Apex Assurance Group
Knowledge Transfer, Training, and Advisory: DOD Information Assurance: Understanding Security Technical Implementation Guides (STIG) and UC APL Listing

The Challenge: Building a Comprehensive Internal Training Program for STIG and UC APL Process for a Large Security Vendor

Apex Assurance Group has been tasked with developing internal training to educate engineers, product managers, and sales teams on various Information Assurance (IA) initiatives in the Public Sector. The first phase addressed the Department of Defense (DOD) IA requirements by developing an internal training for Security Technical Implementation Guide (STIG) compliance and Unified Capabilities Approved Products List (UC APL) listing.

The Apex Assurance Advantage: Experienced Understanding of STIGs and UC APL Requirements

With Apex Assurance, you get a seasoned team with deep experience leading certification initiatives from the product vendor perspective. Whether it’s FIPS 140, Common Criteria, or DOD assurance for UC APL listing, our resources have built and led strategic and tactical programs for product vendors in the networking and security space. We approach training and consulting from a practical and experienced perspective.

Apex was selected for this task not only because of our resources’ vast experience but also because our team of dynamic speakers, problem-solvers, and practitioners has experience developing internal and external training. We know what it takes to clearly communicate a message and lay the groundwork for success.

The Result: An Internal Training Session That Clearly Communicated a Complex Topic

Apex Assurance recorded a training session that is now a part of our customer’s internal training curriculum. This course covered the following:

  • DOD policies and relationships to assurance and initiatives
  • Review of security controls and the risk management framework
  • Community resources
  • The anatomy of STIGs
  • How STIGs can help improve product security
  • Flows and process for successful STIG activity and UC APL listing

This effort was the first in a series of sessions designed to educate our customer’s resources on public sector policies, requirements, trends, best practices, and sales strategies.

Contact Apex Assurance Group if your organization is in need of customized training to understand STIG / UC APL details. We can help with knowledge transfer to your product teams, and we can lead your product through STIG and UC APL listing.

Course Development: Best Practices in Security Risk Management for (ISC)²

The Challenge: Building an Extensive Course to Educate (ISC)² Constituents on Best Practices in Security Risk Management

Apex Assurance Group has worked with (ISC)² for over 6 years. Our Security Testing and Risk Assessment talks at the Security Leadership Series and (ISC)² events have been immensely popular, and (ISC)² heard demands from its constituents for more in-depth sessions.

The Apex Assurance Advantage: Experienced Understanding of Security Risk Management and Proven Communication Ability

(ISC)² reached out to Apex for two main reasons:

  1. Our experience with systems security and enterprise risk management
  2. Our team of dynamic speakers, problem-solvers, and practitioners

Through our Risk Management consulting services, Apex has developed considerable knowledge and experience in information security and enterprise risk management issues. We have sat on the same side of the table with end users discussing risk management needs with product vendors, executives, and their customers.

Apex has led dozens of successful talks and risk management workshops, yielding even more input and observations from the field.

The Result: A Highly-Rated Road Show and Workshop That Helped (ISC)² Members Solve Real Problems

The Security Risk Management series has continued to be one of the most popular events held by (ISC)². It is consistently sold out in every geographic market, and attendees continually remark on their take-aways (even those in it just for CPEs).

As a follow up to the success of the event and the attendees’ desire to learn more, Apex partnered with Brightfly to deliver a heavily facilitated Risk Management session/workshop as a second-day offering to (ISC)² members. This intensive, one-day workshop explored the following:

  • The difference between policies for auditors vs. policies for business users
  • How to align policies with business, audit, and testing procedures
  • Practical strategies for embedding security awareness in organizational culture
  • Measurement and reporting mechanisms that support policy enforcement
  • How to extend internal policies to contractors, partners, and other business contributors

Apex and Brightfly delivered practical strategies, tips, and concrete tools to improve policy awareness and compliance throughout the organization. Brightfly and Apex shared best practices and lessons-learned to leave participants with pragmatic plans and battle-tested steps for policy generation, alignment, communication, and enforcement.

Contact Apex Assurance Group if your organization is in need of unbiased, research-based training, interactive exercises, knowledge sharing, and peer networking.

Strategic High Assurance Support for Honeywell International

The Challenge: Addressing COTS IT Assurance in an Environment Already Inundated with High Assurance

Honeywell was in the middle of the development cycle for an aircraft avionics system and on-board networking system. This is high assurance at its highest. These components cannot fail. Compliance to strict assurance standards is baked into the development process.

There are specific safety assessment processes. There are network security processes defined by the FAA. There are safety guidelines and certification considerations that are broader and deeper than the Common Criteria. On top of these, there are the Risk Management procedures discussed in NIST 800-30 and implemented with the self-assessment guide defined in NIST 800-26. It’s the perfect storm of high assurance for point products and the system.

The FAA required evidence to address the functional and assurance claims of the system in Common Criteria language. The Common Criteria is flexible enough to handle this, but making it happen in this high assurance environment is not trivial to say the least.

The Apex Assurance Advantage: The Ability to Digest Large Quantities of Complex Information and Present an Actionable Work Plan

Apex Assurance Group was hired to help Honeywell understand the Common Criteria and its role in assurance. After leading an intense training session for audience members already well-versed in the world of high assurance, we were tasked with an action plan to map aviation-specific assurance programs to the Common Criteria methodology and to deliver documentation addressing the gaps, overlaps, and mapping of functional and assurance requirements.

Apex brought unique experience to the project:

  • Working knowledge of high assurance C&A processes
  • Familiarity with mobile networking technology
  • Past performance in NIST 800-30-based initiatives
  • Ability to digest and translate lengthy, complex certification standards and processes
  • Solid project management approaches to set an action plan for success

The Result: Clear Documentation to Satisfy Our Customer and Their Customers’ Needs

There is no formal Common Criteria certificate for this effort, as the high assurance practices of the other industry-specific standards superseded the need for a tangible Common Criteria certificate. We stepped out of our comfort zone of traditional COTS security appliances and software products to play a very small part of the design and certification processes of a new avionics system and mobile networking system.

Low Level Design Documentation for a Large Fortune 1000 Networking Vendor

The Challenge: Creating Complex Documentation in an Enterprise Development Environment

One of our large networking vendors pursued Common Criteria evaluation with compliance to the Medium Robustness Protection Profile. This rigorous evaluation standard requires (among other things) semi-formal documentation of product subsystems, modules, and internal/external interfaces.

Developers know this stuff. It’s in their heads and scratched on bar napkins. It’s jotted down in functional specifications and captured in source code comments. Presenting this low-level design information in a manner that can be efficiently detailed and evaluated takes time, which is a rare commodity in the product development community.

The Apex Assurance Advantage: Leading from the First Step

Apex Assurance Group was hired to help this company digest the requirements of semi-formal, low-level designs and ultimately complete the required information. We facilitated the presentation of the architecture, asking the tough questions of how things work and how they work together.

Using tools and techniques to organize and categorize the information, we developed a template for developers to fill in the appropriate source code files, interface descriptions, APIs, and log parameters. The challenge was to create a template that could be used by multiple development teams in locations spanning the globe.

The Result: Successful Evaluation

Using the materials provided, the client was able to successfully gather required data, organize it, and “fill in the blanks” to meet the content and presentation requirements of this rigorous standard. The client saved weeks of searching and experimenting, allowing their development teams to spend more time on other important tasks.

Detailing Best Practices in Security Assurance and Software Development

SAFECode is dedicated to increasing trust in information and communications technology products and services through the advancement of proven software assurance methods.

The Challenge: Communicating the Tools and Processes in Software Development Lifecycle in a Broad and Understandable Way

SAFECode wanted to capture best practices for incorporating security assurance into the software development lifecycle to improve product security and product quality. SAFECode asked Apex Assurance Group to draft the first whitepaper to tackle this important, complex subject.

The Apex Assurance Advantage: Capturing What the Best Companies Do to Build the Best Products

Security assurance is hard. The software development lifecycle is complex, and there is not a “one size fits all” model for software development processes. Apex drew from our resources’ experience in the vendor and government world and interviewed Symantec, Microsoft, Cisco, and other leaders to gather case studies to exemplify the academic best practices presented in the paper.

The Result: Clarity in a Complex Subject

Apex leveraged experience and structured information-gathering techniques to develop a publicly available white paper that:

  • Provided an overview of security assurance
  • Described the software development lifecycle
  • Reviewed best practices for integrity controls within the software development lifecycle
  • Included case studies from industry leaders on the incorporation of security assurance into the software development lifecycle
  • Gave SAFECode a strong initial paper to solidify their introduction into the information security community

The final version of the whitepaper was distilled significantly from the exhaustive research and information provided by Apex Assurance Group. The result is a clear, concise description of one of the most complex and misunderstood areas in the IT industry. See “Software Assurance: An Overview of Current Industry Best Practices” at this link.