2017 CTMA INTEGRATED PROJECT BRIEF: GLIS/CYBER SECURITY RISK MANAGEMENT FRAMEWORK


Page 1: Project Brief Title - National Center for Manufacturing ......Project Brief Title Author: Tom Keating Created Date: 4/12/2017 10:48:45 AM ...


Background: Modernizing USMC LOG IT

• Original ERP Path had 9 Increments

  – Everything to be in the Oracle E-Business Suite

  – Under the ACAT IAM program

• Reality of ERP Fielding

  – ERP implementation replete with Cost/Schedule Breaches and Capability Gaps

  – 9 Years for Increment 1

• The ‘Road to Rome’ became the ‘Rape of Nanking’

  – Drives PM to madness…and Innovation

• Seeking a better way


Development of Operational Transition Procedures & Sustainment Analysis for Global Logistics Integration System (GLIS) Supply & Maintenance Functions – Phase IV


Problem Statement

• While many ERPs can be an effective logistics management system, their actual implementation has created several challenges for the end users. Specific Problems & Challenges follow for the USMC effort:

  – A thorough understanding of the ERP system is lacking across the user base especially in relation to the deployment of units.

  – Full utilization of the system and the ability to properly configure units for deployment have led to great inaccuracies in accountability, auditability, and readiness.

  – Addressing the training shortfalls and lack of understanding of a new GLIS remains a prime component needed for successful implementation of the ERP.

  – The requirement of training a robust workforce along with implementing a completely new approach to maintenance and logistics processes while not degrading operations -- Key in expeditionary environments.

  – Linking supply and maintenance functions in a congruous manner for effective resource utilization.

  – Records tracking maintenance activities have been insufficient, underwriting poor lifecycle management of equipment which degrades industry’s ability to forecast and manufacture equipment and material.

  – Better forecasting and utilization measurement for deploying units are needed for the limited storage space and resupply capabilities of deployed units.

Enterprise Resource Planning (ERP) implementations as well as those developed specifically for the Department of Defense (DoD) have proven to be challenging at best in delivering a required Portfolio Solution in the replacement and modernization of industry and DoD business systems.


Technical Approach

• Continued enhanced education and training is a primary effort that underwrites improved system performance and future quality rollouts. Coupled with this are the other actions including capture of system deficiencies and building of solutions and modifications; reports and analysis of best business practices; and preparation for and evaluation and refinement of ERP upgrade rollouts as well as additional increments to include deployable solutions. Refining these elements will be critical in order to achieve the highest level of safety for the majority of products produced and ultimately sold to the public. The use of specialized training and development of lessons learned will be paramount to the success of the ERP.

The overall objective of GLIS is to explore, develop, and demonstrate improved implementation actions, processes, and procedures in order to increase the accuracy, auditability, efficiency and effectiveness of the supply chain and maintenance functions through knowledge management and general logistical and technical analysis, solution development, and implementation. These efforts are expected to result in the identification and correction of deficiencies in Material Management, Equipment Accountability/Visibility, Distribution Visibility, Fiduciary Accountability and Auditability, User Functionality, and Material Readiness. Special areas of focus will be on reporting and financial compliance activities, accuracy of records, and ability to forecast and project maintenance and supply capabilities, material inventories, and utilization of personnel and assets.


Overall Benefits

Benefits to the Public and Industry:

• Capturing successful training techniques that address software lifecycle management requirements shared with industry and can be utilized in the implementation of ERPs in support of multi-echelon, multi-party Supply Chain Management deployments.

• Obtaining an optimal model for design, development, and testing of an ERP that is fully useable in both the public and private sector.

• Providing a reasonable solution for industry on how best to obtain supply chain information such as maintenance and readiness data. This will ultimately help reduce redundancy and streamline logistical support along with producing usable data, further improving products and services availability at best cost.

• Providing the ability to leverage successful software development and implementation through lessons learned and technical and procedural innovations.

• Improved processes and procedures by combating “ERP shock” through enhanced training, better liaison with users, and advocacy for the system resulting in a package that best mitigates the hazards of ERP implementation.

• Offering an enhanced ability to plan, forecast, and execute the manufacture and distribution of key equipment and material through an OEM’s supply chain with improved inventory accuracy.

Benefits to Government:

• Results in more effective and timely preventive and corrective maintenance execution and reduced rebuild turnaround time for equipment with a potential savings.

• Reduction in costs due to a more efficient maintenance pipeline.

• Increased asset readiness with respect to maintenance, readiness, and equipment availability and allocation.

• Increased visibility of supply status and availability of resources.

• Improved maintenance, supply, and asset tracking/accountability.

• Improved efficiency and effectiveness of users within the system.

• Significantly decreased lifecycle cost of equipment through a reduction in man-hours for management of assets.

• Supports attainment of “Public Clean” Audit as congressionally mandated.

• The Marine Corps learns from industry using best practices to better account for its equipment based on operational user observations and suggestions with an emphasis on understanding total ownership costs.


Technology Deployment

• All Marine Corps Operating Forces & Supporting Establishment Command are using GCSS MC LCM 1.1

• Deployed Globally


Project Team Participants

• Headquarters Marine Corps, DC I&L (LPV, LPC)

• Marine Corps Logistics Command

• Marine Corps Systems Command

• National Center for Manufacturing Sciences

• Anglicotech, LLC


CYBER SECURITY AND RISK MANAGEMENT FRAMEWORK PROJECT


Problem Statement

• Department of Defense (DoD) systems have become increasingly networked, software intensive, and dependent on a complicated global supply chain, which has increased the importance of security as a systems engineering design consideration. In response to these conditions and environment, the DoD has established Program Protection/System Security Engineering as a key discipline to protect technology, components, and information from compromise through the cost-effective application of countermeasures to mitigate risks posed by threats and vulnerabilities.

• The analysis, decisions, and plans of Acquisition Programs are documented in a Program Protection Plan, which is updated prior to every Milestone decision. DoD systems incorporate an extensive amount of software, and therefore defense programs must conduct early planning to impose software assurance countermeasures to counter adversarial threats that may target vulnerable software.

• Programs must ensure systems are securely supplied, designed, and tested to ensure mission success and to protect critical functions, associated components, and critical program information (CPI). Of particular interest are protection and assurance activities undertaken during the integration and development of commercial off-the-shelf (COTS) components; activities designed to mitigate attacks against the operational system (the fielded system); and activities that address threats to the development environment.

HOW TO DO THIS IN DOD OR PUBLIC SECTOR – ADHERE TO RMF ENGINEERING BUT OPTIMIZE INDUSTRY ADVANCEMENTS IN SOFTWARE DEVELOPMENT (E.G. PAAS)


• The Contractor will support a major review of all systems, applications, environments in the GCSS MC Portfolio to include a continued institutionalization of the Risk Management Framework (RMF) assessment as a component requirement of Systems Engineering Technical Review (SETR) documentation within all systems in production and all pending and future developmental efforts.

• Continue RMF Security Plan assessments and analysis from the current Commercial Technologies for Maintenance Activities (CTMA) project with PaaS vendors and integrators implementing the Class V Ground Ammunition OIS Retail Tactical roll out, and support any ongoing Industry Software Environment and Development Assessments, to include Architecture and Infrastructure.

Technical Approach

Assist the GCSS MC PMO IA Team with a full integration of RMF into the Software Development Life Cycle (SDLC) and a full programmatic implementation to comply with DoD, DON Policy and procedures as required by the below references:

• NIST SP 800-37r1 – Guide for Applying the Risk Management Framework to Federal Information Systems (incorporating the RMF into the SDLC)

• NIST SP 800-39 – Managing Information Security Risk: Organization, Mission, and Information System View

• FISMA

• OMB Circular A-130, Appendix III


Overall Benefits

Benefits to the Public and Industry

• Allows for secure development and use of commercial software

• Increased responsiveness – DoD access to commercial products

• Decreased time to deploy technology – Implementation Savings

• Industry incentivized to do business with the Department

• Industry acquires Blueprint to be compliant

Benefits to DoD

• Attaining SwA requirements and integrating them into the engineering process at all stages of the SDLC will reduce risk and vulnerabilities and increase Cyber Defense Posture.

• Underwrites security requirements across aging IT Portfolios in need of modernization strategy.

• Leverages Industry at all levels of SwA to take advantage of their R&D investment which enhances mission area capability for Government and DoD operations.

• Minimizes burden on acquisition programs


Technology Deployment

• Previous Project Objective: System Engineers and Developers will ensure that the baselined security controls are evaluated and implemented during the Development and subsequent Implementation Phase of the SDLC.

• Metadata/annotations will be captured in the PaaS which will be harvested to help satisfy the security controls

• Vendor Team will generate a .csv file which details explicitly where the security control can be assessed for the control that has been implemented, similar to the RTM

– This gives a cross-reference where code and/or policies can be reviewed to ensure the security control has been implemented correctly.

BENEFITS:

• Annotation of the security controls reduces time during Step 4: Assess Security Control

  – Reduces time and subsequently the cost of personnel performing these tasks because a direct path is given to the assessment of the control

• Security is baked into the PaaS early in the SDLC instead of bolted on.

  – Security Controls such as auditing, password policies, input validations are ‘turned on’ during the ‘Build Phase’

• Build documentation is security focused

• Will seamlessly enable Reciprocity so that the Industry PaaS will be able to be shared by other DoD agencies

• Any changes made to the PaaS are documented and annotated thereby improving continuous monitoring activities
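
One way the .csv cross-reference described on this slide could be produced, as an added example that is not the project's or the vendor's code. The `@control` comment syntax, the file names, and the baseline list are assumptions constructed for illustration; the sketch harvests annotations from code and policy files, writes RTM-style rows, and lists baseline controls that have no annotation to assess.

```python
import csv
import io
import re

# Assumed annotation syntax (not specified on the slide): a comment holding
# "@control <ID>: <note>", where <ID> is a NIST SP 800-53 control identifier.
ANNOTATION = re.compile(r"@control\s+([A-Z]{2}-\d+(?:\(\d+\))?)\s*:\s*(.+)")

# Constructed sample artifacts standing in for code and policy files in the PaaS.
SAMPLE_FILES = {
    "auth/login.py": "# @control AC-7: lock account after 3 failed logons\n"
                     "def login(user, pw): ...\n"
                     "# @control IA-5(1): enforce password complexity\n",
    "config/audit.yaml": "# @control AU-2: audit logon and privilege events\n"
                         "audit: enabled\n",
}

# Constructed baseline: the controls the assessor expects evidence for.
BASELINE = ["AC-7", "AU-2", "IA-5(1)", "SI-10"]

def harvest(files):
    """Return one row per annotation: control, artifact, line number, note."""
    rows = []
    for path, text in sorted(files.items()):
        for lineno, line in enumerate(text.splitlines(), start=1):
            m = ANNOTATION.search(line)
            if m:
                rows.append({"control": m.group(1), "artifact": path,
                             "line": lineno, "note": m.group(2).strip()})
    return rows

def cross_reference(files, baseline):
    """Build the CSV text and list baseline controls with no annotation."""
    rows = harvest(files)
    covered = {r["control"] for r in rows}
    missing = [c for c in baseline if c not in covered]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["control", "artifact", "line", "note"])
    writer.writeheader()
    writer.writerows(sorted(rows, key=lambda r: (r["control"], r["artifact"])))
    return out.getvalue(), missing

if __name__ == "__main__":
    csv_text, missing = cross_reference(SAMPLE_FILES, BASELINE)
    print(csv_text)
    print("No annotation found for:", ", ".join(missing) or "none")
```

The list of unannotated baseline controls is what makes the file useful for continuous monitoring: a control that drops out of the CSV after a change is a prompt to re-assess it.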


Project Team Participants

• Marine Corps Systems Command

• National Center for Manufacturing Sciences

• Anglicotech, LLC


Questions/Discussion