Title: Integrated Program Protection
Slide 1: Integrated Program Protection
Date: 12 Dec 2018
Presenters: Steve Kern, CENG, NAVAIR Cyber Warfare Detachment, and Vincent Lamolinara, Professor of Acquisition Cybersecurity, Defense Acquisition University, Mid-Atlantic Region
Moderator: Jim Davis, Logistics Department Chair, Defense Acquisition University, Mid-Atlantic Region

Slide 2: Objectives
- Show that cybersecurity is a principal integrating factor in System Security Engineering and Program Protection Planning (PPP)
- Show that integrated Cybersecurity / PPP properly characterizes and prioritizes residual weapon system risk
- Discuss how to improve DoD acquisition outcomes and achieve higher mission success and survivability in a cyber-contested environment through integrated PPP across the system lifecycle by:
  - Transformational approaches
  - Reducing / eliminating redundancy
  - Building on existing Systems Engineering processes
Slide 3: Integrated System Security Engineering: Cybersecurity is the Common Link Across Functional Areas
Diagram labels: System; Critical Program Information; Anti-tamper; Mission Critical Components & Functions; TSN / SCRM; Security; HW/SW/FW Assurance; Phys/Op/Info/Pers/ComSEC; Information; Cybersecurity (C, I, A); Resilience; Survivability Engineering

Slide 4: Cybersecurity & the Acquisition Lifecycle Integration Tool (CALIT)
CALIT Ver 3.0, Aug 2018

Slide 5: Integrated Program Protection Vision
Presented to: Acquisition Community, 11/2018
Presented by: Steve Kern, Cyber Warfare Chief Engineer, Senior Scientific Technical Manager (SSTM)

Slide 6: Vision
An integrated Program Protection Process to protect advanced technology, safety of flight, mission critical functions, and components throughout the acquisition lifecycle; apply countermeasures and protections from malicious adversarial intent; illuminate and balance cyber risk; and maximize resilience in a cyber-contested environment.

Slide 7: Program Protection Instructions
Slide from DASD(SE) Melinda Reed briefing to NDIA on 25 Oct
Slide 8: Observations
1. Process and organizational structure has been developed to address the individual program protection instructions. There are redundancies and overlaps in tasks among the processes.
2. There is an imbalance of Program Office effort across the processes.
   - RMF and CPI/AT receive significant emphasis
   - TSN/CA and the cyber part of SCRM receive less emphasis
3. An integrated Program Protection Process will identify opportunities to include technical and procedural security measures at the beginning of Systems Engineering and throughout the lifecycle during updates and engineering changes, as opposed to selecting controls after susceptibilities have been designed into the system.
4. One of the first steps in many processes is to decompose the mission of the platform/system into the critical systems that are required to execute that mission.
   - RMF: from the data protection perspective (if NIST Control RA-3 is selected)
   - CRA Step 1 is to Decompose Mission Essential Functions
   - CPI Steps 1 & 2 are Identify Mission Capability and Decompose System into components
   - TSN/CA Step 1 process is to ID principal mission threads and mission system functions
   - CYBERSAFE is to implement TSN/CA and is based on Mission Essential Functions

Slide 9: Observations (cont.)
5. The second (or third/fourth) step in many of the processes is to conduct some sort of criticality analysis/judgement of the identified subcomponents.
   - RMF Step 2 is to Select Controls (judge criticality of the data)
   - CRA Step 3 is to Develop Attack Surface / Attack Trees
   - CPI Step 3 process is to Evaluate Criticality of each component (at least 3 levels)
   - TSN/CA Step 4 process is to Assign criticality failure levels (I, II, III, IV) to components
6. An adversarial-based assessment is required by all of the processes.
   - RMF does NOT require a Threat Assessment, but NIST control RA-3 could be implemented and is part of a Common Control Package (CCP)
   - CRAs require an intelligence-driven Threat Assessment
   - CPI requires an intelligence (and Counter-Intelligence) driven Threat Assessment
   - TSN/CA requires a (vendor) supply chain assessment (and CI assessment) for sources of components that are deemed critical level I/II components (not an adversarial-based Threat Assessment)
7. We can do better.
Slide 10: Integrated Program Protection Vision (chart mapping program protection process steps and outputs onto the Systems Engineering process)

Systems Engineering process columns: Step 2 System Requirements; Step 3 High-Level Design; Step 5 H/W S/W Development; Step 9 System Validation; Step 10 Changes/Upgrades. SE phases shown across the columns: Functional Analysis and Allocation; Design Synthesis; Verification; Deployment.

