Cybersecurity in Acquisition

Similar documents
Cybersecurity and Program Protection

Department of Defense (DoD) Joint Federated Assurance Center (JFAC) Overview

Engineering Cyber Resilient Weapon Systems

Program Protection Implementation Considerations

System Security Engineering for Program Protection and Cybersecurity

Systems Engineering and System Security Engineering Requirements Analysis and Trade-Off Roles and Responsibilities

NDIA SE Conference 2016 System Security Engineering Track Session Kickoff Holly Dunlap NDIA SSE Committee Chair Holly.

Acquisition and Intelligence Community Collaboration

Achieving DoD Software Assurance (SwA)

A Supply Chain Attack Framework to Support Department of Defense Supply Chain Security Risk Management

THE UNDER SECRETARY OF DEFENSE 3010 DEFENSE PENTAGON WASHINGTON, DC ACQUISITION, TECHNOLOGY AND LOGISTICS January 11, 2017

CYBER SECURITY BRIEF. Presented By: Curt Parkinson DCMA

ISA 201 Intermediate Information Systems Acquisition

Department of Defense Cybersecurity Requirements: What Businesses Need to Know?

Rocky Mountain Cyberspace Symposium 2018 DoD Cyber Resiliency

DEFENSE LOGISTICS AGENCY AMERICA S COMBAT LOGISTICS SUPPORT AGENCY. Cyber Security. Safeguarding Covered Defense Information.

DoD Joint Federated Assurance Center (JFAC) Update

DoD Software Assurance Initiative. Mitchell Komaroff, OASD (NII)/DCIO Kristen Baldwin, OUSD(AT&L)/DS

Joint Federated Assurance Center (JFAC): 2018 Update. What Is the JFAC?

CYBER RESILIENT AND SECURE WEAPON SYSTEMS ACQUISITION / PROPOSAL DISCUSSION

Cybersecurity Challenges

G-12 Space Subcommittee - Space Concerns

OFFICE OF THE UNDER SECRETARY OF DEFENSE 3000DEFENSEPENTAGON WASHINGTON, DC

Cyber Security Challenges

Systems Engineering for Software Assurance

AMRDEC CYBER Capabilities

DFARS Safeguarding Covered Defense Information The Interim Rule: Cause for Confusion and Request for Questions

Systems Security Engineering: A Framework to Protect Hardware Down to the Last Tactical Inch

DFARS Cyber Rule Considerations For Contractors In 2018

Software & Supply Chain Assurance: Enabling Enterprise Resilience through Security Automation, Software Assurance and Supply Chain Risk Management

DoD Strategy for Cyber Resilient Weapon Systems

Advanced Technology Academic Research Council Federal CISO Summit. Ms. Thérèse Firmin

ROADMAP TO DFARS COMPLIANCE

Get Compliant with the New DFARS Cybersecurity Requirements

DoD Systems Engineering Update: Engineering Enterprise Initiatives

Cybersecurity Risk Management

Defense Engineering Excellence

DoD Systems Engineering Update

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

DFARS , NIST , CDI

DoD Software Assurance (SwA) Update

Safeguarding Unclassified Controlled Technical Information

Systems Engineering Update/SD-22

Avionics Cyber T&E Examples Testing Cyber Security Resilience to support Operations in the 3rd Offset Environment

Safeguarding Controlled Unclassified Information and Cyber Incident Reporting. Kevin R. Gamache, Ph.D., ISP Facility Security Officer

align security instill confidence

UNCLASSIFIED R-1 ITEM NOMENCLATURE FY 2013 OCO

Systems 2020 Strategic Initiative Overview

2017 SAME Small Business Conference

Cyber Security For Business

Cybersecurity (CS) (as a Risk Based Approach) & Supply Chain Risk Management (SCRM) (Levels of Assurance for HwA, SwA & Assured Services?

Shaping the Department of Defense Engineering Workforce

INFORMATION ASSURANCE DIRECTORATE

Managing Supply Chain Risks for SCADA Systems

SECURITY & PRIVACY DOCUMENTATION

Cyber Attacks & Breaches It s not if, it s When

Information and Communication Technology (ICT) Supply Chain Security Emerging Solutions

U.S. FLEET CYBER COMMAND U.S. TENTH FLEET Managing Cybersecurity Risk

Supplier Training Excellence Program

Section One of the Order: The Cybersecurity of Federal Networks.

