Naval Information Warfare Center (NIWC) Atlantic announced the command’s passing of two back-to-back Command Cyber Readiness Inspections (CCRIs) held earlier this year.
The successful completion of the inspections, conducted in April by Fleet Cyber Command’s Office of Compliance and Accreditations (OCA), at the command’s Component Enterprise Data Centers (CEDC) in Charleston and New Orleans, highlight the overall effectiveness of the command’s cybersecurity posture and marks the first time CCRIs were physically conducted onsite since the beginning of the COVID-19 pandemic.
“The inspection gauges your cybersecurity compliance in areas like security technical implementation guides, assured compliance assessment solution scanning and host based security system compliance, and makes assessments from an organizational standpoint, like how leadership is engaging with your unit,” said Karey J. Bowers, Jr., information systems security manager (ISSM) for NIWC Atlantic’s Data Center and Cloud Hosting Services (DC2HS) division.
Each CEDC exceeded the minimum passing score with a combination of individual inspection results conducted on unclassified and secure networks. Bowers attributes the positive inspection results to the pre-inspection effectiveness of his seven-person command Audit Readiness Team (ART).
“With the ART program, we keep pushing those numbers higher and higher, and because some things are weighted more than others, they’re worth more points than others,” said Bowers. “We have a very strategic approach to how we do things. We run a lot of analytics on the compiled data to ensure we get the highest possible score.”
Bowers and his team operate at a division level, which means nearly the entire DC2HS division is engaged in both preparations and inspections. Every DC2HS technology area being inspected provides a subject matter expert (SME) who is then paired with a technology SME from the OCA inspection team.
“When they (inspection team) first start the week, leadership attends an in-briefing. Upon completion of the briefing, we align division staff with the OCA inspectors and the inspection staff then starts doing assessments,” said Bowers.
Besides keeping the command ready for CCRIs, Bowers said having the ART in place also saves money because it eliminates the need for extra support while ramping up for inspections. Remaining in a state of inspection readiness, he added, requires less overtime and surge support requests, thus providing a cost savings.
“Before the implementation of the ART program, DC2HS would have to bring in additional command staff to assist in inspection preparations. Now, whenever we’re prepping, and it’s almost time for the inspection, you almost can’t tell an inspection is upcoming or ongoing. It’s our normal way of doing business,” said Bowers. “We don’t have to expend a lot of manpower hours. We don’t have to bring in any surge support. We’re pretty much self-contained from an inspection perspective. We inspect ourselves monthly the exact same way as the inspectors. This approach has done wonders in terms of budgeting and saving money on things like manpower hours and travel.”
While the ART process is not mandated, Bowers sees it as a part of the process to keep his division and the command inspection ready.
“We assess ourselves at all of our responsible sites. It’s done for the cloud, Charleston, New Orleans, Kansas City, and the Millington data centers. The program covers everything we have under our purview. It helps us stay audit-ready. I’m not certain that I’ve seen another organization that has a team like that either, so it’s pretty innovative as well,” said Bowers.
Being onboard NIWC Atlantic for more than 10 years, two of those years as a contractor and eight as a government employee, Bowers has experienced several variations to the inspection process. That experience has given him and his team the insight and ability to be proactive with inspection preparations and handle future changes with flexibility and grace.
As there are many types of inspections and audits, DC2HS likes to focus on effectiveness and completing as many things as possible once, while also having them count in multiple areas.
“There’s no point in doing the same work over and over again,” said Bowers. “As an enterprise, we ensure our infrastructure gear remains inspection-ready regardless of site. This methodology allows us to be prepared for any assessments at any of our sites.”
That’s exactly how Bowers and his team are approaching all future inspections.
“The goal is to assess a more proactive stance to cybersecurity and the efforts being taken to protect the Department of Defense Information Network (DODIN),” said Bowers. “It all ties into our Risk Management Framework continuous monitoring.”
With all inspection results being shared with command leadership and beyond, for Bowers and his team, there is a great sense of pride and accomplishment when they exceed expectations.
“I think it’s great. It’s more about looking at the big picture, knowing that all your efforts and the ART program are successful.” said Bowers. “It’s really fulfilling when it does come to fruition, to see the program rolled out and know that you’re protecting the DODIN. I’m very proud of the team, program and everybody involved in the division that made this happen.”
As a part of Naval Information Warfare Systems Command, NIWC Atlantic provides systems engineering and acquisition to deliver information warfare capabilities to the naval, joint and national warfighter through the acquisition, development, integration, production, test, deployment, and sustainment of interoperable command, control, communications, computer, intelligence, surveillance, and reconnaissance, cyber and information technology capabilities.