Process steps by column:
- System Requirements: CRA Viewpoint 1; RMF Step 1; Intel Threat Assessment; AT Step 1 CPI Assessment; T&E Cybersecurity Requirements Analysis
- High-Level Design: CRA Viewpoint 2; RMF Step 2; CTT; CPI Assessment; AT Step 2; Intel Threat Assessment; T&E Attack Surface Characterization
- H/W S/W Development: CRA Viewpoint 3; RMF Step 2/3; AT Steps 3 & 4; TSN/Criticality Analysis; SCRM Illumination; Intel Threat Assessment; CYBERSAFE Planning; T&E Cooperative Vulnerability Identification
- System Validation: CRA Viewpoint 4; RMF Step 4/5; SCRM Assessment; Developmental Testing; CYBERSAFE OQE & Risk Review Board; OT CVPA; OT Adversarial Assessment
- Changes/Upgrades: RMF Continuous Monitoring; CYBERSAFE Continuous Monitoring

Outputs by column:
- System Requirements: Cyber Attack Trees; Cyber Risk Cube; Categorization Letter (PM Signature); CPI Memo; Intel Production Requests; Threat Model; Cyber VOLT; Cyber T&E Strategy
- High-Level Design: Cyber Attack Trees; Cyber Risk Cube; Initial RMF Control Selection & Security Assessment Plan; AT Mission Essential Function; AT Level of Protection Requirement; AT Letter of Concurrence; CYBERSAFE Mission Criticality; Critical Intelligence Parameters; Intel Production Requests; Threat Model
- H/W S/W Development: Cyber Attack Trees; Cyber Risk Cube; RMF Control Selection & Control Design Plan; Initial/Final AT Plan; AT Attack Trees; Critical ICT Components; SCRM-TAC Request; DT Test Plan; CYBERSAFE EDRAP; Intel Production Requests; Threat Model; Critical Component CVI Reports
- System Validation: Cyber Attack Trees; Cyber Risk Cube; RMF Risk Assessment Report, Security Assessment Report, FSCA Endorsement & Authorization to Operate; SCRM Supply Chain; AT Implemented; DT Test Report; OT Test Report; FINTEL; CYBERSAFE Certification
Slide 11: System Security Engineering (SSE)
24 System Engineering Design Considerations (examples shown): Performance; Requirements; Structure; Maintainability; Propulsion; Security; Safety; Power; Reliability; Other
System Security Engineering design considerations: Anti-Tamper (AT); Defense Exportability Features (DEF); Software Assurance (SwA); Hardware Assurance (HwA); Cybersecurity; Supply Chain Risk Management (SCRM); Other Security (OPSEC, INFOSEC, PERSEC, COMSEC); Survivability / Resilience
Source: Defense Acquisition Guidebook (DAG)

Slide 12: SSE Produces Common Sets of Artifacts
Diagram labels: Cyber Survivability Endorsement; CYBERSAFE Certification; Requirements, Design, Implementation, Assessment Artifacts; Authority to Operate; Anti-tamper Approval (ATEA); DT / OT Blue & Red Team Test
Common set of artifacts tailored into separate approval packages for CYBERSAFE, Cyber Survivability Endorsement, ATO and AT Approval

Slide 13: System Security Working Group
Diagram labels: T&E; Intel; AT; Training; Ad Hoc (Ad Hoc includes as needed: PM, BFM, CON, et al.); POPL; SSWG; Cyber Team (ISSM, ISSO, ISSE); LOG; User; SE; S/W Engr; Security; Developer
The IPT Model Integrates Cybersecurity across Competencies

Slide 14: System Security Working Group (SSWG) Charter
Inputs: CDD; Acq Strat; DODAF; DoDI (enclosure 14); DoDI; DoDI; DoDI; NIST SP; DoD Cybersecurity T&E Guide; CNSS 505; CNSSI 1253; Security Technical Implementation Guides (STIGs)
SSWG Outputs: Program Protection Plan (PPP); Cybersecurity Strategy; Criticality Analysis; Test & Evaluation Master Plan (TEMP) Appendix E; Anti-Tamper (AT) Plan
Security Engineering Inputs: System Engineering Plan (SEP); System Design; Software Development Plan (SDP); Request for Proposal (RFP); Program Security Classification Guide (SCG); Supply Chain Risk Management (SCRM) Plan; Life Cycle Support Plan (LCSP); Software Assurance Plan; Program Budget
How do we make these Outputs living documents?
Slide 15: Test as a Cyber Integrator
T&E links the Risk Management Framework (RMF) & Program Protection Plan (PPP)
Analysis: Mission-Based Cyber Risk Assessment (MBCRA): CTT, CRA, SCA-V, CJA, etc.
Institute for Defense Analyses comparative study provides a decision diagram

