NSWC Dahlgren Division Departments Achieve Successful Authorization to Operate Compliance


The workforce at Naval Surface Warfare Center Dahlgren Division (NSWCDD) is known for developing innovative, technologically advanced warfare systems for the fleet and the warfighter. What may not be common knowledge is the amount of work behind the scenes that system developers accomplish in order for those warfare systems to begin operating.

From identifying a need for particular system capabilities to the delivery and implementation of the warfare system for the fleet and warfighter, there are numerous steps and procedures to follow to achieve successful compliance.

Over the course of two years, the NSWCDD Assessment and Authorization (A and A) team reviewed and obtained authorization to operate (ATO) documentation for all 49 submitted Risk Management Framework (RMF) Security Authorization Packages, achieving 100% compliance status.

Once a system is developed, it proceeds through the test, evaluation, certification and validation stages before it is delivered to the warfighter and fleet. However, before any warfare system is deemed fully operational, it must first go through an assessment and authorization process.

Various NSWCDD department teams developing warfare systems submit an RMF Security Authorization Package to the Cybersecurity and Compliance Branch to obtain an ATO document. The ATO classifies a warfare system as legally operational and is authorized by Naval Sea Systems Command (NAVSEA) or U.S. Fleet Cyber Command, allowing the system to begin integrating into existing networks or operating as a stand-alone system.

These packages provide the A and A team with a detailed implementation of security controls of the warfare system, including a complete description of the system, hardware and software lists, architecture and data flow diagrams, system life cycle, technical testing and a list of system development personnel. The A and A team then conducts a thorough review of each package to ensure it is in compliance with Department of Defense, Department of the Navy and NAVSEA regulations and requirements.

The NSWCDD Cybersecurity and Compliance Branch Assessment and Authorization Team Lead Barney Mahaney stated that “there are eight departments with specific IT systems or networks that we work with here at Dahlgren. When any of the departments submit a package, we review all elements and provide them with feedback on fixes to execute, meaning making sure that vulnerabilities and high-risk items are closed out before we submit the package to NAVSEA.”

Each RMF Security Authorization Package goes through a multitude of processes and procedures, including the use of scanning tools for technical testing, such as the Assured Compliance Assessment Solution and Security Technical Implementation Guides.

Through the scanning process, the Validation team reviews reports generated from these scanning tools to check for all vulnerabilities present in the system. Once completed, the A and A team works with the system development teams to create solutions to remediate and mitigate the vulnerabilities.

Additionally, Mahaney and his team work to establish a schedule for the packages and confirm that each is staying on schedule to ensure sustainment requirements are met.

The NSWCDD Cybersecurity and Compliance Branch A and A team is considered one of the Trusted Package Submitting Offices (TPSOs) for the Security Control Assessor Liaison for NAVSEA, which signifies that the office is a certified reviewer ensuring that each package meets a high level of quality assurance.

As a TPSO, Mahaney and his team work diligently to reduce the time it takes to forward packages for authorization. Each package can take up to 18 months to go through the multistep process.

“As we are a TPSO, it has contributed to the time savings of at least 30 to 60 days because the RMF Security Authorization Packages sent to NAVSEA for review and approval bypass the standard A and A package compliance review and triage; that helps a great deal,” said Mahaney.

The A and A team continues to take steps to ensure that all ATO-compliant packages maintain approval status. By conducting mock inspections and walk-throughs at various NSWCDD department labs – scanning systems for any risk factors and making sure contingency plans, physical and environmental security controls and software configuration processes are in place – Mahaney and his team continue to support the development of warfare systems.

“We established streamlined communication with all of the departments, holding biweekly meetings to review any issues and address department concerns, using SharePoint to track all of the afloat operational and RDT&E systems and utilizing several tracking systems,” said Mahaney. “It’s an entire warfare center collaboration that leads to total compliance.”


