CIRI cybersecurity software completes DoD Iron Bank security testing program

Government and private sector organizations needing to conform to NIST and/or Department of Defense (DoD) cybersecurity standards and best practices can now access the Cyber Secure Dashboard (CSD) cyber risk management application from the DoD Iron Bank repository of tested and compliant software. The CSD eases, accelerates, and reduces the cost of conforming to various cybersecurity standards for both cloud-based and on-premises systems. The cybersecurity standards supported include: NIST 800-171 for protection of Controlled Unclassified Information (CUI), multiple NIST Cybersecurity Framework Profiles, and the DoD Cybersecurity Maturity Model Certification (CMMC).

The Critical Infrastructure Resilience Institute (CIRI) – with the help of private sector partners and through the sponsorship of the Office of University Programs in the Science and Technology Directorate of the Department of Homeland Security – has successfully completed the rigorous Iron Bank security testing program, with the CSD having been judged compliant by the DoD with the advanced hardening requirements enforced by the Iron Bank testing process. This significant designation has allowed the CSD software to be added to the DoD Iron Bank repository of tested and compliant software, where it is accessible to the broad Defense Industrial Base (DIB) and to any organization desiring to enhance their cyber risk management program to meet DoD or NIST standards.

The CSD operationalizes an effective cyber risk management process that helps organizations to easily understand the requirements of their target cybersecurity standard and empowers them to conduct a cybersecurity assessment according to NIST-standard assessment criteria; to establish and manage a Plan of Action & Milestones (POA&M) to achieve the organization’s target cybersecurity standard; to harmonize cybersecurity activities across the organization and with external cybersecurity partners; to monitor the cybersecurity status of members of its supply chain; and to report ongoing status and progress to internal and external stakeholders.

“Iron Bank helps you make informed risk decisions before deploying your software,” according to the Iron Bank website. Andrew McClintick, President of Heartland Science and Technology – the developer of the CSD – said the Iron Bank process put CSD through rigorous testing to check it for security vulnerabilities and potential defects. Issues identified during the testing had to be eliminated before the CSD containers could be marked as compliant and added to the Iron Bank repository. Going forward, this ‘test and fix’ process must be completed any time the software is subsequently updated or upgraded. In addition, according to the Iron Bank website, “Every container image is scanned daily for vulnerabilities, and vendors can update and patch images as risks are identified. This means that when the CSD in the Iron Bank repository has a ‘compliant’ status designation, your team can be assured that it has been tested against

the latest security vulnerabilities, and that we are continuously testing against new threats and vulnerabilities and fixing as necessary to maintain the ‘compliant’ status”, said McClintick.

CIRI - a unit of the Information Trust Institute (ITI) within the Grainger College of Engineering at the University of Illinois Urbana-Champaign - is a Department of Homeland Security, Science and Technology Directorate, Center of Excellence, which has been executing its mission to enhance the security and resilience of our nation’s critical infrastructure since 2015. Its three-fold mission is to conduct innovative, outputs-oriented research; sustainably transition those outputs to the field; and to educate and develop a security- and resilience-savvy workforce.

Completing the rigorous testing and achieving the Iron Bank compliant designation is a significant milestone for the institute. “It demonstrates the quality of the research and development at ITI and CIRI and the strong public/private partnerships that allow us to transition that research from the lab to the field so that it can deliver a positive impact where it is most needed,” said ITI and CIRI Director David Nicol, PhD.