Slide 16: Cyber Risk Assessment (CRA)
Shows mission risk, recommends test, justifies fixes and tradeoffs; re-assess selected Cybersecurity Controls
Diagram labels: Mission Critical Functions Mapped to Subsystems; Attack Tree Nodal Analysis; Combining All Risk Aspects; Mission Based Risk
CRA comprehensively assesses People, Processes & Technology (PPT)

Slide 17: Joint Staff Survivability KPP provides a Framework for Integrated Cybersecurity Requirements
Why do we need CYBERSAFE, Trusted Systems and Networks, etc.?

Slide 18: Continuous Red & Blue Testing is the New Normal
Exposing engineers to failures more frequently incentivizes them to build resilient services.
*Chaos Monkey is a service which identifies groups of systems and randomly terminates one of the systems in a group.

Slide 19: Case Study of Warfighter Information Network Tactical (WIN-T) Inc 2
Passed Adversarial Cyber FOT&E!
- Cybersecurity integrates into systems engineering vice a separate solution
- % Fix Effectiveness was the key metric!
- Assumption of breach
- Continuous testing & fixes with JHU APL & developer
- Threat models, with > 10 million threat sims

Slide 20: Summary
- Integrated PPP / Cybersecurity requires transformational SSE / RMF
- Threat and complexity require continuous monitoring & update
- MBCRA / Test / PPP update never ends in a cyber-contested environment
- Cyber Survivability offers a Rosetta stone approach to unifying / translating RMF Security Controls and Systems (Security) Engineering methods
- SSWG is paramount; it helps end stovepipes
- PPP brings it all together and can highlight redundant and conflicting issues

Slide 21: Questions?
Slide 22: Resources
- Cybersecurity in the Defense Acquisition System. Enclosure 14 of Department of Defense Instruction (DoDI) , Operation of the Defense Acquisition System, pp , February 2, 2017, Incorporating Change 3, August 10, 2017
- DoD Instruction , Critical Program Information (CPI) Identification and Protection Within Research, Development, Test, and Evaluation (RDT&E), May 28, 2015, Incorporating Change 1, November 17, 2017
- DoD Directive E, Anti-Tamper (AT), September 4, 2015, Incorporating Change 1, August 28, 2017
- DoD Instruction , Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN), November 5, 2012, Incorporating Change 2, July 27, 2017
- USD(AT&L) Memorandum, Document Streamlining Program Protection Plan (PPP), July 18, 2011
- Cyber Survivability Endorsement Implementation Guide Vol II & Vol III (Classified)
- Cyber Table Top Facilitator Site:

Slide 23: Additional Resources
Additional resources & tools such as CALIT and ACQuipedia articles and videos can be found at the DAU Cybersecurity Community of Practice Page: port%20tools.aspx
Tools:
- Cybersecurity & Acquisition Lifecycle Integration Tool - CALIT
- Quick Reference Card - Cybersecurity Black Card
Videos:
- Ongoing Efforts to Protect the DoD's Unclassified Information, 13 Jan 17 (duration: 12 min)
- Cybersecurity Implementation, Kevin Dulany (DoD CIO Office) - Duration: 90 min
- Cybersecurity Risk Management Framework Overview, Mar 2017
Articles:
- ACQuipedia - Cybersecurity & the DoD Acquisition Lifecycle
- ACQuipedia - RMF for DoD IT
- ACQuipedia - System Survivability KPP
- ACQuipedia - Supply Chain Risk Management
- Defense AT&L Magazine - Including Cybersecurity in the Contract Mix, Mar-Apr 2018
- Defense AT&L Magazine - Supply Chain Risk Management: An Introduction to the Credible Threat, Jul-Aug 16
- Defense AT&L Magazine - Cybersecurity; The Road Ahead for Defense Acquisition, May-Jun 16
- Defense AT&L Magazine - Cyber Integrator Concept, Mar-Apr 15
- Defense AT&L Magazine - Cybersecurity Challenges for Program Managers, Sep-Oct 14
- Crowd Source Article - Fact Sheet Hack the Pentagon
Slide 24: Contact Info
Vinny Lamolinara
Steve Kern

