DoDD DoDI

Size: px
Start display at page:

Download "DoDD DoDI"

Transcription

1 DoDD DoDI Tutorial Lecture for students pursuing NSTISSI 4011 INFOSEC Professional 1

2 Scope of DoDD Information Classes: Unclassified Sensitive information Classified All ISs to include: All DoD owned or controlled information systems Information systems under contract to DoD Outsourced information based processes (ex. Those supporting e-commerce or e-business) Information systems of non-appropriated fund (NAF) activities Stand-alone information systems Mobile computing devices (i.e. laptop, PDA, handheld) 2

3 DoDD Policy Information Assurance Requirements and new/upgraded systems According to this directive, IA requirements will be identified and included in the design, acquisition, installation, upgrade, or replacement of any information system within DoD. Also, Public Key Infrastructure (PKI) certificates and biometrics will be incorporated into all new and upgraded systems whenever possible. All DoD information systems shall maintain an appropriate level of confidentiality, integrity, authentication, non-repudiation, and availability that reflects a balance among: the importance and sensitivity of the information and information assets documented threats and vulnerabilities the trustworthiness of users and interconnected systems the impact or destruction of the system cost effectiveness For IA purposes, all DoD Systems are organized and managed within 4 categories Automated Information Systems (AIS) applications Enclaves (includes networks) outsourced IT-based processes Platform IT interconnections IA readiness is a critical element of overall mission readiness. It will be monitored, reported, and evaluated throughout DoD and validated by the DoD CIO. 3

4 DoDD Information Assurance DoDD became effective on 24 October (Certified current as of 21 Nov 2003). Its purpose is to establish policy and assign responsibilities in order to achieve Department of Defense (DoD) information assurance (IA). It accomplishes this by utilizing a defense-in-depth approach that integrates the capabilities of personnel, operations, and technology, and supports the evolution to network-centric warfare. This directive supercedes the following documents: DoD Directive Security Requirements for Automated Information Systems DoD M -- ADP Security Manual DoD STD -- DoD Trusted Computer Security Evaluation Criteria DoD Chief Information Officer (CIO) Memorandum It designates the Secretary of the Army as the Executive Agent for the integration of common biometric technologies throughout the Department of Defense. 4

5 DoDD COTS IA Compliance National Security Telecommunications and Information Systems Security Policy Number 11 NSTISSP #11 is a national security community policy governing the acquisition of information assurance (IA) and IA enabled information technology products. The policy was issued by the Chairman of the National Security Telecommunications and Information Systems Security Committee (NSTISSC), now known as the Committee on National Security Systems (CNSS) in January 2000 and revised in June The policy mandates, effective 1 July 2002, that departments and agencies within the Executive Branch shall acquire, for use on national security systems, only those COTS products or cryptographic modules that have been validated with the International Common Criteria for Information Technology Security Evaluation, the National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS), or by the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) The objective of NSTISSP #11 is to ensure that COTS IA and IA-enabled IT products acquired by the U.S. Government for use in national security systems perform as advertised by their respective manufacturers, or satisfy the security requirements of the intended user. To achieve this objective, the policy requires COTS products be evaluated and validated in accordance with either the International Common Criteria for Information Technology Security Evaluation, or the National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) Supportive of the intent and implementation of NSTISSP #11, the NSA and NIST have collaborated to establish the following two evaluation and validation programs: National Information Assurance Partnership's (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS) Program NIST Federal Information Processing Standard (FIPS)Cryptographic Module Validation Program (CMVP) 5

6 Compliance Decision Tree ** Compliance with applicable guidance in the 8500 series is recommended for all other systems with embedded IT assets Series IA

7 IA Compliance by Acq. Program Type 7

8 DoDI Overview Multi-Echelon Management Structure 8

9 DoDI Overview Multi-Echelon Management Structure 9

10 IA Controls (Enclosure 4, DoDI ) IA Control Subject Area. One of eight groups indicating the major subject or focus area to which an individual IA Control is assigned. (Next Slide) IA Control Number. A unique identifier comprised of four letters, a dash, and a number. The first two letters are an abbreviation for the subject area name and the second two letters are an abbreviation for the individual IA Control name. The number represents a level of robustness in ascending order that is relative to each IA Control. (Next Slide) IA Control Name. A brief title phrase that describes the individual IA Control. IA Control Text. One or more sentences that describe the IA condition or state that the IA Control is intended to achieve. 10

11 Another IA Control Example 11

12 IA Control Subject Areas Enclosure 4, DoDI In the example to the right --> the control level is two (2), which means there is a related IA Control, ECCT-1, that provides less robustness. There may also be an IA Control, ECCT-3, that provides greater robustness. 12

13 Baseline Information Assurance Levels Mandated DoDD , described in DoDI All DoD information systems shall be assigned a mission assurance category. The mission assurance category reflects the importance of information relative to the achievement of DoD goals and objectives, particularly the warfighters' combat mission. DOD has three defined mission assurance categories: Mission Assurance Category I (MAC I) Systems handling information that is determined to be vital to the operational readiness or mission effectiveness of deployed and contingency forces in terms of both content and timeliness. The consequences of loss of integrity or availability of a MAC I system are unacceptable and could include the immediate and sustained loss of mission effectiveness. MAC I systems require the most stringent protection measures. 13

