On December 21, 2018 the National Security Agency (NSA) and National Cross Domain Strategy Management Office (NCDSMO) released the official Raise the Bar (RTB) guidelines. The initiative offers strategies for improving architecture design and sets requirements to considerably improve cross domain solution (CDS) security and capabilities to stay ahead of the adversary. So, one year later, where are we?
RTB has provided invaluable guidance and is a HUGE undertaking
Cross Domain Solutions make information sharing more efficient and secure. Because of this, they have become interwoven in our national security infrastructure, which is a favorable development. Cross domain solutions have been deployed for nearly three decades on the ground, afloat, in the air and at the tactical edge. In other words, there are a lot of legacy solutions in place. Replacing these solutions is a heavy, expensive lift. This, understandably, makes agencies hesitant to rip and replace solutions even if those solutions do not currently meet Raise the Bar (RTB) guidelines. Instead, agencies are relying on hope that those solutions will become RTB compliant before December 2020.
Hope is working for at least a few solutions that, despite not meeting all the RTB requirements, have been added to the NCDSMO RTB list with the mandate that they meet guidelines by December 2020.
Unfortunately, because of RTB testing timelines, developers of CDS not already in testing will likely not meet the December 2020 deadline. This will ultimately force a rip and replace with little lead time to accomplish the mammoth task, inevitably resulting in higher costs.
The testing conundrum
Many vendors have risen to the call to become RTB ready: several vendor solutions are RTB ready, with several more ready to enter the government labs for testing. The problem is there just aren’t enough labs. There are only two government labs qualified to do cross domain testing, which has resulted in a 6-8 month wait list just to enter testing. Once testing begins, simple regression testing takes 2-3 months and full testing 5-7 months.
With 6-8 months just to get into the lab and another 5-7 for a complete test, a CDS that is “in line” for testing today will, at best, probably not make the December 2020 deadline. If an agency’s CDS is not RTB compliant by the deadline, the DoD CIO has threatened to shut down the agency’s CDS program. On top of the lengthy testing timetable, testing comes with a hefty price tag for vendors, and the cost keeps rising. A year ago, one month of testing was $100k; today, it has nearly doubled and is now $180k. In addition, the NCDSMO continues to release new RTB requirements, which require, you guessed it, more lab testing.
Not only are testing times lengthy, but requirements also continue to be added. That is not a bad thing, but before products are finished with one test, it is time to get back in line for the next test to meet the new requirements. AND the testing takes so long that sometimes hardware is obsolete by the time the test is complete, requiring additional regression testing.
Lastly, providers of cross domain solutions that are RTB ready have found the government very slow to adopt approved products. Many agencies are complacent or lack funding and resources to perform RTB upgrades.
How do we win the race?
With all of that said, steps can be taken to improve the situation and get Cross Domain Solutions RTB tested and ready to go before the December 2020 deadline.
Improved testing conditions
The Government can take the following steps to improve the testing process:
- Increase the number of Government labs and/or test teams
- Expand the number of labs and quality of testing by allowing commercial companies to become independent CDS test labs
- Require vendors to perform framework and RMF control testing themselves instead of having it done in the NCDSMO approved labs, which will cut down on CDS lab testing time
- Have Government CDS labs perform selective validation testing only
- Set better testing definitions
- Allow for better communication channels
Know your solution
As a CDS consumer you should:
- Know which vendors and solutions are NCDSMO RTB listed
- Know RTB requirements
- Discuss the requirements with your current vendor and request that they demonstrate how they meet each requirement
- If your solutions don’t meet RTB requirements and they are not in testing by December 2019, consider finding a new option
- For more information about RTB, visit https://info.forcepoint.com/raise-the-bar-cds/
To sum up where we are one year later: RTB is a necessary, good thing for CDS and our national security. With just over a year to go to meet guidelines, RTB:
- Provides invaluable guidance that has already produced more secure, efficient solutions
- Is a huge undertaking
- Needs some adjustments to the testing approach
There is a lot to know, a lot to be done and a lot that has been done. For the most comprehensive RTB coverage and information visit: https://info.forcepoint.com/raise-the-bar-cds/