Volume 5
Taking a Holistic Approach to Cyber Security
June 2016 Edition

Because the integration of systems and components is so key to government network operations and support, cyber security of that technology has to be managed on multiple fronts simultaneously. In recognition of that challenge, the Federal Government and the DoD are converging on a process called the Risk Management Framework (RMF). Formerly called DIACAP (Defense Information Assurance Certification and Accreditation Process), RMF provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle. Those suppliers, manufacturers and integrators wishing to do business with government agencies will be required to follow this process to ensure that their solutions are accredited and allowed to be deployed on a DoD or Federal network. Video surveillance vendors would also need to extend the RMF process to the vetting and selection of their strategic video management system partners to guarantee the proper level of interoperability and assurance.

Ultimately, in order to receive an ATO (Authority to Operate) at a given site, the entire system must be validated from edge (i.e., camera) to core (storage), which includes the application layer and the network infrastructure.

and Risk Management Framework/RMF policies. In addition to the components meeting these requirements, the applications, hardware and connected devices are vigorously scanned against all published “known vulnerabilities” to ensure that they are sufficiently hardened to operate on the network and have no previous history of being breached. Issued by DISA on behalf of the DoD, a Security Technical Implementation Guide (STIG) outlines a methodology for standardized secure installation and maintenance of computer software and hardware. When implemented, these guides lock down common and typically permissive software to further reduce vulnerabilities. These implementation guidelines include recommended administrative processes that span the devices' lifecycle. Integrators must employ STIG scanning software to implement and validate proper configuration and ultimately to obtain an ATO (Authority to Operate). These standards are applied to a range of systems, from those that provide for the safety and security of personnel in barracks to those that monitor the health and security of nuclear reactors on Navy ships and submarines.