CYBER LAB
EXPERT IN CYBERSECURITY COMPLIANCE
CYBER LAB is a thought leader with in the cybersecurity industrial control systems (ICS) supporting many federal agencies. We have experienced staffs that know the cybersecurity and operational technology (OT) environment well. Our personnel have extensive knowledge and credentials, as well as comprehensive and current practical Information Operation experience.
MEET THE EVER-EXPANDING REQUIREMENTS OF CYBER OFFENSE AND DEFENSE ACTIVITIES
CYBER LAB meets the expanding requirements of cyber offense/defense activities, including full-spectrum Information Operations (IO) and security engineering. We have developed integrative solutions to help other organizations to meet Defense Federal Acquisition Regulation (DFAR) Supplement (DFARS) 252.204-7012, specifically focusing on OT networks that include ICS. This DFARS forms the basis of the new Cybersecurity Maturity Model Certification (CMMC) and requires DoD contractor information systems to be rated compliant by an independent third-party assessment organization like Peregrine, per NIST Special Publication (SP) 800-171 controls.
CYBER LAB’s subject matter experts (SMEs) possess the required credentials, training, and certifications, as well as many years of Federal and DoD Information Assurance (IA) and Risk Management Framework (RMF) experience. Our commitment to quality is grounded in core management principles and experience – staff with significant IT experience, who knows the IA environment well, and use sound methodologies and superior task management.
CYBER LAB’s staff has over 10 years of experience in supporting cyber security tasking starting with Certification and Accreditation (C&A) tasking in the 1990s. The Chief Technology Officer and Staff all hold the requisite certifications, including GICSP, CISSP, CDFE, and PMP based on DoD Directive 8570.1, which support the level IAT III within the Cyber Security Work Force requirements. CYBER LAB’s expertise, organizational agility, credentials, and experience make us low risk.
Over the years we have expanded our clientele and capabilities, but we remain a cyber security company at heart. Innovation and imagination are key features of CYBER LAB. CYBER LAB is dedicated to process and quality in everything we do.
* DoDI’s 8500 Cybersecurity (DoD Directive, DoD Instruction)
** DoDI’s 8510 Risk Management Frameworks (RMF) for Information Technology
Our staff is made up of experienced IT and cybersecurity professionals and possesses the required credentials, training and certifications, as well as many years of Federal and DoD IT and cybersecurity experience. CYBER LAB’s commitment to quality is grounded in our core management principles of experience where CYBER LAB staff members have significant IT experience, know the IA environment well, and use sound methodologies as well as superior task management.
WHO WE ARE
EXPERIENCED IT AND CYBERSECURITY PROFESSIONALS
With a primary focus on the Federal Government including US Air Force, Navy, and Army, CYBER LAB is in the Washington DC National Capital Region and Guam, Asia-Pacific, but operates globally with associates and consultants.
Team Leader: has over 35 years of consulting experience in Program and Project Management in the areas of Cybersecurity, Energy, Environmental and Sustainable Design (LEED, Energy Star and Carbon Footprint); Critical Infrastructure Protection and Analysis; Building Information Modeling (BIM) Technology; and Emergency Management/Disaster Recovery. He is trained as a SANS Global Industrial Control Systems Professional, a Project Management Professional, and a LEED Accredited Professional.
He has a depth and breadth of experience with federal contracts and grants; has managed and directed both small and large and complex IT and OT engineering projects and has advanced skills using cloud/virtual/mobile, project management, MS Office suite, geospatial, building information modeling, emergency management, and financial accounting applications software. He has been an active member as a chair or board member in local professional societies and universities, teaches seminars and courses on IT and OT, security, and buildings systems convergence.
He is the creator and instructor of the DHS Cybersecuring Building Control Systems and Cybersecuring DoD Control Systems Workshops, author of the Whole Building Design Guide Cybersecurity Resource page, author of the DoD Cybersecurity Resource page, and author of numerous DHS Building Infrastructure Protection Series (BIPS) publications.
