ISA 201 Intermediate Information Systems Acquisition

Transcription

1 ISA 201 Intermediate Information Systems Acquisition 1

2 Lesson 8 (Part A) 2

3 Learning Objectives Today we will learn to: Overall: Apply cybersecurity analysis throughout acquisition lifecycle phases. Analyze factors that drive cybersecurity requirements. Recognize programs should consider in risk management activities. Demonstrate cybersecurity integration into the Source Selectin and Solicitation processes. Examine cybersecurity considerations in system security engineering (SSE) / systems engineering (SE) reviews Recognize planning aspects for cybersecurity testing and evaluation Discuss cybersecurity lifecycle support and maintenance considerations Recognize software assurance protections Examine continuous monitoring of cybersecurity risk Recognize key aspects of cybersecurity incident handling 3

4 Requirements Exercise 1 Risk Management Integration Exercise 2 in Solicitation Processes in SSE / SE Processes Software Assurance Exercise 3 Planning for Testing and Evaluation Lifecycle Support and Maintenance Continuous Monitoring Incident Handling Exercise 4 Summary Lesson Overview Lesson Plan 4

5 In-Class Quiz Team 1 and are two areas of emphasis that differentiate the definition of from the previous definition of IA (Information Assurance). Team 2 Confidentiality, Integrity, Availability, Non-repudiation, and Authentication are often referred to as Team 3 True or False: The Risk Management Framework (RMF) for DoD Information Technology is included in DoDI Team 4 Team 5 The ensures all appropriate RMF tasks are initiated and completed, with appropriate documentation, for assigned ISs and PIT systems. Monitors and tracks overall execution of system-level POA&Ms, promotes reciprocity, signs Security Plan. True or False: Assigning MAC levels is one of the 6 steps of the Risk Management Framework (RMF) DoD Cloud Computing 5

6 in the Defense Acquisition System New Enclosure 14 Overarching Tenets will be fully considered and implemented in all aspects of acquisition programs across the life cycle Responsibility for cybersecurity extends to all members of the acquisition workforce is a requirement for all DoD Programs Program Managers are responsible for the cybersecurity of their programs, systems and information applies to systems that reside on networks and stand alone systems that are not persistently connected to networks during tactical and strategic operations Effective 10 August,

7 Framework Integration 7

8 High-level Requirements Factors Authorization Boundary influences cybersecurity requirements; e.g., protection of system access points, information flows, interfaces and dependencies among subsystems and external systems Criticality Analysis and Vulnerability Analysis - Cyber assets most critical to mission accomplishment crown jewels Mission, operating environment and threats to system RMF System Categorization: Potential impact values for information types processed, stored or transmitted by the system if Confidentiality, Integrity, and/or Availability were jeopardized System design features (KPPs, KSAs) that promote security and survivability RMF Is One Requirement Factor! 8

9 System Authorization Boundary / Interfaces / Dependencies Weapon System Ground Support Equipment Removable Media (CD, PC-MCIA, et al) Moderate to High Risk Areas Highest Likelihood Weapon System Accreditation Boundary/Entry Points - Team Focus Area Air Gap Hard Connection System of Systems First.What am I Responsible for Protecting? 9

10 System Authorization Boundary Determination The Authorizing Official (AO) authorizes a system to operate based upon cybersecurity risk determination Prior to an authorization to operate, the system s security boundary is determined this is the Authorization Boundary The Authorization Boundary is the security perimeter of what you are protecting. Establishing an Authorization Boundary and the associated risk management implications is an organization-wide activity - Includes careful negotiation among all key stakeholders. Who are some key stakeholders? 10

11 Considerations for Determining the Scope of an Authorization Boundary Authorization Boundary all components of an information system to be authorized for operation by an authorizing official Resources are generally under the same direct management control (e.g., budgetary, programmatic, operational authority) Resources generally support the same mission/business objectives or functions and require similar cyber security requirements Resources generally reside in the same general operating environment (or in the case of a distributed system, reside in various locations with similar operating environments) Ref: NIST SP R1 Guide for Applying RMF to Federal Information Systems 11

12 Choose Your Boundary Carefully Larger Boundary More Centralized Oversight/Control of: Patching Configuration Management System-of-System Testing Cost / Budget Continuous Monitoring Supply Chain Risk Management Lifecycle Maintenance Communications at key internal boundaries among subsystems May economize processes / documentation Smaller Boundary Increased coordination (e.g., Service Level Agreements) with subsystems in separate boundaries to ensure system-ofsystems can work together in a secure and functional manner. Considerations where dependencies and/or impacts may exist among subsystems include: Patching Configuration Management System-of-Systems Testing Cost / Budget Dependencies Continuous Monitoring Supply Chain Risk Management Lifecycle Maintenance Monitoring and controlling communications at key internal boundaries among subsystems May facilitate targeted application of security controls potentially lending a more cost-effective risk management approach Increased Level of Coordination 12

