The challenge
This MOD delivery team needed security advice and guidance on an operationally important project. Specifically, the team needed a security architect and a Security Assurance Coordinator (SAC). The project classification and subject matter demanded highly specialised capability. Using the Framework Agreement for Technical Support (FATS), the MOD contracted Ascentor via one of the framework suppliers.
The solution
Ascentor assigned two CESG Certified Professional (CCP) consultants: a principal security architect to lead on the technical security solution for the system, and an information assurance (IA) consultant to fulfil the role of the SAC and manage all the accreditation aspects and the formal security deliverables.
Throughout the Assessment Phase (the second phase of the MOD’s acquisition lifecycle), the security architect and the SAC worked with the users, system engineers and requirements manager to develop a coherent, pragmatic, appropriate and cost-effective set of security requirements for inclusion in the System Requirement Document (SRD), part of an Invitation to Tender (ITT) for prime contractors.
The optimised set of security requirements allowed the prime contractors to develop a costed security solution in their proposals. The Ascentor consultants then supported the client team in assessing the suppliers’ tender responses in accordance with MOD procurement best practice. After contract award, due to the niche technical aspects of the security requirements, the security architect was responsible for providing advice and guidance to the equipment providers (OEMs). This enabled them to produce a secure solution that was documented in the Security Aspects of the Design (SAD) for their respective equipment.
The result
The consultants successfully delivered: an OEM Security Guide; threat and vulnerability assessments; technical risk assessments; risk treatment plans; implementation and assurance plans; PDR and CDR technical security requirements reviews.
The equipment providers received appropriate advice on how to design and develop their solutions to comply with the security requirements, as well as on the technical security requirements and appropriate configuration that would support the accreditation requirements.
Ascentor’s advice and guidance ensured the accreditor and information asset owner (IAO) were able to grant approval for ‘main gate’ submission (business case approval) and successful transition into the subsequent Demonstration and Manufacture Phases.
The accreditor and the IAO commended Ascentor’s approach and the format of the evidence presented at the end of the Assessment Phase.
The accreditor commented that the Ascentor SAC consultant was: “One of the best SACs I have worked with.”