Software & Supply Chain Assurance: Enabling Enterprise Resilience through Security Automation, Software Assurance and Supply Chain Risk Management

Similar documents
Cybersecurity Technical Risk Indicators:

Supply Chain Information Exchange: Non-conforming & Authentic Components

Mitigating Software Supply Chain Risks

U.S. Department of Homeland Security Office of Cybersecurity & Communications

Panelists. Moderator: Dr. John H. Saunders, MITRE Corporation

Protecting the Nation s Critical Assets in the 21st Century

TEL2813/IS2621 Security Management

DHS Cybersecurity: Services for State and Local Officials. February 2017

Cybersecurity in Acquisition

Cybersecurity Technical Risk Indicators:

IMPROVING CYBERSECURITY AND RESILIENCE THROUGH ACQUISITION

Statement for the Record

Seagate Supply Chain Standards and Operational Systems

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Critical Infrastructure Protection (CIP) as example of a multi-stakeholder approach.

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

Cyber Security & Homeland Security:

Critical Infrastructure Sectors and DHS ICS CERT Overview

Gujarat Forensic Sciences University

Security by Default: Enabling Transformation Through Cyber Resilience

Software Assurance: Enabling Education and Training to better address needs of Security Automation and Software Supply Chain Risk Management

Department of Homeland Security Updates

What can an Acquirer do to prevent developers from make dangerous software errors? OWASP AppSec DC 2012 April 5, 2012

Control Systems Cyber Security Awareness

Water Information Sharing and Analysis Center

Medical Device Cybersecurity: FDA Perspective

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

We Cannot Blindly Reap the Benefits of a Globalized ICT Supply Chain!

Quadrennial Homeland Security Review (QHSR) Ensuring Resilience to Disasters

New Guidance on Privacy Controls for the Federal Government

Pillars of Cyber Risk as Competitive Advantage: Enabling Enterprise Resilience & Cyber Security Assurance through Software Supply Chain Management

June 5, 2018 Independence, Ohio

Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA. The African Internet Governance Forum - AfIGF Dec 2017, Egypt

Federal Civilian Executive branch State, Local, Tribal, Territorial government (SLTT) Private Sector (PS) Unclassified / Business Networks

Engineering Your Software For Attack

UNCLASSIFIED. FY 2016 Base FY 2016 OCO

Advanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018

Cyber Resilience. Think18. Felicity March IBM Corporation

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

Acquisition and Intelligence Community Collaboration

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

Bradford J. Willke. 19 September 2007

American Association of Port Authorities Port Security Seminar & Expo Cyber Security Preparedness and Resiliency in the Marine Environment

National Policy and Guiding Principles

Election Infrastructure Security: The How and Why of It

Cyber Hygiene: A Baseline Set of Practices

Tool-Supported Cyber-Risk Assessment

Awareness as a Cyber Security Vulnerability. Jack Whitsitt Team Lead, Cyber Security Awareness and Outreach TSA Office of Information Technology

Rocky Mountain Cyberspace Symposium 2018 DoD Cyber Resiliency

Updates to the NIST Cybersecurity Framework

Engineering for System Assurance Legacy, Life Cycle, Leadership

Sage Data Security Services Directory

U.S. Customs and Border Protection Cybersecurity Strategy

Procurement Language for Supply Chain Cyber Assurance

Cyber Security Summit 2014 USCENTCOM Cybersecurity Cooperation

AMRDEC CYBER Capabilities

Synergies of the Common Criteria with Other Standards

Greg Garcia President, Garcia Cyber Partners Former Assistant Secretary for Cyber Security and Communications, U.S. Department of Homeland Security

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

Measuring and Evaluating Cyber Risk in ICS Components, Products and Systems

Why you should adopt the NIST Cybersecurity Framework

Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management

RSA RISK FRAMEWORKS MAKING DIGITAL RISK MANAGEABLE

Federal Mobility: A Year in Review

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016

The NIST Cybersecurity Framework

Homeland Security Perspectives: Oregon Fire District Directors Association October 25, 2018

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

Brussels, 19 May 2011 COUNCIL THE EUROPEAN UNION 10299/11 TELECOM 71 DATAPROTECT 55 JAI 332 PROCIV 66. NOTE From : COREPER

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report

THE POWER OF TECH-SAVVY BOARDS:

Department of Defense (DoD) Joint Federated Assurance Center (JFAC) Overview

INFORMATION ASSURANCE DIRECTORATE

Cybersecurity and Program Protection

CYBERSECURITY. Protecting Against the Financial, Regulatory and Reputational Impacts of Cyber Attack

Cyber Security Program

Cybersecurity in Government

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

Department of Defense Cybersecurity Requirements: What Businesses Need to Know?

