Cyber Risk Assessor (CRA) onboarding for Operation Vulcan Logic (OVL) provides the essential information a CRA needs to help a Program achieve and sustain an Authority to Operate (ATO). OVL addresses a system’s RISK instead of taking a check-the-box compliance approach. Below you will find a description of the onboarding agenda and the components that are addressed.
Training Agenda
Module 1: Authorizing Official’s (AO) Perspective
- Mr. Holtzman introduction video
- Terminology
Module 2: Operation Vulcan Logic
- Background
- What is it?
- Elements
- What is System Security Engineering
- Authorization Determinations
Module 3: Authorizing Official (AO)
- Introduction
- AODRs
- AO Objectives, Enablers, and Collaboration
- AO Playbook v1.0
- OVL Agile Authorizations and Systems Engineering
Module 4: Cyber Risk Assessor (CRA)
- CRA Roles and Responsibilities
- CRA Objectives v1.0
- CRA Onboarding v1.0
- CRA Playbook v1.0
Module 5: Body of Evidence, Artifacts – Information Tools
- IT Categorization and Selection Checklist (ITCSC)
- AO Determination Brief
- Risk Analysis Report
- CRA Recommendation Letter
- Draft AO Authorization Letter
- DevSecOps (DSOP) CONOPs (If applicable)
- AO Determination Brief Guide
- Documentation A&A Lifecycle
Module 6: CRA Assessments
- CRA Risk Recommendation
- Body of Evidence
- Connection Package Required Documentation
- Assess Only
- Assessment Tools
- Security Assessment Plan (SAP)
- Security Assessment Report (SAR)
- Cyber Hygiene
- Risk Assessment Report (RAR)
- Conditions and Residual Risk
- Plan of Action & Milestones (POA&M)
- No Security Impact (NSI)
Module 7: Continuous Execution
- Continuous Monitoring Plan (ConMon)
- Conditions/Residual Risks
Module 8: Reciprocity
- What is it?
- Agreement and Conditions
- Joint Responsibility
- Originating Organization Responsibility
- Receiving Organization Responsibility
- Change Management Requirements
- eMASS Requirements
Module 9: Agile Authorization Ecosystem
- Putting all of this together
- Phased Approach
- Summary