Case Study for Washington Headquarters Service Information Technology Management Directorate (ITMD)
The Washington Headquarters Service (WHS) is a Department of Defense (DOD) Field Activity, created on October 1, 1977. DOD Field Activities supply services common to more than one DOD component or military department. WHS provides consolidated administrative and operational support to several Defense Agencies including DOD Field Activities, various departments of the military, the White House, and in select cases Congress.
The Department of Defense requires military agencies to periodically reaccredit information services for security compliance. WHS had attained the accreditation several years prior, but was soon set to expire. Since its previous accreditation, the certification process had changed from DITSCAP (Department of Defense Information Technology Security Certification and Accreditation Process) to DIACAP (DOD Information Assurance Certification and Accreditation Process). This would require the composition of new documentation, considerably different than the previous documentation. In addition, the WHS needed to reaccredit its VoIP infrastructure with several departments of the DOD.
With DITSCAP, the DOD sent teams to DOD sites to perform an audit and make recommendations for remediation. With DIACAP, the agencies instead became responsible for self-auditing and remediation. To assist the agencies, the DOD provides instructions for performing an audit, including benchmarks that must be met for compliance. Upon completion of the audit, the agency must perform needed remediation and provide supporting documentation. The documentation is then submitted to the DOD for final approval. The DOD will perform spot checks to assure everything is in compliance and issues an Authorization to Operate (ATO) letter once confirmed.
The biggest issue facing the agencies is the shift of the audit to self implementation. The burden of the audit now lies with the agencies and not the DOD. In most cases these agencies do not have the technical expertise and security experts familiar with the DOD requirements on staff, and must look to external contractors who are knowledgeable in this field.
Hamilton-Ryker was the external contractor selected to perform the audits, remediation, and provide the documentation associated with DIACAP for its VoIP telephony infrastructure. Hamilton-Ryker had an existing relationship with WHS, having successfully completed several network installations and maintenance projects over prior years.
The WHS is responsible for a VoIP network that spans across two different entities within the Pentagon, traversing ten buildings in and around Crystal City, VA. The entities served by the VoIP network are all under the DOD. WHS needed to assess, remediate, and document all servers and applications within the network for security deficiencies in accordance with DIACAP requirements. This included analyzing Windows servers, DHCP servers, DNS, web servers, and Avaya application servers and appliances. The physical infrastructure (cabling, etc) had adequate security in place and simply needed to be documented.
Hamilton-Ryker used several software tools to perform the assessment and remediation required by the DOD:
- DISA Gold Disk – software that runs on Windows and other systems that scans systems and applications for security vulnerabilities according to DISA (Defense Information Systems Agency) STIGs (Security Technical Implementation Guides). The user instructs Gold Disk to scan for Category 1, 2, and 3 vulnerabilities according the applicable Mission Assurance Category (MAC), a measure of how essential a system is in the achievement of DOD goals and objectives. The user selects the MAC level (classified, unclassified, public) and Gold Disk analyzes the system, identifying and documenting vulnerabilities. The software also has the capability, in certain cases, to make changes and remediate the vulnerability.
- Retina – a network vulnerability tool by eEye Corporation. Retina is a unified vulnerability management and compliance solution and functions similar to Gold Disk.
These tools were run by an engineer who analyzed the results and made the appropriate changes. This process was continuously completed until all results were satisfactory. These tools were used on all of the servers and applications located within the closed VoIP network. In some cases this was performed in a live environment with minimal impact on the end users.
The documentation deliverable to the Customer required by the DIACAP included:
- Physical Device Inventory
- Server and Application Security
- Operating System Security
- Physical Infrastructure
- Change Management Policies and Procedures
- Disaster Recovery Policies and Procedures
- Physical Access
A central goal of the project was a timely execution. WHS needed to gain DIACAP certification prior the customer’s Joint Interoperability Test Center (JITC) certification expiration for its PBX. (The JITC is essentially an Underwriters Laboratory for the DOD.) In addition, the agencies Authorization to Operate (ATO) letter expired at the end of year and all work would need to be completed timely in order to acquire a renewal.
The primary benefit to the WHS was receiving its DIACAP certification and Authorization to Operate (ATO) letter. WHS also received necessary documentation and policies and procedures to maintain its certification into the future. All of this was accomplished by a means that resulted in a minimal impact to WHS staff and end users.
Hamilton-Ryker was the right choice for this project as our team was able to bring to the table deep experience in such desirable areas as information security and government operations. The familiarity of the WHS infrastructure and applications enabled for a timely and orderly execution of the project. This experience permitted WHS to complete the certification quickly and economically, avoiding unnecessary expenses or scrutiny assuring the new certifications would be in place in time for renewal.
Products and services
- DISA Gold Disk
- eEye Retina
- AD Group Policies/ Local Policies
- SRR Scripts
- McAfee/Symantec antivirus
- Microsoft MMC Snap-Ins
- Group Policy Management (GPM)
- RSoP (resultant set of policies)
- Security Template
- Windows 2003 Server
- Redhat Linux
- Avaya S8700
- Avaya 8500
- VPI – Voice Recorder
- Redksy E-911
- Avaya MAS
- Avaya MSS
- Avaya CMS
- Conference Bridge EMMC
- UCC 1X Speech
- Avaya Cajun
- Cisco 2800, 4500, 7200, 3745
- Cisco Switches 4507, 3750, Extreme Summit
- Cisco PIX Firewall