Shift Left: Putting the Process Into Action

Similar documents
Dr. Steven J. Hutchison Principal Deputy Developmental Test and Evaluation

Test and Evaluation Methodology and Principles for Cybersecurity

Cybersecurity Test and Evaluation Achievable and Defensible Architectures

The Perfect Storm Cyber RDT&E

T&E Workforce Development

Cybersecurity vs. Cyber Survivability: A Paradigm Shift

April 25, 2018 Version 2.0

The Operational Test & Evaluation Cybersecurity Terrain

Air Force Test Center

INFORMATION ASSURANCE DIRECTORATE

6/18/ ACC / TSA Security Capabilities Workshop THANK YOU TO OUR SPONSORS. Third Party Testing Program Overview.

DoD Strategy for Cyber Resilient Weapon Systems

Cybersecurity in Acquisition

AMRDEC CYBER Capabilities

Avionics Cyber T&E Examples Testing Cyber Security Resilience to support Operations in the 3rd Offset Environment

A Supply Chain Attack Framework to Support Department of Defense Supply Chain Security Risk Management

DOE and Test Automation for System of Systems T&E

Data Management & Test Scenarios Exercise

Cybersecurity is a team sport that requires Program Management, Cyber/ Including Cybersecurity in the Contract Mix

Risk Management Framework for DoD Medical Devices

INFORMATION ASSURANCE DIRECTORATE

CYBER SECURITY BRIEF. Presented By: Curt Parkinson DCMA

Looking Forward: USACE MILCON Cybersecurity Integration

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

Title: Integrated Program Protection

DEPARTMENT OF THE NAVY CHIEF INFORMATION OFFICER (DON CIO) CYBERSECURITY STRATEGY TEMPLATE

OFFICE OF THE SECRETARY OF DEFENSE DEFENSE PENTAGON WASHINGTON, DC MEMORANDUM FOR MEMBERS OF THE ACQUISITION WORKFORCE

Test & Evaluation of the NR-KPP

Cybersecurity Planning Lunch and Learn

ISA 201 Intermediate Information Systems Acquisition

New DoD Approach on the Cyber Survivability of Weapon Systems

RISK MANAGEMENT FRAMEWORK COURSE

Cybersecurity T&E and the National Cyber Range Top 10 Lessons Learned

Structured Cyber Resiliency Analysis Methodology (SCRAM) Deborah Bodeau, Richard Graubart, The MITRE Corporation

Joint Federated Assurance Center (JFAC): 2018 Update. What Is the JFAC?

THE UNDER SECRETARY OF DEFENSE 3010 DEFENSE PENTAGON WASHINGTON, DC ACQUISITION, TECHNOLOGY AND LOGISTICS January 11, 2017

Program Protection Implementation Considerations

Rocky Mountain Cyberspace Symposium 2018 DoD Cyber Resiliency

Achieving DoD Software Assurance (SwA)

Cybersecurity is one of the most important challenges for our military today. Cyberspace. Cybersecurity. Defending the New Battlefield

Section One of the Order: The Cybersecurity of Federal Networks.

ManTech Advanced Systems International 2018 Security Training Schedule

Introducing Cyber Resiliency Concerns Into Engineering Education

NDAA Section 804 Accelerated Test, Evaluation and Certification What is it and How Will it Impact IT Acquisitions?

2 nd Cybersecurity Workshop Test and Evaluation to Meet the Advanced Persistent Threat

Systems Engineering and System Security Engineering Requirements Analysis and Trade-Off Roles and Responsibilities

Protecting Buildings Operational Technology (OT) from Evolving Cyber Threats & Vulnerabilities

Cybersecurity and Program Protection

Advancing the Role of DT&E in the Systems Engineering Process:

Revitalizing Education and Training in Systems Engineering

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

U.S. Air Force. Digital Engineering Applications to Developmental Test & Evaluation. Dr. Ed Kraft. October 24, 2016

DoDD DoDI

Information Technology Branch Organization of Cyber Security Technical Standard

Physical Security Reliability Standard Implementation

Appendix 12 Risk Assessment Plan

FISMAand the Risk Management Framework

Cybersecurity Testing

UNCLASSIFIED. FY 2016 Base FY 2016 OCO

Test and Evaluation. The Key to Successful Acquisition Outcomes. Steve Hutchison. 3 October Director Office of Test and Evaluation

UNCLASSIFIED R-1 ITEM NOMENCLATURE FY 2013 OCO

Terms, Methodology, Preparation, Obstacles, and Pitfalls. Vulnerability Assessment Course

Briefing Date. Purpose

Network and Information Security Directive

DIACAP and the GIG IA Architecture. 10 th ICCRTS June 16, 2005 Jenifer M. Wierum (O) (C)

