DOE’s Office of Science relies on TDI’s A&A expertise to ensure its general support system remained operational.

TDI performed a Security Test and Evaluation (ST&E) effort, a critical element of the Certification and Accreditation (C&A) process, for the Department of Energy (DOE) Office of Science Headquarters (SC HQ). Our ST&E assessed the technical and non-technical implementation of the SC HQ IT General Support System (GSS) security design. The components of this GSS provide integrated support for the DOE Science major government-owned, contractor-operated laboratories and other facilities (multi-program and single purpose); service support for DOE Science government-owned, government-operated laboratory; and management of programs and projects, including assignments in high energy physics, environmental restoration and waste management, nuclear physics, basic energy sciences, reactor technology, conservation and energy efficiency, fusion energy science, and solar and alternate energy. TDI’s ST&E effort examined and analyzed security features of this operational environment to determine its security posture. TDI ascertained the effectiveness and proper performance of the security features affecting confidentiality, integrity, and availability that were designed and implemented by SC in accordance with DOE CIO Guidance CS-1, Management, Operational, and Technical Controls Guidance.

TDI determined SC HQ compliance with security requirements by examining technical, general and administrative controls that were in place as part of the system security design. As a starting point, we used the moderate baseline of controls in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53A: Guide for Assessing the Security Controls in Federal Information Systems, and NIST SP 800-53 Revision 1: Recommended Security Controls for Federal Information Systems. Additionally, DOE, Federal Information Processing Standards Publications (FIPS), and other NIST documents were used for both general process guidance and for interpreting the correct implementation of controls.

TDI developed our ST&E Procedures based on guidance provided by NIST SP 800-53A to govern the proper execution of the various tests we performed to validate the security controls in place at SC HQ. Adhering to the assessment procedures, we gathered information through documentation review, DOE employee/contractor interviews, hands-on systems demonstrations, screen captures, technical testing, and physical observation. Each test was methodically and carefully conducted, with the intent of revealing whether or not the controls specified in the planning task were instituted and effective. TDI relied on substantive evidence for ensuring a successful test. We compiled and analyzed data regarding each specification to determine if SC HQ met requirements for appropriate security measures. Finally, TDI assigned a status to each specification and provided recommendations that explain how to mitigate the identified security vulnerabilities. Recommendations were provided for all “Failed” and “Partial” findings. In some cases, even if the test case earned “Pass”, “N/A”, or “Incomplete” status, TDI provided recommendations on how to improve the security posture or strengthen the security control.

TDI’s ST&E efforts were part of a larger effort in support of the DOE. In concert, our work there provided the instrument through which the DOE SC HQ was able to push its full General Support System through the C&A process, ultimately obtaining an Authority to Operate (ATO). The DOE heavily relied upon our ST&E Report which included: the specification for the control as expressed in NIST SP 800-53; the expected results to meet this control as expressed in NIST SP 800-53; a description of TDI’s findings; a list of evidence collected to justify the results statements; the grade/status for the control and additional information as to how that grade was derived, if necessary; and any suggestions or recommendations TDI may have had regarding this control. Our deliverable for this effort provided the DOE with valuable insight into areas of focus they were able to address and remedy.

Testimonials

Don’t take it from us, hear what our clients have to say about TDI

“TDI’s approach to Managed Cybersecurity Performance (MCP) has been a game changer for us. We now have added visibility and insight to better understand risk and the ROI (return on investment) we’re receiving from our other security provider. Our security program continues to mature and we’re able to maintain continuous compliance. MCP gives me one less thing to worry about and frankly makes my job easier.””
Johnny Yang
Director Information Security & Compliance
“TDI always provides top notch personnel that meet or exceed the requirements of the contract. Their deliverables, reports, and technical aptitude are bar none. We will continue to hire TDI … they always come through for us and our end customers.”
Emilio Gonzalez
Joint Strike Fighter Program Manager
“[TDI Employee] You are the Man !! Thanks so much for the quick turn around.”
W.A. Harrison
USAJOBS Program Office Deputy Program Director
“The most appealing part of the engagement was the development of the 10-year strategic security plan for our mutual client. The quality of the thinking and input into the deliverables was exceptional.”
Bruce Gnatowski
Director Verizon Global Services
“On behalf of MCSC, PdM TFITS, Manpower Team, I would like to express our appreciation for the excellence in leadership & teamwork demonstrated by [TDI Staff] over the past 18 months. Her role as a lead IA professional was carried out in a manner above and beyond expectations.”
Beverly Walker
USMC Manpower Branch Manager
“Highly skilled and knows their work. . . exceptional at task preparation & reduced time to perform tasks by 90%. TDI brings quality & care to the table. Lots of companies have good people, but TDI employees really care about the work they do & the collective customers we support.”
Deron Burba
Smithsonian CIO
“TDI and its staff provided high quality testing engagements followed up by concise easy to understand reports. They clearly showed adherence to tasks schedule and offer adequate frequency of client/customer interaction resulting in a very satisfied customer.”
Carla Little-Kopach
Chief, DARPA SSO BPA
“TDI has proven an invaluable asset to the mission of the CTO…have strengthened the overall IA posture of the DEA Enterprise…and continues to further innovate and provide solutions that help sharpen the overriding information technology goals and mission of the Office of the CTO.”
Mark Shafernich
CTO, DEA

Related Case Studies

All Case Studies
TDI brings risk expertise to bear at USDA in RMF & supporting tasks

Across multiple tasks at the USDA TDI provides Risk Management Framework, A&A, continuous monitoring, risk visualization, compliance, and risk and project management.
HHS called in TDI to help restore its cyber-health & TDI delivered a cure

We performed many A&A tasks at HHS, including high-profile security assessments on eight of their general support systems (GSS). Penetration testing was a major component of our function there.
TDI helped USAC so they could help those in need in the U.S.

TDI provided a broad range of cybersecurity compliance and technical services to USAC so they could securely fund the mission of the FCC to support urban, poor, and educational communities.

nSights Report


X