
In an increasingly digital world, the Department of Defense (DoD) relies on a complex network of systems and technologies to protect our nation's security. To ensure the integrity and security of these systems, DoD contractors operating within cleared industry must obtain Authorization to Operate (ATO) status, demonstrating compliance with stringent information security and cybersecurity regulations. 

In today's digitally driven world, security compliance isn't just a necessity; it's a mission-critical endeavor, especially for organizations entrusted with classified information under the National Industrial Security Program (NISP). Ensuring robust security measures and meeting Authorization and Accreditation (A&A) requirements is no small feat. This is where Arlington steps in as your trusted partner, providing specialized eMASS (Enterprise Mission Assurance Support Service) NISP consulting to help you navigate the complexities of A&A.

In what seems to be the third time up to bat, the Department of Defense (DoD) is once again taking a swing at IPv6, with the National Security Agency (NSA) providing guidance on the transition. Per an NSA announcement on January 18, 2023, its “IPv6 Security Guidance” highlights how “several security issues can surface in networks that are new to IPv6, or in early phases of the IPv6 transition. Networks new to IPv6 lack maturity in IPv6...and dual-stacked networks, which run on IPv4 and IPv6 simultaneously, have an increased attack surface.”

Want to know what’s going on in the world of cybersecurity at the Department of Defense (DoD)? Just take a look at the massively detailed DoD Cybersecurity Chart at https://dodiac.dtic.mil/dod-cybersecurity-policy-chart/. At first glance there is a lot, and I mean a lot, of information on almost any imaginable DoD cybersecurity topic. The DoD’s stated purpose for its multi-colored, well-organized cyber chart “...is to capture the tremendous breadth of applicable policies, some of which many cybersecurity professionals may not even be aware, in a helpful organizational scheme. The use of color, fonts and hyperlinks are all designed to provide additional assistance to cybersecurity professionals navigating their way through policy issues in order to defend their networks, systems and data.”

On January 19, 2022, President Biden signed National Security Memorandum-8, Improving Cybersecurity of National Security, DOD, and Intelligence Community Systems. This long-awaited NSM requires that, at minimum, National Security Systems employ the same network cybersecurity measures as those required of federal civilian networks in Executive Order 14028. The NSM builds on the Biden Administration’s work to protect the United States from sophisticated malicious cyber activity, from both nation-state actors and cyber criminals.

The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization, including, for example, FISMA (Federal Information Security Management Act of 2002) compliance.

Per DCSA,

  • All non-compliant security controls must be included on the POA&M.
  • Items should include the specific steps required in support of particular milestone events.
  • Realistic dates should be provided, as supported by the underlying, documented steps. (Note: don’t add items to the POA&M and simply set a date three years from when they were entered.)
  • POA&M items are approved as a part of the IS authorization package. A separate approval is not needed unless the POA&M needs revision.

Per DCSA,

  • Continuous Monitoring (ConMon) is an important aspect of overall security because it communicates to DCSA how controls will be assessed for continued effectiveness over time.
  • ConMon strategies should include details related to steps that “will be” taken by the defined frequency to check on controls.
  • Frequencies that differ from the recommended DAAPM Appendix A timeframes should be justified. Don’t expect to be able to make all checks an annual event.
  • The ISSP will validate your documented ConMon activities against the verbiage in the SLCM during CMEs and eSVAs. Deviations from documented SLCM activities will likely result in vulnerabilities being documented/cited during the CME/eSVA.

Security Technical Implementation Guides (STIGs) are configuration standards developed by the Defense Information Systems Agency (DISA). They are designed to make device hardware and software as secure as possible, safeguarding the Department of Defense (DoD) IT network and systems.