FRCSW Commanding Officer Capt. Anthony Jaramillo, center, is joined by members of the Command Cyber Readiness Inspection (CCRI) team and FRCSW security personnel in front of the Building 94 quarterdeck following the conclusion of the CCRI February 14. The command passed the security inspection on its first try, and is the first NAVAIR facility to do so. (U.S. Navy photo)
Fleet Readiness Center Southwest (FRCSW) completed an extensive four-day Command Cyber Readiness Inspection (CCRI) February 14. Scoring 80.5 percent, the command became the first Naval Air Systems Command facility to pass the inspection on its first try.
Overseen by the Defense Information Systems Agency (DISA), the CCRI's purpose is to evaluate, improve and strengthen a command's cybersecurity and computer network postures. The CCRI also ensures compliance with various DOD-mandated cybersecurity and computer network directives. The inspection was conducted by nine members of the U.S. Fleet Cyber Command (USCYBERCOM), which is the DISA liaison.
"FRCSW was notified of the CCRI schedule in September 2018," said Tamika Clay-Jefferson, command information systems security manager (CISSM). "Because we'd never had an inspection of this magnitude before, changing the command culture with regard to common access cards (CAC) and securing our personally identifiable information (PII) was major. To me, getting the command culture on track was the most rewarding because we did fairly well. And that was recognized by the traditional security inspector saying that for a command this size, he expected to find way more incidents and he found virtually none."
Of the command's 88 buildings, Clay-Jefferson said that five were identified as potential locations for the CCRI: Buildings 334, 94 and 5, and Buildings 378 and 317, which house FRCSW's research, development, test and evaluation (RDT&E) labs.
"We provided a scoping document which tells them that these are the areas that we believe are in scope," she said. "They can agree, but everything is in play, which is why it was so important for everyone in every building to comply with the things we were asking, because they had the option to deviate from the five buildings we put on our scoping document. Not only was this important to the command and the commanding officer, but it is important to ensure that we are properly protecting the government's assets, and in doing so, we are making sure that we are keeping our cyber threats down," she added.
USCYBERCOM uses three checklists to form the baseline of the inspection: Security Technical Implementation Guidelines (STIG); Computer Network Defense directives (CND); and contributing factors such as leadership engagement and STIG application. Overall, there are more than 200 points of action between the three lists.
"The STIG has 151 actions, and within those there are sub-compartments. Each directive may have an overall header and from there, there are separate actions that must be completed," Clay-Jefferson said. "Violations during inspections are divided into three levels: Category I, or the most severe, to Category III, or a minor violation. An unattended CAC, for example, would be a Category I violation, while failing to load a patch on a computer would be a Category III violation."
The next CCRI for FRCSW is in approximately 18 months.
"In the meantime, FRCSW employees should remain diligent of the operating standards and procedures observed during the last CCRI," Clay-Jefferson said. "We want to make sure that we continue with proper documentation of actions or deviations from any of the Navy's guidelines, and make sure that we continue with the command culture. Command culture sets the pace because if the culture is not adhering to the proper standards, then everything else is left wide open."