Title: Integrated Program Protection

Transcription

1 Title: Integrated Program Protection Date: 12 Dec 2018 Presenters: Steve Kern, CENG, NAVAIR Cyber Warfare Detachment and Vincent Lamolinara, Prof.of Acquisition Cybersecurity, Defense Acquisition University, Mid-Atlantic Region Moderator: Jim Davis, Logistics Department Chair, Defense Acquisition University, Mid-Atlantic Region

2 Objectives Show that Cybersecurity is a principal integrating factor in System Security Engineering and Program Protection Planning (PPP) Show that Integrated Cybersecurity / PPP properly characterizes and prioritizes residual weapon system risk Discuss how to improve DoD acquisition outcomes and achieve higher mission success and survivability in a cyber-contested environment through integrated PPP across the system lifecycle by: Transformational approaches Reducing / eliminating redundancy Building on existing Systems Engineering processes

3 Integrated System Security Engineering: Cybersecurity is the Common Link Across Functional Areas System Critical Program Information Anti-tamper Mission Critical Components & Functions TSN / SCRM Security HW/SW/FW Assurance Phys/Op/Info/Pers/ComSEC Information Cybersecurity C, I, A Resilience Survivability Engineering 3

4 Cybersecurity & the Acquisition Lifecycle Integration Tool (CALIT) CALIT Ver 3.0 Aug 2018

5 Integrated Program Protection Vision Presented to: Acquisition Community 11/2018 Presented by: Steve Kern, Cyber Warfare Chief Engineer Senior Scientific Technical Manager (SSTM)

6 Vision An integrated Program Protection Process to protect advanced technology, safety of flight, mission critical functions, and components throughout the acquisition lifecycle, apply countermeasures and protections from malicious adversarial intent, illuminate and balance cyber risk and maximize resilience in a cyber contested environment. 6

7 Program Protection Instructions Slide from DASD(SE) Melinda Reed briefing to NDIA on 25 Oct

8 Observations 1. Process and organizational structure has been developed to address the individual program protection instructions. There are redundancies and overlaps in tasks among the processes. 2. There is an imbalance of Program Office effort across the processes. RMF and CPI/AT receive significant emphasis TSN/CA and the cyber part of SCRM receive less emphasis 3. An integrated Program Protection Process will identify opportunities to include technical and procedural security measures at the beginning of Systems Engineering and throughout the lifecycle during updates and engineering changes, as opposed to selecting controls after susceptibilities have been designed into the system. 4. One of the first steps in many processes is to decompose the mission of the platform/system into critical systems that are required to execute that mission. RMF from the data protection perspective (if NIST Control RA-3 is selected) CRA Step 1 is to Decompose Mission Essential Functions CPI Steps 1 & 2 are Identify Mission Capability and Decompose System into components TSN/CA Step 1 process is ID principle mission threads and mission system functions CYBERSAFE is to implement TSN/CA and is based on Mission Essential Functions 8

9 Observations (cont.) 5. The second (or third/fourth) step in many of the processes is to conduct some sort of criticality analysis/judgement of the identified subcomponents RMF Step 2 is to Select Controls judge criticality of the data CRA Step 3 is to Develop Attack Surface/ Attack Trees CPI Step 3 process is to Evaluate Criticality of each component (at least 3 levels) TSN/CA Step 4 process is to Assign criticality failure levels (I, II, III, IV) to components 6. An adversarial-based assessment is required by all of the processes RMF does NOT require a Threat Assessment but NIST control RA-3 could be implemented and is part of a Common Control Package (CCP) CRA s require an intelligence-driven Threat Assessment CPI requires a intelligence (and Counter-Intelligence) driven Threat Assessment TSN/CA requires a (vendor) supply chain assessment (and CI assessment) for sources for components that are deemed critical level I/II components (not an adversarial based Threat Assessment ) 7. We can do better 9