Also, he was an author of DoDI’s 8500 and 8510 for the PIT and control systems language; a Special Contributor to NIST SP 800-182; developed and teach the DoD FRCS (Facility Related Control Systems) Cybersecurity Workshop for gov and private sector, Cyber SME support to the OSD (The Office of the Secretary of Defense) Cyber Physical Advisors Office, OSD Energy Office and DoD ESTCP Installation and Environment Program Office.
* DoDI’s 8500 Cybersecurity (DoD Directive, DoD Instruction)
** DoDI’s 8510 Risk Management Frameworks (RMF) for Information Technology
Performance ratings from government
He has been on contract with OSD (The Office of the Secretary of Defense) since 2009 supporting the CPA, Energy and ESTCP offices. He is on the Noblis Team (https://noblis.org/defense/) recently award the DTRA Counter Terror contract to provide Cyber SME services to teach how to attack and defend control systems.
DTRA: Defense Threat Reduction Agency
DTRA enables the Department of Defense, the US Government, and International partners to counter and deter Weapons of Mass Destruction (WMD) and Emerging Threats.
DFARS 252-204-7012
CYBER LAB can help you to develop and update an integrative solution to meet the DFARS 252.204-7012, specifically focusing on networks that include FRCS, ICS as well as commercial Internet of Things (IoT) products using the subset of 110 RMF security controls.
It would meet the Unified Facilities Guide Specifications (UFGS) 25 05 11 Cybersecurity of FRCS and contains the following artifacts:
Contractor Computer Cybersecurity Compliance Statement, Cybersecurity Schedules, Inventory Spreadsheet, Contractor Temporary Network Cybersecurity Compliance Statement, FRCS Facility Acceptance Task (FAT) and Site Acceptance Test (SAT) Checklist, ACI TTP Fully-Mission Capable (FMC) Baseline, Information Systems Contingency Plan (ISCP), System Security Plan (SSP), Security Audit Plan (SAP), and a Security Monthly Audit Report (SMAR).
We support the implementation of RMF for all DoD IT/OT systems utilizing a multi-tiered cybersecurity risk management approach as described in DoDI 8510.01, with the Purdue Model for Control Hierarchy as a logical framework. Consisting of five zones and six levels of operations, CYBER LAB can ensure all RMF security controls are implemented technically, administratively, and physically, per NIST SP 800-53 as well as the ICS addendum NIST SP 800-82.
We also help companies be ready for the Cybersecurity Maturity Model Certification (CMMC), which is the next stage in the DoD efforts to properly secure the Defense Industrial Base (DIB). In the simplest of terms, the DoD announced in June 2019 that it is creating a new cybersecurity assessment model and certification program. This signals to industry an end to the honeymoon period. Unlike prior years, contracting authorities will not accept only an SSP and POA&M as compliance for DFARS 252.204-7012. Contractors will instead be evaluated based upon the implementation of actual technical controls in addition to their documentation and policies. These evaluations will lead to a level certification of 1 to 5, with the latter being the most secure.
WHAT WE DO
COMPREHENSIVE CYBERSECURITY & COMPLICANCE SUPPORT
As a firm with extensive DoD expertise, we provide specialized services in the areas of compliance, vulnerability management, cybersecurity strategies, and engineering.
Projects
Guam / Hawaii / United Sates
-
CONTRACT NO. N62742-21-C-1342, J-032 BACHELOR ENLISTED QUARTERS (BEQ) E, J‐036 BEQ C, J‐038 BEQ J, J‐039 BEQ K, AND J‐037 BEQ G, MARINE CORPS BASE GUAM,FINEGAYAN, GUAM.
-
JFY14 J-755 Urban Combat Training, Andersen Air Force Base, Joint Region Marianas, Guam.
-
N62742-21-C-1334 J-023 BACHELOR OFFICER QUARTERS-A, US NAVSUPPACT Marine Corps Base, Guam.
