to the IS. TDI formally notifies the Information Assurance Manager (IAM) and Designated Approval Authority (DAA) when any changes occur that might affect the accreditation. We also report any security-related incidents or violations, and notify management of any change in a systems' intelligence and SAP level information. TDI also ensures that all system IA requirements are addressed during all phases of the system life cycle and authorizes software, hardware and firmware use before allowing implementation on any of the classified systems.

Our team also serves as JSF's primary contact for the U.S. Air Force Information Warfare Center's (AFIWC) Automated Security Incident Monitor (ASIM), the Air Force's 24 hour/7 day per week worldwide intrusion detection tool. Communications are maintained frequently ensuring prompt responses to reported security incidents. We develop configurations and Automated Information System Security Plans (AISSPs) for network and standalone classified processing systems from Secret/Collateral to Top Secret/Special Access Required (TS/SAR). The security architecture of the network complies with stringent national computer security requirements. As the COMSEC custodian for both of these networks, we order, control, and install all encryption key material.

CASE STUDY
Joint Strike Fighter (JSF) Certification & Accreditation

TDI performs extensive Certification and Accreditation (C&A) support efforts at JSF, including development and maintenance of documentation for several levels of classified data on the JSF network. We are constantly advising and consulting the Government and the contracting agency on total computer network security solutions. Part of our role requires ensuring that these agencies met all of the Federal Government guidelines, policies, and procedures for security requirements. We also ensure that JSF uses best practices, due diligence, and meets all legal requirements for their networking infrastructures. The development process for the C&A documentation required following the DoD IT Security Certification and Accreditation Process (DITSCAP) originally but now adheres to DoD Information Assurance Certification and Accreditation Process (DIACAP). The type of documentation we produce includes all of the following: System Security Authorization Agreements (SSAA), Requirement Traceability Matrix (RTM) and Security Test and Evaluations (ST&E) (following the DoD requirement according to DoD 5200.28), Security Risk Assessments (SRA) (following the guidelines of NIST SP 800-30), Backup and Contingency plans (following the guidelines of NIST SP 800-34), Configuration Management plans (following the guidelines of NIST SP 800-18), Life Cycle Process documentation (following the guidelines of NIST SP 800-14), User Rules of Behavior documentation (following the guidelines of NIST SP 800-18), as well as many others to include Federal laws and Presidential directives.

TDI also supports the running of a Configuration Control Board (CCB) for any new changes to the networking environment. Each change to the networking environment would be brought in front of the board, discussed, tested, and in addition the security posture would be checked against Government set standards. A final unanimous vote would be reached by the CCB before allowing any change to go forward within the network.

CASE STUDY
Joint Strike Fighter (JSF) Cryptography

TDI implemented the Joint Strike Fighter (JSF) Program Public Key Infrastructure (PKI) to organize and manage individual encryption keys to securely transmit For Official Use Only (FOUO) information across public networks. TDI validates users' identities, tracks PKI certificates, when they expire, and revokes them as per JSF policy. Our PKI work involves applying knowledge of Federal Information Processing Standard (FIPS) 201: Personal Identity Verification of Federal Employees and Contractors, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-32: Introduction to Public Key Technology and the Federal PKI infrastructure, NIST SP 800-73: Interfaces for Personal Identity Verification, and Homeland Security Presidential Directive (HSPD)-12 PIV-1 security controls. Incorporating these and various other standards, TDI ensures the security architecture of the JSF network complies with stringent national computer security requirements.

TDI also continuously tests web applications and manages program bug-tracking software. We installed VeriSign certificates (PKI security key) for the Flight Clearance application and helped to export/import VeriSign keys for the Flight Test Status Report. As the COMSEC custodian, we order, control, and install all encryption key material. TDI manages Intelligence Community PKI tokens within JSF and were responsible for the security design review and corrections a security vault build. We wrote the User Instructional Guide for the Security System, Flight Clearance, and Suspense Tracking Applications. Finally, we wrote technical advisory White Papers, such as one to recommend encryption and its usage on Personal Digital Assistants program-wide.

TDI's implementation and management of cryptologic technologies has significantly increased the security of data transmitted on the JSF networks. Our successful efforts have led to TDI becoming the central point of reference for all cyber security related matters at JSF. Some examples include responsibility for policy compliance, internal policy development, and strategic planning for the Information Technology Division. At various times throughout the project, TDI personnel have received commendations from the JSF PM and Deputy PM. TDI has continued to provide cyber security support to JSF since February, 2005. TDI performance was praised (July of 2008) by our customer who indicated "what a great job [TDI employee] is doing for the Information Assurance team at Joint Strike Fighter". He added: "My hat's off to [TDI Employee] and the rest of the TDI team for creating such a higher standard within the IA Industry."