Legacy Systems, Applications Challenge Intranet Rollout

December 2002
By Tiffany Gerstmar

Modified verification process offers immediate solution.

The U.S. Navy and an information assurance tiger team made up of industry and government personnel are tailoring certification and accreditation processes to validate the legacy systems and applications that are transitioning into the Navy/Marine Corps Intranet. The work ensures that fielded systems comply with U.S. Defense Department information security requirements.

Some experts believe that the current certification and accreditation process, known as the Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP), does not lend itself to evaluating legacy systems and applications. This process is primarily intended to examine major automated information systems at the beginning of the life cycle. Although the DITSCAP application manual allows the process to be adjusted to include existing system certifications and previously evaluated products as well as new security technology or programs and then modified to the applicable standards, the implementation guidance does not define how to step into the mid to late life cycle.

Defense Department and Navy directives, public law and federal regulations, some introduced as early as 1983, require that information systems be tested for adequate incorporation of information assurance. Navy policy mandates that the final step before placing an information system into operation is to apply standard methods to ensure that risks to the systems are reduced to known and acceptable levels. It also must be possible to review and reassess these risks in the future. The certification and accreditation process is the primary method to measure this residual risk to a system or application and determine its information assurance posture and operational suitability.

DITSCAP is a standardized method used across military commands for this accreditation. It establishes a central set of activities, general tasks and management structures to certify and accredit systems to maintain the information assurance and security posture of a system or site. The process is used for security certification and accreditation of both unclassified and classified information technology. DITSCAP stresses the importance of a life-cycle management approach to the certification, accreditation and reaccreditation of information technology systems.

However, implementation of the Navy/Marine Corps Intranet (NMCI) is forcing the Navy to adjust DITSCAP for the assessment of deployed legacy systems and applications. A standardized approach helps the intranet’s designated approval authority make sound decisions when considering systems and applications for inclusion in the secure NMCI enterprise.

The Space and Naval Warfare Systems Command (SPAWAR), San Diego, working with an information assurance tiger team of information security specialists from government and industry contractors, has developed an adaptive strategy that complies with Navy certification and accreditation guidance and the DITSCAP application manual.

“The very flexibility that permits DITSCAP to apply to a wide variety of scenarios has yielded a wide diversity of end products in the rapid implementation of NMCI,” says James Patterson, certification and accreditation consultant, Falconwood Incorporated, San Diego. Patterson is the liaison between SPAWAR and one of the teams that is part of the NMCI legacy systems certification process.

The strategy uses Navy certification and accreditation guidance as a starting point and builds from there. According to the DITSCAP application manual, implementation details of certification and accreditation activities may be adjusted and, where applicable, integrated with other acquisition activities and documentation.

“Lessons learned show that NMCI transition activities for legacy systems and applications require a great deal of information discovery and engineering review and design for operational functionality, architectural placement and security compliance,” Patterson says.

Prior to NMCI implementation, personnel at the site review their systems’ applications and determine which ones they will need to carry out their duties and must be transitioned to the NMCI. These applications are then tested to ensure that they are compatible with various components of the NMCI. Much of the information that is required to certify and accredit legacy systems and applications can be drawn from this certification procedure.

Key NMCI legacy system and application transition activities and specific information developed during the transition process can consist of many different documents. For example, a request for service contains information about each system and application for the Information Strike Force, the industry team developing the NMCI. Activities and information also include the rapid certification testing phase for functional and security certification and a tiger team vulnerability assessment package. In addition, a quarantine desktop application transition solution document may be required for applications that fail testing.

Contact information for the requesting site, command and certified design authority, the engineering data required to transition each system or application to the NMCI, and a description of system interdependencies also may be acquired during the transition process.

The process also may produce an end-to-end system topology, including critical system and information assurance components, a risk assessment and residual risk statement, and a certification and accreditation plan of action and milestones.

Additional key information may be acquired in the transition process. This may include data required for special circumstances or for compliance with the National Industrial Security Program Operating Manual for contractor-hosted hardware or information, Joint Staff validation of foreign national access to systems and applications, and any memoranda of agreement.

Finally, a certified design authority and site/command agreement may be obtained to notify the NMCI designated approval authority about upcoming changes, upgrades and refresh schedules or changes to the level of sensitivity of the systems and applications in accordance with the NMCI release management process.

This type of information is assembled, and its documentation acts as an interim system security authorization agreement. It is packaged by the site or command system and application owners, developers or life-cycle managers and provided to the NMCI designation approval authority for consideration. This interim agreement allows the NMCI designated approval authority to approve the legacy system’s or application’s transition into the intranet. The second step in the certification and accreditation method developed by SPAWAR and the tiger team focuses on taking that same information and reusing it as one of the components of an actual system security authorization agreement.

All major players in the Navy’s general service designated approval authority roles—which include the Naval Network Warfare Command, Chief of Naval Operations and U.S. Marine Corps Command, Control, Communications and Computers directorate—approve of this strategy. The method is codified in the NMCI security certification and accreditation process. These parties also agree that this is only an interim solution and that follow-on activities are required to grant an interim authority to operate.

The rollout of the NMCI expedited the adaptation of a DITSCAP-compliant certification and accreditation strategy for fielded legacy systems and applications and forced the evolution of very specifically formatted information collection devices such as the risk mitigation engineering review questionnaire, request for service and topology diagrams.

Some information required by DITSCAP for a system security authorization agreement remains lacking in this strategy. For example, a full security test and evaluation and a complete environmental description is required. However, these and other information shortfalls will be addressed in the certification and accreditation plan of action and milestones as part of the transition package and also are included as part of the life-cycle maintenance plan. This strategy has been socialized among and approved by government representatives responsible for the accreditation of existing Navy general service systems, applications and networks.

The Navy’s information assurance professionals agree that the challenge of certification and accreditation of legacy systems and applications is too big to address in the short period of time necessitated by an accelerated NMCI rollout. There is neither sufficient time nor resources for the Navy to implement the extensive DITSCAP process.

The current strategy embraces developing a snapshot of the basic information assurance posture of fielded legacy systems and applications, ensuring that the owners and developers know the end goal requirements of a full DITSCAP accreditation. It also assists them in developing a plan of action and milestones to address the requirements that will provide a complete and thorough certification and accreditation process in the end.


Tiffany Gerstmar is an information security architect for R.L. Phillips Group LLC. She also is a member of the information assurance tiger team.