14 DOD has three defined mission assurance categories: (cont.) Mission Assurance Category II (MAC II) Systems handling information that is important to the support of deployed and contingency forces. The consequences of loss of integrity are unacceptable. Loss of availability is difficult to deal with and can only be tolerated for a short time. The consequences could include delay or degradation in providing important support services or commodities that may seriously impact mission effectiveness or operational readiness. MAC II systems require additional safeguards beyond best practices to ensure adequate assurance. Mission Assurance Category III (MAC III) Systems handling information that is necessary for the conduct of day-today business, but does not materially affect support to deployed or contingency forces in the short term. The consequences of loss of integrity or availability can be tolerated or overcome without significant impacts on mission effectiveness or operational readiness. The consequences could include the delay or degradation of services or commodities enabling routine activities. MAC III systems require proactive measures, techniques, or procedures generally commensurate with commercial best practices. 14

15 Mission Assurance Category Summary DoDI Enclosure 3 The baseline sets of IA controls are pre-defined based on the determination of the Mission Assurance Category (MAC) and Confidentiality Levels as specified in the formal requirements documentation or by the info owner. IA Controls addressing availability, confidentiality, integrity, authentication and nonrepudiation requirements are keyed to the system s MAC based on the importance of the information to the mission, particularly the warfighters' combat mission, and on the sensitivity or classification of the information. 15

16 Mission Assurance Category Levels for IA Controls IA Controls addressing confidentiality requirements are based on the sensitivity or classification of the information. There are three MAC levels and three confidentiality levels with each level representing increasingly stringent information assurance requirements. 16

17 Determining Baseline IA Controls 17

18 JCIDS Process and Acquisition Decisions CJCSI E 18

19 JCIDS and Information Assurance Information Assurance - Information operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality and nonrepudiation. This includes providing for restoration of information systems by incorporating protection, detection and reaction capabilities. Net-ready Key Performance Parameter (NR-KPP) - (see following) 19

DIACAP and the GIG IA Architecture. 10 th ICCRTS June 16, 2005 Jenifer M. Wierum (O) (C)

DIACAP and the GIG IA Architecture. 10 th ICCRTS June 16, 2005 Jenifer M. Wierum (O) (C) DIACAP and the GIG IA Architecture 10 th ICCRTS June 16, 2005 Jenifer M. Wierum (O) 210-9252417 (C) 210-396-0254 jwierum@cygnacom.com OMB Circular A-130 (1996) OMB A-130 required systems and applications

More information

This is to certify that. Chris FitzGerald. has completed the course. Systems Security Engineering _eng 2/10/08

This is to certify that. Chris FitzGerald. has completed the course. Systems Security Engineering _eng 2/10/08 This is to certify that Chris FitzGerald has completed the course Systems Security Engineering - 206760_eng on 2/10/08 Systems Security Engineering About This Course Overview/Description To define the

More information

Committee on National Security Systems. CNSS Policy No. 14 November 2002

Committee on National Security Systems. CNSS Policy No. 14 November 2002 Committee on National Security Systems CNSS Policy No. 14 November 2002 National Policy Governing the Release of Information Assurance (IA) Products and Services to Authorized U.S. Persons or Activities

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Risk Monitoring Risk Monitoring assesses the effectiveness of the risk decisions that are made by the Enterprise.

More information

Department of Defense INSTRUCTION

Department of Defense INSTRUCTION Department of Defense INSTRUCTION NUMBER 8551.1 August 13, 2004 ASD(NII)/DoD CIO SUBJECT: Ports, Protocols, and Services Management (PPSM) References: (a) DoD Directive 8500.1, "Information Assurance (IA),"

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS IA Policies, Procedures, The Information Assurance (IA) Policies, Procedures, encompasses existing policies, procedures,

More information

10th International Command and Control Research and Technology Symposium The Future of C2

10th International Command and Control Research and Technology Symposium The Future of C2 10th International Command and Control Research and Technology Symposium The Future of C2 Defense Information Assurance Certification and Accreditation Process (DIACAP) and the Global Information Grid

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Signature Repository A Signature Repository provides a group of signatures for use by network security tools such

More information

Appendix 12 Risk Assessment Plan

Appendix 12 Risk Assessment Plan Appendix 12 Risk Assessment Plan DRAFT December 13, 2006 Revision XX Qwest Government Services, Inc. 4250 North Fairfax Drive Arlington, VA 22203 A12-1 RFP: TQC-JTB-05-0001 December 13, 2006 REVISION HISTORY

More information

Appendix 12 Risk Assessment Plan

Appendix 12 Risk Assessment Plan Appendix 12 Risk Assessment Plan DRAFT March 5, 2007 Revision XX Qwest Government Services, Inc. 4250 North Fairfax Drive Arlington, VA 22203 A12-i RFP: TQC-JTB-05-0002 March 5, 2007 REVISION HISTORY Revision

