Cybersecurity Planning Lunch and Learn

Transcription

1 Cybersecurity Planning Lunch and Learn Mr. Tyrone Ty Theriot, CNE May 2017 Presenter: Ty Theriot Moderator: LtCol Stephani Hunsinger LtCol Stephani Hunsinger USAF, CNE Stephani.Hunsinger@dau.mil

2 DoDI , RMF 6 Step Process We will only focus on these 2 for the Lunch and Learn This iterative process parallels the system life cycle, with the RMF activities being initiated at program or system inception 2

3 RMF Integration across the Acquisition Lifecycle IOC A B C Materiel Solution Analysis Technology Maturation & Risk Reduction Engineering & Manufacturing Development LRIP Sustainment Materiel Development Decision DRFPRD Build 1.1 Build 3.1 FRP Decision Operations & Support Build 1.2 ICD Draft CDD Build 0.1 CDD-V CDD Build 1.3 Build 1.4 Build 2.1 CPD Build 3.2 Production & Deployment FOC Disposal SRR 1 CATEGORIZE System Establish Cybersecurity WIPT 2 SELECT Security Controls CSS SP, CMS Influence Design/RFP AS SEP, TEMP SYSTEM SECURITY ENGINEERING (SSE) SSE - MSA Phase Include System Security in Design Trades Leverage Threat Data Evaluate CONOPS Perform initial Criticality Analysis

4 Cybersecurity & the Acquisition Lifecycle Integration Tool (CALIT) CALIT Ver 2.02

5 PM and Cybersecurity The PM is responsible for meeting cybersecurity requirements throughout the lifecycle of the program. Cybersecurity defined as: Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation PMs and Chief Engineers/Lead Systems Engineers who are unfamiliar with the details of the DoD cybersecurity regulations and policies should consider the following three security objectives when trying to balance specific cybersecurity requirements with the other requirements that apply to their system: Confidentiality, Integrity and Availability DoD Program Manager s Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle Sept

6 Cybersecurity Requirements RMF Step 1: Categorize System Categorize the system in accordance with the CNSSI 1253 Initiate the Security Plan Register system with DoD Component Cybersecurity Program Assign qualified personnel to RMF roles OSD RMF Knowledge Service 6

7 Cybersecurity Requirements RMF Step 1: Categorize System For NSS, the Security Categorization Task (RMF Step 1, Task 1-1) is a two-step process: 1. Determine impact values: (i) for the information type(s) processed, stored, transmitted, or protected by the information system; and (ii) for the information system. 2. Identify overlays that apply to the information system and its operating environment to account for additional factors (beyond impact) that influence the selection of Security controls. 7

8 Categorization Definitions (44 U.S.C., Section 3542) CONFIDENTIALITY: Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information. INTEGRITY: Guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity. AVAILABILITY: Ensuring timely and reliable access to and use of information. OSD RMF Knowledge Service 8

9 Confidentiality Factors Answers to the following questions will help in the evaluation process: How can a malicious adversary use the unauthorized disclosure of information to do limited/serious/severe harm to agency operations, agency assets, or individuals? How can a malicious adversary use the unauthorized disclosure of information to gain control of agency assets that might result in unauthorized modification of information, destruction of information, or denial of system services that would result in limited/serious/severe harm to agency operations, agency assets, or individuals? Would unauthorized disclosure/dissemination of elements of the information type violate laws, executive orders, or agency regulations? NIST Special Publication Volume I Revision 1 9

10 Integrity Factors Answers to the following questions will help in the evaluation process: How can a malicious adversary use the unauthorized modification or destruction of information to do limited/serious/severe harm to agency operations, agency assets, or individuals? Would unauthorized modification/destruction of elements of the information type violate laws, executive orders, or agency regulations? NIST Special Publication Volume I Revision 1 10

11 Availability Factors Answers to the following questions will help in the evaluation process: How can a malicious adversary use the disruption of access to or use of information to do limited/serious/severe harm to agency operations, agency assets, or individuals? Would disruption of access to or use of elements of the information type violate laws, executive orders, or agency regulations? NIST Special Publication Volume I Revision 1 11

12 Confidentiality, Integrity and Availability Impact Levels Potential Impact Definitions from CNSSI 1253, Section 3.1: LOW: If the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. MODERATE: If the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals and exceeds mission expectations. HIGH: If the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals and exceeds mission expectations. 12

13 NIST Special Publication Volume I Revision 1 13

14 RMF Step 1: Categorize System (example) Determine system categorization impact level for Confidentiality, Integrity and Availability by determining impact values for each information type and rolling up into a high water mark. Information Type Impact Values C I A Logistics L L L Intelligence L M L Targeting M L L Surveillance L L L Reconnaissance L L L Mine Detection L L L System Categorization M M L Defense-in-Depth Functional Implementation Architecture (DFIA) Defense Level MML High Water Mark. Work with your Security Control Assessor to tailor. 14

15 Confidentiality, Integrity and Availability Impact Levels EXAMPLE 1: A law enforcement organization managing extremely sensitive investigative information determines that the potential impact from a loss of confidentiality is high, the potential impact from a loss of integrity is moderate, and the potential impact from a loss of availability is moderate. Defense-in-Depth Functional Implementation Architecture (DFIA) Defense Level HMM EXAMPLE 2: A financial organization managing routine administrative information (not privacy related information) determines that the potential impact from a loss of confidentiality is low, the potential impact from a loss of integrity is low, and the potential impact from a loss of availability is low. Defense-in-Depth Functional Implementation Architecture (DFIA) Defense Level LLL NIST Special Publication Volume I Revision 1 15

16 Identify Overlay Security categorization is a two-step process: Step 1. Determine potential impact values for the information type(s) processed, stored or transmitted or protected by the information system; and for the information system. Step 2. Identify overlays that apply to the information system and its operating environment to account for additional factors (beyond impact) that influence the selection of security controls. OSD RMF Knowledge Service 16

17 Identify Overlay Attachments to Appendix F (Formerly Appendix K) CNSS Published Overlays: Attachment 1: Overlay Template (1 Aug 13) Attachment 2: Space Platform Overlay (6 Jun 13) Attachment 3: Cross Domain Solution Overlay (27 Sep 13) Attachment 4: Intelligence Overlay (23 Oct 12) (Document is U//FOUO) Attachment 5: Classified Information Overlay (9 May 14) Attachment 6: Privacy Overlay (20 Apr 15) 17

18 Identify Overlay 18

19 Cybersecurity Requirements RMF Step 2: Select Security Controls Common Control Identification Select security controls Develop system-level continuous monitoring strategy Review and approve the security plan and continuous monitoring strategy Apply overlays and tailor OSD RMF Knowledge Service 19

20 Security Control Family Each family contains security controls related to the general security topic of the family Security Controls and Control Enhancements organized into 18 RMF Security Control Families with over 900 controls Control Flexibility Assignment and selection statements embedded within controls to allow organizations to define these values 20

21 OSD RMF Knowledge Service SELECT 21

22 OSD RMF Knowledge Service SELECT 22

23 OSD RMF Knowledge Service 23

24 OSD RMF Knowledge Service SELECT 24

25 OSD RMF Knowledge Service Work with your Security Control Assessor to tailor controls. 25

26 Cybersecurity Planning Lunch and Learn Questions? Mr. Tyrone Ty Theriot, CNE May 2017 Presenter: Ty Theriot Moderator: LtCol Stephani Hunsinger LtCol Stephani Hunsinger USAF, CNE Stephani.Hunsinger@dau.mil