Transcription
Cybersecurity & Resiliency:Early Actions Required inthe T&E ProcessProfessor Edward A. AdkinsDefense Acquisition University (DAU)Engineering, Test and CybersecurityEdward.Adkins@dau.milSystem of Systems in a 3rd Offset Environment
Why the Big Deal?“The DoD should expect cyber attacks tobe part of all conflicts in the future, andshould not expect competitors to play byour version of the rules” (p. 5)DTM 17-001, signed1-11-17: Cybersecurityin the DefenseAcquisition System:Resilient Systems and AdvancedCyber Threats“Responsibility forcybersecurity extendsto all members of theacquisition workforce.”
Overview Considering the Third Offset Strategy Focus Areas DAU Cybersecurity & Acquisition Lifecycle Integration Tool1. Understanding Requirements: Cybersecurity & Resilience2. Characterizing Attack Surface3. Using Threat Products DAU Cybersecurity Activities Summary
Third Offset Strategy Focus Areas “The new [for 2017] strategy is an attempt to offset shrinkingU.S. military force structure and declining technologicalsuperiority in an era of great power competition ” Term driven by Secretary of Defense Ashton Carter for 2017 Third Offset Investments Focus on Six Critical Areas:1.2.3.4.5.6.Anti-access and area denial (A2/AD)Guided munitionsUndersea warfareCyber and electronic warfare (offensive cyber and cybersecurity)Human-machine teamingWargaming and concepts developmentWhat is the Third Offset Strategy? Feb 16, 02/16/what is the third offset strategy 109034.html
Cybersecurity and Acquisition IntegrationCybersecurity in theDefenseAcquisition System– DTM17-001
Requirement: CybersecurityWhat is Cybersecurity? . “The prevention of damage to,protection of, and restoration of computers, electroniccommunications systems, electronic communications services,wire communication, and electronic communication, includinginformation contained therein, to ensure its availability,integrity, authentication, confidentiality, and nonrepudiation.”(Source: National Security Presidential Directive-54 / HomelandSecurity Presidential Dir-23, “Cybersecurity Policy,” January 8, 2008)Cybersecurity applies to all IT that receives, processes,stores, displays, or transmits DoD information
Cybersecurity PolicyThe DoD CIO updatedseveral 8500-seriespublications to transitionfrom informationassurance (IA) tocybersecurity.These policies employa more holistic, adaptive,resilient and dynamicapproach to implementcybersecurity acrossthe full spectrum of ITand cyber operations.Published VersionsDoDD 8500.01E, DoDI 8500.2DoDI 8510.01Updated VersionsDoDI 8500.01, DoDI 8510.01Information Assurance (IA)CybersecuritySecurity Objective: Confidentiality,Mission Assurance Cat. (MAC)Integrity, AvailabilityConfidentiality Level (CL)JointImpact Value: Low/Mod/HighTask ForceTransformationDoD Specific IA Definitions InitiativeCNSSI 4009 Glossary of TermsDoD IA ControlsC&A ProcessCNSSI 1253 - CategorizesSystems to Select NIST SP800-53 Security ControlsRisk Management Framework(RMF)
Cybersecurity Policy vs LawCybersecurity StrategyDODI 5000.02, TABLE 2MDA ApprovesSection 811, Public Law 106-398DOD CIO roles,IA (Cyber)StrategySection 2223(a), Title 1040 U.S.C 11312DoDI 8500.01, CybersecurityProgram Protection PlanDoD or ServiceCybersecurity StrategyCIO approvesSection 3506(h), Title 44Senior CybersecurityOfficialsChapter 35, Subchapter III, Title 44Sections 3505(c), 3542, 3545, 3547 Independent Evaluations, DefinitionsSecurity Protections & Cybersecurity RiskAgency CIOsDoDI 8510.01, RMFCybersecurity StrategyAOApprovesSecurity Plan *Appendix III,OMB CircularSystem Security Plan* Per NIST: Security Plan System Security Plan.In DODI 5000.02, it is called a RMF Security Plan
Risk Management Framework (RMF)