More information

An Introduction to Department of Defense IA Certification and Accreditation Process (DIACAP)

An Introduction to Department of Defense IA Certification and Accreditation Process (DIACAP) An Introduction to Department of Defense IA Certification and Accreditation Process (DIACAP) Solutions Built On Security Prepared for The IT Security Community and our Customers Prepared by Lunarline,

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Key Management Key Management is a service and process that provides, controls, and maintains the cryptographic keys,

More information

NIST Security Certification and Accreditation Project

NIST Security Certification and Accreditation Project NIST Security Certification and Accreditation Project An Integrated Strategy Supporting FISMA Dr. Ron Ross Computer Security Division Information Technology Laboratory 1 Today s Climate Highly interactive

More information

Streamlined FISMA Compliance For Hosted Information Systems

Streamlined FISMA Compliance For Hosted Information Systems Streamlined FISMA Compliance For Hosted Information Systems Faster Certification and Accreditation at a Reduced Cost IT-CNP, INC. WWW.GOVDATAHOSTING.COM WHITEPAPER :: Executive Summary Federal, State and

More information

Progress Report National Information Assurance Partnership

Progress Report National Information Assurance Partnership Progress Report 2012-2015 National Information Assurance Partnership Executive Summary The National Information Assurance Partnership (NIAP) has made significant progress in three primary mission areas:

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Port Security Port Security helps to control access to logical and physical ports, protocols, and services. This

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Network Boundary and The Network Boundary and for an Enterprise is essential; it provides for an understanding of

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Deployment Deployment is the phase of the system development lifecycle in which solutions are placed into use to

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Host Intrusion The Host Intrusion employs a response to a perceived incident of interference on a host-based system

More information

MICROSOFT (MS) WINDOWS DEFENDER ANTIVIRUS SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW. Version 1, Release 4 27 APRIL 2018

MICROSOFT (MS) WINDOWS DEFENDER ANTIVIRUS SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW. Version 1, Release 4 27 APRIL 2018 MICROSOFT (MS) WINDOWS DEFENDER ANTIVIRUS SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW Version 1, Release 4 27 APRIL 2018 Developed by for the DoD Trademark Information Names, products, and

More information

Test & Evaluation of the NR-KPP

Test & Evaluation of the NR-KPP Defense Information Systems Agency Test & Evaluation of the NR-KPP Danielle Mackenzie Koester Chief, Engineering and Policy Branch March 15, 2011 2 "The information provided in this briefing is for general

More information

National Information Assurance (IA) Policy on Wireless Capabilities

National Information Assurance (IA) Policy on Wireless Capabilities Committee on National Security Systems CNSS Policy No. 17 National Information Assurance (IA) Policy on Wireless Capabilities This document prescribes minimum standards. Your department or agency may require

More information

IMPROVING CYBERSECURITY AND RESILIENCE THROUGH ACQUISITION

IMPROVING CYBERSECURITY AND RESILIENCE THROUGH ACQUISITION IMPROVING CYBERSECURITY AND RESILIENCE THROUGH ACQUISITION Briefing for OFPP Working Group 19 Feb 2015 Emile Monette GSA Office of Governmentwide Policy emile.monette@gsa.gov Cybersecurity Threats are

More information

Executive Order 13556

Executive Order 13556 Briefing Outline Executive Order 13556 CUI Registry 32 CFR, Part 2002 Understanding the CUI Program Phased Implementation Approach to Contractor Environment 2 Executive Order 13556 Established CUI Program

More information

Achieving a FIPS Compliant Wireless Infrastructure using Intel Centrino Mobile Technology Clients

Achieving a FIPS Compliant Wireless Infrastructure using Intel Centrino Mobile Technology Clients Achieving a FIPS Compliant Wireless Infrastructure using Intel Centrino Mobile Technology Clients This document is provided as is with no warranties whatsoever, including any warranty of merchantability,

More information

CYBER SECURITY BRIEF. Presented By: Curt Parkinson DCMA

CYBER SECURITY BRIEF. Presented By: Curt Parkinson DCMA CYBER SECURITY BRIEF Presented By: Curt Parkinson DCMA September 20, 2017 Agenda 2 DFARS 239.71 Updates Cybersecurity Contracting DFARS Clause 252.204-7001 DFARS Clause 252.239-7012 DFARS Clause 252.239-7010

More information

DATABASE SECURITY REQUIREMENTS GUIDE (SRG) TECHNOLOGY OVERVIEW. Version 2, Release October Developed by DISA for the DoD

DATABASE SECURITY REQUIREMENTS GUIDE (SRG) TECHNOLOGY OVERVIEW. Version 2, Release October Developed by DISA for the DoD DATABASE SECURITY REQUIREMENTS GUIDE (SRG) TECHNOLOGY OVERVIEW Version 2, Release 5 28 October 2016 Developed by for the DoD 28 October 2016 Developed by for the DoD Trademark Information Names, products,

More information

CNSS Advisory Memorandum Information Assurance December 2010 Advisory Memorandum

CNSS Advisory Memorandum Information Assurance December 2010 Advisory Memorandum December 2010 Advisory Memorandum Reducing the Risk of Removable Media in National Security Systems NATIONAL MANAGER FOREWORD 1. Using removable media presents serious risks to the security of National