-
N62742-21-C-1333 J-025 GOJ MEDICAL DENTAL CLINIC, FINEGAYAN, MARINE CORPS BASE, GUAM.
-
N6274-21-C-1322 J-015 Enlisted Dining Facility, Marine Corps Base, Guam.
-
N401921802803 REPLACE SUBSATION TRANSFORMERS T-11 (CNR-5931) & T-12 Navy Base, Guam.
-
N62742-21-C-1331 J-017 U&SI Distribution Nodes and Site Telecom (2Buildings), Marine Corps Base, Guam.
-
FY18 P-013 COMMUNICATIONS/CRYPTO FACILITY NCTAMS Wahiawa, JOINT BASE PEARL HARBORIHICKAM, OAHU, Hawaii.
-
FY21 MCON PROJECT P-803 INDIVIDUAL COMBAT SKILLS TRAINING, Marine Corps Base, Guam.
-
WON 1647272 DB REPAIR/RENOVATE BLDGs 6003, A, B, and C, NAVAL BASE GUAM.
-
WON 1652509 Replace Pumps Motors and Valves at SLS-28 Camp Covington, Naval Base Guam.
-
WON 1720999 Peal Harbor Naval Shipyard (PHNSY) Detachment Gaum Interim Facility Project Adjacent to B6060 Naval Base Guam.
-
WON 1605193 REPAIR BLDG 1706SV and MODERNIZE FUELS LAB at LOWER SASA VALLEY, PITI, GUAM.
-
N4019222D2706 T.O.N4019223F4100 WON 1702007 BUILDING 309 GENERATOR, MARINE CORPS CAMP BLAZ, GUAM.
-
N6274223F9922 P-309 Ground Combat Element – Infantry Battalions 1 & 2 Facilities, Marine Corps Base, Camp Blaz, Guam.
-
FY23 SPECIAL PROJECT RM 14-1423 REPAIR/MODERNIZE MIKE AND NOVEMBER WHARVES, Naval Base Guam, Guam.
-
N62742-21D-2325 Task Order. No. N6274223F9930 JFY22 J-014 Physical Training Complex, Marine Corps Base.
-
J-011 Marine Admin Building, Marine Corps Base, Guam.
-
P-802 Base Warehouse, Marine Corps Base, Guam.
-
P-3000 Airfield Damage Repair Warehouse, Andersen Air Force Base.
-
Repair Building 502 Fort Shafter, U.S. Army Corps, Oahu Hawaii.
-
Shaw Air Force Base MCT, South Carolina.
-
FY23 P-871U CBRNE Training At the USNAVSUPPACT MCB CAMP BLAZ GUAM.
-
P-927 Whiskey Panda Radio Barrigada, Navy Guam.
-
WON 1756834, Replace 3 Raptor Screens, Connected Systems, and Install Catwalk Waste Water Treatment Plant (WWTP), NAVAL BASE GUAM APRA HARBOR (NBGAH).
-
WON 1792693 Upgarde Fluoride & Chlorine Injection System Building 576 & 588, Naval Base Guam Naval Magazine
-
WON 1799643 Repair Haputo Trail At Finegayan, Marine Corps Base Camp Blaz, Guam
-
WON 1807265 Repair Various Facilities Damaged by Typhoon Mawar, Marine Corps Base Camp Blaz, Guam
-
WON 1810967 Replace Multiple Pole Mounted Transformers w/ Pad Mounted Transformers P-129 & P-527, Naval Base Guam (NBG)
-
WON 1810963 Naval Base Guam Facilities (TO#07) - Remote Buildings
02
24/7 Support
CYBER COMPLIANCE FRAMEWORKS
Risk Management Framework (RMF) Assessment & Authorization (A&A)
We have extensive experience with enclaves such as SIPRNet, NIPRNet, and Classified WANs (CWAN) will partner with you to identify and manage the unique requirements of these networks.
