dod guidelines on cybersecurity t&e - dau sponsored...dod guidelines on cybersecurity t&e...
TRANSCRIPT
DoD Guidelines on Cybersecurity T&E
Kim [email protected] 256-922-8143
What is Cybersecurity
Defined as the prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communication services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and non-repudiation.
2
DoDI 8500.01 adopts the term “Cybersecurity” in lieu of “Information Assurance” (March 2014)
Five Aspects of Cybersecurity
3
Triad
DOT&E FY 2018 Annual Report
4
Despite improvements, cybersecurity capabilities are not advancing fast enough to stay ahead of the “onslaught of multipronged attacks”
“Recent advance in cyber technologies indicate that automation – and even artificial intelligence – are beginning to make profound changes”
Preparations must include realistic demonstrations of fight-through capabilities, resilience, and alternate modes
DODI 5000.02, Cybersecurity DT & OT in the Defense Acquisition System
• Identify T&E data to assess progress toward achieving cybersecurity requirements
• ... Support cybersecurity assessments & authorization (Encl 4)
• T&E strategy includes explicit cybersecurity requirements & key interfaces
• Design T&E scenarios based on probable adversary access (Attack Surface)
• Program Manager will develop a strategy & resources for cybersecurity testing:– At Milestone A, TEMP will document a strategy &
resources (Encl 5)– At Milestone B, TEMP will ensure evaluation of ability
to protect, detect, react, and restore to sustain continuity of operation (COOP). (Encl 5) 5
Procedures for Operational T&E of Cybersecurity in Acquisition Programs – Apr 03, 2018
6
• OT&E includes Cooperative Vulnerability and Penetration Assessment (CVPA) and an Adversarial Assessment (AA)
• Examine operational resilience attributes (Prevent, Mitigate, Recover)
• TEMP should define a test strategy that includes cybersecurity
• Input to OT&E should include the TEMP, Engineering & Program Protection Plans, threat documents-Validated Online Lifecycle Threat, system supply to critical missions
• The TEMP should identify resources required to execute CVPAs and AAs and include funding, organizations, test assets and threat documentation
DoD Cybersecurity T&E Guidebook• Version 2.0 published April 2018
– Describes each phase, inputs, outputs, tasks– Addresses RMF integration– Includes new appendices - FOUO appendices published separately 30JUN18– Publicly accessible links to the Guidebook
• https://www.acq.osd.mil/dte-trmc/docs/CSTE%20Guidebook%202.0_FINAL%20(25APR2018).pdf• For Official Use Only (FOUO) appendices are accessible to government and authorized contractor personnel
at the following link: https://intelshare.intelink.gov/sites/atlcoi/cyberTableTops/SitePages/Home.aspx
7
• Cybersecurity Requirements and Measures for DT&E• Using Cyber Threat Assessment for Cybersecurity T&E• Mission-Based Cybersecurity Risk Assessments• Cybersecurity Test Infrastructure and Environment Planning• Cybersecurity Test Considerations for Non-IP Systems
Cybersecurity T&E Acquisition Phases
8
Cybersecurity Early in the Lifecycle
9
Added Cyber Survivability as key element of the mandatory System Survivability KPP
Cybersecurity Early in the Lifecycle
10
Cyber Survivability is key element of the mandatory System Survivability KPP
• Elements of the System Survivability KPP are Kinetic, Cyber and EMS survivability
• Cyber Survivability. Ensures warfighter systems are designed to prevent, mitigate, and recover from cyber-attacks by applying a risk managed approach to building and maintaining systems through Cyber Survivability Attributes
Cyber Survivability Endorsement Implementation Guide (FOUO)
• The Joint Staff and DoD CIO developed Cyber Survivability Endorsement (CSE) criteria to assess requirements for key attributes that increase cyber survivability.
11https://intelshare.intelink.gov/sites/cybersurvivability/_layouts/15/start.aspx#/SitePages/Home.aspx
CJCS Cyber Survivability Attributes (CSA)
Cyber Survivability Endorsement (CSE) ensures CSAs addressed in:• Milestone A - Draft CDD / TEMP • Milestone B - Validated CDD at the Development RFP Decision Point• Milestone C - CPD
12
Where is the Focus?
13
THE BRIDGE IS OUT AHEAD
The Risk Management Framework• Required by policy
– DoDI 8500.01 3.a and 3.h requires cybersecurity risk management– DoDI 8510.01 Risk Management Framework (RMF) implements DoD’s Risk Management Policy
• RMF provides a structured, tailorable, and repeatable process that integrates security and risk management activities into the system development life cycle
– Considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations
• RMF helps ensure the appropriate “cyber hygiene” controls and security configurations are designed into the system
– Protections to help meet the goals of risk-managed Confidentiality, Integrity and Availability– Adds continuous monitoring to system life cycle management to ensure ongoing awareness of and risk
managed responses to changing threats and environments
RMF Does Not Replace Cybersecurity T&E14
Risk Management Framework (RMF) Process Overview
15
Interaction of RMF and T&E Cybersecurity Activites
16