OSD Website the RMF TimelineCompleted DIACAP PackageSubmitted to AO for SignatureATO DatePresentthrough May 31, 2015June 1, 2015 through February 1,2016February 2, 2016 through October1, 2016Maximum Duration of ATO underDIACAP2.5 years from AO signature dateDetermined by AOSignature Date2 years from AO signature date1.5 years from AO signature dateWhat this means: Systems authorized under DIACAP shouldbe extinct by mid-year 2018. All systems will be authorizedfor test/fielding via the Risk Management Framework (RMF)
Requirement: Operational ResilienceWhat is Operational Resilience?– the ability of systems toanticipate, continue to operatecorrectly in the face of, recoverfrom, and evolve to better adaptto advanced cyber threats16
DODI 8500.01: Operational Resilience“Whenever possible, technologycomponents (e.g., hardware andsoftware) have the ability toreconfigure, optimize, self-defend,and recover with little or no humanintervention.” (p. 3)“Operational resilience requiresthree conditions be met: informationresources are trustworthy; missionsare ready for information resourcesdegradation or loss; and operationshave the means to prevail in theface of adverse events.” (p. 31)
DODI 5200.44: Operational ResilienceA system’s defensivecyberspace performance inthe operational environment:- To withstand representativecyber-attacks- To detect and react to thoseattacks and return tonormal operations in theevent of a successfulcyber-attack18
Cybersecurity and Acquisition IntegrationCybersecurity in theDefenseAcquisition System– DTM17-001
Characterize the Attack Surface“Future architectures will need to startwith the premise that each part of asystem must be designed to operate ina hostile environment.” (p. 3)Pick a Weapon “Cybersecurity requires a set ofprocesses that must continuouslycouple information about an evolvingthreat to defensive reactions andresponses.” (p. 6)
Cybersecurity & Acq Lifecycle IntegrationCybersecurity in theDefenseAcquisition System– DTM17-001
DoDI 5000.02: Threats/ Vulnerabilities 5000.02 - Enclosure 3. Testers (T&E)– “Countermeasures should include anti-tamper, exportabilityfeatures, security (including cybersecurity, operations security,information security, personnel security, and physical security),secure system design, supply chain risk management, softwareassurance, anti-counterfeit practices, procurement strategies,and other mitigations Countermeasures should mitigate orremediate vulnerabilities throughout the product life cycle,including developmental and operational testing, Incorporate software vulnerability analysis tools throughout thelife cycle and ensure remediation of software vulnerabilities isaddressed in PPPs, test plans, and contract requirements.
DoDI 5000.02: The ITEA 5000.02 - Table 2. Milestone and Phase Requirements– Acquisition and Intelligence communities to engage for theMilestone Development Decision (MDD)– “Initial Threat Environment Assessment (ITEA). Regulatoryfor anticipated MDAP and MAIS programs; optional for all otherprograms at the discretion of the MDA and in consideration ofIntelligence Community resources. Supports the MDD andthe AoA. Forms the basis for the initial STAR at Milestone A,and is superseded by the Milestone A STAR. The Initial ThreatEnvironment Assessment provides capability developers andPMs the ability to assess mission needs and capability gapsagainst likely adversary threat capabilities at IOC.”
DoDI 5000.02: The TTRA 5000.02 - Table 2. Milestone and Phase Requirements– Acquisition (with Test) and Intelligence communities toengage at Milestone A (MS A)– “Technology Targeting Risk Assessment (TTRA).Regulatory. Prepared by DoD Component Intelligenceanalytical centers per DoDI O-5240.24 and DoDI 5200.39.Forms the analytic foundation for Counterintelligenceassessments in the Program Protection Plan (PPP). DIAwill validate the report for ACAT ID and IAM; for ACAT IC,IAC, and below, DoD Component will be authority.”
