AST Digital Magazine June 2016 | Page 14

Volume 5 and Risk Management Framework/RMF policies. In addition to the components meeting these requirements, the applications, hardware and connected devices are vigorously scanned against all published “known vulnerabilities” to ensure that they are sufficiently hardened to operate on the network and have no previous history of being breached.

Issued by DISA on behalf of the DoD, a Security Technical Implementation Guide or STIG outlines a methodology for standardized secure installation and maintenance of computer software and hardware. When implemented, these guides lock down common and typically permissive software to further reduce vulnerabilities. These implementation guidelines include recommended administrative processes that span the devices' lifecycle. Integrators must employ STIG scanning software to implement/validate proper configuration and ultimately to obtain an ATO/Authority to Operate.

These standards are applied to a range of systems from those that provide for the safety and security of personnel in barracks to those that monitor the health and security of nuclear reactors on Navy ships and submarines.

Taking a Holistic Approach to Cyber Security

Because the integration of systems and components is so key to government network operations and support, cyber security of that technology has to be managed on multiple fronts simultaneously. In recognition of that challenge, the Federal Government and the DoD are converging on a process called Risk Management Framework (RMF). Formerly called DIACAP (Defense Information Assurance Certification and Accreditation Process), RMF provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle. Those suppliers, manufacturers and integrators wishing to do business with government agencies will be required to follow this process to ensure that their solutions are accredited and allowed to be deployed on a DoD or Federal network.

Video surveillance vendors would also need to extend the RMF process to the vetting and selection of their strategic video management system partners to guarantee the proper level of interoperability and assurance. Ultimately, in order to receive an ATO/Authority to Operate at a given site, the entire system must be validated from edge (i.e., camera) to core (storage), which includes the application layer and the network infrastructure.