Slide 25: Backup

Slide 26: Rosetta Stone: SS KPP CSAs to RMF to Systems Security Engineering (SSE) Translation
SS KPP/CSE Implementation Guide Vol II, Risk-Managed Performance Measures, Joint Staff J6/J8, DCIO, NSA IAC

Slide 27: CSA to RMF to System Security Engineering (SSE) Mapping
Mapping SS KPP to CSA to RMF (NIST Security Controls) to SSE
Diagram labels: Least Privilege; Resistance to Attack; Continuous Monitoring; Prioritized Operations; Data Segregation; CSA to SSE; Recover from a Trusted Source; Periodically Save State; Threat Evolution; Failover; Mesh Interrelation
- Focus on weapon system germane controls
- Adapt controls for SSE, which is more relevant to weapon systems
- Exemplar SSE requirements language for: ICD / CDD / CPD; RFP; SOW
- RMF - CSA; RMF - SSE

Slide 28: Cyber Table Top (CTT) Risk Assessment
Input to Controls Selection / Risk Assessment / Pre-Test; User Reps / Focused Mission Areas
Phases: Exercise Preparation (~ days); Exercise Execution (~ 3-5 days); Post Exercise Analysis (~ days); Reporting
Activities: Analyze Architecture, CONOPS, Intelligence; Define Mission; Define Attack Paths & Vulnerabilities; Analyze adversary attacks; Determine Cyber Risk: Likelihood vs Consequence; Mitigations; Reports
Color code (teams): Operational Team; OPFOR Team; Control / Analysis Teams; Reporting Team
Team activities: Develop Mission Plan; Define Access Paths; Describe Effects; Execute Attacks; Develop Mitigations
*Facilitator training available via DAU & Ms. Sarah M. Standard, CIV OSD OUSD ATL (US)
More informationDOD Medical Device Cybersecurity Considerations
Enedina Guerrero, Acting Chief, Incident Mgmt. Section, Cyber Security Ops Branch 2015 Defense Health Information Technology Symposium DOD Medical Device Cybersecurity Considerations 1 DHA Vision A joint,
More informationUNCLASSIFIED R-1 ITEM NOMENCLATURE FY 2013 OCO
COST ($ in Millions) FY 2011 FY 2012 Base OCO Total FY 2014 FY 2015 FY 2016 FY 2017 Cost To Complete Total Cost Total Program Element 8.306 7.299 10.429-10.429 11.464 12.492 12.840 13.010 Continuing Continuing
More informationBUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE
BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE 1 WHAT IS YOUR SITUATION? Excel spreadsheets Manually intensive Too many competing priorities Lack of effective reporting Too many consultants Not
More informationAffordable Security. Sarah Pramanik April 10, 2013
Affordable Security Sarah Pramanik April 10, 2013 It s a Balancing Act Affordability Security 2 Overview Defining Cyber Security Defense in Depth Program Risk vs. Security Risk Life Cycle Phases Pre-proposal/Proposal
More informationBridging the Gap Between Security and Modularity
Bridging the Gap Between Security and Modularity Sponsor: DASD(SE) By Ms. Giselle M. Bonilla-Ortiz 6 th Annual SERC Doctoral Students Forum November 7, 2018 FHI 360 CONFERENCE CENTER 1825 Connecticut Avenue
More informationModularity and Open Systems: Meaningful Distinctions
Modularity and Open Systems: Meaningful Distinctions Philomena Zimmerman Office of the Deputy Assistant Secretary of Defense for Systems Engineering 18th Annual NDIA Systems Engineering Conference Springfield,
More informationIT Risk Management and Cybersecurity Summit
IT Risk Management and Cybersecurity Summit Dr. Bill Curtis Executive Director John Weiler Vice Chair 1 Seminar Objectives Latest developments in measurement standards: Software security IT software risk
More informationRevitalizing Education and Training in Systems Engineering
Revitalizing Education and Training in Systems Engineering Don S. Gelosh, PhD Sr. Systems Engineer Office of Deputy Director for Enterprise Development Systems and Software Engineering Office of the Deputy
More informationBalancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld
Balancing Compliance and Operational Security Demands Nov 2015 Steve Winterfeld What is more important? Compliance with laws / regulations Following industry best practices Developing a operational practice
More informationManTech Advanced Systems International 2018 Security Training Schedule
ManTech Advanced Systems International 2018 Security Training Schedule Risk Management Framework Course Dates Course Location Course Cost February 12 15, 2018 Las Vegas, NV $1,950.00 March 12 15, 2018
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity November 2017 cyberframework@nist.gov Supporting Risk Management with Framework 2 Core: A Common Language Foundational for Integrated Teams