Framework for Improving Critical Infrastructure Cybersecurity

DoD Joint Federated Assurance Center (JFAC) Update

INFORMATION ASSURANCE DIRECTORATE

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS

ERO Enterprise Strategic Planning Redesign

Appendix 12 Risk Assessment Plan

Cybersecurity Metrics: A Red Team Perspective

INFORMATION ASSURANCE DIRECTORATE

Space Cyber: An Aerospace Perspective

PCTE Program Management Update. Liz Bledsoe Acting Product Manager Cyber Resiliency and Training

DOD Medical Device Cybersecurity Considerations

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

FOUNDATION CERTIFICATE IN INFORMATION SECURITY v2.0 INTRODUCING THE TOP 5 DISCIPLINES IN INFORMATION SECURITY SUMMARY

Cybersecurity Test and Evaluation at the National Cyber Range

Information Security Continuous Monitoring (ISCM) Program Evaluation

Cyber Semantic Landscape Ontology and Taxonomy

UNCLASSIFIED R-1 ITEM NOMENCLATURE FY 2013 OCO

Cybersecurity Test and Evaluation

Critical Cyber Asset Identification Security Management Controls

Security analysis and assessment of threats in European signalling systems?

Product Versioning and Back Support Policy

Cybersecurity (CS) (as a Risk Based Approach) & Supply Chain Risk Management (SCRM) (Levels of Assurance for HwA, SwA & Assured Services?

Vol. 1 Technical RFP No. QTA0015THA

Information and Communication Technology (ICT) Supply Chain Security Emerging Solutions

Industry role moving forward

HITRUST CSF: One Framework

STUDENT LEARNING OUTCOMES Beacom College of Computer and Cyber Sciences

DoD Internet Protocol Version 6 (IPv6) Contractual Language

Providing Cybersecurity Inventory, Compliance Tracking, and C2 in a Heterogeneous Tool Environment

NY DFS Cybersecurity Regulations August 8, 2017

Title: Cyber Table Top

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Navy Cyber Resilience

FiXs - Federated and Secure Identity Management in Operation

Transcription:

U.S. ARMY EVALUATION CENTER Shift Left: Putting the Process Into Action March 30, 2017

Agenda The Evaluator s Motivation Where We Were Guidance and Policy Putting it into Action 2

The Evaluator s Motivation What is the Outcome of the T&E Process Requirements for Cybersecurity/EW We Owe Decision Makers Key Answers Does the system maintain its critical capabilities under applicable threat environments? (Cyber and EW) Does the system provide robustness and resiliency against hostile activity? Does the system meet all Federal and Department of Defense cybersecurity regulations, guidelines, and best practices? Does the system introduce new exploitable cyber vulnerabilities to the systems and networks with which it interoperates? Does the system provide the ability to detect the loss of system or data integrity, and to restore the system and data to a known good (trusted) state? Cyber/EW Survivability as a key element of the mandatory System Survivability (SS) Key Performance Parameter (KPP). 3

In the Beginning (U) Army Not Resourced (U) Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) / Risk Management Framework (RMF) Pre-Milestone A to Retirement Duration of a System Lifecycle - Continuous Process Establish Security Architecture Early T&E of Major Software Drop in DT and OT Software Changes in Sustainment Underpinned by policy, standards, and discipline Threat Shift Left To discover cybersecurity issues earlier in the acquisition lifecycle 4

A Breakdown in the Process? Hmm do you see what I see? Looks like an ostrich is trying to protect itself. Oh well, guess we have to aim for the unprotected parts Whew I m compliant, I m cybergood! Cyber Survivability is more than Compliance The threat continues to grow and evolve Understanding system capability vs. evolving threat as system matures is critical 5

Test & Evaluation Policy Compliance Training Personnel Materiel Doctrine Guidance is Available Army Regulation 73-1 Test and Evaluation Policy (16 November 2016) DOD Program Manager s Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle, version 1.0 (September 2015) DOD Directive 8140 Cyberspace Workforce Management (11 August 2015) DOD Instruction 8500.01 Cybersecurity (14 March 2014) DOD Instruction 5000.02, Operation of the Defense Acquisition System (2 February 2017) Army Secure Networks Secure Infrastructure Cyber Survivability Endorsement Implementation Guide (26 January 2017) DOD Cybersecurity Test and Evaluation Guidebook, version1.0 (1 July 2015) OSD Procedures for Operational Test and Evaluation of Cybersecurity in Acquisition Programs (1 August 2014) Department of Defense Instruction (DODI) 8510.01, Risk Management Framework (RMF) for DOD Information Technology (IT) (12 March 2014) 6

