By Angela French and Mary Kitson
NGA Office of the Chief Information Officer
For the past two years, the Intelligence Community has focused on developing and implementing the Intelligence Community Information Technology Environment initiative, known as IC ITE. IC ITE provides a number of services that support Director of National Intelligence James R. Clapper’s vision of true intelligence integration. While many are focused on the mission user improvements that IC ITE will bring, personnel at NGA are working behind the scenes to develop and implement the framework and policies necessary to support this ambitious undertaking.
System security, often an afterthought when designing or using IT resources, is required for the IC to operate on all networks and is a key component to the success of the initiative’s success. This includes safeguarding the IT infrastructure against outside malicious actors while ensuring intelligence professionals have the right authentications and accesses to data within the new integrated environment.
“NGA is leading the community in this area by proactively adopting emerging IT solutions and simplifying security processes,” said former NGA Deputy Director Mike Rodrigue. “NGA’s work is an example of how the entire IC can better manage and operate securely within the IC Cloud. By executing this security strategy, NGA is able to more rapidly — and transparently — provide online, on-demand GEOINT.”
In the summer of 2014, NGA was the first IC agency to deploy an operational capability to the Commercial Cloud Services, or C2S, which offers agile, cost effective cloud computing to the IC. To test the capabilities of the cloud environment and to drive forward one of its key initiatives, NGA chose to first add the foundational elements for NGA’s dynamic Map of the World, an initiative which enables analysts throughout the IC to access data of all intelligence disciplines. Once fully operational, MoW will enable users to visualize and access integrated intelligence content fixed to accurate geographic features on the Earth.
“These initial capabilities are noteworthy, but they are only the first steps in a long process to evolve NGA’s role as the provider of a platform for intelligence integration, which will enable all agencies to collaborate in one environment,” said David White, NGA’s former chief information officer. NGA’s Deputy CIO Shishu Gupta noted that once MoW is fully deployed in the C2S as a common service for the IC, it will provide the opportunity for other agencies to decommission their agency-unique geospatial portals and data programs.
As the first to release capabilities into the C2S, NGA leaders knew they needed to formulate a strategy for securing content and mitigating risk in this environment that could be used by the entire IC. Fortunately, NGA security professionals had an early concept to build upon, one that was used to secure and test one of IC ITE’s first services, the Desktop Environment, or DTE.
Led by NGA’s Office of the Chief Information Officer, staff from multiple key components, the DTE Joint Program Management Office and the Defense Intelligence Agency began working together in the summer of 2013 to develop a method for testing and securing DTE. The environment provides a common suite of collaborative tools such as “.coe” email addresses and the same instant messaging capabilities for the entire IC.
For initial DTE security, the team focused on implementing a new IC security mandate — Intelligence Community Directive 503 — which improves the agency’s process of assessing and authorizing information systems for use and establishes the new Risk Management Framework. This state-of-the-art countermeasure is a more intuitive risk management process, according to Lance Dubsky, NGA’s chief information security officer.
“The countermeasure better serves program managers’ needs throughout the IT system lifecycle and provides leadership a near real-time security posture of NGA’s systems,” said Dubsky.
All systems used within IC ITE must be accredited using ICD 503 requirements.
“The RMF improves the way we manage risk associated with NGA’s information systems,” said Dubsky. “Through better safeguarding of our systems and using common services and practices, we can responsibly manage IT security in an increasingly dangerous world while offering substantial savings to program budgets.”
After successfully securing the DTE using ICD 503 and RMF, the security testing team used best practices and lessons learned to adapt its security strategy to apply to systems and GEOINT content added to the cloud environment.
Air Force Tech. Sgt. Jason Hess, who serves as NGA’s IC Cloud information system security manager, worked with NGA IT Services to develop the first security strategy for adding content into C2S by leveraging the agility that the RMF provides.
“By using the enterprise services of others, we have reduced our typical security process from 90 days to two weeks,” said Hess. “The streamlined process enables us to develop more systems in an agile framework while also doing it securely. Program managers need to be able to have enough information about security-related risk to make a decision quickly about launching their IT system in support of the mission.”
Security engineers and developers who are working to add programs that will enable MoW supported the risk-based security solution.
The ability to move at mission speed is all about how you approach security according to Allison Roulier, an IT Services engineer.
“Using a streamlined approach to security risk management changes everything,” said Roulier. “The best way to adopt the new process successfully is to jump in with both feet.”
According to Hess, NGA’s security personnel continue to improve how NGA applies ICD 503 requirements and manages risk as it adds more content to C2S.
“The team has held a number of cloud security summits to collaborate with IC partners — including the CIA, DIA, NRO, NSA and FBI — to ensure a community approach to securing all systems that will used in the IC IT environment,” Hess said.