More informationCybersecurity is one of the most important challenges for our military today. Cyberspace. Cybersecurity. Defending the New Battlefield
Cybersecurity Defending the New Battlefield Steven J. Hutchison, Ph.D. Cybersecurity is one of the most important challenges for our military today. Cyberspace is a new warfighting domain, joining the
More informationDoD Systems Engineering Update
DoD Systems Engineering Update Kristen Baldwin Principal Deputy, Office of the Deputy Assistant Secretary of Defense for Systems Engineering (ODASD(SE)) NDIA Systems Engineering Division Meeting March
More informationNaval Surface Warfare Center,
CAPT Brian R. Durant Commander NSWCDD Technical Director - (540) 653-8103 Dennis M. McLaughlin Technical Director Naval Surface Warfare Center, Dahlgren Naval Undersea DivisionWarfare Center The The Leader
More informationDOE and Test Automation for System of Systems T&E
DOE and Test Automation for System of Systems T&E Larry Harris, Navy SPAWAR PMW-120 APM T&E Luis Cortes, MITRE Corporation Jim Wisnowski, Adsurgo Darryl Ahner, OSD STAT COE Jim Simpson, JK Analytics Bottom
More informationSystems Engineering Division
Systems Engineering Division Bi-Monthly Meeting 16 August 2017 http://www.ndia.org/divisions/systems-engineering 1 Agenda (1 of 2) Time Topic Presenter(s) 0745 Coffee & Check-in 0830 1. Opening Remarks,
More informationHeadquarters U.S. Air Force. NDIA Division Planning Meeting AF Outlook for CY2016
Headquarters U.S. Air Force NDIA Division Planning Meeting AF Outlook for CY2016 Col(s) Colin Tucker SAF/AQRE 09 December 2015 Topics Rapid acquisition Intellectual Property and Data Rights Development
More informationI n t e g r i t y - S e r v i c e - E x c e l l e n c e
I n t e g r i t y - S e r v i c e - E x c e l l e n c e Headquarters U.S. Air Force I n t e g r i t y - S e r v i c e - E x c e l l e n c e AF Chief Information Security Officer (CISO) Mr. Pete Kim (SES)
More informationCNCI-SCRM US Comprehensive National Cybersecurity Initiative Supply Chain Risk Management
CNCI-SCRM US Comprehensive National Cybersecurity Initiative Supply Chain Risk Management Mr. Donald Davidson, Chief, Outreach & Standardization Trusted Mission Systems & Networks (formerly Globalization
More informationSTUDENT GUIDE Risk Management Framework Step 1: Categorization of the Information System
Slide 1 RMF Overview RMF Module 1 RMF takes into account the organization as a whole, including strategic goals and objectives and relationships between mission/business processes, the supporting information
More informationNIST SP , Revision 1 CNSS Instruction 1253
NIST SP 800-53, Revision 1 CNSS Instruction 1253 Annual Computer Security Applications Conference December 10, 2009 Dr. Ron Ross Computer Security Division Information Technology Laboratory Introduction
More informationISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION
ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION Cathy Bates Senior Consultant, Vantage Technology Consulting Group January 30, 2018 Campus Orientation Initiative and Project Orientation Project
More informationOperationalizing Cyber Security Risk Assessments for the Dams Sector
Operationalizing Cyber Security Risk Assessments for the Dams Sector Kevin Burns, Jason Dechant, Darrell Morgeson, and Reginald Meeson, Jr. The Problem To evaluate vulnerability to the postulated threat,
More informationRisk Management Framework for DoD Medical Devices
Risk Management Framework for DoD Medical Devices Session 136, March 7, 2018 Lt. Col. Alan Hardman, Chief Operations Officer, Cyber Security Division, Office of the DAD IO/J-6 William Martin, Deputy of
More informationWhat can an Acquirer do to prevent developers from make dangerous software errors? OWASP AppSec DC 2012 April 5, 2012
What can an Acquirer do to prevent developers from make dangerous software errors? OWASP AppSec DC 2012 April 5, 2012 Key questions Do acquirers know why they need include requirements for secure code?
More informationAdvanced Technology Academic Research Council Federal CISO Summit. Ms. Thérèse Firmin
Advanced Technology Academic Research Council Federal CISO Summit Ms. Thérèse Firmin Acting Deputy DoD CIO Cyber Security Department of Defense 25 January 2018 2 Overview Secretary Mattis Priorities Cybersecurity
More information