DOD Program Manager s Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle, version 1.0 (September 2015) Putting it all Together Department of Defense Instruction (DODI) 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT) (12 March 2014) Army Regulation 73-1 Test and Evaluation Policy (16 November 2016) DOD Directive 8140 Cyberspace Workforce Management (11 August 2015) OSD Procedures for Operational Test and Evaluation of Cybersecurity in Acquisition Programs (1 August 2014) DOD Cybersecurity Test and Evaluation Guidebook, version1.0 (1 July 2015) Cyber Survivability Endorsement Implementation Guide (26 January 2017) DOD Instruction 8500.01 Cybersecurity (14 March 2014) DOD Instruction 5000.02, Operation of the Defense Acquisition System (2 February 2017) 7

Cybersecurity T&E Process Survivability KPP Endorsement RMF A better cyber survivable system, but that said 8

An Evaluator s Thoughts Policy and guidance provide strong foundation for a strong program Descriptive vs. Prescriptive Recommendations: Language in RFP beyond compliance and accreditation Plan and design to the intended contested environment Develop DODAF views of intended network architecture, logical and physical connections and interfaces Identify security aspects required for any system to integrate, embed, or connect to your system Embed cybersecurity SMEs architecture, process, hacker mentality with Systems Engineering Team early in the design process Engage Research, Development and Engineering Centers to assist with design Conduct Cybersecurity Table Top Exercise prior to Preliminary Design Review GOAL: A cyber survivable system by Milestone C Corrections are costly to implement closer to production 9

Red Text = Products generated by test providers (ARL/SLAD, TSMO) and/or OTA -360 OT Cybersecurity Documentation Timeline OTRR- OTRR- 1-270 -180-120 2-60 OTRR- 3 0 +60-180 -150 AA Documentation (Required) -90-30 TTSP Part 1 Approval (Info Only) 0 +60 TTSP Part 2 Approval (Info Only) PDRR Test Plan Outbrief, Draft Report AA Execution AA+PDRR Test Report Publication OTA-TPA Approval (DOT&E) Begin OTA-TP Staffing (OTC CG Approval) Test Plan Development CVPA Documentation (Required) CVPA Documentation (Requested) Begin CVPA Test Plan Staffing Outbrief, Draft Report CVPA Execution CVPA Test Plan Approval (DOT&E) CVPA 1. Security Classification Guide 2. Test timeframe, location, unit 3. Test and Evaluation Master Plan 4. System Evaluation Plan (SEP) and Data Source Matrix (DSM) 5. Statement of Work, Initial Capabilities Document (ICD), CDD, CPD, ONS/JUONS 6. Concept of Operations (CONOPS) 7. DODAF Views 8. Physical and Logical Architecture Diagrams 9. Systems Engineering Plan (SEP) 10. Program Protection Plan (PPP) 11. User (Technical and Operator's) Manuals 12. Preliminary Design Review (PDR) and/or Critical Design Review (CDR) 13. Interface Control Document (ICD) 14. System Threat Assessment Report (STAR) / VOLT and Information Operations Capstone Threat Assessment (CTA) CVPA Test Report Publication 1. Threat Test Support Package (TTSP) Parts 1 & 2 2. Trusted agent(s) 3. Signed ROEs 4. OTA-TP or Modified Cybersecurity OTA-TP 5. PDRR Test Plan 6. AA Test Report 7. PDRR Test Report AA 15. Risk Management Framework (RMF) Artifacts 16. Previous Test Reports and/or Scheduled Test Plans 17. Most recent vulnerability scans 18. DOD Ports, Protocols, and Services Worksheet 19. HW & SW list/inventory 20. IP list (white/blacklisted) 21. Unit SOPs 22. IRP, COOP, and DRP (Unit and SUT) 23. PDRR Scoping Questionnaire 24. User role provisioning forms for System Under Test (SUT) 25. On-site support and classified storage requirements document 26. Copy of approved Radio Frequency Authorizations (RFA) 27. CVPA Test Plan 28. CVPA Test Report

Test & Evaluation Policy Compliance Training Personnel Materiel Doctrine Final Thoughts A cyber survivable system can be built Guidance is there; execution is key Build cyber survivability into the system from the initial concept Pre-Milestone A to Retirement Unity Of Effort Duration of a System Lifecycle - Continuous Process Establish Security Architecture Early T&E of Major Software Drop in DT and OT Software Changes in Sustainment Must have a baseline to enable integration Defined Cybersecurity Architecture and Standards Discipline Centralized Management of Continuous Integration Cybersecurity T&E Approach Cybersecurity T&E spans the entire material life cycle of the program, and each phase builds off the completion of the prior phase. (DODI 5000.02, 2 Feb 2017) Army Secure Networks Secure Infrastructure Do not find vulnerabilities in operational systems that should have been discovered early and designed out during system development. 11

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback