C3 Networx provides a full spectrum of System and Software Engineering Services and Solutions, with the Risk Management Framework (RMF) fully integrated into all processes

SSC Pacific Code 532 Rapid Integration and Test Environment (RITE) Support

C3 Networx personnel are trained on the RITE agile process for incremental deliveries of contractor developed code, unlike traditional methods which only have one final delivery of code. RITE offers a flexible process perfectly suited for programs whose requirements are not fully defined at the beginning of the project and when requirements can change during the development and integration cycle. RITE’s incremental deliveries help important tasks get accomplished first giving the program usable product capability sooner and testing takes place almost continuously allowing issues to be identified and fixed when they are least costly and have minimal impact on the program schedule. We are at the vanguard of the development of the emerging SecDevOps practices.

RITE processes include:

  • Systems/Software Integration
  • Security Testing
  • Independent Verification and Validation
  • Operational Test & Evaluation (OT&E) and Developmental Test & Evaluation (DT&E)
  • Configuration Management (CM)
  • Quality Assurance (QA)
  • Certification & Accreditation

 

Requirements Analysis

C3 Networx requirements engineers manage the requirements development process through the Requirements Engineering Master Plan (REMP), while controlling the Requirements Traceability Matrix (RTM) and feed newly developed system level requirements to the Lead Systems Developer for final review and implementation. The process identifies the requirements needing verification and identifies personnel responsible for verification and validation. Specific details about testing were developed and are contained in the Software Test Plan (STP) for each release. The overall mapping of software requirements to methods of verification is identified in the Verification Cross Reference Matrix (VCRM), which ensures that delivered software code is in compliance with functional, design, performance, and interface requirements. This process encompasses planning, requirement definition, and compliance activities.

Systems Engineering

C3 Networx designs, develops and document database and network prototype hardware and software components. Our software engineers understand how to create Unified Modeling Language (UML) providing a standard visualization design of the system and software subsystems. We can create the entire system database design used for agile testing processing consistent with the Rapid Integration Test Environment (RITE) and the emerging SecDevOps standards; we have successfully used this in the CANES application integration process. As members of an ACAT I Design Engineering Working group (DEWG), we provide critical system level design inputs on the overall system design. C3 Networx Systems Engineers configure hardware and software suites and support hardware configuration for the systems under test (SUTs) and established evolutionary testing process of escalation between security enclaves, to include UNCLASS, SECRET and TOP SECRET. We also provide architecture, system design and program requirements definition recommendations using commercial best practices like Software Engineering Institute (SEI).

Software Integration Engineering

C3 Networx supports software integration and testing, including automated testing, Our engineers provide the control, verification, integration, and testing of new functional capabilities into the system or program. We ensure that the software developers deliver source code and other work products into the integration and test environment that are free of obvious and critical performance errors and omissions. Through the process of Software Quality Integration (SQI), we ensure that no vulnerabilities are present in the software; verifies classification markings; conducts static analysis; builds software executables for integration testing. All of these functions are provided within an iterative delivery model during a 30-day SCRUM/Sprint cycle. Scrum is an iterative and incremental agile software development framework for managing product development. It’s also the leading agile development methodology, used by Fortune 500 companies around the world.

Test and Evaluation

C3 Networx software engineers serve as the functional and operational experts providing Test and Evaluation (T&E) support during systems infrastructure testing. C3 Networx recognizes that the engineering T&E processes are a significant element in the decision-making process. We provide detailed deficiencies reports to the customer supporting trade-off analysis, performance verification, risk reduction, and requirements refinement. This information is used by the Program Manager to make programmatic decisions on system performance maturity and readiness to advance to the next phase of development. Our engineers work directly with the customer in the test planning and test procedure development as part of the agile development process. We conduct test result data collection as a result of every test run and include that data as part of the test report, which includes an analysis of the performance metrics (i.e. Key Performance Parameters (KPP), Key System Attributes (KSA) and Other System Attributes (OSA)), lessons learned, and recommended fix actions for regression testing.