10 Integrated Program Protection Vision SYSTEMS ENGINEERING PROCESS Step 2 Step 3 Step 5 Step 9 Step 10 System Requirements High-Level Design H/W S/W Development System Validation Changes/Upgrades FUNCTIONAL ANALYSIS AND ALLOCATION DESIGN SYNTHESIS VERIFICATION DEPLOYMENT PROCESS STEP CRA Viewpoint 1 RMF Step 1 Intel Threat Assessment AT Step 1 CPI Assessment T&E Cybersecurity Requirements Analysis CRA Viewpoint 2 RMF Step 2 CTT CPI Assessment AT Steps 2 Intel Threat Assessment T&E Attack Surface Characterization CRA Viewpoint 3 RMF Step 2/3 AT Steps 3 & 4 TSN/Criticality Analysis SCRM Illumination Intel Threat Assessment CYBERSAFE Planning T&E Cooperative Vulnerability Identification CRA Viewpoint 4 RMF Step 4/5 SCRM Assessment Developmental Testing CYBERSAFE OQE & Risk Review Board OT CVPA OT Adversarial Assessment RMF Continuous Monitoring CYBERSAFE continuous Monitoring OUTPUTS Cyber Attack Trees Cyber Risk Cube Categorization Letter PM Signature CPI Memo Intel Production Requests Threat Model Cyber VOLT Cyber T&E Strategy Cyber Attack Trees Cyber Risk Cube Initial RMF Control Selection & Security Assessment Plan AT Mission Essential Function AT Level of Protection Requirement AT Letter of Concurrence CYBERSAFE Mission Criticality Critical Intelligence Parameters Intel Production Requests Threat Model Cyber Attack Trees Cyber Risk Cube RMF Control Selection & Control Design Plan Initial/ Final AT Plan AT Attack Trees Critical ICT Components SCRM-TAC Request DT Test Plan CYBERSAFE EDRAP Intel Production Requests Threat Model Critical Component CVI Reports Cyber Attack Trees Cyber Risk Cube RMF Risk Assessment Report, Security Assessment Report, FSCA Endorsement & Authorization to Operate SCRM Supply Chain AT Implemented DT Test Report OT Test Report FINTEL CYBERSAFE Certification

11 System Security Engineering (SSE) 24 System Engineering Design Considerations Performance Requirements Structure Maintainability Propulsion Security Safety Power Reliability Other System Engineering System Security Engineering DCs Anti-Tamper (AT) Defense Exportabilty Features (DEF) Software Assurance (SwA) Hardware Assurance (HwA) Cybersecurity Supply Chain Risk Management (SCRM) Other Security (OPSEC, INFOSEC, PERSEC, COMSEC) Survivability / Resilience Source: Defense Acquisition Guidebook (DAG) 11

12 SSE Produces Common Sets of Artifacts Cyber Survivability Endorsement CYBERSAFE Certification Requirements Design Implementation Assessment Artifacts Authority to Operate Anti-tamper Approval ATEA DT / OT Blue & Red Team Test Common set of artifacts tailored into separate approval packages for CYBERSAFE, Cyber Survivability Endorsement, ATO and AT Approval 12

13 System Security Working Group T&E Intel AT Training Ad Hoc Ad Hoc includes as needed: PM, BFM, CON, et. al. POPL SSWG Cyber Team ISSM ISSO ISSE LOG User SE S/W Engr Security Developer The IPT Model Integrates Cybersecurity across Competencies 13

14 System Security Working Group System Security Working Group (SSWG) Charter Inputs CDD Acq Strat DODAF DoDI (enclosure 14) DoDI DoDI DoDI NIST SP DoD Cybersecurity T&E Guide CNSS 505 CNSSI 1253 Security Technical Implementation Guides (STIGs) SSWG Outputs Program Protection Plan (PPP) Cybersecurity Strategy Criticality Analysis Test & Evaluation Master Plan (TEMP) Appendix E Anti-Tamper (AT) Plan Security Engineering Inputs System Engineering Plan (SEP) System Design Software Development Plan (SDP) Request for Proposal (RFP) Program Security Classification Guide (SCG) Supply Chain Risk Management (SCRM) Plan Life Cycle Support Plan (LCSP) Software Assurance Plan Program Budget How do we make these Outputs living documents? 14

15 Test as a Cyber Integrator T&E links the Risk Management Framework (RMF) & Program Protection Plan (PPP) Analysis Mission-Based Cyber Risk Assessment (MBCRA) CTT, CRA, SCA-V, CJA, etc. Institute for Defense Analyses comparative study provides a decision diagram

16 Cyber Risk Assessment (CRA) Shows mission risk, recommends test, justifies fixes, tradeoffs Re-assess selected Cybersecurity Controls Mission Critical Functions Mapped to Subsystems Attack Tree Nodal Analysis Combining All Risk Aspects Mission Based Risk 16 CRA comprehensively Assesses People, Processes & Technology (PPT)

17 Joint Staff Survivability KPP provides a Framework for Integrated Cybersecurity Requirements Why do we need CYBERSAFE, Trusted Systems and Networks, etc.? 17

18 Continuous Red & Blue Testing is the New Normal Exposing Engineers to Failures More Frequently Incentivizes Them to Build Resilient Services. *Chaos Monkey is a service which identifies groups of systems and randomly terminates one of the systems in a group. 18