DoDI 5000.02: The LMDP 5000.02 - Table 2. Milestone and Phase Requirements– Acquisition and Intelligence communities to engage forMilestone B (MS B)– “Life-cycle Mission Data Plan (LMDP). Regulatory; onlyrequired if the system is dependent on Intelligence MissionData (IMD). A draft update is due for Development RFP Release[Decision]; approved at Milestone B.” IMD: From DoDD 5250.01 “includes EWIR, OOB and C&P”– Electronic Warfare Integrated Reprogramming: assessed radio frequencies– Order of Battle: assessed structure, strength, equipment of an armed force– Characteristics & Performance: assessed foreign military system capabilities
Threats: Becoming SophisticatedWe need toconsider thesetypes ofthreats when:1. Test Planningfor AcquisitionPrograms 2. Planningfuture testingcapabilities forthe MRTFB
Overview Considering the Third Offset Strategy Focus Areas DAU Cybersecurity & Acquisition Lifecycle Integration Tool1. Understanding Requirements: Cybersecurity & Resilience2. Characterizing Attack Surface3. Using Threat Products DAU Cybersecurity Activities Summary
New Cybersecurity/PPP Curriculum CLE 074 – Cybersecurity Throughout Acquisition – (Deployed)– Over 400 students enrolled in 1st month– 94% recommended, 85% positive job impact ISA 220 – Risk Management Framework for Practitioners– Course deployment on schedule for Q2 FY17 – Student Pilot Q2 FY17 ENG 160 – Program Protection Planning Awareness (Deployed)– Contractor programing of Lessons 1- 6 In Progress Review (IPR) - Sep 2015– Course deployed Q4 FY16 ENG 260 – Program Protection Planning (PPP) for Practitioners– Contractor Performance Work Statement currently being finalized– Course deployment on schedule for Q1 FY18 Software Assurance and Supply Chain Risk Management on-line courses inearly development - deployment on schedule for early FY18
DAU Cybersecurity Consulting (MA) Consulting for USAF AODAU / Lockheed MOU - Cybersecurity TrainingConsulting for Army Aviation & Missile Research,Development and Engineering Center (AMRDEC)Consulting for USAF (AFOTEC)DAU Meeting w Army Navy USAF CIO RepsTraining for DMCAWorkshops for Navy (NSWC & LCS PMO)Workshops for Navy (SPAWAR)Workshops for USAF (AFTC)since 2012since 2013since 20142015201520152015since 2015since 2015since long term and formal agreement established
DAU Cybersecurity Consulting (MA) Training for USAF Intelligence (AFLCMC)Workshop for Navy (Crane)Workshops for USMC (Quantico)Training for Navy (SPAWAR)Workshop for Army (JLTV PMO)Workshops for Joint Interop Test CommandWorkshops forNavy (NAVFAC)Training for Navy (COMOPTEVFOR)Workshops at Three DAU Regions (available)since 20152016since 2016since 2016since 2016since 2016since 2016Jan 2017Jan 2017 Can the DAU Team Help Your Organization?
Summary1. Understand how 2017 Third Offset Strategy Focus Areaswill impact your (DT/OT) test program and/or your test range2. Know and challenge each program’s Cybersecurity andResilience requirements for test and impacts to your Range3. Question each program’s Architecture and Attack Surfaceand then use all Threat Products for test planning4. The DAU team is here to help with Cybersecurity if needed
Questions?Professor Edward A. AdkinsDefense Acquisition University (DAU)Engineering, Test and CybersecurityEdward.Adkins@dau.mil
Completed DIACAP Package Submitted to AO for Signature ATO Date Maximum Duration of ATO under DIACAP Present through May 31, 2015 Determined by AO Signature Date 2.5 years from AO signature date June 1, 2015 through February 1, 2016 2 years from AO signature date February 2, 2016 through October 1, 2016 1.5 years from AO signature date