More information

Building an Assurance Foundation for 21 st Century Information Systems and Networks

Building an Assurance Foundation for 21 st Century Information Systems and Networks Building an Assurance Foundation for 21 st Century Information Systems and Networks The Role of IT Security Standards, Metrics, and Assessment Programs Dr. Ron Ross National Information Assurance Partnership

More information

MICROSOFT SQL SERVER 2016 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW. Version 1, Release March 2018

MICROSOFT SQL SERVER 2016 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW. Version 1, Release March 2018 MICROSOFT SQL SERVER 2016 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW Version 1, Release 1 09 March 2018 Developed by Microsoft and for the DoD Trademark Information Names, products, and services

More information

STUDENT GUIDE Risk Management Framework Step 1: Categorization of the Information System

STUDENT GUIDE Risk Management Framework Step 1: Categorization of the Information System Slide 1 RMF Overview RMF Module 1 RMF takes into account the organization as a whole, including strategic goals and objectives and relationships between mission/business processes, the supporting information

More information

National Policy Governing the Use of High Assurance Internet Protocol Encryptor (HAIPE) Products

National Policy Governing the Use of High Assurance Internet Protocol Encryptor (HAIPE) Products Committee on National Security Systems CNSS Policy No. 19 February 2007 National Policy Governing the Use of High Assurance Internet Protocol Encryptor (HAIPE) Products This document prescribes minimum

More information

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA? Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA? A brief overview of security requirements for Federal government agencies applicable to contracted IT services,

More information

Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations (NIST SP Revision 1)

Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations (NIST SP Revision 1) https://www.csiac.org/ Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations (NIST SP800-171 Revision 1) Today s Presenter: Wade Kastorff SRC, Commercial Cyber Security

More information

National Information Assurance Partnership (NIAP) 2017 Report. PPs Completed in CY2017

National Information Assurance Partnership (NIAP) 2017 Report. PPs Completed in CY2017 National Information Assurance Partnership (NIAP) 2017 Report NIAP continued to grow and make a difference in 2017 from increasing the number of evaluated products available for U.S. National Security

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Network Mapping The Network Mapping helps visualize the network and understand relationships and connectivity between

More information

COTS, Subversions, and the Foreign Supply Chain issues for DoD Systems. Dr. Ben A. Calloni, P.E. Lockheed Martin Fellow, Software Security

COTS, Subversions, and the Foreign Supply Chain issues for DoD Systems. Dr. Ben A. Calloni, P.E. Lockheed Martin Fellow, Software Security Superior Products Through Innovation COTS, Subversions, and the Foreign Supply Chain issues for DoD Systems Dr. Ben A. Calloni, P.E. Lockheed Martin Fellow, Software Security Research Program Manager and

More information

SIPRNet Contractor Approval Process (SCAP) December 2011 v2. Roles and Responsibilities

SIPRNet Contractor Approval Process (SCAP) December 2011 v2. Roles and Responsibilities Roles and Responsibilities PARTICIPANT RESPONSIBILITIES Defense Security Service (DSS) DAA for Information Systems (IS) used to process classified information in the National Industrial Security Program

More information

Cybersecurity in Acquisition

Cybersecurity in Acquisition Kristen J. Baldwin Acting Deputy Assistant Secretary of Defense for Systems Engineering (DASD(SE)) Federal Cybersecurity Summit September 15, 2016 Sep 15, 2016 Page-1 Acquisition program activities must

More information

FiXs - Federated and Secure Identity Management in Operation

FiXs - Federated and Secure Identity Management in Operation FiXs - Federated and Secure Identity Management in Operation Implementing federated identity management and assurance in operational scenarios The Federation for Identity and Cross-Credentialing Systems

More information

TABLE OF CONTENTS. Page REFERENCES 5 DEFINITIONS 8 ABBREVIATIONS AND/OR ACRONYMS 18 C1. CHAPTER 1 - INTRODUCTION 20

TABLE OF CONTENTS. Page REFERENCES 5 DEFINITIONS 8 ABBREVIATIONS AND/OR ACRONYMS 18 C1. CHAPTER 1 - INTRODUCTION 20 1 2 FOREWORD TABLE OF CONTENTS Page REFERENCES 5 DEFINITIONS 8 ABBREVIATIONS AND/OR ACRONYMS 18 C1. CHAPTER 1 - INTRODUCTION 20 C1.1. BACKGROUND 20 C1.2. TECHNOLOGY OVERVIEW 21 C1.3. DITSCAP OBJECTIVE

More information

OFFICE OF THE UNDER SECRETARY OF DEFENSE 3000DEFENSEPENTAGON WASHINGTON, DC

OFFICE OF THE UNDER SECRETARY OF DEFENSE 3000DEFENSEPENTAGON WASHINGTON, DC OFFICE OF THE UNDER SECRETARY OF DEFENSE 3000DEFENSEPENTAGON WASHINGTON, DC 20301-3000 ACQUISITION, TECHNO LOGY. A N D LOGISTICS SEP 2 1 2017 MEMORANDUM FOR COMMANDER, UNITED ST A TES SPECIAL OPERATIONS