Safeguarding unclassified controlled technical information (UCTI)

The Perfect Storm Cyber RDT&E

IMPROVING CYBERSECURITY AND RESILIENCE THROUGH ACQUISITION

Protecting Your Facility s Technology

Supply Chain Information Exchange: Non-conforming & Authentic Components

Implementing a Modular Open Systems Approach (MOSA) to Achieve Acquisition Agility in Defense Acquisition Programs

UNCLASSIFIED. FY 2016 Base FY 2016 OCO

Cyber Security Challenges

Quality Collaboration Across Government and Industry in a Time of Profound Changes

TEL2813/IS2621 Security Management

CYBER ASSISTANCE TEAM OVERVIEW BRIEFING

T&E Workforce Development

Shift Left: Putting the Process Into Action

RiskSense Attack Surface Validation for IoT Systems

New DoD Approach on the Cyber Survivability of Weapon Systems

Protecting the Nation s Critical Assets in the 21st Century

April 25, 2018 Version 2.0

NIST Special Publication

External Supplier Control Obligations. Cyber Security

Safeguarding of Unclassified Controlled Technical Information. SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION (NOV 2013)

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

INFORMATION ASSURANCE DIRECTORATE

DFARS Defense Industrial Base Compliance Information

Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management

ICT Supply Chain Risk Management Nadya Bartol, CISSP, CGEIT UTC Senior Cybersecurity Strategist

DEFENSE LOGISTICS AGENCY

Preparing for NIST SP January 23, 2018 For the American Council of Engineering Companies

Secure Development Lifecycle

Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations (NIST SP Revision 1)

Cyber Security Summit 2014 USCENTCOM Cybersecurity Cooperation

Cybersecurity for Government Contractors: Preparing for Cyber Incidents in 2017

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016

Cyber (In)Security. What Business Leaders Need To Know. Roy Luebke Innovation and Growth Consultant. Presented by:

Federal Initiatives to Protect Controlled Unclassified Information in Nonfederal Information Systems Against Cyber Threats

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

Cyber Intelligence Professional Certificate Program Booz Allen Hamilton 2-Day Seminar Agenda September 2016

PilieroMazza Webinar Preparing for NIST SP December 14, 2017

Supply Chain Attacks and Resiliency Mitigations

Transcription:

Kristen J. Baldwin Acting Deputy Assistant Secretary of Defense for Systems Engineering (DASD(SE)) Federal Cybersecurity Summit September 15, 2016 Sep 15, 2016 Page-1

Acquisition program activities must take responsibility for cybersecurity from earliest research and technology development through system concept, design, development, test and evaluation, production, fielding, sustainment, and disposal Scope of program cybersecurity includes: Program information Data about acquisition, personnel, planning, requirements, design, test data, and support data for the system. Also includes data that alone might not be classified or damaging, but in combination with other information could allow an adversary to compromise, counter, clone, or defeat warfighting capability Organizations and Personnel Government program offices, prime and subcontractors, along with manufacturing, testing, depot, and training organizations Networks Government and Government support activities, unclassified and classified networks, contractor unclassified and classified networks, and interfaces among Government and contractor networks Systems and Supporting Systems The system being acquired, system interfaces, and associated training, testing, manufacturing, logistics, maintenance, and other support systems Cybersecurity is a requirement for all DoD programs Sep 15, 2016 Page-2

Ensuring Cyber Resilience in Defense Systems Threat Adversary who seeks to exploit vulnerabilities to: Acquire program and system information Disrupt or degrade system performance Obtain or alter US capability Access points are throughout the acquisition lifecycle Vulnerabilities Found in programs, organizations, personnel, networks, systems, and supporting systems Inherent weaknesses in hardware and software can be used for malicious purposes Weaknesses in processes can be used to intentionally insert malicious hardware and software Unclassified design information within the supply chain can be aggregated US capability that provides a technological advantage can be lost or sold Consequences Loss of technological advantage System impact corruption and disruption Mission impact capability is countered or unable to fight through and across numerous supply chain entry points - Government - Prime, subcontractors - Vendors, commercial parts manufacturers - 3 rd party test/certification activities Sep 15, 2016 Page-3

Spectrum of Supply Chain Risks Quality Escape Reliability Failure Fraudulent Product Malicious Insertion Reverse Engineering Information Losses Product defect/ inadequacy introduced either through mistake or negligence during design, production, and post-production handling resulting in the introduction of deficiencies, vulnerabilities, and degraded life-cycle performance. Mission failure in the field due to environmental factors unique to military and aerospace environment factors such as particle strikes, device aging, hot-spots, electromagnetic pulse, etc. Counterfeit and other than genuine and new devices from the legally authorized source including relabeled, recycled, cloned, defective, out-of-spec, etc. Intentional insertion of malicious hard/soft coding, or defect to enable physical attacks or cause mission failure; includes logic bombs, Trojan kill switches, backdoors for unauthorized control and access to logic and data. Unauthorized extraction of sensitive intellectual property using reverse engineering, side channel scanning, runtime security analysis, embedded system security weakness, etc. Stolen data provides potential adversaries extraordinary insight into US defense and industrial capabilities and allows them to save time and expense in developing similar capabilities. DoD Program Protection focuses on risks posed by malicious actors Sep 15, 2016 Page-4

Program Protection in DoDI 5000.02 Acquisition Policy DoDI 5000.02 requires Program Managers to employ system security engineering practices and prepare a Program Protection Plan (PPP) to manage the security risks to the program and system elements that are vulnerable and can be exposed to targeting Critical Program Information Mission-critical functions and critical components Information about the program and within the system PPPs are required at all major milestones PPPs inform program acquisition strategies, engineering, and test and evaluation plans PMs incorporate appropriate PPP requirements into solicitations Sep 15, 2016 Page-5

What Are We Protecting? What: A capability element that contributes to the warfighters technical advantage (CPI) Key Protection Measure Types: Anti-Tamper Exportability Features Goal: Prevent the compromise and loss of CPI Program Protection & Cybersecurity http://www.acq.osd.mil/se/initiatives/init_pp-sse.html DoDI 5000.02 DoDM 5200.01, Vol. 1-4 DoDM 5200.45 DoDI 5200.39 DoDI 5200.44 DoDI 5230.24 Technology Components What: Mission-critical functions and components Key Protection Measure Types: Software Assurance Hardware Assurance/Trusted Microelectronics Supply Chain Risk Management Anti-counterfeits Goal: Protect key mission components from malicious activity DoDI 8500.01 DoDI 8510.01 Information What: Information about the program, system, designs, processes, capabilities and end-items Key Protection Measure Types: Classification Export Controls Information Security Goal: Ensure key system and program data is protected from adversary collection Protecting Warfighting Capability Throughout the Lifecycle Sep 15, 2016 Page-6

Program Protection Relationship to Other Formal Acquisition Activities PPP Systems Engineering Plan T&E Master Plan - Incorporation into technical baselines - SSE entry and exit criteria in SE tech reviews - SSE as a design consideration - Technical risks and mitigation plans - Data needed to ascertain cybersecurity requirements are met - Cooperative Vulnerability Identification and Penetration Assessments - Adversarial Assessments Anti-Tamper Plan Cybersecurity Strategy/ RMF Security Plan Acq Strategy - Trusted supplier requirements - Acquisition regulations (Safeguarding Covered Defense Information, Counterfeits, etc.) Tailored to specific program situations Sep 15, 2016 Page-7

Contract Regulation for Safeguarding Covered Defense Information DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting 2nd interim rule published December 30, 2015, to provide contractors with additional time to implement NIST 800-171 security requirements Purpose Establish minimum requirements for contractors and subcontractors to safeguard DoD unclassified covered defense information and report cyber incidents on their contractor owned and operated information systems Requires Contractors to Flow down only to Subcontractors where their efforts will involve covered defense information or where they will provide operationally critical support Fully comply with security requirements in the NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations NLT Dec 31, 2017 Report cyber incident and compromises affecting covered defense information Submit malware that they are able to discover and isolate in connection with a reported cyber incident Support DoD damage assessment as needed Final rule anticipated to be published in Fall 2016 Sep 15, 2016 Page-8

Joint Federated Assurance Center (JFAC) Federation of DoD software and hardware assurance (SwA/HwA) capabilities Support programs in addressing current and emerging threats and vulnerabilities Facilitate collaboration across the Department and throughout the lifecycle of acquisition programs Maximize use of available resources Assess and recommend capability and capacity gaps to resource Seek innovation in SW and HW inspection, detection, analysis, risk assessment, and remediation tools and techniques to mitigate risk of malicious insertion R&D is key component of JFAC operations Focus on improving tools, techniques, and procedures for SwA and HwA to support programs Federated Organizations Army, Navy, AF, NSA, DMEA DISA, NRO, MDA laboratories and engineering support organizations; and Department of Energy JFAC mission is to support programs with SwA and HwA needs Sep 15, 2016 Page-9

Summary Cybersecurity is an essential element of acquisition, engineering, test, and sustainment activities We will embed cybersecurity risk mitigation activities into the acquisition program lifecycle We must bring to bear policy, tools, and expertise to enable cyber resiliency in our systems Translate IT and network resiliency to weapon system resiliency Establish security as a fundamental discipline of systems engineering Opportunities for all of government, industry and academia to engage: Continue R&D efforts to determine technological approaches to reduce risk Develop engineering and design methods, standards, and tools to enable policy implementation Develop use case scenarios to help educate and train our community Sep 15, 2016 Page-10

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback