U.S. FLEET CYBER COMMAND / U.S. TENTH FLEET
Managing Cybersecurity Risk
Neal Miller, Navy Authorizing Official
December 13, 2016
UNCLASSIFIED
Some Inconvenient Truths

The bad guys and gals still only work as hard as we make them (Verizon DBIR, 2015)
  23% of people opened phishing messages and 11% clicked on attachments
  25% of reported breaches could have been prevented by multi-factor authentication and patching at the internet boundary
The bad guys and gals may already be inside the wire (CyberArk threat report, 2014)
  Attacks can stay hidden for months or years
  Attacks increasingly focus on accounts with privileged access
We are increasingly reliant on each other
  A risk assumed by one is still a risk assumed by many
Poll the audience: what keeps you up at night?
Bottom Line First

We cannot expect that IT/C4I systems and networks will operate in a risk-free environment
  There is no such thing as a walled garden or T-shirt environment
Operating in cyberspace therefore requires accepting a degree of risk
  Who gets that vote, and what kind of information is needed to make an educated decision?
Multiple concurrent approaches are intended to improve understanding of risk and to take appropriate action to maintain risk at an acceptable level
Today's conversation is aimed at observations of trends in cybersecurity risk management
Risk Management Strategies

(Chart; axes: Probability and Impact of the bad event)
  Reduce / Mitigate (prevent, detect, respond or remediate)
  Accept
  Avoid
  Transfer (insure / hedge)
P(bad event) and I(bad event) are challenging to estimate with much fidelity; they are also dynamic in duration and extent and need regular re-assessment.
An Analogy We're All Familiar With

How is it that most states allow a 16-year-old with limited experience to be issued a driver's license?

People
  Driver training under supervision; must pass minimum criteria and a road test
  Training and qualifications for public safety officers and health care providers
Processes
  Technical standards are published
  Operating standards / rules of the road are published
  Legal processes set up in case there are offenders
  Roads and vehicles designed for safety
  Requirement to buy insurance as a risk transfer mechanism
Technology
  Roads and vehicles tested / verified for safety
  Red lights, traffic cameras, speed limit signs
  Police presence
  Mechanism to call first responders in event of accident
Risk Management Tiers

(Figure slide; diagram not recoverable from the text)
Trends and Observations

People
  Exercises more robust and including phishing
  Acknowledge importance of basic blocking and tackling by regular users AND by privileged users
  New cyber-IT and cybersecurity workforce certifications
Processes
  Technical standards published across Navy Tech Authorities
  Mission area assessments with critical warfighting (space, nuclear command and control) and business (financial management) capabilities
  Identification and protection of key cyber terrain and critical infrastructure
  Changes to cybersecurity inspections driven at USCYBERCOM and DISA
  Reciprocity and information sharing across Services and Agencies
Technology
  Big data analytics in defensive cyber / movement in network operations
  Efforts to automate continuous monitoring and scan-patch-scan
  Joint Information Environment / Joint Regional Security Stack
  Increasing emphasis on platform IT and industrial control systems
Questions?
Transition from the DIACAP to DoD RMF

DoD is transforming IA policies and practices to improve IT categorization and control selection, and risk management procedures.

Policy
  DIACAP: previous versions of DoDD 8500.01, DoDI 8500.2 and DoDI 8510.01
  RMF: new revisions of DoDD 8500.01, DoDI 8500.2 and DoDI 8510.01
Categorization
  DIACAP: Mission Assurance Category (MAC) / Confidentiality Level (CL); 9 possible MAC/CL combinations
  RMF (Joint Task Force Transformation Initiative): Impact Value (Low / Moderate / High) for each Security Objective (Confidentiality / Integrity / Availability); 27 possible baseline combinations
IS Definitions
  RMF: expanded IT definition to align with CNSSI 4009 and encompass new and emerging capabilities
Security Controls
  DIACAP: DoD-defined IA security controls
  RMF: NIST SP 800-53 Security Control Catalog, with DoD assignment values, validation procedures, and implementation guidance
DoD Risk Management Framework

(Figure slide; diagram not recoverable from the text)
RMF Overview

The basic process steps are similar to DIACAP, but there are significant differences in several of the RMF process steps:
  Brings Platform IT and Control Systems under a common framework
  Categorization uses impact levels associated with the three security objectives of Confidentiality, Integrity, and Availability (CIA) vice Mission Assurance Category (MAC) and Confidentiality Level (CL)
  RMF has two process options: Assess Only, and Assess and Authorize
  RMF has added Overlays for special assessment categories (e.g., Space, Cross Domain Solution, Privacy, Classified); these are attachments to CNSSI 1253. An overlay is a specification of security controls, control enhancements, supplemental guidance, and other supporting information employed during the tailoring process that is intended to complement (and further refine) security control baselines
  There is a significant increase in the number of security controls and validation procedures