CRANE, Ind. – A Naval Surface Warfare Center, Crane Division (NSWC Crane) information technologist developed a software tool projected to provide over $8 million in cost avoidance annually and increase NSWC Crane’s cybersecurity posture. Dan Ireland combined and expanded sample code provided by colleagues Nick Hurley and Rickey Beem to create the Evaluate-STIG (Security Technical Implementation Guide) tool, a Windows PowerShell tool with the ability to highly automate the process of documenting system compliance.
“Compliance with security requirements is a core step in obtaining an authority to operate (ATO) for any computing system,” said Ireland. “But, more importantly, a strong cyber security posture is paramount in protecting DoD systems, intellectual property, and the Warfighter.”
In the NAVSEA Inspector General audit, Information Technology (IT) is required to check all computing assets for compliance. Benchmark scans can be performed for some of the STIGs to help with checklist documentation but can still result in many items marked as Not Reviewed. Administrators then need to review them manually for compliance. Furthermore, many STIGs do not have an associated benchmark, making compliance documentation completely manual.
“While the scans we have are a tremendous help, the remaining Not Reviewed items are labor intensive, prone to error, and cost prohibitive,” said Ireland. “Having to do this work manually makes day-to-day operations suffer.”
Ireland’s tool could produce over $8 million in cost avoidance annually and cut over 1500 man-hours by automating the otherwise manual process. The Evaluate-STIG tool also strengthens Crane’s cyber security posture by closing the gap left from the benchmark scans and producing accurate, more complete STIG compliance documentation through an automated and consistent process.
“I’m proud of Dan and the ITD team for what they’re bringing to the DoD with this tool. Crane is reducing administrative burden, achieving greater compliance through automation, and is more confident systems are properly configured and protected,” said Bill Carter, NSWC Crane’s Activity Chief Information Officer (ACIO). “This group has been a constant source of innovation, and I’m looking forward to seeing what else they can create in the future.”
The goal is for the Evaluate-STIG tool to be eventually utilized by the entire Warfare Center enterprise.
“I think all Warfare Centers experience similar pain points, and this tool could help,” said Ireland. “Eventually, I would like to see it saving the entire Department of Defense time and money.”
NSWC Crane is a naval laboratory and a field activity of Naval Sea Systems Command (NAVSEA) with mission areas in Expeditionary Warfare, Strategic Missions and Electronic Warfare. The warfare center is responsible for multi-domain, multi-spectral, full life cycle support of technologies and systems enhancing capability to today's Warfighter.