STANDARD INFORMATION SHARING FORMATS. Will Semple Head of Threat and Vulnerability Management New York Stock Exchange

Advanced Technology Academic Research Council Federal CISO Summit. Ms. Thérèse Firmin

Cybersecurity (CS) (as a Risk Based Approach) & Supply Chain Risk Management (SCRM) (Levels of Assurance for HwA, SwA & Assured Services?

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

DoD Software Assurance Initiative. Mitchell Komaroff, OASD (NII)/DCIO Kristen Baldwin, OUSD(AT&L)/DS

External Supplier Control Obligations. Cyber Security

Cybersecurity, safety and resilience - Airline perspective

2 nd Cybersecurity Workshop Test and Evaluation to Meet the Advanced Persistent Threat

Cybersecurity Risk Management:

White Paper. View cyber and mission-critical data in one dashboard

Managing Supply Chain Risks for SCADA Systems

POSTMARKET MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES FINAL GUIDANCE MARCH 29, TH ANNUAL MEDICAL DEVICE QUALITY CONGRESS

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

Monthly Cyber Threat Briefing

Siemens view and approach on critical infrastructure resilience against cyberthreats Joint OECD-JRC Workshop, Paris September 2018

Position Description. Computer Network Defence (CND) Analyst. GCSB mission and values. Our mission. Our values UNCLASSIFIED

The Office of Infrastructure Protection

Innovation policy for Industry 4.0

Implementing the Administration's Critical Infrastructure and Cybersecurity Policy

Transcription:

Software & Supply Chain Assurance: Enabling Enterprise Resilience through Security Automation, Software Assurance and Supply Chain Risk Management Joe Jarzombek, PMP, CSSLP Director for Software & Supply Chain Assurance Stakeholder Engagement & Cyber Infrastructure Resilience Cyber Security & Communications

Homeland Security Commerce National Defense Public-Private Collaboration Efforts for Security Automation, Software Assurance, and Supply Chain Risk Management

DHS Cybersecurity and Communications Responsible for enhancing security, resiliency, and reliability of the nation's cyber and communications infrastructure; actively engages the public and private sectors as well as international partners to prepare for, prevent, and respond to catastrophic incidents that could degrade or overwhelm strategic assets. Works to prevent or minimize disruptions to our critical information infrastructure in order to protect the public, the economy, government services, and overall security of the United States by supporting a series of continuous efforts designed to further safeguard federal government systems by reducing potential vulnerabilities, protecting against cyber intrusions, and anticipating future threats. As the Sector-Specific Agency for the Communications and Information Technology (IT) sectors, CS&C coordinates national-level reporting consistent with the National Response Framework, and fulfills the mission through its five divisions: Office of Emergency Communications (OEC) Network Security Deployment (NSD) Federal Network Resilience (FNR) National Cybersecurity & Communications Integration Center (NCCIC) Stakeholder Engagement & Cyber Infrastructure Resilience (SECIR) Homeland Security Office of Cybersecurity and Communications

Interdependencies Between Physical & Cyber Infrastructures: Addressing Considerations for Resilience, Reliability, Safety, & Security -- Need for secure/resilient software and authentic parts Homeland Security Office of Cybersecurity and Communications

SwA & SCRM Imperative Homeland Security Increased risk from supply chain due to: Increasing dependence on commercial ICT for mission critical systems Increasing reliance on globally-sourced ICT hardware, software, and services Varying levels of development/outsourcing controls Lack of transparency in process chain of custody Varying levels of acquisition due-diligence Residual risk passed to end-user enterprise Counterfeit products Tainted products with malware, exploitable weaknesses and vulnerabilities Growing technological sophistication among our adversaries Internet enables adversaries to probe, penetrate, and attack us remotely Supply chain attacks can exploit products and processes throughout the lifecycle Office of Cybersecurity and Communications