13 Early in the Lifecycle Added Cyber Survivability as key element of the mandatory System Survivability KPP 13

14 Cyber Survivability Endorsement to the System Survivability KPP The Joint Staff and DoD CIO developed Cyber Survivability Endorsement (CSE) criteria to assess requirements for key attributes that increase cyber survivability. Ref: 14

15 Cyber Survivability Attributes SS KPP Pillars Prevent Mitigate Recover Cyber Survivability Attributes (CSA) CSA 01 - Control Access CSA 02 - Reduce Cyber Detectability CSA 03 - Secure Transmissions and Communications CSA 04 - Protect Information from Exploitation CSA 05 - Partition and Ensure Critical Functions at Mission Completion Performance Levels CSA 06 - Minimize and Harden Cyber Attack Surfaces CSA 07 Baseline & Monitor Systems, and Detect Anomalies CSA 08 - Manage System Performance if Degraded by Cyber Events CSA 09 - Recover System Capabilities CSA 10 - Actively Manage System s Configuration to Counter Vulnerabilities at Tactically Relevant Speeds Prevent Design requirements that protect weapon system s functions from most likely and greatest risk cyber threats. Mitigate Design requirements that detect and respond to cyber-attacks; enabling weapon systems functions resiliency to complete the mission. Recover Design requirements that ensure minimum cyber capability available to recover from cyber attack and enable weapon system quickly restore full functionality Ref: 15

16 CSE 5 Step Approach Determine the Mission Impact of Loss For All Mission Critical Functions Due to a Cyber Event Determine the Level of Most Capable Cyber Threat Actor to the System What is a System s Cyber Dependence to Perform its Mission Critical Functions? The CSE 5 step risk managed approach takes into account several variables the resulting CSRC provides consistency between levels of Cyber Survivability requirements, development and testing Determining the System Mission Type helps define the required cyber survivability protection for the capability 16

17 DoD Policy Requirements Exercise 1 Risk Management Integration Exercise 2 in Solicitation Processes in SSE / SE Processes Software Assurance Exercise 3 Planning for Testing and Evaluation Lifecycle Support and Maintenance Continuous Monitoring Incident Handling Exercise 4 Summary Lesson Overview Lesson Plan 17

18 Exercise 1 : JTAMS Requirements Analysis For the JTAMS Program 1. Identify advantages/challenges of the proposed Authorization Boundary 2. Identify the Cyber Security Risk Category* 3. Identify the three most critical Cyber Survivability Attributes (CSAs)* for JTAMS and explain your rationale for selecting the three CSA s you chose 4. Brief Your Results *Use Volume I: Survivability Endorsement Guide available on the RMFKS (pp 11-29): 18

19 DoD Policy Requirements Exercise 1 Risk Management Integration Exercise 2 in Solicitation Processes in SSE / SE Processes Software Assurance Exercise 3 Planning for Testing and Evaluation Lifecycle Support and Maintenance Continuous Monitoring Incident Handling Exercise 4 Summary Lesson Overview Lesson Plan 19

20 - Risk Management Framework (RMF) The Authorizing Official (AO) authorizes a system s operation based upon risk determination RMF The AO is involved throughout the system s lifecycle 20

21 The & Acquisition Lifecycle Integration Tool (CALIT) 21

22 Some Key DoD Tenets is risk-based, mission-driven, and addressed early and continually. requirements are treated like other system requirements. System security architecture and data flows are developed early, and are continuously updated to maintain the desired security posture is implemented to increase a system s capability to protect, detect, react, and restore, even when under attack from an adversary risk assessments are conducted early and often, and integrated with other risk management activities Reciprocity is used where possible through sharing and reuse of test and evaluation products i.e., test once and use by all is a Significant Risk to DoD Systems! 22

23 Risk Management Integration Risk, Issue, and Opportunity Management Risks probability of an undesired event or condition and the impact were it to occur Issues events or conditions with negative effect that have occurred Opportunities future benefits to the program s cost, schedule and/or performance baseline

24 Risk Management Integration Risk, Issue, and Opportunity Management Program Protection and Trusted Systems & Networks (TSN) TSN Analysis

25 Risk Management Integration Risk Management Framework (RMF) Program Protection and Trusted Systems & Networks (TSN) Risk, Issue, and Opportunity Management TSN Analysis

26 Elements of Risks Cyber vulnerabilities provide potential exploitation points for adversaries to steal, alter, or destroy system functionality, information, or technology they seek. Program managers will pay particular attention to the program and system elements that are vulnerable and can be exposed to targeting. ¹At a minimum, PM s technical risk and opportunity management will consider - Government Program Organization - Poor cybersecurity practices - Insider threat - Untrained personnel - Contractor Organizations and Environments - Design, development, production environments - Supply Chain - Software and Hardware - System Interfaces - Enabling and Support Equipment, Systems and Facilities - Fielded Systems ¹Ref: DoDI , Update, Enclosure 14, Incorporated 2 Feb