More information

Rocky Mountain Cyberspace Symposium 2018 DoD Cyber Resiliency

Rocky Mountain Cyberspace Symposium 2018 DoD Cyber Resiliency Rocky Mountain Cyberspace Symposium 2018 DoD Cyber Resiliency Mr. Ed Brindley Acting Deputy Cyber Security Department of Defense 7 March 2018 SUPPORT THE WARFIGHTER 2 Overview Secretary Mattis Priorities

More information

Cybersecurity Challenges

Cybersecurity Challenges Cybersecurity Challenges Protecting DoD s Information NAVSEA Small Business Industry Day August 8, 2017 1 Outline Protecting DoD s Information DFARS Clause 252.204-7012 Contractor and Subcontractor Requirements

More information

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report National Information Assurance Partnership TM Common Criteria Evaluation and Validation Scheme Validation Report Blue Ridge Networks BorderGuard Centrally Managed Embedded PKI Virtual Private Network (VPN)

More information

DIACAP IA CONTROLS. Requirements Document. Sasa Basara University of Missouri-St. Louis

DIACAP IA CONTROLS. Requirements Document. Sasa Basara University of Missouri-St. Louis DIACAP IA CONTROLS Requirements Document 10.13.2015 Sasa Basara University of Missouri-St. Louis 1 1 University Blvd St. Louis, MO 63121 Overview This task is creating threshold (shall) requirements for

More information

Cybersecurity (CS) (as a Risk Based Approach) & Supply Chain Risk Management (SCRM) (Levels of Assurance for HwA, SwA & Assured Services?

Cybersecurity (CS) (as a Risk Based Approach) & Supply Chain Risk Management (SCRM) (Levels of Assurance for HwA, SwA & Assured Services? Cybersecurity (CS) (as a Risk Based Approach) & Supply Chain Risk Management (SCRM) (Levels of Assurance for HwA, SwA & Assured Services?) Don Davidson Deputy Director, CS Implementation and CS/Acquisition

More information

DOD INSTRUCTION COMMERCIAL WIRELESS LOCAL-AREA NETWORK (WLAN) DEVICES, SYSTEMS, AND TECHNOLOGIES

DOD INSTRUCTION COMMERCIAL WIRELESS LOCAL-AREA NETWORK (WLAN) DEVICES, SYSTEMS, AND TECHNOLOGIES DOD INSTRUCTION 8420.01 COMMERCIAL WIRELESS LOCAL-AREA NETWORK (WLAN) DEVICES, SYSTEMS, AND TECHNOLOGIES Originating Component: Office of the Chief Information Officer of the Department of Defense Effective:

More information

Department of Defense INSTRUCTION. DoD Information Assurance Certification and Accreditation Process (DIACAP)

Department of Defense INSTRUCTION. DoD Information Assurance Certification and Accreditation Process (DIACAP) Department of Defense INSTRUCTION NUMBER 8510.01 November 28, 2007 ASD(NII)/DoD CIO SUBJECT: References: DoD Information Assurance Certification and Accreditation Process (DIACAP) (a) Subchapter III of

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Network Intrusion The Network Intrusion helps to detect malicious activity incoming to, outgoing from, and on the

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Network Hunting The Network Hunting is employed to proactively look for indicators of an active threat or exploitation

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Network Intrusion Network Intrusion Prevention employs a response to perceived anomalous activity on the network.

More information

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

existing customer base (commercial and guidance and directives and all Federal regulations as federal) ATTACHMENT 7 BSS RISK MANAGEMENT FRAMEWORK PLAN [L.30.2.7, M.2.2.(7), G.5.6; F.2.1(41) THROUGH (76)] A7.1 BSS SECURITY REQUIREMENTS Our Business Support Systems (BSS) Risk MetTel ensures the security of

More information

UNICOS/mp Common Criteria Evaluation

UNICOS/mp Common Criteria Evaluation UNICOS/mp Common Criteria Evaluation Janet Lebens, Cray Inc. Cray Proprietary Agenda Definitions NIAP CCEVS Common Criteria CC vs TCSEC Why Evaluate? Steps of Evaluation Details of Steps for Cray / Progress

More information

International Standard ISO/IEC 17799:2000 Code of Practice for Information Security Management. Frequently Asked Questions

International Standard ISO/IEC 17799:2000 Code of Practice for Information Security Management. Frequently Asked Questions November 2002 International Standard ISO/IEC 17799:2000 Code of Practice for Information Security Management Introduction Frequently Asked Questions The National Institute of Standards and Technology s

More information

Safeguarding Unclassified Controlled Technical Information

Safeguarding Unclassified Controlled Technical Information Safeguarding Unclassified Controlled Technical Information (DFARS Case 2011-D039): The Challenges of New DFARS Requirements and Recommendations for Compliance Version 1 Authors: Justin Gercken, TSCP E.K.

