The Navy depends on understanding the risks of operating information technology and information systems (IT/IS) to successfully carry out its mission and business functions. These systems are subject to serious threats that can have adverse effects on naval operations by exploiting both known and unknown vulnerabilities. To successfully identify and understand cybersecurity risks, the Navy first introduced the “Validator” role in 2002 as part of the Defense Information Technology Security Certification and Accreditation Process (DITSCAP) to ensure Information Assurance Controls (IACs) were implemented correctly, as well as effectively in their application.
In 2007, the Navy transitioned to the Defense Information Assurance Certification and Accreditation Process (DIACAP) and the validator role was updated to ensure Navy IT/IS met the latest information assurance (IA) requirements as prescribed in the DIACAP.
During the DIACAP era, the Navy validator provided an independent, third-party validation of the correct implementation of applicable IACs and analyzed the test results. Once reviewed, the validator provided the risk assessment to the Navy Certifying Authority (CA), which is headquartered within the Space and Naval Warfare Systems Command (SPAWAR), for review and approval.
In 2010, the oversight of the validator role was formally assigned to the SPAWAR Navy CA and official Navy validator qualification standards and registration procedures were developed and released.
Now that the Navy has begun its transition from DIACAP to the Risk Management Framework (RMF), and given the importance of the validator’s role in the RMF, the SPAWAR Navy Security Control Assessor (SCA), formerly the Navy Certifying Authority, has developed a new set of qualification standards and responsibilities, as well as a new registration process, for Navy validators. The SPAWAR Navy SCA established these new standards to ensure a functionally strong and proficient base of Navy validators.
The Navy SCA maintains oversight of the cybersecurity risk assessment process within the overall Risk Management Framework Assessment and Authorization (A&A) process, assists with the assessment of the security controls, and certifies the residual risk in support of an RMF authorization.
To determine the overall effectiveness of the security controls, the SCA relies on qualified validators to conduct an independent, comprehensive assessment of the management, operational, and technical controls employed within or inherited by a Navy system. The validator acts as an independent third party who assesses and validates that the system has implemented the approved security control baseline. In this role, the validator acts as a trusted agent to the SCA.
To become a Navy Qualified Validator (NQV), candidates must submit an application and supporting documentation to the SPAWAR Information Assurance Technical Authority (IA TA). To receive the NQV designation, which is required to perform validator duties within the RMF process, candidates are now required to meet the qualification criteria developed and enforced by the Navy SCA.
The qualification standards are broken up into four main categories: Certifications, Education, General Experience, and Navy Experience. In addition to the qualification standards, the Navy recognizes three qualification levels of NQVs (Level I, II and III) with Level I being the most basic level and Level III considered expert level.
In addition, the SPAWAR Information Assurance Technical Authority has also developed computer-based training courses, as well as instructor-led training courses, to ensure validators receive the proper training prior to assessing RMF packages. Successful completion of these courses will be a requirement to receive the NQV designation.
Once approved, the validator will receive a Navy Qualified Validator appointment certificate and will be added to the list of approved NQVs maintained and published by the Information Assurance Technical Authority.
To enhance and maintain the quality of validators, the SPAWAR Information Assurance Technical Authority will score and record the proficiency of each registered Level II and Level III NQV (Level I NQVs will not be scored) using a set of pre-defined performance measures. The Proficiency Tracking Record (PTR) is intended to help improve performance, identify gaps in training and education, and provide constructive feedback.
With this new approach that the SPAWAR Security Control Assessor and Information Assurance Technical Authority has taken to ensure validators are properly trained and qualified, the Navy has positioned itself to be in an improved state of readiness to defend against cyber-attacks.
Paul Harig works in the Office of the Navy Security Control Assessor for Space and Naval Warfare Systems Center Atlantic.
Space and Naval Warfare Systems Command (SPAWAR) – www.public.navy.mil/spawar/Pages/default.aspx
Department of the Navy Chief Information Officer (DON CIO) – www.doncio.navy.mil/