Rocky Mountain Cyberspace Symposium 2018
DoD Cyber Resiliency
Mr. Ed Brindley, Acting Deputy, Cyber Security, Department of Defense
7 March 2018
SUPPORT THE WARFIGHTER
Overview
- Secretary Mattis Priorities
- CIO Cyber Top Priorities for 2018
Secretary Mattis Top 3 Priorities
1. Restore military readiness as we build a more lethal force.
2. Strengthen alliances and attract new partners.
3. Bring business reforms to the Department of Defense.
How do we establish and maintain Cyber Resiliency?
- Enterprise view of cybersecurity risk to highest priority missions, systems and networks
- Streamline processes and policies throughout CIO
- Continue to grow the cyber workforce
Priority 1: Enterprise View of Cybersecurity Risk to Highest Priority Missions, Systems and Networks
Transition from CIO Scorecard 1.0 to 2.0

Scorecard 1.0 provides aggregation of existing data:
- Extensive survey to produce scorecard
- Limited to compliance (Yes and No)
- Tabular data view

Scorecard 2.0 shifts to Risk Management Heat Map:
- Eliminate the human in the loop
- Integration of threat and impact with current vulnerability data
- Heat map view
- Facilitates agility and rapid decision making by the CISO/CIOs
- Assists commander as a risk assessment tool for missions

(Figure: Scorecard 1.0 to 2.0: Threat / Risk View)
DIB Cybersecurity Program

The DIB Cybersecurity Program is a public-private partnership that:
- Provides a collaborative environment for sharing unclassified and classified cyber threat information
- Offers analyst-to-analyst exchanges, mitigation and remediation strategies
- Increases U.S. Government and industry understanding of the cyber threat

Eligibility: A contractor must be a Cleared Defense Contractor to participate in this program.

Mission: Enhance and supplement Defense Industrial Base (DIB) participants' capabilities to safeguard DoD information that resides on, or transits, DIB unclassified information systems.
Protecting DoD's Unclassified Information

DoD has a range of activities, including both regulatory and voluntary programs, to improve the cybersecurity of the nation and protect U.S. interests, including:
- Contractual requirements via the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
- Leveraging security standards in National Institute of Standards and Technology (NIST) Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
- DoD's DIB Cybersecurity Program for voluntary cyber threat information sharing
- Encouraging use of the voluntary NIST Cybersecurity Framework
Cyber Executive Order 13800

Cybersecurity responsibility is being placed on the heads of executive departments and agencies. This still holds the CIO/CISO chain of command responsible, but also holds non-CIO executive leaders accountable. The Cybersecurity Scorecard is being used as a mechanism to begin to exert this accountability within DoD.
Priority 2: Streamline Processes and Policies Throughout CIO
Integrating the Cybersecurity Framework with the Risk Management Framework
- Cybersecurity risk is only part of organizational risk management procedures
- Organizational risk management requires multi-disciplinary teams
- A common taxonomy allows IT, cybersecurity and business personnel to communicate
- Implementation will vary between organizations based on their needs
- Goal: allocate scarce resources to address cybersecurity needs most efficiently
- Focus on critical assets first

(Figure: Cybersecurity Framework and Risk Management Framework)
Integrating CSF and RMF: Timeline of Activities

Nov. 17: CSF/RMF Fit Gap Analysis
- Due to DEPSECDEF
- Highlights the areas of overlap and gaps
- Socialized via the RMF Technical Advisory Group (TAG)

Jan. 18: NIST publishes new RMF
- Goal is to integrate the CSF and RMF to the greatest extent possible

March 18: DoD Implementation Strategy
- Due to DEPSECDEF
- Simplify, operationalize, and make more effective
- Strategy socialized with the RMF TAG, the DoD AO Summit and the ISRMC

June 18: DoD Implementation Plan
- Due to DEPSECDEF
- Clarify roles and responsibilities
- Develop programmatic metrics and governance risk triggers

TBD: Update DoDI 8510.01
- Content will be developed with the input of the RMF TAG
Priority 3: Continue to Grow the Cyber Workforce
Cyber Workforce Trends & Challenges:
- Growing reliance on technology
- Increasingly complex operating environment
- Evolution of skills and expectations
- Lack of cyber workforce standards
Long-term Cyber Resiliency
- Increase senior-level culture of cybersecurity as a mission imperative.
- Improve cloud security.
- Advocate use of tools based on common standards that allow us to exploit the power of big data analytics.
- Increase collaboration with our partners within DoD, other government agencies, industry and academia.
- Have more proactive, anticipatory and shortened response times.
What Needs to Change in 2018?
- Need to be more responsive: move at the speed of technology (or the speed of need).
- Continue to focus on long-term enterprise solutions and achievable outcomes.
- ... needs to accept more risk.