RMF ATO Services for DoD Agencies
The Risk Management Framework (RMF) enables Department of Defense agencies to effectively manage cybersecurity risk and make more informed, risk-based decisions.
Department of Defense Agencies
Do you need to assess your information systems to DoD RMF standards in order to receive a DoD Authority to Operate (ATO)? With our DoD RMF certification and accreditation service, we can help you assess your information systems to DoD RMF standards. We utilize NIST Special Publication (SP) 800-53, the 6 steps of the RMF framework (see below), and our extensive experience to provide the Department of Defense agencies with RMF support.
THE SIX-STEP DOD RMF PROCESS
Our experience with DoD RMF compliance gives you the guidance you need to navigate every stage of the process. From setting up new systems to monitoring your ongoing risk, we are here to proactively support your data security on your path to RMF compliance. Learn more about the 6 step process from NIST here.
1. Categorize the System
This occurs in conjunction with the governing body or agency who is issuing the ATO and is based on CNSSI 1253.
2. Select Controls
Based on the categorization of the system and identified information types, we support the selection specific sets of controls, common controls, and applied overlays and tailoring of controls document of an implementation plan draft and prepare the RMF Continuous Monitoring Strategy.
3. Implement Controls
We support documentation boundaries, initiate the Risk Assessment Report (RAR), draft interconnection agreements, register systems, and articulate /designate security controls for enclaves, systems, and applications. We will support the documentation of the security control implementation within the Security Plan and support the implementation of control solutions consistent with DoD component cybersecurity architectures.
4. Assess Controls
Our team will assess the effectiveness of the security controls with a Security Test and Evaluation (ST&E) practices and support the Security Assessment Plan. We also support the development and approval of the Security Assessment Report (SAR) and provide a pre-assessment where we review the security posture of the Information System(s). In addition, we support the creation of a Plan of Action and Milestones (POA&Ms) as required and draft documents as articles of evidence for processes for review and acceptance by the Security Control Assessor (SCA) and Authorization Official (AO).
5. Authorize System
We are here to support your team during the authorization process with updates and changes as required by the AO during your review to receive your Authority to Operate.
6. Monitor Controls
As required by your system and ATO, we will work with your team to manage the weekly, monthly, quarterly, semi-annual, and annual monitoring reports.
COMPLETE RMF A&A PROJECT PACKAGE
Steps 1 & 2 of RMF Process
-
Complete the Information System (Tier 3) Risk Assessment Report (RAR).
-
Determine overall security categorization of Information System using the completed RAR, associated government contract(s), and relevant mission/business information.
-
Assist with finalizing Information System categorization and security control selection using the NISP eMASS Information System (IS) registration process.
-
Tailor security controls, as needed, by supplementing, modifying, and tailoring controls to effectively manage risk for any unique system conditions and handling requirements.
-
Identify where each security control will be documented, based on existing policies and procedures.
Steps 3 & 4 of RMF Process
-
Use STIG Viewer to assess software implementation and configuration for technical security control implementation.
-
Document security controls that cannot be implemented either temporarily or permanently, based on the assessment and implementation results within the Plan of Action and Milestones (POA&M) and provide mitigation recommendations
-
Identify all documentation required for complete package submission.
Step 5 – Receive RMF ATO from DoD
We support you during the ATO review process and required checkpoints
-
Upload artifacts to eMASS.
-
Any potential issues will be flagged by the AO or provided as a re-work plan.
-
Resolve issues presented by AO.
-
Receive ATO
Step 6 – Monitor Security Controls
Maintaining your ATO requires meeting the continuous monitoring requirements. An Embedded Defense Cyber Plan will help ensure you are maintaining your RMF and meeting your continuous monitoring requirements.
Our all-inclusive Embedded Defense Plan will provide consistent and predictable cybersecurity support on a fixed budget. The Embedded Defense Package brings our entire breadth of capabilities to your team, which enables you to approach your ATO maintenance and renewal from a holistic perspective. Whether you need a fresh perspective, custom training, or just some extra knowledge and hands, our service ensures you stay in a cyber ready status.
