The basic foundation of Tapestry Technologies is built on our cyber defense capabilities. Tapestry personnel have provided support to key cyber programs that have evolved how the DoD handles security.
Our team was instrumental in developing the DoD Vulnerability Management System (VMS) (previously VCTS, SRRDB, and IAVM) and the DoD STIG process, and through the years we have authored numerous technology and policy level STIGs and Checklists. Specific areas of cyber defense that we support include:
›› Policy Development
Tapestry Technologies develops and maintains Security Requirements and Security Technical Implementation Guidance for the DoD. In addition to authoring and publishing SRGs and STIGs, we support them by answering questions from system administrators, network administrators, IAOs, IAMs, and personnel performing assessments for Certification and Accreditation. We author Open Vulnerability Assessment Language (OVAL) tests to be included in the eXtensible Configuration Checklist Description Format (XCCDF), which enables automatic security compliance checking.
Tapestry Technologies has also been a leader in the innovation of how security guidance is developed. The Tapestry team has been leading the efforts for the development of the SRG model for developing security guidance that includes the SRGs and STIGs. This will allow the DoD to create guidance faster, and allow contributions of security guidance from vendors that meet DoD standards, to expedite the availability of coverage of more technologies.
›› Certification and Accreditation Assessments
Tapestry works with both the DoD and federal agencies to provide a variety of unique and vital security assessments. Since the inception of USCYBERCOM in 2009, our personnel have been intimately involved in not only completing Command Cyber Readiness Inspections (CCRIs) on behalf of DISA FSO, but also assisting in the development and training of other military branches and services so that they too can go forward and conduct their own CCRIs in accordance with DoD instructions and directives. As the CCRI program evolves into Phase III, Tapestry continues to provide input into the security processes as well as provide Site Assist Visits (SAVs) to aid sites in preparation for their upcoming CCRIs, offering definite advice on how to improve network security postures and inspection grades.
Certification and Accreditations (C&A) have always been among Tapestry’s core competencies. Our company conducts C&As for the Department of Defense as well as federal and commercial customers using DIACAP 8500.2 and FISMA NIST 800 series IA control families and processes.
More recently, Tapestry’s work has gone beyond assessing traditional networks, and we have been called upon to help some of the elite 3PAOs assess cloud service providers (CSPs) to prepare them for their FedRAMP certifications. Because Tapestry works closely with NIST and the DoD IA communities in authoring, maintaining, and enhancing many of the DoD Security Technical Implementation Guides (STIGs), we are not only keenly aware of the intent of the security controls, but we also have a unique and thorough understanding of how the guidance should be applied to the systems or environment being assessed.
The attack surface and sophistication of cyber threats are dynamic and changing rapidly. Keeping user data confidential and networks secure requires a layered and defense-in-depth approach not only against today’s threats, but also against those lurking on the horizon. Our customers have entrusted us to help them navigate through these present and future cyber threats. We work closely with our customers to help them plan, manage, and secure their networks with proven, repeatable, and sustainable processes.
Tapestry delivers strategic and technical cyber security consulting services to help its clients mitigate their risks and vulnerabilities. We have had tremendous success providing expertise with the following services:
- FISMA Management & Certification and Accreditation (FISMA)
- Command Cyber Readiness Inspections (CCRIs) Site Assist Visits (SAVs)
- Vulnerability Assessments and Management
- Cloud Computing & Virtualization Security
- Independent Verification and Validation (IV&V)
- Network Security Architecture Review, Planning & Deployment
- IT Auditing & Compliance Program Management
- Network Access Control
- Wireless Security
- Multi-Platform Host Hardening
- End-Point Security
›› Vendor Product STIG and SRG Support
Based on our role writing STIG and SRG guidance and our work as compliance auditors, we are well positioned to help vendors meet DoD security guidance. We help vendors understand security vulnerabilities with their products and develop risk mitigation strategies.
Never before have we been faced with so much vulnerability to our devices, data and networks. With the advent of the smartphone, we are becoming less and less dependent on our desktop and laptop computers and more so on our mobile devices. With these app-laden smartphones, tablets and pads that we have all adopted, we now live in a world where there’s quite literally an app for everything. The trouble with this is that if there’s an app for everything, there’s a threat to everything, which means your device, your data network and your personal safety and well-being.
Tapestry Technologies has a deep understanding of the need for a more secure and safe environment for using our mobile devices in the enterprise. Having developed numerous mobility, technology, device and product Security Technical Implementation Guides and Security Requirements Guides for DISA, Tapestry is well versed and experienced in the realm of not just security, but vulnerability management and risk mitigation for implementing a mobile solution for the enterprise.
For mobile security, Tapestry did not start at desktop security and progress to mobility; we wiped the slate clean, started at the beginning, and looked at every nuance and feature a mobile device exhibits to build a comprehensive picture of how a mobile solution should be implemented in an enterprise. Tapestry looked at the entire ecosystem, which includes the Mobile OS, the Applications, the Mobile Device Manager, the Application Store, and policy.