Independent Verification & Validation

C3 Networx supports all phases of IV&V system development and modification through a series of software verification and validation tests, to include software gating and requirements verification acceptance processes. Through these IV&V processes, we determine software suitability for integration. The objective is two-fold: First, to determine a developmental item’s (Government or Commercial software) ability to fulfill system requirements at a cost-effective price. Second, for those products positively assessed, we ensure that source code and other software work products are introduced into the integration and test environment free of obvious or critical performance errors or omissions. C3 Networx engineers manage the requirements development process through the Requirements Engineering Master Plan (REMP), while controlling the Requirements Traceability Matrix (RTM), feeding the newly developed system level requirements to the Lead Systems Developer for final review and implementation. Specific details about testing are developed and maintained in the Software Test Plan (STP) for each release. The overall mapping of software requirements to methods of verification is identified in the Verification Cross Reference Matrix (VCRM). The VCRM uses a process of confirming that delivered software code is in compliance with functional, design, performance, and interface requirements. This process encompasses planning, requirement definition, and compliance activities. C3 Networx personnel use this process to verify the completion of requirements during integration and delivery to the system prior to DT&E.

Configuration Management

C3 Networx supports the Configuration Management (CM) functions in SSC Pac Code 532 RITE infrastructure including the receipt and control of incoming software deliveries and delivery of completed integrated system products. All documents and products received or generated by programs are adequately documented, stored and managed. Any changes to those work products are documented and controlled through a CM change process where all of the changes are appropriately recorded and reported. C3 Networx personnel ensure compliance with existing CM policies is verified. CM establishes and maintains the integrity of work products throughout the life of a project. Our CM experts work hard identifying the configuration of products that are delivered to the customer, as well as those used in development of products and/or services, systematically controlling changes to the configuration and maintaining the integrity and traceability of the configuration. The CM Team tracks changes to baselines and documents them in difference reports. All approvals of configuration changes are achieved through the establishment and operation of the CM lead Configuration Control Board (CCB).

CM performs Configuration Status Accounting (CSA) and a reports to provide visibility into the status of functional, allocated, developmental, and product baselines for each CI throughout its lifecycle. The reports are published quarterly to address status and history of controlled products, library and software/hardware baseline contents, change requests, CCB decisions, implementation of approved changes, deviations and waivers, deficiencies, and audits. Email notification is sent to all affected stakeholders that the report is available for review.

Security Engineering

Our Cybersecurity engineers are experts at analyzing, troubleshooting, and investigating security-related; information systems’ anomalies based on security platform reporting, network traffic, log files, host-based and automated security alerts and automated code scans.  We maintain, configure, and analyze network and host-based security platforms using:  Vulnerability scanning systems and tools, network-based Intrusion Detection/Prevention Systems (IDS/IPS), Host-based Intrusion Detection/Prevention Systems (HIDS/HIPS), Application (Layer 7) Firewall, physical access control systems, implementing automated test applications in a microcomputer environment, integrating software and LAN applications to ensure security engineering compliance.

C3 Networx security engineers contribute to system cybersecurity design requirements.  We develop Information Assurance (IA) Developers Guides to aid the developers so that security is built into the products and fully compliant with DISA STIGs. C3 Networx personnel also support the risk assessment process by using Host Based Security System (HBSS) to support commercial-off-the-shelf (COTS) suite of software applications used within the DoD to monitor, detect, and defend computer networks and systems. We provide security assurance support at the various steps in the development process, including the conduct and analysis of static and dynamic code for each version of software delivered by the independent developers.  We also evaluate commercially available security test tools and ensure that the test environment is maintained in a secure manner. This evaluation includes Gold Disk and/or Retina scans on the individual software builds to ensure that the test environments were STIG compliant. We also use the Assured Compliance Assessment Solution (ACAS) as an integrated software solution supporting DoD enhanced enterprise security solutions.

Certification and Accreditation

C3 Networx understands the process of comprehensively evaluating technical and non-technical security features of an information system in the intended environment. We assist the customer to deliver all artifacts that the Authorizing Official requires for system approval. Each time developer software code is added to our build cycle, our Cybersecurity, Quality Assurance (QA) and System Administrators’(SA) run automated Cybersecurity tools against the build to identify threats, vulnerabilities and risks to ensure the software is compliant with Risk Management Framework (RMF) guidelines.  The Cybersecurity team reviews IA compliance and vulnerability scans to compare the build results before and after the integration effort.  Cybersecurity will also work with other teams to ensure Security Technical Implementation Guide (STIG) compliance of the build environments.  The SA team is responsible for maintaining the secure configuration and implementation fixes identified by the Cybersecurity team.  C3 Networx personnel also review disconnected security scans and STIG compliance for test environments after the software has been loaded.  Cybersecurity delivers a completed RMF package and/or Interface Control Document (ICD) package to the Program’s Information System Security Manager (ISSM) along with necessary artifacts for review and further submission to the Designated Approval Authority (DAA) and to get the approved Authority to Operate (ATO).