Services
Facility Related Control Systems (FRCS), Operational Technology (OT), and Informational Technology (IT) Systems and Applications
We manage, monitor and control FRCS, OT, IT systems and applications to ensure systems and applications requirements are met, operate properly, and interruptions are minimized.
We support Government execution of the Cybersecurity Program for all FRCS, OT, and IT systems per NAVFAC P805 and the FRCS Cybersecurity, Government cybersecurity requirements.
We provide dedicated laptop computers for monitoring and troubleshooting systems and equipment. Laptop computers shall meet the Buy American Act and Government cybersecurity requirements.
We coordinate all software/hardware configuration changes to FRCS, OT, and IT systems (i.e. BCS, UCS, SCADA, EMCS, DDC, etc.), including software maintenance that is acquired as part of a system or system upgrade where practicable.
We continually monitor all systems during normal working hours and make adjustments as necessary to ensure all systems are operated in the most energy efficient manner. All adjustments must be in accordance with the Government’s Cybersecurity Configuration Management Guidance.
We work jointly with Government personnel to test and ensure systems are operational after cybersecurity activities.
We perform Configuration Management in accordance with UFC 4-010-06 Cybersecurity Program.
We respond to and address any FRCS, OT, and IT outage within one hour of notification (notification means either by automation, through pre-established alarms or by manual means (to include too hot/cold calls) after physically verifying an emergent field condition).
We inform the COR immediately upon identification of any issue that cannot be resolved within 24 hours of identification.
We provide a report for any system that is in override/bypass/manual or other methods to bypass full auto operation per Section F.
We provide a report for system alarms in FRCS, OT, and IT operation or incidence per Section F.
We perform a root cause analysis and report of any FRCS, OT, or IT failure that is repetitive in nature.
The term control systems encompass the following at:
-
Building Control System (BCS)
-
Direct Digital Controls (DDC)
-
Energy Management and Control System (EMCS)
-
Utility Control Systems (UCS)
-
Advanced Metering Infrastructure
-
Plant controls
-
Supervisory Control and Data Acquisition (SCADA)
We notify the Government immediately upon identification of any system access violations or intrusions to ensure Navy system network accreditation is maintained.
We coordinate with the Government to schedule and install firmware and software upgrades for all systems at no additional cost to the Government and within 30 days of release. All updates to software/firmware shall be approved by the Government prior to installation. All software updates shall be loaded onto a Government approved, Contractor provided, stand- alone laptop.
A listing of facility FRCS, OT, or IT systems in included in Sub-Annex 1502000, Attachment J-1502000-05.
Informational Note: Many of the new and planned facilities identified in J-1501000-02, Planned MILCON and Support Facilities, will have Johnson Controls Incorporated, METASYS Building Automation Systems and Schneider Electric, PowerLogic ION8650B electric utility revenue meters connected to the Area Wide Energy Management System.
There are four primary functional roles within the FEOC that include: FEOC Management, Control System operations, Smart Grid Advanced Analytics, and Cyber and Application Support.
WHO WE SERVE
WHO WE SERVE
Cybersecurity for Government Agencies
Government agencies have a duty to protect classified, personal, sensitive, and proprietary information. Adversaries and rogue actors are constantly on the lookout for vulnerabilities and can cause mass disruption within your organization if they are able to exploit vulnerability.
Government agencies and our Military Service Branches need cybersecurity solutions that are robust enough to meet mission-critical goals and strong enough to meet the required cyber compliance measures.
US DoD & INTEL AGENCIES
We are uncompromising in being our best in meeting our commitments to each other, our customers and our communities
FEDERAL, STATE & LOCAL GOVERNMENT
We believe that developing and leveraging individual strengths and contributions in highly collaborative environments ensures exceptional results.
CONTACT
Washington DC, United States
PO BOX 9132 TAMUNING
GUAM 96931
+1 671 649 1111