Home : Media : News : Saved News Module
NEWS | May 21, 2020

Norfolk Naval Shipyard receives full Authorization to Operate IT systems through March 2023

By Gene Christopher, C109.21 Cybersecurity Division Assessment and Authorization Branch Manager

Norfolk Naval Shipyard’s (NNSY) IT Department recently received a full Authorization To Operate (ATO) its information technology (IT) systems through March 2023. 


Security and compliance are primary considerations to ensure continued safeguarding of IT systems within America’s Shipyard. 


With an ATO issued by the Navy Authorizing Official (NAO), NNSY cyber IT and cybersecurity functions throughout the shipyard are permitted to operate safely and securely. 


“This means our legacy Shipyard Local Area Network (SYLAN) is given permission to provide the computing services our NNSY staff need to roll out the finest services to the fleet,” said Kevin Williams, NNSY Cybersecurity Division Head (Code 109.2).  “Without the ATO, the SYLAN network would be issued a denial to operate and no cyber IT services would be available on the shipyard.  This would mean no payroll data would be transmitted to DFAS.  No data collaboration between NNSY and the other shipyards would be permitted.  Every SYLAN function on the base would cease to exist, until the effort to attain a good ATO was executed.”


The action of ensuring our DoD/DON/NNSY computing devices, which include sites, systems, and applications, operate without risk of compromise, or loss of data, is known as Cyber Risk Management.  


Central to this is the Risk Management Framework (RMF).  The RMF provides a vehicle to evaluate the security posture of our NNSY computing devices and provide an assessment to the officials who permit operation of these devices within the DoD Information Networks (DoDIN). 


The authorizing officials, both at the NAVSEA Functional level and at the Navy level, provide RMF oversight permitting the NNSY staff, with NAVSEA 04 ECH II support, to request the ATO be granted for a three-year period.


Once that process is complete and an ATO is granted, the NNSY staff will roll efforts into the RMF process known as Continuous Monitoring. 


This involves ensuring correct Cyber IT Lifecycle Management strategies are in place and continue to be used, as well as a function Information Assurance Vulnerability Management (IAVM) program is utilized to correctly support the continued operation of the computing devices.


At the core of the success is the combined efforts of many NNSY branches and divisions, working in unison to provide the correct presentation of the ATO request. 


From the Cyber IT engineers within the C109.1 division, led by Gary LaFon, who replaced over 450 NNSY SYLAN legacy desktop within a one week period, to the C109.3 division, led by  Becky Yates, who manages the acquisition processes in the Cyber Lifecycle, including the procurement and warehousing of the 450 desktops that were deployed, to the C109.2 division, led by Kevin Williams, who hosts the C109.21 Assessment and Authorization team, led by Gene Christopher, made up of many Security Control Assessors (ISSE), as well as the embedded RMF Fully Qualified Navy Validators (NQV),  who provided the glue merging RMF pieces together. 


NAVSEA 04 efforts, led by Eric Mallo, effectively coordinated with Code 109 on the ability to present three separate ATO requests at the same time.


Commending the efforts of Acting Chief Information Officer Bobby McClure, NNSY senior civilian Curt Hart said, “Bobby came in and has done remarkable things to improve staffing, training and operations which have allowed him to get us to this point. Huge BZ to Code 109 and Mr. McClure!”