19 Case Study of Warfighter Information Network Tactical (WIN-T) Inc 2 Passed Adversarial Cyber FOT&E! Cybersecurity Integrates into systems engineering vice separate solution % Fix Effectiveness was key metric! Assumption of breach Continuous Testing & Fixes with JHU APL & Developer Threat models, with > 10 million threat sims

20 Summary Integrated PPP / Cybersecurity requires transformational SSE / RMF Threat and Complexity require continuous monitoring & update MBCRA / Test / PPP update never ends in cyber-contested environment Cyber Survivability offers Rosetta stone approach to unifying / translating RMF Security Controls and Systems (Security) Engineering methods SSWG is paramount helps end Stovepipes PPP brings it all together - can highlight redundant and conflicting issues 20

21 Questions? 21

22 Resources Cybersecurity in the Defense Acquisition System. Enclosure 14 of Department of Defense Instruction (DoDI) , Operation of the Defense Acquisition System, pp , February 2, 2017, Incorporating Change 3, August 10, 2017 DoD Instruction , Critical Program Information (CPI) Identification and Protection Within Research, Development, Test, and Evaluation (RDT&E), May 28, 2015, Incorporating Change 1, November 17, 2017 DoD Directive E, Anti-Tamper (AT), September 4, 2015, Incorporating Change 1, August 28, 2017 DoD Instruction , Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN), November 5, 2012, Incorporating Change 2, July 27, 2017 USD(AT&L) Memorandum, Document Streamlining Program Protection Plan (PPP), July 18, 2011 Cyber Survivability Endorsement Implementation Guide Vol II & Vol III (Classified) Cyber Table Top Facilitator Site: 22

23 Additional Resources Additional Resources & Tools such as CALIT and ACQuipedia articles and videos and can be found at DAU Cybersecurity Community of Practice Page: port%20tools.aspx Tools: Cybersecurity & Acquisition Lifecycle Integration Tool - CALIT Quick Reference Card - Cybersecurity Black Card Videos: Ongoing Efforts to Protect the DoD s Unclassified Information, 13 Jan 17 (duration: 12 min) Cybersecurity Implementation, Kevin Dulany (DoD CIO Office) - Duration: 90 Min Cybersecurity Risk Management Framework Overview Mar 2017 Articles: ACQuipedia - Cybersecurity & the DoD Acquisition Lifecycle ACQuipedia - RMF for DoD IT ACQuipedia - System Survivability KPP ACQuipedia - Supply Chain Risk Management Defense AT&L Magazine - Including Cybersecurity in the Contract Mix, Mar-Apr 2018 Defense AT&L Magazine - Supply Chain Risk Management: An Introduction to the Credible Threat, Jul-Aug 16 Defense AT&L Magazine - Cybersecurity; The Road Ahead for Defense Acquisition, May-Jun 16 Defense AT&L Magazine - Cyber Integrator Concept, Mar-Apr 15 Defense AT&L Magazine - Cybersecurity Challenges for Program Managers, Sep-Oct 14 Crowd Source Article - Fact Sheet Hack the Pentagon 23

24 Contact Info Vinny Lamolinara Steve Kern

25 BACKUP 25

26 Rosetta Stone: SS KPP CSAs to RMF to Systems Security Engineering (SSE) Translation SS KPP/CSE Implementation Guide Vol II Risk-Managed Performance Measures, Joint Staff J6/J8, DCIO, NSA IAC,

27 CSA to RMF to System Security Engineering (SSE) Mapping SS KPP to CSA to RMF (NIST Security Controls) to SSE Mapping Least Privilege Resistance to Attack Continuous Monitoring Prioritized Operations Data Segregation CSA to SSE Recover from a Trusted Source Periodically Save State Threat Evolution Failover Mesh Interrelation Focus on Weapon System germane controls Adapt controls for SSE which is more relevant to Weapon Systems Exemplar SSE Requirements Language for: ICD / CDD / CPD RFP SOW RMF - CSA RMF - SSE 27

28 *Facilitator Training Available via DAU & Ms. Standard, Sarah M CIV OSD OUSD ATL (US), Cyber Table Top (CTT) Risk Assessment Input to Controls Selection / Risk Assessment / Pre-Test User Reps / Focused Mission Areas Exercise Preparation ~ days Exercise Execution ~ 3-5 days Post Exercise Analysis ~ days Reporting Analyze Architecture, CONOPS, Intelligence Define Mission Define Attack Paths, & Vulnerabilities Analyze adversary attacks Determine Cyber Risk: Likelihood vs Consequence Mitigations Reports Color Code Operational Team OPFOR Team Develop Mission Plan Define Access Paths Describe Effects Execute Attacks Develop Mitigations Control / Analysis Teams Reporting Team