CS TPL Assessments
The CS TPL offers two distinct assessments: Capabilities and Compliance. Individual Offerors can select the type of assessment, though the Government will specify which criteria apply to individual programs in the future. To ensure a complete assessment, the testing process will include vulnerability assessment and penetration testing elements in addition to the base testing. Vulnerability assessment and penetration testing will be part of both the Capabilities and Compliance assessments (conducted only once if both assessments are performed), and will be limited to 16 staff-hours of test and assessment effort to control costs.
CS TPL Capabilities Assessment
The CS TPL Capabilities Assessment highlights the capabilities of the component being tested, to help the system designer determine which components will provide the necessary functionality and security posture in their system. During the Capabilities Assessment, the CS TPL will verify the Cybersecurity capabilities of the component being assessed. The Capabilities Assessment will be conducted to assist in the application of Unified Facilities Criteria 4-010-06 and Unified Facilities Guide Specifications 25-05-11.
CS TPL Compliance Assessment
The CS TPL Compliance Assessment assesses a component from the perspective of the DoD Risk Management Framework (RMF) and Control Correlation Identifiers (CCIs), in support of RMF activities. CCIs are determined using National Institute of Standards and Technology (NIST) 800-53, with the understanding that the source material for applicable controls will evolve over time as required by the DoD. This testing and assessment process will facilitate reuse by generating supporting documentation that can be referenced in security assessments and designs. The System Owner can select components that reside on the CS TPL to integrate into their system design, knowing how each component will affect their system security posture with respect to RMF guidelines.
The CS TPL Cybersecurity test and assessment will use current RMF controls and apply the traditionally information-technology-focused criteria to Operational Technologies (OT). It is expected that this will leave gaps in the assessment of Cybersecurity on OT products, though the content within the Test and Assessment Framework document will address these gaps.