More information

Department of Defense (DoD) Joint Federated Assurance Center (JFAC) Overview

Department of Defense (DoD) Joint Federated Assurance Center (JFAC) Overview Department of Defense (DoD) Joint Federated Assurance Center (JFAC) Overview Kristen Baldwin Principal Deputy, Office of the Deputy Assistant Secretary of Defense for Systems Engineering (DASD(SE)) 17

More information

We are releasing 7 pages of responsive documents. Pursuant to FOIA, certain information has been redacted as it is exempt from release.

We are releasing 7 pages of responsive documents. Pursuant to FOIA, certain information has been redacted as it is exempt from release. Description of document: Requested date: Released date: Posted date: Source of document: President's Council on Integrity and Efficiency Information (PCIE) Information Technology Investigations Sub- Committee

More information

Defining IT Security Requirements for Federal Systems and Networks

Defining IT Security Requirements for Federal Systems and Networks Defining IT Security Requirements for Federal Systems and Networks Employing Common Criteria Profiles in Key Technology Areas Dr. Ron Ross 1 The Fundamentals Building more secure systems depends on the

More information

UNCLASSIFIED. FY 2016 Base FY 2016 OCO

UNCLASSIFIED. FY 2016 Base FY 2016 OCO Exhibit R-2, RDT&E Budget Item Justification: PB 2016 Defense Security Service Date: February 2015 0400: Research, Development, Test & Evaluation, Defense-Wide / BA 7: Operational Systems Development COST

More information

CYBER RESILIENT AND SECURE WEAPON SYSTEMS ACQUISITION / PROPOSAL DISCUSSION

CYBER RESILIENT AND SECURE WEAPON SYSTEMS ACQUISITION / PROPOSAL DISCUSSION CYBER RESILIENT AND SECURE WEAPON SYSTEMS ACQUISITION / PROPOSAL DISCUSSION Integrated Defense Systems Holly Dunlap October 2017 Copyright 2017, Raytheon Company All rights reserved Perception, Expectations

More information

Net-Centric Systems Design and Requirements Development in today s environment of Cyber warfare

Net-Centric Systems Design and Requirements Development in today s environment of Cyber warfare Net-Centric Systems Design and Requirements Development in today s environment of Cyber warfare 2015 NDIA Systems Engineering Conference Dr. Craig Arndt Defense Acquisition University 1 Agenda Requirements

More information

T&E IN CYBERSPACE (UCR TESTING)

T&E IN CYBERSPACE (UCR TESTING) T&E IN CYBERSPACE (UCR TESTING) TRACK CHAIR COL Joe Puett CDR, JITC PRESENTER Richard Delgado Jr. TECHNOLOGY for RAPID ACQUISITION AND TEST Unified Capabilities Requirements (UCR) Testing Mr. Richard Delgado

More information

DoDI IA Control Checklist - MAC 1-Classified. Version 1, Release March 2008

DoDI IA Control Checklist - MAC 1-Classified. Version 1, Release March 2008 DoDI 8500-2 IA Control Checklist - MAC 1-Classified Version 1, Release 1.4 Developed by DISA for the DOD UNTILL FILLED IN CIRCLE ONE FOR OFFICIAL USE ONLY (mark each page) CONFIDENTIAL and SECRET (mark

More information

DoD Mobility Mobility Product Security Certification Processes

DoD Mobility Mobility Product Security Certification Processes DoD Mobility Mobility Product Security Certification Processes Greg Youst DISA Chief Mobility Engineer 25 May 2017 Agenda DoD Mobility Unclassified Mobility Certification Process Main DoD Approved Product

More information

Forensics and Biometrics Enterprise Reference Architecture (FBEA)

Forensics and Biometrics Enterprise Reference Architecture (FBEA) Forensics and Biometrics Enterprise Reference (FBEA) Overview and Summary Information (AV-1) Final Draft Version 2.6 Aug 2016 Version History Version# Date Page(s) Changed Change Description 1.0 Feb 2016

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE Digital Policy Management consists of a set of computer programs used to generate, convert, deconflict, validate, assess

More information

DoD ANNEX FOR PROTECTION PROFILE FOR APPLICATION SOFTWARE V1.2. Version 1, Release February Developed by DISA for the DoD

DoD ANNEX FOR PROTECTION PROFILE FOR APPLICATION SOFTWARE V1.2. Version 1, Release February Developed by DISA for the DoD DoD ANNEX FOR PROTECTION PROFILE FOR APPLICATION SOFTWARE V1.2 Version 1, Release 1 21 February 2018 Developed by for the DoD 21 February 2018 Developed by for the DoD Trademark Information Names, products,

More information

STUDENT GUIDE Risk Management Framework Step 5: Authorizing Systems

STUDENT GUIDE Risk Management Framework Step 5: Authorizing Systems Slide 1 - Risk Management Framework RMF Module 5 Welcome to Lesson 5 - RMF Step 5 Authorizing Systems. Once the security controls are assessed, the POA&M and security authorization package must be finalized

More information

Advanced Technology Academic Research Council Federal CISO Summit. Ms. Thérèse Firmin

Advanced Technology Academic Research Council Federal CISO Summit. Ms. Thérèse Firmin Advanced Technology Academic Research Council Federal CISO Summit Ms. Thérèse Firmin Acting Deputy DoD CIO Cyber Security Department of Defense 25 January 2018 2 Overview Secretary Mattis Priorities Cybersecurity

More information

Helping Meet the OMB Directive

Helping Meet the OMB Directive Helping Meet the OMB 11-11 Directive March 2017 Implementing federated identity management OMB Memo 11-11 Meeting FICAM Objectives Figure 1: ICAM Conceptual Diagram FICAM Targets Figure 11: Federal Enterprise

More information

Securing Content in the Department of Defense s Global Information Grid

Securing Content in the Department of Defense s Global Information Grid Securing Content in the Department of Defense s Global Information Grid Secure Knowledge Workshop State University of New York - Buffalo 23-24 September 2004 Robert W. McGraw Technical Director IA Architecture

More information

t a Foresight Consulting, GPO Box 116, Canberra ACT 2601, AUSTRALIA e foresightconsulting.com.

t a Foresight Consulting, GPO Box 116, Canberra ACT 2601, AUSTRALIA e foresightconsulting.com. e info@ Mr. James Kavanagh Chief Security Advisor Microsoft Australia Level 4, 6 National Circuit, Barton, ACT 2600 19 August 2015 Microsoft CRM Online IRAP Assessment Letter of Compliance Dear Mr. Kavanagh,

More information

Forecast to Industry Program Executive Office Mission Assurance/NetOps

Forecast to Industry Program Executive Office Mission Assurance/NetOps Defense Information Systems Agency A Combat Support Agency Forecast to Industry Program Executive Office Mission Assurance/NetOps Mark Orndorff Director, PEO MA/NetOps 29 July 2010 What We Do We develop,

More information

TEL2813/IS2820 Security Management

TEL2813/IS2820 Security Management TEL2813/IS2820 Security Management Security Management Models And Practices Lecture 6 Jan 27, 2005 Introduction To create or maintain a secure environment 1. Design working security plan 2. Implement management

More information

Affordable Security. Sarah Pramanik April 10, 2013

Affordable Security. Sarah Pramanik April 10, 2013 Affordable Security Sarah Pramanik April 10, 2013 It s a Balancing Act Affordability Security 2 Overview Defining Cyber Security Defense in Depth Program Risk vs. Security Risk Life Cycle Phases Pre-proposal/Proposal

More information

Security Management Models And Practices Feb 5, 2008

Security Management Models And Practices Feb 5, 2008 TEL2813/IS2820 Security Management Security Management Models And Practices Feb 5, 2008 Objectives Overview basic standards and best practices Overview of ISO 17799 Overview of NIST SP documents related

More information

DoD Internet Protocol Version 6 (IPv6) Contractual Language

DoD Internet Protocol Version 6 (IPv6) Contractual Language DoD Internet Protocol Version 6 (IPv6) Contractual Language 1. Purpose: Contents of this document shall be incorporated in Government Acquisition Programs, Procurements, Services, and Contracts (including

More information

Cyber Security Summit 2014 USCENTCOM Cybersecurity Cooperation

Cyber Security Summit 2014 USCENTCOM Cybersecurity Cooperation Cyber Security Summit 2014 USCENTCOM Cybersecurity Cooperation COL Michael R. Corpening Deputy Chief, Operations Division (CCJ6-O) 1 December 2014 The overall classification of this brief is UNCLASSIFIED

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Host Intrusion Detection The Host Intrusion Detection helps to detect malicious activity by monitoring for anomalies

More information

Cybersecurity & Privacy Enhancements

Cybersecurity & Privacy Enhancements Business, Industry and Government Cybersecurity & Privacy Enhancements John Lainhart, Director, Grant Thornton The National Institute of Standards and Technology (NIST) is in the process of updating their

More information

FISMA Cybersecurity Performance Metrics and Scoring

FISMA Cybersecurity Performance Metrics and Scoring DOT Cybersecurity Summit FISMA Cybersecurity Performance Metrics and Scoring Office of the Federal Chief Information Officer, OMB OMB Cyber and National Security Unit, OMBCyber@omb.eop.gov 2. Cybersecurity

More information

Cybersecurity Risk Management

Cybersecurity Risk Management Cybersecurity Risk Management NIST Guidance DFARS Requirements MEP Assistance David Stieren Division Chief, Programs and Partnerships National Institute of Standards and Technology (NIST) Manufacturing

More information

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Enhancing the Cybersecurity of Federal Information and Assets through CSIP TECH BRIEF How BeyondTrust Helps Government Agencies Address Privileged Access Management to Improve Security Contents Introduction... 2 Achieving CSIP Objectives... 2 Steps to improve protection... 3

More information

SYSTEMS ASSET MANAGEMENT POLICY

SYSTEMS ASSET MANAGEMENT POLICY SYSTEMS ASSET MANAGEMENT POLICY Policy: Asset Management Policy Owner: CIO Change Management Original Implementation Date: 7/1/2017 Effective Date: 7/1/2017 Revision Date: Approved By: NIST Cyber Security