27 DoD Policy Requirements Exercise 1 Risk Management Integration Exercise 2 in Solicitation Processes in SSE / SE Processes Software Assurance Exercise 3 Planning for Testing and Evaluation Lifecycle Support and Maintenance Continuous Monitoring Incident Handling Exercise 4 Summary Lesson Overview Lesson Plan 27

28 Exercise 2 - Identify Risks Col Dau is the new Program Manager for an new unmanned aerial bomber system (UABS). The mission is to fly the unmanned aerial bombers to a target and drop bombs to destroy those targets. To execute the mission, air tasking orders are issued using a ground-based information system through an encrypted interface. The unmanned aerial bomber is remotely controlled and operated using a ground-based system. The bomber includes SW & HW components that are essential to real time operation of the bomber itself the IT is critical to loading air tasking orders, flying the aircraft, guiding it to its target, commanding it to release bombs, etc. Col Dau is standing up her Program Office and wants to make sure she has the right expertise for her team. Upandaway, the prime contractor, is also standing up their Program Office and bringing on subcontractors. M&S will be used to reduce risk. Some legacy systems will be incorporated into the final system-of-systems. Extensive testing and crew training will be integral to the success of the Program. Using DoDI Enclosure 14, what potential cybersecurity risks (consider the whole eco system) should Col Dau consider in this scenario? 28

29 UABS Risks Team 1 Team 2 Team 3 Team 4 Team 5 Organizations and Environments Software / Hardware System Interfaces Enabling and Support Equipment, Systems, and Facilities Fielded Systems 29

30 DoD Policy Requirements Exercise 1 Risk Management Integration Exercise 2 in Solicitation Processes in SSE / SE Processes Software Assurance Exercise 3 Planning for Testing and Evaluation Lifecycle Support and Maintenance Continuous Monitoring Incident Handling Exercise 4 Summary Lesson Overview Lesson Plan 30

31 Contracting for is not Cookie Cutting Early involvement is key! Ensure cybersecurity requirements are incorporated in contracts Help contracting officers understand program cybersecurity requirements and risks so that: - appropriate contract type is selected - trade-space decisions are informed Source Selection Discriminators - Include cybersecurity evaluation factors and subfactors tied to RFP cybersecurity requirements and objectives that will impact source selection - NDAA 2011, Section 806 permits consideration of supply chain risk in source selection 31

32 FAR / DFAR Clauses Integrate cybersecurity into contracting language FAR/DFAR clauses - One size does not fit all TAILOR to your program requirements DoDI , Change 2, Table 12: Resources and Publications FAR Clause This clause applies to the extent that the contract involves access to information classified Confidential, Secret, or Top Secret. FAR Clause This clause applies to information not intended for public release that is provided by or generated for the Government under a contract. DFARS Clause The clause requires a company to safeguard CDI, as defined in the Clause, and to report to the DoD the possible exfiltration, manipulation, or other loss or compromise. Section 933 of the National Defense Authorization Act for Fiscal Year 2013, Public Law Requires use of appropriate automated vulnerability analysis tools in computer software code. 32

33 Some Best Practices Does the RFP require the contractor to? Mitigate Supplier Risk Process to establish trusted suppliers Obtain DoD-specific computer microchips from a ¹DMEA approved supplier Use secure shipping methods for critical components Ensure tech manuals are printed by a trusted supplier Use blind buys for critical function components Mitigate Software Risk Conduct/support penetration testing Correct errors in contractor developed software within an agreed upon timeframe Conduct regression tests following changes to function code Ensure software patch integrity is maintained in transit thru encryption and authentication Statement Of Work ¹Defense Microelectronics Activity (DMEA) References: DoDI , Trusted Systems and Networks (TSN) Analysis, June

34 Contract Considerations - Sample RFP Language - Section C Description/Spec/SOW - Identify the categorization of the system - Provide a list of applicable security controls - Ensure all CDRLs adequately address cybersecurity execution support (e.g., data rights, test data, test plans, source code deliveries, etc. - Section L, Instructions to Offerors - Describe experience of cybersecurity staff - Identify any cybersecurity-related DIDs contractors must provide Annex H Request for Proposal Considerations

35 Summary Today we learned to: Overall: Apply cybersecurity analysis throughout acquisition lifecycle phases. Analyze factors that drive cybersecurity requirements. Recognize programs should consider in risk management activities. Demonstrate cybersecurity integration into Source Selection and Solicitation processes. Examine cybersecurity considerations in system security engineering (SSE) / systems engineering (SE) reviews. Recognize planning aspects for cybersecurity testing and evaluation. Discuss cybersecurity lifecycle support and maintenance considerations. Recognize software assurance protections. Examine continuous monitoring of cybersecurity risk. Recognize key aspects of cybersecurity incident handling. 35

36 JRATS with JTAMS OV-1 STAMIS DODIN FUAV SW Module SATCOM SW Module GPS SW Module FUAV SW Module FUAV SW Module JTAMS GS SW Module JUGV SW Module JOINT COMMAND CENTER THRU HORIZONTAL Shooters TECHNOLOGY INSERTION JUGV JUGV 36