DoD Title 40/CCA LSS Initiative
IA Strategy Team Presentation
16 Sep 08
Art King, IBM
ODASD(IIA)DIAP

IA Strategy – Customers, Requirement and Impacts
• “CCA Compliance” Customers:
  • Component CIO Staff (CCA focus area POCs)
  • DoD CIO Staff (CCA focus area POCs)
• Minimum Requirements - evidence of a “compliant” IA strategy:
  • Compliance: Binary determination through SME assessment.
    • Either adequate or not adequate for compliance
  • Evidence:
    • Component CIO approved IA Strategy document
    • DoD CIO formal review report (favorable)
• Impact:
  • IA is addressed early and appropriately in the strategic acquisition planning for the program and system.
  • IA architectural, performance, and technical requirements will be more effectively and efficiently addressed in the myriad planning and execution activities of the program
  • Reduction in negative impacts on cost, schedule and performance.
It is the non-CCA uses of the Acquisition IA Strategy where the IA Strategy delivers its real value.

IA Strategy – Key Stakeholders
• Key Stakeholders in the IA Strategy process:
  • PMO
  • System User organizations
  • Information suppliers/consumers
  • Connecting organizations (networks/enclaves/hosts)
  • Information System Security Engineering (ISSE) organization
  • PEO/SYSCOM/MAJCOM
  • Component IA staffs
  • Designated Approving Authority (DAA)
  • Certifying Authority (CA)
  • NSA (GIG IA Architecture)
  • DASD(IIA)DIAP
Stakeholder involvement is simple: Do you agree with the program’s approach to satisfying IA?

IA Strategy – The Process
[Process flow diagram; labels recovered from the slide, in the order they appear:]
• Timeline markers: MS – 90 days, MS – 120 days, MS – 150 days, MS – 180 days, MS – 58 days, MS – 60 days; two steps marked “Event-driven”
• Organizations: PEO, SYSCOM, MAJCOM; Component IA staff; ODASD(IIA)DIAP
• Steps:
  • Compliance requirement discovery or active engagement
  • PMO/WIPT address comments – smooth submission
  • PMO/WIPT address comments – revised submission
  • PMO/WIPT develop early rough draft IAS
  • DASD(IIA) DIAP Early Coordination Review
  • Component staffing process…
  • Component CIO approval
  • ODASD(IIA) DIAP Formal Review
• Artifact #1: Component CIO Approved Program “X” IA Strategy Document
• Artifact #2: DoD CIO Formal Review Report for Program “X” IA Strategy
• Artifacts are for “plug-in” to CCA Confirmation Package (or incorporation by reference).
The overall timeline depends on the maturity of other program factors. The IA Strategy can not “wag the dog”.

IA Strategy – Key Success Factors
• What do “successful” IA Strategies have in common?
  • Oversight organizations pro-actively reach out and ensure the PMO is aware of the requirement, and has the latest policy and guidance
  • PMO develops an early, very rough draft IA strategy document
  • The PMO engages DoD CIO staff early in the draft stage
  • An IA WIPT or similar stakeholder working group is involved in content review/validation (not necessarily content development)
  • Critical content areas are addressed commensurate to life cycle stage (see next slide)
  • PMO, WIPT, PEO/SYSCOM/MAJCOM, Component IA and DASD(IIA) conduct concurrent reviews to reduce cycle time
  • IA Strategy review and approval is decoupled from CCA compliance package review and approval process
“Success” is an IA Strategy that is compliant and meaningfully informs the overall system acquisition.

IA Strategy – Critical Content Criteria
• Acquisition IA Strategy essential content for compliance:
  • Milestone A (25% solution)
    • Program info (ACAT, system type, MC/ME)
    • DoD 8500 series applicability (policy and standards)
    • Mission Assurance Category (MAC) and Confidentiality Level
    • C&A method, key roles identified
  • Milestone B (85% solution), add:
    • Expanded system description
    • IA acquisition approach
    • IA architecture (system and GIG alignment)
    • C&A detail (schedule/roles/boundaries)
    • IA testing
  • Milestone C (95% solution), add:
    • Update for schedule and reality changes
  • Full Rate Production/Deployment (100% solution), add:
    • Update for schedule and reality changes
Content criticality is a function of current life cycle stage.

IA Strategy – Key Lessons Learned
• Key Lessons Learned in the IA Strategy process:
  • Programs want and need guidance
  • Templates eliminate guesswork, structure thought, and save time
  • Programs have terrible track record for selecting “equivalent methods and products” for IA strategy compliance
    • Demands for equivalents are almost always from a “cutting edge” and “best and brightest” program
    • Resulting systems have been poster children for poor IA, cost/schedule growth
  • If left uninformed, programs will squander time and resources on “building a document”:
    • Irrelevant content and non-value-added boilerplate
    • Replication of existing material, superfluous annexes and appendices
  • Good strategies are readily identifiable as planning drivers – the content is designed to answer questions and make things happen.
Every program is special, but…

IA Strategy – Barriers/Obstacles/Problems
• Problems we discovered and are addressing:
  • Originally, no documentation was available to Components or programs describing what it meant to be compliant, nor of the process to determine it
  • The CCA IA compliance statement that has been in use for years presumed (prematurely) the existence of sufficiently robust DoD IA policy, architecture and standards against which program/system compliance could be measured.
  • Low level of awareness below ACAT 1D/1A oversight
  • Negligible field network to support implementation within Components
IA Strategy for CCA -- Not perfect, but hopefully not in the critical path!