ISA 201 Intermediate Information Systems Acquisition
- Theresa Lewis
Transcription

Slide 2: Lesson 8 (Part A)
Slide 3: Learning Objectives
Today we will learn to:
- Overall: Apply cybersecurity analysis throughout acquisition lifecycle phases.
- Analyze factors that drive cybersecurity requirements.
- Recognize the cybersecurity risks programs should consider in risk management activities.
- Demonstrate cybersecurity integration into the Source Selection and Solicitation processes.
- Examine cybersecurity considerations in system security engineering (SSE) / systems engineering (SE) reviews.
- Recognize planning aspects for cybersecurity testing and evaluation.
- Discuss cybersecurity lifecycle support and maintenance considerations.
- Recognize software assurance protections.
- Examine continuous monitoring of cybersecurity risk.
- Recognize key aspects of cybersecurity incident handling.
Slide 4: Lesson Overview / Lesson Plan
- DoD Policy
- Cybersecurity Requirements
- Exercise 1
- Risk Management Integration
- Exercise 2
- Cybersecurity in Solicitation Processes
- Cybersecurity in SSE / SE Processes
- Software Assurance
- Exercise 3
- Planning for Testing and Evaluation
- Lifecycle Support and Maintenance
- Continuous Monitoring
- Incident Handling
- Exercise 4
- Summary
Slide 5: In-Class Quiz
- Team 1: ____ and ____ are two areas of emphasis that differentiate the definition of cybersecurity from the previous definition of IA (Information Assurance).
- Team 2: Confidentiality, Integrity, Availability, Non-repudiation, and Authentication are often referred to as ____.
- Team 3: True or False: The Risk Management Framework (RMF) for DoD Information Technology is included in DoDI ____.
- Team 4: The ____ ensures all appropriate RMF tasks are initiated and completed, with appropriate documentation, for assigned ISs and PIT systems; monitors and tracks overall execution of system-level POA&Ms; promotes reciprocity; and signs the Security Plan.
- Team 5: True or False: Assigning MAC levels is one of the 6 steps of the Risk Management Framework (RMF).
(DoD Cloud Computing)
Slide 6: Cybersecurity in the Defense Acquisition System (New Enclosure 14)
Overarching Tenets:
- Cybersecurity will be fully considered and implemented in all aspects of acquisition programs across the life cycle.
- Responsibility for cybersecurity extends to all members of the acquisition workforce.
- Cybersecurity is a requirement for all DoD programs.
- Program Managers are responsible for the cybersecurity of their programs, systems and information.
- Cybersecurity applies to systems that reside on networks and to stand-alone systems that are not persistently connected to networks during tactical and strategic operations.
Effective 10 August,
Slide 7: Framework Integration
Slide 8: High-level Cybersecurity Requirements Factors
- Authorization Boundary influences cybersecurity requirements; e.g., protection of system access points, information flows, interfaces and dependencies among subsystems and external systems.
- Criticality Analysis and Vulnerability Analysis: the cyber assets most critical to mission accomplishment (the "crown jewels").
- Mission, operating environment and threats to the system.
- RMF System Categorization: potential impact values for the information types processed, stored or transmitted by the system if Confidentiality, Integrity, and/or Availability were jeopardized.
- System design features (KPPs, KSAs; Key Performance Parameters and Key System Attributes) that promote security and survivability.
RMF is one requirement factor, not the only one.
Slide 9: System Authorization Boundary / Interfaces / Dependencies (diagram)
The diagram shows the weapon system accreditation boundary and its entry points (the team focus area): ground support equipment, removable media (CD, PCMCIA, et al.), an air gap, a hard connection, and the surrounding system of systems. The entry points are marked as the moderate-to-high risk areas with the highest likelihood.
Caption: First... what am I responsible for protecting?
Slide 10: System Authorization Boundary Determination
- The Authorizing Official (AO) authorizes a system to operate based upon a cybersecurity risk determination.
- Prior to an authorization to operate, the system's security boundary is determined; this is the Authorization Boundary.
- The Authorization Boundary is the security perimeter of what you are protecting.
- Establishing an Authorization Boundary and the associated risk management implications is an organization-wide activity, including careful negotiation among all key stakeholders.
Who are some key stakeholders?
Slide 11: Considerations for Determining the Scope of an Authorization Boundary
Authorization Boundary: all components of an information system to be authorized for operation by an authorizing official.
- Resources are generally under the same direct management control (e.g., budgetary, programmatic, operational authority).
- Resources generally support the same mission/business objectives or functions and require similar cybersecurity requirements.
- Resources generally reside in the same general operating environment (or, in the case of a distributed system, reside in various locations with similar operating environments).
Ref: NIST SP R1, Guide for Applying RMF to Federal Information Systems
Slide 12: Choose Your Boundary Carefully
Larger Boundary: more centralized oversight/control of:
- Patching
- Configuration Management
- System-of-Systems Testing
- Cost / Budget
- Continuous Monitoring
- Supply Chain Risk Management
- Lifecycle Maintenance
- Communications at key internal boundaries among subsystems
May economize processes / documentation.

Smaller Boundary: increased coordination (e.g., Service Level Agreements) with subsystems in separate boundaries to ensure the system-of-systems can work together in a secure and functional manner. Considerations where dependencies and/or impacts may exist among subsystems include:
- Patching
- Configuration Management
- System-of-Systems Testing
- Cost / Budget
- Dependencies
- Continuous Monitoring
- Supply Chain Risk Management
- Lifecycle Maintenance
- Monitoring and controlling communications at key internal boundaries among subsystems
May facilitate targeted application of security controls, potentially lending a more cost-effective risk management approach, at the price of an increased level of coordination.
Slide 13: Early in the Lifecycle
Added Cyber Survivability as a key element of the mandatory System Survivability KPP.
Slide 14: Cyber Survivability Endorsement to the System Survivability KPP
The Joint Staff and DoD CIO developed Cyber Survivability Endorsement (CSE) criteria to assess requirements for key attributes that increase cyber survivability.
Slide 15: Cyber Survivability Attributes
SS KPP Pillars: Prevent, Mitigate, Recover.
Cyber Survivability Attributes (CSA):
- CSA 01 - Control Access
- CSA 02 - Reduce Cyber Detectability
- CSA 03 - Secure Transmissions and Communications
- CSA 04 - Protect Information from Exploitation
- CSA 05 - Partition and Ensure Critical Functions at Mission Completion Performance Levels
- CSA 06 - Minimize and Harden Cyber Attack Surfaces
- CSA 07 - Baseline & Monitor Systems, and Detect Anomalies
- CSA 08 - Manage System Performance if Degraded by Cyber Events
- CSA 09 - Recover System Capabilities
- CSA 10 - Actively Manage System's Configuration to Counter Vulnerabilities at Tactically Relevant Speeds
Prevent: design requirements that protect the weapon system's functions from the most likely and greatest-risk cyber threats.
Mitigate: design requirements that detect and respond to cyber-attacks, enabling resiliency of weapon system functions to complete the mission.
Recover: design requirements that ensure minimum cyber capability is available to recover from a cyber attack and enable the weapon system to quickly restore full functionality.
Slide 16: CSE 5-Step Approach
- Determine the System Mission Type; this helps define the required cyber survivability protection for the capability.
- What is the system's cyber dependence to perform its mission-critical functions?
- Determine the mission impact of loss for all mission-critical functions due to a cyber event.
- Determine the level of the most capable cyber threat actor to the system.
- The resulting Cyber Survivability Risk Category (CSRC) provides consistency between the levels of Cyber Survivability requirements, development and testing.
The CSE 5-step risk-managed approach takes these variables into account together rather than in isolation.
Slide 18: Exercise 1: JTAMS Requirements Analysis
For the JTAMS Program:
1. Identify advantages/challenges of the proposed Authorization Boundary.
2. Identify the Cyber Survivability Risk Category.*
3. Identify the three most critical Cyber Survivability Attributes (CSAs)* for JTAMS and explain your rationale for selecting the three CSAs you chose.
4. Brief your results.
*Use Volume I: Survivability Endorsement Guide, available on the RMFKS (pp 11-29).
Slide 20: Cybersecurity - Risk Management Framework (RMF)
The Authorizing Official (AO) authorizes a system's operation based upon a risk determination. The AO is involved throughout the system's lifecycle.
Slide 21: The Cybersecurity & Acquisition Lifecycle Integration Tool (CALIT)
Slide 22: Some Key DoD Cybersecurity Tenets
- Cybersecurity is risk-based, mission-driven, and addressed early and continually.
- Cybersecurity requirements are treated like other system requirements.
- System security architecture and data flows are developed early, and are continuously updated to maintain the desired security posture.
- Cybersecurity is implemented to increase a system's capability to protect, detect, react, and restore, even when under attack from an adversary.
- Cybersecurity risk assessments are conducted early and often, and integrated with other risk management activities.
- Reciprocity is used where possible through sharing and reuse of test and evaluation products, i.e., test once and use by all.
... is a Significant Risk to DoD Systems!
Slides 23-25: Risk Management Integration
Three activities feed cybersecurity risk management integration:
- Risk, Issue, and Opportunity Management. Risks: the probability of an undesired event or condition and the impact were it to occur. Issues: events or conditions with a negative effect that have occurred. Opportunities: future benefits to the program's cost, schedule and/or performance baseline.
- Program Protection and Trusted Systems & Networks (TSN), including TSN Analysis.
- Risk Management Framework (RMF).
Slide 26: Elements of Cybersecurity Risks
Cyber vulnerabilities provide potential exploitation points for adversaries to steal, alter, or destroy the system functionality, information, or technology they seek. Program managers will pay particular attention to the program and system elements that are vulnerable and can be exposed to targeting.
At a minimum, the PM's technical risk and opportunity management will consider:¹
- Government Program Organization: poor cybersecurity practices, insider threat, untrained personnel
- Contractor Organizations and Environments: design, development, production environments
- Supply Chain
- Software and Hardware
- System Interfaces
- Enabling and Support Equipment, Systems and Facilities
- Fielded Systems
¹Ref: DoDI , Update, Enclosure 14, Incorporated 2 Feb
Slide 28: Exercise 2 - Identify Risks
Col Dau is the new Program Manager for a new unmanned aerial bomber system (UABS). The mission is to fly the unmanned aerial bombers to a target and drop bombs to destroy those targets. To execute the mission, air tasking orders are issued using a ground-based information system through an encrypted interface. The unmanned aerial bomber is remotely controlled and operated using a ground-based system. The bomber includes SW and HW components that are essential to real-time operation of the bomber itself; the IT is critical to loading air tasking orders, flying the aircraft, guiding it to its target, commanding it to release bombs, etc.
Col Dau is standing up her Program Office and wants to make sure she has the right expertise for her team. Upandaway, the prime contractor, is also standing up its Program Office and bringing on subcontractors. M&S will be used to reduce risk. Some legacy systems will be incorporated into the final system-of-systems. Extensive testing and crew training will be integral to the success of the Program.
Using DoDI Enclosure 14, what potential cybersecurity risks (consider the whole ecosystem) should Col Dau consider in this scenario?
Slide 29: UABS Risks
- Team 1: Organizations and Environments
- Team 2: Software / Hardware
- Team 3: System Interfaces
- Team 4: Enabling and Support Equipment, Systems, and Facilities
- Team 5: Fielded Systems
Slide 31: Contracting for Cybersecurity is not Cookie Cutting
Early involvement is key!
- Ensure cybersecurity requirements are incorporated in contracts.
- Help contracting officers understand program cybersecurity requirements and risks so that the appropriate contract type is selected and trade-space decisions are informed.
Source Selection Discriminators:
- Include cybersecurity evaluation factors and subfactors tied to RFP cybersecurity requirements and objectives that will impact source selection.
- NDAA 2011, Section 806 permits consideration of supply chain risk in source selection.
Slide 32: FAR / DFARS Clauses
Integrate cybersecurity into contracting language. FAR/DFARS clauses: one size does not fit all; TAILOR to your program requirements.
Ref: DoDI , Change 2, Table 12: Resources and Publications
- FAR Clause : applies to the extent that the contract involves access to information classified Confidential, Secret, or Top Secret.
- FAR Clause : applies to information not intended for public release that is provided by or generated for the Government under a contract.
- DFARS Clause : requires a company to safeguard CDI, as defined in the clause, and to report to the DoD the possible exfiltration, manipulation, or other loss or compromise.
- Section 933 of the National Defense Authorization Act for Fiscal Year 2013, Public Law : requires use of appropriate automated vulnerability analysis tools in computer software code.
Slide 33: Some Best Practices (Statement of Work)
Does the RFP require the contractor to...?
Mitigate Supplier Risk:
- Establish a process for trusted suppliers.
- Obtain DoD-specific computer microchips from a DMEA-approved supplier.¹
- Use secure shipping methods for critical components.
- Ensure tech manuals are printed by a trusted supplier.
- Use blind buys for critical-function components.
Mitigate Software Risk:
- Conduct/support penetration testing.
- Correct errors in contractor-developed software within an agreed-upon timeframe.
- Conduct regression tests following changes to function code.
- Ensure software patch integrity is maintained in transit through encryption and authentication.
¹Defense Microelectronics Activity (DMEA)
References: DoDI , Trusted Systems and Networks (TSN) Analysis, June
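The "patch integrity in transit" practice above is usually stated as a contract line, but the receiving program has to be able to check it. The following is an added example, not code from the ISA 201 slides or from any DoD tool: it shows the authentication half of the practice (encryption in transit is a separate layer, e.g. TLS). A patch bundle ships with a manifest listing the version and a SHA-256 digest per file, and an HMAC-SHA256 over the manifest. The receiver authenticates the manifest first, then checks the version against the installed one (so an authentic but old patch cannot be replayed), then checks the file set and every digest. The shared key, file names and contents are constructed for the example; a production pipeline would use an asymmetric signature and a PKI instead of a shared key.

```python
import hashlib
import hmac
import json

# Constructed sample key for the example. In a real program the key would be
# distributed out of band (or replaced by an asymmetric signing key and PKI),
# never embedded in the update tooling.
SHARED_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def _canonical(manifest: dict) -> bytes:
    """Serialize the manifest deterministically so producer and verifier
    authenticate byte-identical input."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(version: str, files: dict) -> dict:
    """Producer side: record the version and a SHA-256 digest of every file
    in the patch bundle."""
    return {
        "version": version,
        "files": {name: hashlib.sha256(data).hexdigest() for name, data in files.items()},
    }


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Producer side: HMAC-SHA256 over the canonical manifest. Only the
    manifest is MACed; each file is bound to it through its digest."""
    return hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()


def _parse_version(text: str) -> tuple:
    return tuple(int(part) for part in text.split("."))


def verify_bundle(manifest: dict, tag: str, files: dict, key: bytes, installed_version: str):
    """Receiver side. Returns (ok, reason). Checks are ordered so that nothing
    inside the manifest is trusted before the manifest itself is authenticated."""
    # 1. Authenticate the manifest; constant-time compare avoids a timing oracle.
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return False, "manifest authentication failed"
    # 2. Anti-rollback: an authentic but older (or equal) bundle is not installed.
    try:
        if _parse_version(manifest["version"]) <= _parse_version(installed_version):
            return False, "rollback to version %s rejected" % manifest["version"]
    except (KeyError, ValueError):
        return False, "malformed version"
    # 3. Same file set as listed: a missing or extra file means an altered bundle.
    listed = manifest.get("files", {})
    if set(listed) != set(files):
        return False, "file set mismatch"
    # 4. Every file must hash to the value the authenticated manifest records.
    for name, data in files.items():
        if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), listed[name]):
            return False, "hash mismatch for %s" % name
    return True, "ok"


def demo():
    """Constructed bundle plus three tampering scenarios; returns the outcomes."""
    files = {"fcs_update.bin": b"\x7fELF" + b"\x00" * 32, "config.yaml": b"throttle: 1\n"}
    manifest = build_manifest("2.1.0", files)
    tag = sign_manifest(manifest, SHARED_KEY)
    tampered = dict(files, **{"config.yaml": b"throttle: 9\n"})  # file altered in transit
    forged = dict(manifest, version="9.9.9")                     # manifest edited, MAC stale
    return {
        "genuine": verify_bundle(manifest, tag, files, SHARED_KEY, "2.0.9"),
        "file_modified": verify_bundle(manifest, tag, tampered, SHARED_KEY, "2.0.9"),
        "manifest_forged": verify_bundle(forged, tag, files, SHARED_KEY, "2.0.9"),
        "replayed_old": verify_bundle(manifest, tag, files, SHARED_KEY, "2.1.0"),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print("%-16s %s (%s)" % (case, "ACCEPT" if ok else "REJECT", reason))
```

Note the check order: the version and file list are read only after the MAC verifies, because an attacker who can edit an unauthenticated manifest could otherwise steer the receiver with a crafted version string or file list before any integrity check runs.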
Slide 34: Contract Considerations - Sample RFP Language (Annex H, Request for Proposal Considerations)
Section C, Description/Spec/SOW:
- Identify the categorization of the system.
- Provide a list of applicable security controls.
- Ensure all CDRLs adequately address cybersecurity execution support (e.g., data rights, test data, test plans, source code deliveries, etc.).
Section L, Instructions to Offerors:
- Describe the experience of cybersecurity staff.
- Identify any cybersecurity-related DIDs contractors must provide.
Slide 35: Summary
Today we learned to:
- Overall: Apply cybersecurity analysis throughout acquisition lifecycle phases.
- Analyze factors that drive cybersecurity requirements.
- Recognize the cybersecurity risks programs should consider in risk management activities.
- Demonstrate cybersecurity integration into Source Selection and Solicitation processes.
- Examine cybersecurity considerations in system security engineering (SSE) / systems engineering (SE) reviews.
- Recognize planning aspects for cybersecurity testing and evaluation.
- Discuss cybersecurity lifecycle support and maintenance considerations.
- Recognize software assurance protections.
- Examine continuous monitoring of cybersecurity risk.
- Recognize key aspects of cybersecurity incident handling.
Slide 36: JRATS with JTAMS OV-1 (diagram)
Elements shown: Joint Command Center, STAMIS, DODIN, JTAMS GS software module, FUAV software modules, SATCOM and GPS software modules, JUGV software module and JUGVs, shooters, and horizontal technology insertion.
More informationICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)
ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update) June 2017 INSERT YEAR HERE Contact Information: Jeremy Dalpiaz AVP, Cyber and Data Security Policy Jeremy.Dalpiaz@icba.org ICBA Summary
More informationCYBER RESILIENT AND SECURE WEAPON SYSTEMS ACQUISITION / PROPOSAL DISCUSSION
CYBER RESILIENT AND SECURE WEAPON SYSTEMS ACQUISITION / PROPOSAL DISCUSSION Integrated Defense Systems Holly Dunlap October 2017 Copyright 2017, Raytheon Company All rights reserved Perception, Expectations
More informationChapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS
Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS The Saskatchewan Power Corporation (SaskPower) is the principal supplier of power in Saskatchewan with its mission to deliver power
More informationSystems Engineering for Software Assurance
Systems Engineering for Software Assurance Kristen Baldwin Office of the Under Secretary of Defense Acquisition, Technology and Logistics Systems Engineering Software Assurance Scope: Software is fundamental
More informationThe Insider Threat Center: Thwarting the Evil Insider
The Insider Threat Center: Thwarting the Evil Insider The CERT Top 10 List for Winning the Battle Against Insider Threats Randy Trzeciak 14 June 2012 2007-2012 Carnegie Mellon University Notices 2011 Carnegie
More informationDoDD DoDI
DoDD 8500.1 DoDI 8500.2 Tutorial Lecture for students pursuing NSTISSI 4011 INFOSEC Professional 1 Scope of DoDD 8500.1 Information Classes: Unclassified Sensitive information Classified All ISs to include:
More informationSecurity Management Models And Practices Feb 5, 2008
TEL2813/IS2820 Security Management Security Management Models And Practices Feb 5, 2008 Objectives Overview basic standards and best practices Overview of ISO 17799 Overview of NIST SP documents related
More informationImplementing a Modular Open Systems Approach (MOSA) to Achieve Acquisition Agility in Defense Acquisition Programs
Implementing a Modular Open Systems Approach (MOSA) to Achieve Acquisition Agility in Defense Acquisition Programs Philomena Zimmerman Office of the Deputy Assistant Secretary of Defense for Systems Engineering
More informationCybersecurity vs. Cyber Survivability: A Paradigm Shift
U.S. ARMY EVALUATION CENTER Cybersecurity vs. Cyber Survivability: A Paradigm Shift March 8, 2018 BLUF The T&E community should stop using the term cybersecurity when what we mean is cyber survivability
More informationCyber Resilience. Think18. Felicity March IBM Corporation
Cyber Resilience Think18 Felicity March 1 2018 IBM Corporation Cyber Resilience Cyber Resilience is the ability of an organisation to maintain its core purpose and integrity during and after a cyber attack
More informationTEL2813/IS2820 Security Management
TEL2813/IS2820 Security Management Security Management Models And Practices Lecture 6 Jan 27, 2005 Introduction To create or maintain a secure environment 1. Design working security plan 2. Implement management
More informationThe Operational Test & Evaluation Cybersecurity Terrain
The Operational Test & Evaluation Cybersecurity Terrain William Budman Redmond AFOTEC/ED Approved for public release; distribution is unlimited. AFOTEC Public Affairs Public Release Number 2018-03 1 BLUF:
More informationEngineering Cyber Resilient Weapon Systems
Engineering Cyber Resilient Weapon Systems Melinda K. Reed Office of the Deputy Assistant Secretary of Defense for Systems Engineering (DASD(SE)) 20th Annual NDIA Systems Engineering Conference Springfield,
More informationSolutions Technology, Inc. (STI) Corporate Capability Brief
Solutions Technology, Inc. (STI) Corporate Capability Brief STI CORPORATE OVERVIEW Located in the metropolitan area of Washington, District of Columbia (D.C.), Solutions Technology Inc. (STI), women owned
More informationBUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE
BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE 1 WHAT IS YOUR SITUATION? Excel spreadsheets Manually intensive Too many competing priorities Lack of effective reporting Too many consultants Not
More informationCybersecurity for Department of Defense Microgrids: An Army Perspective
Cybersecurity for Department of Defense Microgrids: An Army Perspective Lori Ross O Neil with Cliff Glantz, David McKinnon, Fleur DePeralta, Mark Watson, Paul Boyd, Emily Barrett and Darlene Thorsen Pacific
More informationSECURITY & PRIVACY DOCUMENTATION
Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive
More informationCyber Security Program
Cyber Security Program Cyber Security Program Goals and Objectives Goals Provide comprehensive Security Education and Awareness to the University community Build trust with the University community by
More informationFunction Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments
Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments 1 ID.AM-1: Physical devices and systems within the organization are inventoried Asset Management (ID.AM): The
More informationGet Compliant with the New DFARS Cybersecurity Requirements
Get Compliant with the New DFARS 252.204-7012 Cybersecurity Requirements Reginald M. Jones ( Reggie ) Chair, Federal Government Contracts Practice Group rjones@foxrothschild.com; 202-461-3111 August 30,
More informationSpace Cyber: An Aerospace Perspective
Space Cyber: An Aerospace Perspective USAF Cyber Vision 2025 AFSPC 19-21 March 2012 Frank Belz and Joe Betser The Aerospace Corporation Computers and Software Division 20 March 2012 frank.belz@aero.org
More informationJoint Federated Assurance Center (JFAC): 2018 Update. What Is the JFAC?
21 st Annual National Defense Industrial Association Systems and Mission Engineering Conference Joint Federated Assurance Center (JFAC): 2018 Update Thomas Hurt Office of the Under Secretary of Defense
More informationCyber Security Challenges
Cyber Security Challenges Navigating Information System Security Protections Vicki Michetti, DoD CIO, Director, DIB Cybersecurity Program Mary Thomas, OUSD(AT&L), Defense Procurement and Acquisition Policy
More informationSystems 2020 Strategic Initiative Overview
Systems 2020 Strategic Initiative Overview Kristen Baldwin ODDR&E/Systems Engineering 13 th Annual NDIA Systems Engineering Conference San Diego, CA October 28, 2010 Oct 2010 Page-1 DISTRIBUTION STATEMENT
More informationCourses. X E - Verify that system acquisitions policies and procedures include assessment of risk management policies X X
4016 Points * = Can include a summary justification for that section. FUNCTION 1 - INFORMATION SYSTEM LIFE CYCLE ACTIVITIES Life Cycle Duties No Subsection 2. System Disposition/Reutilization *E - Discuss
More informationSystems Engineering Update/SD-22
Systems Engineering Update/SD-22 Presented to the Parts Standardization & Management Committee October 30 - November 1, 2012 IDA 4850 Mark Center Drive Alexandria, Virginia 22311 Outline News from the
More informationCyber Risk in the Marine Transportation System
Cyber Risk in the Marine Transportation System Cubic Global Defense MAR'01 1 Cubic.com/Global-Defense/National-Security 1 Cubic Global Defense Global Security Team Capabilities Program Management Integration
More informationSOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)
SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP) Adaptive Cybersecurity at the Speed of Your Business Attackers Evolve. Risk is in Constant Fluctuation. Security is a Never-ending Cycle.
More informationStrengthening the Cybersecurity of Federal Networks and Critical Infrastructure
Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure Executive Order 13800 Update July 2017 In Brief On May 11, 2017, President Trump issued Executive Order 13800, Strengthening
More informationAvionics Cyber T&E Examples Testing Cyber Security Resilience to support Operations in the 3rd Offset Environment
Avionics Cyber T&E Examples Testing Cyber Security Resilience to support Operations in the 3rd Offset Environment 26 January 2017 Presented by: Mr. Chad Miller NAVAIR Cyber T&E What: Replicate Cyber Battlespace
More informationSecurity and Privacy Governance Program Guidelines
Security and Privacy Governance Program Guidelines Effective Security and Privacy Programs start with attention to Governance. Governance refers to the roles and responsibilities that are established by
More informationStreamlined FISMA Compliance For Hosted Information Systems
Streamlined FISMA Compliance For Hosted Information Systems Faster Certification and Accreditation at a Reduced Cost IT-CNP, INC. WWW.GOVDATAHOSTING.COM WHITEPAPER :: Executive Summary Federal, State and
More informationSupplier Training Excellence Program
Supplier Training Excellence Program Cybersecurity Webinar February 9, 2017 Agenda Why must my company complete the Cyber Questionnaire(s)? What are the Cyber Questionnaire(s)? How do I get help? What
More informationDIACAP and the GIG IA Architecture. 10 th ICCRTS June 16, 2005 Jenifer M. Wierum (O) (C)
DIACAP and the GIG IA Architecture 10 th ICCRTS June 16, 2005 Jenifer M. Wierum (O) 210-9252417 (C) 210-396-0254 jwierum@cygnacom.com OMB Circular A-130 (1996) OMB A-130 required systems and applications
More informationCyber Hygiene: A Baseline Set of Practices
[DISTRIBUTION STATEMENT A] Approved for public Cyber Hygiene: A Baseline Set of Practices Matt Trevors Charles M. Wallen Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Copyright
More informationSAC PA Security Frameworks - FISMA and NIST
SAC PA Security Frameworks - FISMA and NIST 800-171 June 23, 2017 SECURITY FRAMEWORKS Chris Seiders, CISSP Scott Weinman, CISSP, CISA Agenda Compliance standards FISMA NIST SP 800-171 Importance of Compliance
More informationDFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com
DFARS Compliance SLAIT Consulting SECURITY SERVICES Mike D Arezzo Director of Security Services Introduction 18+ year career in Information Technology and Security General Electric (GE) as Software Governance
More informationSeagate Supply Chain Standards and Operational Systems
DATA IS POTENTIAL Seagate Supply Chain Standards and Operational Systems Government Solutions Henry Newman May 9 2018 Supply Chain Standards and Results Agenda 1. 2. SUPPLY CHAIN REQUIREMENTS AND STANDARDS
More informationNIST Special Publication
NIST Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations Ryan Bonner Brightline WHAT IS INFORMATION SECURITY? Personnel Security
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity November 2017 cyberframework@nist.gov Supporting Risk Management with Framework 2 Core: A Common Language Foundational for Integrated Teams
More information