OASYS, INC.: Cybersecurity Adherence from Design to Deployment

Shellie Mitchell, CEO, OASYS, INC.

Driving through the city of Huntsville—located in Madison County in the Appalachian region of northern Alabama—will remind one of the advancements that humankind has achieved in space exploration and defense. Nicknamed “The Rocket City,” Huntsville is home to the Saturn V rocket that launched man to the moon. The city has since evolved into a major technology hub with innovative companies pushing the proverbial envelope. One such ‘above the curve’ company is OASYS, INC. Riding on a successful track record of delivering comprehensive capabilities across the full spectrum of cybersecurity—ranging from compliance, database hardening, securing data transfers, vulnerability detection, and static and dynamic source code analysis, to name a few—OASYS, INC. helps its clients accomplish their missions in a safe and secure manner. “We assist our customers with being proactive about cybersecurity vulnerability prevention: to ‘Shift Left’ the security engineering into earlier phases of the software engineering process,” says Greg Bacon, president of OASYS, INC.

In traditional processes, security is left until the end: the software developer builds the system and hands it to another organization to perform cybersecurity analysis of the infrastructure requirements, design, and source code, and to conduct penetration testing. At this stage, latent defects are expensive to fix, with little to no room in the schedule for the necessary rework. Shift Left is an agile concept in which the development team addresses essential security considerations early on; it allows OASYS, INC. to resolve issues inexpensively and avoid future expenses rather than deferring them to later phases. “As the complexity of software systems grows, every new feature or interface in the system may interact with any of the system’s existing features in a way that creates vulnerabilities. Our systems engineering team meticulously considers cybersecurity requirements along with the system’s other functional requirements, during design, implementation, and test,” mentions Bacon.

Covering the Full Spectrum of Cybersecurity Assurance

OASYS, INC. delivers its expertise at all points on the cybersecurity spectrum, whether it is adhering to National Institute of Standards and Technology (NIST) standards or spearheading the process for customers to obtain formal accreditation for Authority to Operate (ATO), Cybersecurity Framework, Risk Management Framework (RMF), Certificate of Networthiness (CoN), Security Technical Implementation Guide (STIG), and Plan of Action & Mitigation (POA&M). Bacon informs, “We provide Oracle database hardening; RMF support; STIG support across Windows, Linux, and Unix platforms; adjudication of static analysis findings; defect and vulnerability repair; systems engineering; software architecture and design; data tuning; and denial of service (DoS) prevention. The benefit to our customers is that during all phases, from design through test and deployment, OASYS, INC. is there to ensure the accreditation process runs smoothly.”

Further, the company has a team of experts with certifications in Security+, Certified Ethical Hacker (CEH), and Certified Information Systems Security Professional (CISSP).

OASYS, INC.’s competent team possesses extensive knowledge and experience in fielding, using, and managing Information Systems (IS) on the Army Enterprise Architecture, LandWarNet, including Commercial Off-the-Shelf and Government Off-the-Shelf systems. Consequently, the team is also well versed in the DoD Certification and Accreditation (C&A) processes. Its certified cybersecurity subject matter experts, along with systems and software engineers and functional specialists, possess the knowledge and experience to successfully implement C&A methodologies that facilitate the preparation and delivery of CoN and RMF artifacts and documentation. “The end result is a secure system that our customers, the warfighters who trust their lives to our products, can depend on,” comments Bacon. OASYS, INC. has implemented these processes to receive favorable accreditation for multiple U.S. Army Enterprise systems.

Competence, Delivered.

OASYS, INC. successfully achieved ATO for an Army big-data archiving and processing system. ATO is mandatory before connecting with operational DoD systems. The company’s team that supported this system had in-depth experience using the RMF methodology to categorize systems; select, implement, assess, and monitor security controls; and generate the artifacts necessary to achieve ATO. “Our approach was to prepare and deliver all application CoN and RMF artifacts and documentation in accordance with C&A artifacts and was based on methodologies we have successfully used across multiple systems and solutions falling within our C&A responsibility,” states Bacon. The OASYS, INC. team ensured compliance with the Army’s Networthiness Program for all applications intended for deployment within the LandWarNet per Army Regulation 25-1, Army Information Technology. Specifically, in preparation for CoN submission, OASYS, INC. identified and assessed software and components as to their utility, risk of network disruption, requirements to protect data at rest and in transit, and potential for vulnerability risk using relevant Defense Information Systems Agency (DISA) published STIGs. OASYS, INC. also performed targeted analysis of systems and applications proposed for deployment on the LandWarNet in order to gather the system information and attributes required for the development of the CoN request. With the results of the analysis in hand, OASYS, INC. used tools available from the U.S. Army Network Enterprise Technology Command (NETCOM) to develop the request and collaborated with NETCOM analysts to ensure any questions or issues were promptly addressed to facilitate on-time delivery.

For this project, OASYS, INC. implemented a cybersecurity lifecycle focused upon four activity areas.

First, cybersecurity C&A was initiated and planned, which included registration of the system with the DoD Component Information Assurance (IA) Program, assignment of IA controls, assembly of the cybersecurity team, and initiation of the implementation plan. Second, the company validated the assigned cybersecurity controls, conducted validation activities, prepared the POA&M, and compiled the results in the security scorecard. Third, a comprehensive documentation package supporting a favorable accreditation decision was developed and finalized, which involved the system identification profile, security strategy, implementation plan, security control requirements, and additional relevant artifacts. Finally, OASYS, INC. maintained the ATO by developing situational awareness of the system’s cybersecurity posture and performing annual reviews of cybersecurity controls.

In another example, the OASYS, INC. team implemented an RMF methodology that aligned with NIST Special Publication 800-37, Guide for Applying the RMF to Federal Information Systems, and provided technical advice, guidance, and direction as systems adopted the RMF. This helped DoD complete its transformation from the DoD Information Assurance Certification and Accreditation Process (DIACAP) to the NIST RMF.

An Ingrained Focus on Expertise and Innovation

As a company that takes pride in its deep technical expertise, OASYS, INC. has always strived to innovate and push the envelope. Founded by former research professor Dr. Anthony Orme, OASYS, INC. works like a university environment in which different people have different strengths and research interests. The company brings in experts who, with years of experience, have trained their discernment to spot underserved niches, or niches that its competitors lack the know-how to tackle. The team also provides clients with the support and resources to carry innovative ideas from concept to reality. For example, Bacon mentions, “Our automation of Oracle database hardening was developed by one of our in-house experts in response to an unmet customer need. Another customer’s product was buckling under user-load in a way that could have become a DoS vulnerability. In these cases, the customers reached out to us because of our well-respected expertise around the DoD community to resolve problems before they become emergency vulnerabilities.”

Further, the company has always ensured that its senior management team has strong technical qualifications that give them a unique ability to understand both the business and technical sides of their customers’ work. “Customers notice and comment on how we take care of our people with frequent visits to various sites, which also gives us opportunities to hear about growth and new business opportunities,” says Bacon.

So, what can be expected of OASYS, INC. in the future? CEO Shellie Mitchell answers, “2018 was a record year for us in which we finished at an all-time high for both the number of employees and revenue. We expect the demand for handheld cybersecurity to grow more rapidly and deeper understanding of root causes of software vulnerabilities to become a necessity.”

- Shiv Shanker, March 20, 2019