Advanced Technology Academic Research Council Federal CISO Summit. Ms. Thérèse Firmin

Transcription

1 Advanced Technology Academic Research Council Federal CISO Summit Ms. Thérèse Firmin Acting Deputy DoD CIO Cyber Security Department of Defense 25 January 2018

2 2 Overview Secretary Mattis Priorities Cybersecurity Focus Areas

3 3 Secretary Mattis Priorities Restore military readiness as we build a more lethal force Strengthen alliance and attract new partners Bring business reforms to the Department of Defense

4 4 Cybersecurity Focus Areas Manage cybersecurity risk to highest priority missions, systems and networks Streamline processes and policies throughout CIO Grow the cyber workforce

5 5 Focus Area 1 Manage Cybersecurity Risk to Highest Priority Missions, Systems and Networks

6 6 Phishing Attacks DOD CYBERSECURITY LANDSCAPE Malware INNOVATION PACE OFCHANGE INTERNET OFTHINGS CLOUD TECHNOLOGY CULTURE LEADERSHIP KNOWLEDGE ACCOUNTABILITY RISKMGMT TRAINING Exfiltration of Intellectual Property DEPENDABLE MISSION EXECUTIONINTHE FACE OF CYBER WARFARE Hactivism CYBERFORCES USERS INDUSTRY GOVTPARTNERS PEOPLE & PARTNERS Insider Threat SYSTEMS & NETWORKS CYBERSECURITY ARCH OPERATINGSYSTEMS/ NETWORKCOMPONENTS MAJOR DOD PROGRAMS Threats from Non-state Adversaries Threats from State Adversaries CYBERSCORECARD CYBERBASICS DISCIPLINE IMPLEMENTAION PLAN MONITORING AND METRICS COMPLIANCE NSCSAR

7 Cyber Executive Order Heads of executive departments and agencies have ultimate responsibility for cybersecurity. CIO/CISO chains of command still responsible, but also includes the non- CIO executive leaders. Within DoD, the Cybersecurity Scorecard is being used as a mechanism to begin to drive this accountability.

8 DIB Cybersecurity Program The DIB Cybersecurity Program is a public-private partnership that: Provides a collaborative environment for sharing unclassified and classified cyber threat information Offers analyst-to-analyst exchanges, mitigation and remediation strategies Increases U.S. Government and industry understanding of cyber threat Eligibility: A contractor must be a Cleared Defense Contractor to participate in this program. Mission: Enhance and supplement Defense Industrial Base (DIB) participants capabilities to safeguard DoD information that resides on, or transits, DIB unclassified information systems S U P P O R T T H E W A R F I G H T E R 8

9 9 Focus Area 2 Streamline Processes and Policies Throughout CIO

10 Protecting the DoD s Unclassified Information Contractor s Internal System Security requirements from NIST SP , DFARS Clause , and/or FAR Clause apply Federal Contract Information Controlled Unclassified Information (USG-wide) Covered Defense Information (includes Unclassified Controlled Technical Information) Controlled Unclassified Information Internal Cloud External Cloud/CSP CSP CSP DoD Owned and/or Operated Information System Unclassified S U P P O R T T H E W A R F I G H T E R System Operated on Behalf of the DoD Controlled Unclassified Information Cloud Service Provider When cloud services are used to process data on the DoD's behalf, DFARS Clause and DoD Cloud Computing SRG apply DoD Information System Security requirements from CNSSI 1253, based on NIST SP , apply Cloud Service Provider When cloud services are provided by DoD, the DoD Cloud Computing SRG applies 10

11 11 Transition from CIO Scorecard 1.0 to 2.0 Scorecard 1.0 provides aggregation of existing data o o o Extensive survey to produce scorecard Limited to compliance (Yes and No) Tabular Data view Scorecard 2.0 shifts to Risk Management Heat Map o o o o Eliminate the human in the loop Integration of threat and impact with current vulnerability data Heat Map View Facilitates agility and rapid decision making by the CISO/CIOs Assists commander as a risk assessment tool for missions Scorecard : Threat / Risk View

12 12 Integrating the Cybersecurity Framework with the Risk Management Framework CS risk only part of organizational risk management procedures Cybersecurity Framework Risk Management Framework Organizational risk management requires multi-disciplinary teams Taxonomy allows IT/CS/Business personnel to communicate Implementation will vary between orgs based on their needs Goal: allocate scarce resources to address CS needs most efficiently Focus on Critical Assets First

13 13 Focus Area 3 Grow the Cyber Workforce

14 Cyber Workforce Trends & Challenges: - Growing Reliance on Technology - Increasingly Complex Operating Environment - Evolution of Skills and Expectations - Lack of Cyber Workforce Standards S U P P O R T T H E W A R F I G H T E R 14

15 15 End State Increased Senior-level advocacy for cybersecurity as a mission imperative. Improved cybersecurity in organic and outsourced systems. Use of tools based on common standards that allow us to exploit power of big data analytics. Increased collaboration with our partners within DoD, other government agencies, industry and our academic partners. Proactive, anticipatory and responsive to cyber threats.

16 16