3. STANDARDIZATION IN IA REPORTING
BACKGROUND INFO
The NMCI/NGEN C&A team is responsible for accurate and
standardized IAC Security reports that are submitted to the
government for the Navy’s IT systems. These reports are used to
determine current and potential security controls that can improve the
overall security of the Navy’s biggest IT network.
• IAC or Information Assurance Control is “an objective IA condition of
integrity, availability, and/or confidentiality achieved through the
application of specific safeguards or through the regulation of
specific activities expressed in a specified format” (Department of the Navy,
2008)
4. STANDARDIZATION IN IA REPORTING
BACKGROUND INFO CONTINUED
• IAM or Information Assurance Manager is “the point of contact
for all command information assurance matters and
implements the command’s IA program.” (Chief of Naval Operations, 2006)
• “C&A personnel perform tasks required to analyze, assess, and
document IA capabilities and services of DoD ISs to establish
compliance with IA requirements, identify vulnerabilities, and
quantify risk per reference.” (Chief Information Officer of the Navy, 2009)
5. INTRODUCTION:
THE PROBLEM
• Currently, there is no standardized method or process
documentation that C&A inspectors adhere to when conducting
site survey visits.
• This lack of standardization has led to numerous errors, delays
and inconsistencies in the reporting packages.
• The Government kicks back these packages when errors are
present, and this causes rework for C&A, costing the company
time, man-hours and ultimately money.
6. INTRODUCTION:
THE SOLUTION
• By implementing a standardized method of
conducting site survey inspections, the C&A
team can minimize the errors, delays and
inconsistencies in the package reporting.
• This can also improve package submissions,
turnover, and overall man hours for C&A
inspectors while on site and increase overall
productivity.
7. SOLUTION:
THE PURPOSE OF C&A SITE SURVEYS
To begin building a standardized process, a clear and concise
document must be drafted that states specifically what the
goals of the C&A site surveys are.
• Interview command security and IA personnel for policies and
processes regarding the security of their information systems.
• Visually observe facility attributes and take notes on basic facility
safety and building codes (lighted exit signs, fire suppression, fire
extinguishers, etc.).
• Compile the results from the site visit into a standardized reporting
spreadsheet or web-based system to submit the data to the
government for approval.
8. OPPOSITIONAL CONCERNS
• Senior C&A inspectors may feel their methods are superior and
may not want to change their methods.
• This is a flawed mindset because there is no obvious
correlation between the senior inspectors’ and junior inspectors’
rework numbers.
• A preliminary study has not been conducted to determine the
weak inspectors or where a majority of rework is coming from.
9. OPPOSITIONAL CONCERNS CONTINUED
REBUTTALS
• With standardized new-hire training documents, new C&A team
members who come on board should have no issues with personal
methods developed over time, as is the case with senior
inspectors.
10. CONCLUSION
• With a standard site survey procedure for the Navy’s C&A
department in place and 100% compliance from every team
member, we can reduce the amount of rework due to errors,
delays and inconsistent reporting.
11. REFERENCES
• Chief of Naval Operations (N09N) (2006). Department of The Navy
Information Security Program. Retrieved from
http://doni.documentservices.dla.mil/SECNAV%20Manuals1/5510.36.pdf.
• Chief Information Officer of the Navy (2009). Department of The Navy
Information Assurance (IA) Workforce Management Manual. Retrieved from
http://www.doncio.navy.mil/uploads/SECNAV5239_%202IA_WF_MGMT_%20DON_%20CIO_%20Signature29May09.pdf.
• Department of the Navy (2008). DOD Information Assurance Certification &
Accreditation Process (DIACAP) Handbook. Retrieved from
http://www.doncio.navy.mil/uploads/0721MRT65474.pdf.