Task #193
Status: closed
Provide services to support DON security automation
% Done: 100%
Description
3.3.22 Provide services to support DON security automation activities to include security controls selection and implementation, System Security Plan (SSP) documentation, and the Authority to Automate (ATO) process. Recommend automation frameworks based on standards.
Updated by Lloyd Osafo over 2 years ago
- Due date changed from 09/28/2023 to 08/03/2023
Updated by Lloyd Osafo about 2 years ago
Follow-up discussion with the Accreditation team
Government to provide process documentation derived from the industry standard of the NIST 800-53 controls.
Government NDP co-location team to provide the NDP co-location Triton Platform equivalent of controls implemented or "to be" implemented that ORE, as a cloud-native application, can inherit.
Updated by Tom Eden about 2 years ago
Recommend stating latest dates process documentation and colocation controls can be received by 2 Twelve to allow us to meet our task order requirements.
Updated by Jacob Halle about 2 years ago
In order to meet the accreditation timeline for internal scans that will be submitted as part of our evidence for the accreditation package, we would like these environment variables for the platform no later than 1 April. Thanh has already obtained documentation as it pertains to RMF and NIST 800-53 controls for us to populate the ORE's accreditation package. However, we'll need these environment controls from the platform for us to complete this activity.
Updated by Christina LaRussa-Martin about 2 years ago
PEO Digital (NMCI) has an SSP. When the NDP team went through the first SETR, we were asked to provide an SSP and we stated that the SSP was an ECH II level document that currently covers the entire Naval Enterprise Network. I don't see why ORE would need to create a separate SSP. Perhaps for the SSP part, 2Twelve just needs a copy of the current SSP for review and proposed updates. I cannot speak to the automation activities, but will identify the appropriate SME if needed.
Updated by Jacob Halle about 2 years ago
From 2 Twelve's extensive experience with RMF, the NDP ORE has separate management and operational stakeholders and is in a parallel accreditation path as compared to the NDP platform. It would require its own SSP and associated accreditation artifacts.
2 Twelve has provided to the government the initial hardware, software, and data flow for the ORE for CSR (Cyber Security Review). We are still waiting for the government to provide the list of controls that we will inherit from NDP, so that when we complete the scans and submit the evidence package it is clear which controls 2 Twelve is responsible for and which controls 2 Twelve will inherit from the government-provided NDP Platform.
Attachment of file uploaded in the ORE.
Updated by Christina LaRussa-Martin about 2 years ago
The person who should be providing the inherited controls is Trajan as the RMF SME. I will ask him to provide the package that has been submitted for NDP.
Updated by Trajan Crocker about 2 years ago
Initial list of inherited controls as follows:
AT-1, AT-2, AT-2(2), AT-3, AT-4, CP-1, CP-2, CP-2(1), CP-2(3), CP-2(8), CP-3, CP-3(1), CP-4, CP-4(1), IR-1, IR-2, IR-2(1), IR-3, IR-3(2), IR-4, IR-4(1), IR-4(4), IR-5, IR-5(1), IR-6, IR-6(1), IR-7, IR-7(1), IR-8, PE-1, PE-2, PE-3, PE-3(1), PE-4, PE-5, PE-6, PE-6(1), PE-8, PE-8(1), PE-9, PE-10, PE-11, PE-11(1), PE-12, PE-13, PE-13(1), PE-13(2), PE-13(3), PE-14, PE-15, PE-15(1), PE-16, PE-18, PS-1, PS-2, PS-3, PS-4, PS-4(2), PS-5, PS-6, PS-7, PS-8, RA-1, RA-3
Will update if I find more.
Updated by Lloyd Osafo almost 2 years ago
Trajan Crocker wrote in #note-9:
Initial list of inherited controls as follows:
AT-1, AT-2, AT-2(2), AT-3, AT-4, CP-1, CP-2, CP-2(1), CP-2(3), CP-2(8), CP-3, CP-3(1), CP-4, CP-4(1), IR-1, IR-2, IR-2(1), IR-3, IR-3(2), IR-4, IR-4(1), IR-4(4), IR-5, IR-5(1), IR-6, IR-6(1), IR-7, IR-7(1), IR-8, PE-1, PE-2, PE-3, PE-3(1), PE-4, PE-5, PE-6, PE-6(1), PE-8, PE-8(1), PE-9, PE-10, PE-11, PE-11(1), PE-12, PE-13, PE-13(1), PE-13(2), PE-13(3), PE-14, PE-15, PE-15(1), PE-16, PE-18, PS-1, PS-2, PS-3, PS-4, PS-4(2), PS-5, PS-6, PS-7, PS-8, RA-1, RA-3
Will update if I find more.
Eric/Thanh - Do you guys have a general estimate of how many controls the ORE should expect to inherit from a similar IaaS/PaaS, based on your experience?
v/r Lloyd
Updated by Eric Kim almost 2 years ago
Lloyd Osafo wrote in #note-10:
Trajan Crocker wrote in #note-9:
Initial list of inherited controls as follows:
AT-1, AT-2, AT-2(2), AT-3, AT-4, CP-1, CP-2, CP-2(1), CP-2(3), CP-2(8), CP-3, CP-3(1), CP-4, CP-4(1), IR-1, IR-2, IR-2(1), IR-3, IR-3(2), IR-4, IR-4(1), IR-4(4), IR-5, IR-5(1), IR-6, IR-6(1), IR-7, IR-7(1), IR-8, PE-1, PE-2, PE-3, PE-3(1), PE-4, PE-5, PE-6, PE-6(1), PE-8, PE-8(1), PE-9, PE-10, PE-11, PE-11(1), PE-12, PE-13, PE-13(1), PE-13(2), PE-13(3), PE-14, PE-15, PE-15(1), PE-16, PE-18, PS-1, PS-2, PS-3, PS-4, PS-4(2), PS-5, PS-6, PS-7, PS-8, RA-1, RA-3
Will update if I find more.
Eric/Thanh - Do you guys have a general estimate of how many controls the ORE should expect to inherit from a similar IaaS/PaaS, based on your experience?
v/r Lloyd
From past experience, we would expect around 90-120 controls (including enhancements) to be inheritable from the upstream provider of the infrastructure and platform.
Updated by Jacob Halle almost 2 years ago
- Status changed from New to In Progress
Updated by Jacob Halle almost 2 years ago
- Due date changed from 08/03/2023 to 08/02/2023
Updated by Oscar Robertson over 1 year ago
Are all the controls now updated to get to 80% and what else is left?
Updated by Jacob Halle over 1 year ago
Yes, we are identifying the different controls we will inherit on the IaaS and platform (i.e., whether it's in NDP, Azure, or hyperscale clouds).
Updated by Oscar Robertson over 1 year ago
Can the government get an update on this task?
Updated by Jacob Halle over 1 year ago
- Status changed from In Progress to Closed
- % Done changed from 80 to 100