MERC is well versed in network design, monitoring, and response for ensuring data security and integrity. We analyze customer requirements which are critical to the proper testing of hardware and software in our lab environment. Our cybersecurity experience includes the development and deployment of network monitoring “command centers” to allow quick identification and response to potential cyber threats.
Additionally, MERC is advancing its capabilities in cybersecurity areas such as:
- Avionics vulnerability assessment and mitigation
- Platform information technology accreditation
- Risk assessment and mission assurance
- Secure coding techniques
- System penetration
Experience that Matters
Our staff’s professional qualifications, combined with over two decades of experience in providing information security services, demonstrate our ability to provide world-class security services to our customers. Many of our personnel carry advanced degrees in computer science and engineering along with industry standard security certifications such as:
- CompTIA Security+ CE
- Certified Information Systems Security Professional (CISSP)
- Certified Secure Software Lifecycle Professional (CSSLP)
- Certified Ethical Hacker (CEH)
- Global Information Assurance Certification – Security Essentials (GIAC-GSFC)
MERC also has extensive experience with government information assurance/cybersecurity processes to obtain and maintain authority for systems to operate on government networks. We follow relevant guidelines such as NIST’s Risk Management Framework (RMF) (SP 800-37), NIST’s guidance for information security continuous monitoring (SP 800-137), the NIST Cyber Security Framework, and others.
MERC successfully manages the Information Assurance (IA) Certification and Accreditation (C&A) process for the C-130 Structural Integrity Individual Aircraft Tracking Program – the AIRCAT system. This included the creation of all the RMF documentation necessary to achieve the initial Certificate of Networthiness (CoN) and Certificate to Operate (CTO) under the DoD Information Technology Security Certification and Accreditation Process (DITSCAP). We successfully transitioned the C&A package from the DITSCAP to the DoD Information Assurance Certification and Accreditation Process (DIACAP). The DIACAP certification included moving all of the existing documentation and artifacts into the Enterprise Information Technology Data Repository (EITDR).
Critical to maintaining a secure posture on the network is the performance of static software code analysis using the approved Department of Defense (DoD) toolsets. MERC performs these analyses regularly on developed software to ensure reliable, safe, and secure operation on the government networks.
MERC provides Computer Network Defense (CND), infrastructure support, and vulnerability management for two DoD systems. We proactively monitor network traffic, review threats/vulnerabilities and remediate unauthorized activities. Our testing includes analyzing, implementing, deploying, maintaining, and administering the infrastructure hardware and software that are required to effectively protect and harden the network. We conduct assessments of threats and vulnerabilities which include developing and recommending mitigation countermeasures.
Platform Information Technology (PIT)
MERC supports cyber initiatives as they relate to PIT through activities such as coordinating cybersecurity impact evaluations and related risk assessment analysis.
Our cybersecurity validation approach included mapping the PIT’s artifacts to the existing RMF controls. This allowed MERC to mitigate potential cyber risks. Our documentation support included authoring/reviewing, providing comments on, and/or modifying existing installation plans, security test plans, test procedures, and a variety of other documentation. The outcome of our cybersecurity assessment(s) helped to ensure the customer received the official Interim Authorization to Test (IATT).
Proactively, MERC addressed cybersecurity requirements within networked energy smart metering and industrial system controls. For large maintenance complexes with diverse process energy systems and facility enterprises, up-front cybersecurity assessment, design, and validation is key to ensuring program success by meeting cost, schedule, and technical requirements with components that have already been accredited into approved product lists (E-APL) or through previously approved type accreditations. In this way, the overall program impact from risk assessment and mission assurance, secure coding techniques, and system penetration testing is optimized.
Verification, Validation, and Software Assurance
As a CMMI DEV Level 3 appraised organization, MERC maintains a disciplined but agile process to ensure hardware and software are properly tested. Our standard processes require that a verification test plan and validation test plan be created and carried out for each release.
The verification test plan ensures that the product meets the requirements as stated in the software requirements specification, and the validation test plan ensures that the application functions to the customer’s satisfaction. As part of our Software Assurance program, MERC continuously seeks ways to minimize software vulnerabilities and exploitation.