CASE STUDY

Ministry of Defence (MOD)

Providing a Security Assurance Coordinator as part of the design and build team for an experimental data platform.

Overview

i3Secure were approached by a trusted partner to provide a Security Assurance Consultant (SAC) as part of the design and build team for an experimental data platform for the Ministry of Defence. The team was formed of personnel from a range of commercial companies, government laboratories and His Majesty’s Armed Forces. Working with such a diverse team required an understanding of MOD policies and directives along with national and international cyber security standards and methodology. The SAC role required the formulation of all papers and plans to support the cyber security elements of the project throughout the Concept, Assessment, Demonstration, Manufacture, In-Service and Disposal (CADMID) lifecycle.

 

The Challenge

Appointed during the Concept phase, the SAC was fully immersed in the project from the early design stages. The SAC was able to advise and direct on the relevant MOD policies and how they should be applied in conjunction with the National Institute of Standards and Technology (NIST) Risk Management Framework process, and to select appropriate controls.

The MOD accreditation process is complicated and lengthy. The SAC was responsible for undertaking and directing all security work strands and for completing all accreditation support documentation. They also acted as a conduit between MOD agencies and the commercial sector, a key element for successful delivery.

 

Our Solution

Our SAC quickly gained the confidence of all collaborative partners and built effective professional relationships with all elements of the project. To ensure timely progress, the SAC produced a Risk Assessment in line with NIST 800-30, a Risk Treatment Plan and Risk Register, Baseline Control Set, System Security Categorisation (FIPS…), Risk Management Accreditation Document Set, Plan of Action and Milestones, a NIST 800-37 Document Tree, and Security Working Group (SWG) documents and presentations, and chaired the bi-weekly SWG. The document set fulfilled the requirements defined in JSP 440 and JSP 604.

The Result

The professional ability of the SAC, coupled with the nature of the interactions with all individual elements of the project, has resulted in the SAC being requested to join the team once again during the next evolution of the system. Our SAC had a full understanding of the processes involved, which allowed the project to deliver within tight timelines and changing requirements. Collaborative working, striving for excellence and high professional competence produced an outstanding product.

At a Glance 

  • SAC produced a Risk Assessment in line with NIST 800-30, a Risk Treatment Plan and Risk Register, Baseline Control Set, System Security Categorisation (FIPS…), Risk Management Accreditation Document Set, Plan of Action and Milestones, a NIST 800-37 Document Tree, Security Working Group (SWG) documents and presentations.
  • Advised and directed on the relevant MOD policies and how they should be applied in conjunction with the NIST Risk Management Framework process.
  • Chaired the bi-weekly Security Working Group.
  • Asked to support the next evolution of the system.