More information

Information Technology Branch Organization of Cyber Security Technical Standard

Information Technology Branch Organization of Cyber Security Technical Standard Information Technology Branch Organization of Cyber Security Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 1 November 20, 2014 Approved:

More information

Information Assurance and DoD: A Partnership with Industry

Information Assurance and DoD: A Partnership with Industry Information Assurance and DoD: A Partnership with Industry Presented By: Robert Lentz Director, Information Assurance OASD(C3I) for the ITAA InfoSec Committee Meeting March 26, 2002 REPORT DOCUMENTATION

More information

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015 Cloud Computing Standard Effective Date: July 28, 2015 1.1 INTRODUCTION Cloud computing services are application and infrastructure resources that users access via the Internet. These services, contractually

More information

Information Systems Security Requirements for Federal GIS Initiatives

Information Systems Security Requirements for Federal GIS Initiatives Requirements for Federal GIS Initiatives Alan R. Butler, CDP Senior Project Manager Penobscot Bay Media, LLC 32 Washington Street, Suite 230 Camden, ME 04841 1 Federal GIS "We are at risk," advises the

More information

CIS 444: Computer. Networking. Courses X X X X X X X X X

CIS 444: Computer. Networking. Courses X X X X X X X X X 4012 Points Courses * = Can include a summary justification for that section. FUNCTION 1 - GRANT FINAL ATO A. Responsibilities 1. Aspects of Security *Explain the importance of SSM role in (IA) 2. Accreditation

More information

U.S. FLEET CYBER COMMAND U.S. TENTH FLEET Managing Cybersecurity Risk

U.S. FLEET CYBER COMMAND U.S. TENTH FLEET Managing Cybersecurity Risk U.S. FLEET CYBER COMMAND U.S. TENTH FLEET Managing Cybersecurity Risk Neal Miller, Navy Authorizing Official December 13, 2016 UNCLASSIFIED 1 Some Inconvenient Truths The bad guys and gals still only work

More information

Guide for Assessing the Security Controls in Federal Information Systems

Guide for Assessing the Security Controls in Federal Information Systems NIST Special Publication 800-53A Guide for Assessing the Security Controls in Federal Information Systems Ron Ross Arnold Johnson Stu Katzke Patricia Toth George Rogers I N F O R M A T I O N S E C U R

More information

DFARS Cyber Rule Considerations For Contractors In 2018

DFARS Cyber Rule Considerations For Contractors In 2018 Portfolio Media. Inc. 111 West 19 th Street, 5th Floor New York, NY 10011 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 customerservice@law360.com DFARS Cyber Rule Considerations For Contractors

More information

Requirements for Building Effective Government WLANs

Requirements for Building Effective Government WLANs White Paper Government Requirements for Building Effective Government WLANs CJ Mathias Farpoint Group Introduction With governments just now beginning the adoption of wireless LANs as a key component of

More information

Courses. X E - Verify that system acquisitions policies and procedures include assessment of risk management policies X X

Courses. X E - Verify that system acquisitions policies and procedures include assessment of risk management policies X X 4016 Points * = Can include a summary justification for that section. FUNCTION 1 - INFORMATION SYSTEM LIFE CYCLE ACTIVITIES Life Cycle Duties No Subsection 2. System Disposition/Reutilization *E - Discuss

More information

Dr. Steven J. Hutchison Principal Deputy Developmental Test and Evaluation

Dr. Steven J. Hutchison Principal Deputy Developmental Test and Evaluation Nov 2012 Page-1 Dr. Steven J. Hutchison Principal Deputy Developmental Test and Evaluation November 2012 Nov 2012 Page-2 DT&E for Complex Systems Performance Reliability Interoperability Information Security

More information

Agenda. Bibliography

Agenda. Bibliography Humor 2 1 Agenda 3 Trusted Digital Repositories (TDR) definition Open Archival Information System (OAIS) its relevance to TDRs Requirements for a TDR Trustworthy Repositories Audit & Certification: Criteria

More information

GSAW Information Assurance in Government Space Systems: From Art to Engineering

GSAW Information Assurance in Government Space Systems: From Art to Engineering GSAW 2006 Information Assurance in Government Space Systems: From Art to Engineering Charles Lavine The Aerospace Corporation 310-336-1595 lavine@aero.org 1 Toward the Global Information Grid Toward the

More information

Interagency Advisory Board HSPD-12 Insights: Past, Present and Future. Carol Bales Office of Management and Budget December 2, 2008

Interagency Advisory Board HSPD-12 Insights: Past, Present and Future. Carol Bales Office of Management and Budget December 2, 2008 Interagency Advisory Board HSPD-12 Insights: Past, Present and Future Carol Bales Office of Management and Budget December 2, 2008 Importance of Identity, Credential and Access Management within the Federal

More information

AMRDEC CYBER Capabilities

AMRDEC CYBER Capabilities Presented to: HAMA AMRDEC CYBER Capabilities Distribution Statement A: Approved for public release: distribution unlimited 08 July 16 Presented by: Julie Locker AMRDEC Cyber Lead U.S. Army Aviation and

More information