U.S. FLEET CYBER COMMAND U.S. TENTH FLEET Managing Cybersecurity Risk


Neal Miller, Navy Authorizing Official. December 13, 2016. UNCLASSIFIED.

Some Inconvenient Truths
- The bad guys and gals still only work as hard as we make them (Verizon DBIR, 2015):
  - 23% of people opened phishing messages and 11% clicked on attachments
  - 25% of reported breaches could have been prevented by multi-factor authentication and patching at the internet boundary
- The bad guys and gals may already be inside the wire (CyberArk threat report, 2014):
  - Attacks can stay hidden for months or years
  - Attacks increasingly focus on accounts with privileged access
- We are increasingly reliant on each other: a risk assumed by one is still a risk assumed by many
- Poll the audience: what keeps you up at night?

Bottom Line First
- We cannot expect that IT/C4I systems and networks will operate in a risk-free environment; there is no such thing as a walled garden or "T-shirt environment".
- Operating in cyberspace therefore requires accepting a degree of risk. Who gets that vote, and what kind of information is needed to make an educated decision?
- Multiple concurrent approaches are intended to improve understanding of risk and to take appropriate action to maintain risk at an acceptable level.
- Today's conversation is aimed at observations of trends in cybersecurity risk management.

Risk Management Strategies
(Slide plots the strategies against two axes: Probability and Impact.)
- Reduce / Mitigate (prevent, detect, respond or remediate)
- Accept
- Avoid
- Transfer (insure / hedge)
P(bad event) and I(bad event) are challenging to estimate with much fidelity. They are also dynamic in terms of duration and extent, and need regular re-assessment.

An Analogy We're All Familiar With
How is it that most states allow a 16-year-old with limited experience to be issued a driver's license?
People
- Driver training under supervision; must pass minimum criteria and a road test
- Training and qualifications for public safety officers and health care providers
Processes
- Technical standards are published
- Operating standards / rules of the road are published
- Legal processes are set up in case there are offenders
- Roads and vehicles are designed for safety
- Requirement to buy insurance as a risk transfer mechanism
Technology
- Roads and vehicles tested / verified for safety
- Red lights, traffic cameras, speed limit signs
- Police presence
- Mechanism to call first responders in the event of an accident

Risk Management Tiers

Trends and Observations
People
- Exercises are more robust and now include phishing; they acknowledge the importance of basic blocking and tackling by regular users AND by privileged users
- New cyber-IT and cybersecurity workforce certifications
Processes
- Technical standards published across Navy Technical Authorities
- Mission area assessments covering critical warfighting (space, nuclear command and control) and business (financial management) capabilities
- Identification and protection of key cyber terrain and critical infrastructure
- Changes to cybersecurity inspections driven by USCYBERCOM and DISA
- Reciprocity and information sharing across Services and Agencies
Technology
- Big data analytics in defensive cyber; movement in network operations
- Efforts to automate continuous monitoring and scan-patch-scan
- Joint Information Environment / Joint Regional Security Stack
- Increasing emphasis on platform IT and industrial control systems

Questions?

Transition from the DIACAP to DoD RMF
DoD is transforming IA policies and practices to improve IT categorization, control selection, and risk management procedures.
Policy
- DIACAP: previous versions of DoDD 8500.01, DoDI 8500.2 and DoDI 8510.01
- RMF: new revisions of DoDD 8500.01, DoDI 8500.2 and DoDI 8510.01; Joint Task Force Transformation Initiative
Categorization
- DIACAP: Mission Assurance Category (MAC) / Confidentiality Level (CL); 9 possible MAC/CL combinations
- RMF: Impact Value (Low / Moderate / High) for each Security Objective (Confidentiality / Integrity / Availability); 27 possible baseline combinations
IS Definitions
- RMF: expanded IT definition aligned with CNSSI 4009, encompassing new and emerging capabilities
Security Controls
- DIACAP: DoD-defined IA security controls
- RMF: NIST SP 800-53 Security Control Catalog, with DoD assignment values, validation procedures, and implementation guidance

DoD Risk Management Framework

RMF Overview
The basic process steps are similar to DIACAP, but there are significant differences in several of the RMF process steps:
- Brings Platform IT and control systems under a common framework
- Categorization uses impact levels associated with the three security objectives of Confidentiality, Integrity, and Availability (CIA), vice Mission Assurance Category (MAC) and Confidentiality Level (CL)
- RMF has two process options: Assess Only, and Assess and Authorize
- RMF has added Overlays for special assessment categories (e.g., Space, Cross Domain Solution, Privacy, Classified); these are attachments to CNSSI 1253. An overlay is a specification of security controls, control enhancements, supplemental guidance, and other supporting information employed during the tailoring process, intended to complement (and further refine) security control baselines
- There is a significant increase in the number of security controls and validation procedures
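The categorization step above, worked through as an added example (this is not code from the briefing or from any DoD tool). It shows where the "27 possible baseline combinations" and the DIACAP "9 MAC/CL combinations" come from, and why the CNSSI 1253 categorization (three separate values, e.g. H-M-H) differs from the FIPS 199 high-water mark used for non-national-security systems. The information types and their provisional impact values are constructed for illustration; real values come from SP 800-60, CNSSI 1253 and the system's mission owner.

```python
"""Worked example: RMF security categorization (added illustration).

Assumption: INFO_TYPES below is a constructed sample for one hypothetical
system, not a real categorization. The per-objective "take the highest
provisional impact" rule follows SP 800-60 / CNSSI 1253.
"""
from itertools import product

LEVELS = ("LOW", "MODERATE", "HIGH")
RANK = {level: i for i, level in enumerate(LEVELS)}

# Constructed sample: information types the hypothetical system processes,
# each with a provisional (Confidentiality, Integrity, Availability) impact.
INFO_TYPES = {
    "unit position reports": ("HIGH", "MODERATE", "HIGH"),
    "travel claims":         ("MODERATE", "MODERATE", "LOW"),
    "public web content":    ("LOW", "MODERATE", "LOW"),
}


def categorize(info_types):
    """Per-objective categorization: for each of C, I and A, take the
    highest provisional impact across all information types handled."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    triple = []
    for objective in range(3):
        values = [impacts[objective] for impacts in info_types.values()]
        triple.append(max(values, key=RANK.__getitem__))
    return tuple(triple)


def cnssi_1253_category(triple):
    """CNSSI 1253 keeps the three values separate (e.g. 'H-M-H'); each of
    C, I and A can be L/M/H independently, hence 3**3 = 27 baselines."""
    return "-".join(level[0] for level in triple)


def fips_199_high_water_mark(triple):
    """FIPS 199 / FIPS 200 collapse the triple to one system-level impact,
    the highest of the three, so only three baselines (L, M, H) exist."""
    return max(triple, key=RANK.__getitem__)


def all_cnssi_1253_categories():
    """Enumerate every C-I-A combination CNSSI 1253 can select a baseline for."""
    return sorted(cnssi_1253_category(t) for t in product(LEVELS, repeat=3))


def mac_cl_combinations():
    """DIACAP: Mission Assurance Category (I-III) x Confidentiality Level
    (Classified / Sensitive / Public) = 3 x 3 = 9 combinations."""
    macs = ("MAC I", "MAC II", "MAC III")
    cls = ("Classified", "Sensitive", "Public")
    return [f"{m}/{c}" for m, c in product(macs, cls)]


if __name__ == "__main__":
    triple = categorize(INFO_TYPES)
    print("per-objective category:", triple)
    print("CNSSI 1253 category:   ", cnssi_1253_category(triple))
    print("FIPS 199 high-water:   ", fips_199_high_water_mark(triple))
    print(len(all_cnssi_1253_categories()), "RMF baselines vs",
          len(mac_cl_combinations()), "DIACAP MAC/CL combinations")
```

The practical consequence for the Platform IT and control systems the slide brings under RMF: a system whose only high-impact objective is availability categorizes as L-L-H under CNSSI 1253 and keeps its confidentiality and integrity controls tailored to Low, whereas a high-water-mark categorization would rate the whole system High and pull in the full High baseline for all three objectives.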