Service Operations Support (SOS-7)
TDG Inc. created an information assurance program for the Communications, Flight Services & Weather Engineering Group (CFWG), a 500 person organization within the FAA located at the FAA’s Technical Center in Atlantic City, NJ. We have had this role since 2004 and performed under the predecessor contract – SOS-5 – and have continued that support under the new contract awarded in 2009 – SOS-7. We have developed triennial system certification and authorization (C&A) packages, performed annual security assessments, provided disaster recovery/contingency planning, COOP/contingency plan testing, and POA&M remediation tracking for critical National Airspace Systems (NAS) within the organization. Additionally, we ensured that users and managers were certified and knowledgeable in information assurance by teaching three Senior System Managers (SSM) courses – a .5, 2, and 3 day course. The SSM course is a copyrighted security course for senior federal managers that was developed with our academic partner, the Indiana University of Pennsylvania, a DHS/NSA certified Center for Academic Excellence in Information Assurance Education. This new course for what was known as the Designated Approval Authority (DAA) also combines our copyrighted Security Life Cycle that provides an understanding for senior managers of not only “what” needs to be in an Information Assurance (IA) Program but “how” to successfully implement an IA program.
Our involvement is across the spectrum of FISMA, NIST, DOT, and FAA information security requirements. We support the individual systems within the National Airspace System by ensuring that industry best practices are integrated into all security architecture design changes/upgrades to the systems and that the FAA managers are kept abreast of the latest technology. Cost/benefit analyses are made and presented as part of our analysis. In support of COOP and disaster recovery preparedness, we have developed and executed (in accordance with the new NIST SP-800-84, Guide to Single-Organization IT Exercises) functional contingency planning exercises. We have introduced new security concepts and tools into the organization and are now conducting routine vulnerability assessments of the National Airspace systems at the Technical Center – a first in the history of the organization.
Our work with the FAA organization began in 2004 with a part-time person supporting COOP Planning. From that time, our role has continually expanded to cover the spectrum of security activities and has expanded in scope to include introduction of the Safety Management System (SMS) into the organization. With the new contract our responsibilities have been expanded once again to include introduction of SEI CMMI and PMBOK processes for the automation support group within the organization. This required instruction to the automation on the SEI CMMI/PMBOK standards and development of a handbook that defines and documents the processes to be used by the automation group.
TDG provided support to the Communications, Flight, and Weather Engineering Group (CFWG) the Air Traffic Operations of the FAA. The group provides operational support to the field activities by performing second level engineering support to the National Airspace Systems (NAS). Working directly with the systems teams, TDG provides infrastructure management services for network/hardware support focusing on the security aspects of the NAS systems. Based on help desk/IT support calls, new changes/modifications to NAS systems are recommended, designed, developed, and implemented. TDG reviews all system changes as part of our annual assessments of the system within the group. As part of continual service improvement to the Group, we have introduced new technologies not only in the security arena but also in response management, software development methodologies, and other areas.
We developed a new process for managing Plan of Action and Milestone (POA&M) actions that is not being used at the ATO-level for tracking POA&M across the entire ATO, the largest organization within the FAA. We also have provided IT training to senior managers/team leads within the organization using our copyrighted security life cycle.
In support of the FAA, we continually have performed gap analyses across the entire IT portfolio to identify areas for improvement of their security architecture. These risks assessments allow the CFWG Group manager to make explicit decisions in regards to risk and how particular risks can be mitigated.
A key element in our work with the FAA is to provide test and evaluation services focusing on the security controls within the IT portfolio - included in that process is architecture validation and verification for all the systems. We work directly with the system teams to address security issues and to recommend alternative architectural solutions for the CFWG systems. For the National Airspace Data Interchange Network (NADIN) and its associated CFWG systems, we worked directly with the FAA Telecommunication Infrastructure (FTI) team to perform infrastructure engineering, development, implementation, and integration to determine the optimal solution for the CFWG systems to migrate to the FTI architecture.
The TDG has strong qualifications across the entire spectrum of Critical Infrastructure – it is one of many of our strengths. We began our support for the CFWG organization in 2004 providing COOP analysis and support. From that beginning we have evolved to providing full spectrum security support that includes the ongoing operation of the information assurance program for the organization. Initially the organization was “outsourcing” their security activities costing hundreds of thousands of dollars on an annual basis. Working with TDG, CFWG has developed an internal team that only performs the old security functions but also expanded in to performing COOP/DR exercises, implementing a safety risk management process, and conducting continuous monitoring of CFWG systems – something that had never been done before.