DHS Software & Supply Chain Assurance Strategy Etc. Support Response Security Automation, Requirements Analysis & Risk Modeling Enable Automation Publications, Websites, FedVTE, Training & Education Working Groups, Forums Outreach & Collaborate Manage Software & Supply Chain Risks US Fed D/A Mgmt & IT Acquisition Homeland Security Influence Policy Policies implement standards Standards are a foundation of good policy Influence Standards ITU-T CYBEX ISO/IEC JTC1 The Open Group NIST Spec Pubs SP800-161 & 53 6 Office of Cybersecurity and Communications

Defects, Counterfeits & Tainted Components Mitigating exploitable risks attributable to non-conforming constructs in ICT Enable scalable detection and reporting of defective, counterfeit and tainted ICT components Leverage/mature related existing standardization efforts Provide Taxonomies, schema & structured representations with defined observables & indicators for conveying information: o Authenticity o Counterfeit o Defect o Tainted constructs: Malicious logic/malware (MAEC), Exploitable Weaknesses (CWE); Vulnerabilities (CVE) o Attack Patterns (CAPEC) Catalogue Diagnostic Methods, Controls, Countermeasures, & Mitigation Practices Exploitable weakness TAINTED [exploitable weakness, vulnerability, or malicious construct] Unpatched Vulnerability COUNTERFEIT Malware Exploitable weakness Unpatched Vulnerability AUTHENTIC DEFECTIVE Components can become tainted intentionally or unintentionally throughout the supply chain, SDLC, and in Ops & sustainment *Text demonstrates examples of overlap Presenter s Name June 17, 2003

Mitigating Risks Attributable to Exploitable Software and Supply Chains Enterprises seek comprehensive capabilities to: Avoid accepting software with MALWARE pre-installed. Determine that no publicly reported VULNERABILITIES remain in code prior to operational acceptance, and that future discoveries of common vulnerabilities and exposures can be quickly patched. Determine that exploitable software WEAKNESSES that put the users most at risk are mitigated prior to operational acceptance or after put into use. Determine that components traversing thru Supply Chain are not Counterfeit or Defective and have not been Tainted MAEC CVE CWE

Challenges in Mitigating Risks Attributable to Exploitable Software, Counterfeits & Supply Chains Several needs arise: Need internationally recognized standards to support security automation and processes to provide transparency for informed decision-making in mitigating enterprise risks. Need comprehensive diagnostic capabilities to provide sufficient evidence that code behavior can be understood to not possess exploitable or malicious constructs. Need scalable means for detecting & reporting counterfeits. Need Assurance to be explicitly addressed in standards & capability benchmarking models for organizations involved with security/safety-critical applications. Need rating schemes for ICT/software products and supplier capabilities.

ICT/software security risk landscape is a convergence between defense in depth and defense in breadth Enterprise Risk Management and Governance are security motivators Acquisition could be considered the beginning of the lifecycle; more than development Software & Supply Chain Assurance provides a focus for: -- Resilient Software and ICT Components, -- Security in the Component Life Cycle, -- Software Security in Services, and -- Supply Chain Risk Management (mitigating risks of counterfeit & tainted products)

Risk Management (Enterprise <=> Project): Shared Processes & Practices Different Focuses Enterprise-Level: Regulatory compliance Changing threat environment Business Case Program/Project-Level: Cost Schedule Performance Who makes risk decisions? Who owns residual risk from tainted/counterfeit products? * Tainted products are those that are corrupted with malware, or exploitable weaknesses & vulnerabilities that put users at risk

https://buildsecurityin.us-cert.gov/swa Provides resources for stakeholders with interests in Software Assurance, Supply Chain Risk Management, and Security Automation https://buildsecurityin.us-cert.gov Focuses on making security a normal part of software engineering

Software & Supply Chain Assurance: Enabling Enterprise Resilience through Security Automation, Software Assurance, and Supply Chain Risk Management Joe Jarzombek, PMP, CSSLP Director for Software & Supply Chain Assurance Stakeholder Engagement & Cyber Infrastructure Resilience Cyber Security & Communications

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback