What is Operation Vulcan Logic?

  • The ATO execution process in general, to date, has been very resource and time intensive. While the ATO approval process is an important contributor to implementing cybersecurity and managing risk, delays in fielding new systems and capabilities can bring their own risks by extending the use of legacy (often less secure) capabilities.
  • DODs RMF implementation intent is to deliver secure, resilient, and survivable mission functionality, where the system design achieves the right balance between mission and cyber functionality such that the system can perform all necessary mission functions, in a cyber-contested environment, with an appropriate level of risk.
  • Operation Vulcan Logic (OVL) is a risk centric, agile, authorization Ecosystem where the Authorizing Official (AO), the programs, and the systems/capabilities seeking authorization have clear outlined Criteria, Observables, and Behavior (COB) expectations and templates to leverage, based on over 2,000 successful implementations.
  • OVL is rooted in the tenants outlined in NIST SP 800-160 and the innate responsibility of practicing Systems/Systems Security Engineering – which are Cyber Security and Resiliency Enablers, throughout the system development lifecycle (SDLC). It is this same Systems/Systems Security Engineering that will be relied upon to produce the evidentiary data, and analysis.
  • OVL is rooted in the tenants outlined in NIST SP 800-160 and the innate responsibility of practicing Systems/Systems Security Engineering – which are Cyber Security and Resiliency Enablers, throughout the system development lifecycle (SDLC). It is this same Systems/Systems Security Engineering that will be relied upon to produce the evidentiary data, and analysis.
  • For the AO to assess, determine, and articulate the risk of use for systems/capabilities withing their boundary, a flexible process flow has been outlined to assist the programs and CRAs (Cyber Risk Assessor play a similar role as Security Control Assessor (SCA) in communicating with a common frame of reference.

Purpose of Training

  • The Cyber Risk Assessor (CRA) is responsible for providing the Authorizing Official (AO) with an independent “Cyber Risk Analysis” and acceptable “Risk of Use” for the system or capability throughout the entire Operation Vulcan Logic (OVL) Ecosystem Agile Authorization process while focusing on criteria, observables, and overall behaviors. This training provisions the CRA with the knowledge, skill and ability to perform security assessments utilizing the Operation Vulcan Logic (OVL) processes and templates to conduct a comprehensive analysis and make a risk recommendation to the AO.
  • This training required for all appointed CRA’s, and strongly recommended for Information System Security Managers (ISSMs), Program Mangers (PMs), System Security Engineers (SSEs) and any key stakeholder that wants to learn more about the process.
An Authorizing Official’s Perspective on Agile Authoriation

In this video, Danny discusses his approach to authorizations using Operation Vulcan Logic (OVL). Click to learn more.

Let’s Talk Continuous Authorizations

Danny speaks with the Air Force’s former Chief Software Officer, Nicholas Chaillan, about what it takes to achieve a cATO in the DoD.

So you want a cATO

In this video Danny, Lonye Ford and other experts provide their insights on obtaining a Continuous Authority To Operate in the DoD.