ICT Supply Chain Risk Management

Similar documents
FREQUENTLY ASKED QUESTIONS

Notional Supply Chain Risk Management Practices for Federal Information Systems

Supply Chain Risk Management Practices for Federal Information Systems and Organizations

Get Confidence in Mission Security with IV&V Information Assurance

Towards a standard approach to supply chain integrity. Claire Vishik September 2013

GAO. IT SUPPLY CHAIN Additional Efforts Needed by National Security- Related Agencies to Address Risks

Cyber Security Risk Management: A New and Holistic Approach

Managing Risk in the Supply Chain

Suggested Language to Incorporate System Security Engineering for Trusted Systems and Networks into Department of Defense Requests for Proposals

Security Controls Assessment for Federal Information Systems

Information and Communications Technology Supply Chain Risk Management (ICT SCRM) AND NIST Cybersecurity Framework

NIST A: Guide for Assessing the Security Controls in Federal Information Systems. Samuel R. Ashmore Margarita Castillo Barry Gavrich

Information Security for Managers

Piloting Supply Chain Risk Management Practices for Federal Information Systems

Security and Privacy Controls for Federal Information Systems and Organizations

Piloting Supply Chain Risk Management Practices for Federal Information Systems

FISMA Implementation Project

Minimum Security Requirements for Federal Information and Information Systems

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM

Looking at the SANS 20 Critical Security Controls

Software & Supply Chain Assurance: Mitigating Risks Attributable to Exploitable ICT / Software Products and Processes

Security Control Standard

DIVISION OF INFORMATION SECURITY (DIS)

Opening Up a Second Front for Cyber Security and Risk Management

Security Control Standard

Department of Defense INSTRUCTION

Cybersecurity Framework. Executive Order Improving Critical Infrastructure Cybersecurity

Cybersecurity Throughout DoD Acquisition

Dr. Ron Ross National Institute of Standards and Technology

CTR System Report FISMA

Implementing Program Protection and Cybersecurity

Managing Security and Privacy Risk in Healthcare Applications

Do You Have The Right Practices In Your Cyber Supply Chain Tool Box? NDIA Systems Engineering Conference October 29, 2014

FFIEC Cybersecurity Assessment Tool

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

Cloud Security for Federal Agencies

Security Risk Management For Health IT Systems and Networks

NASA OFFICE OF INSPECTOR GENERAL

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014

Information Security Program Management Standard

CMS POLICY FOR THE INFORMATION SECURITY PROGRAM

The Software Supply Chain Integrity Framework. Defining Risks and Responsibilities for Securing Software in the Global Supply Chain.

Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples

Cybersecurity The role of Internal Audit

NIST National Institute of Standards and Technology

IT Security Management Risk Analysis and Controls

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

Middle Class Economics: Cybersecurity Updated August 7, 2015

Managing Security Risk In a World of Complex Systems and IT Infrastructures

FY14 Q2 Chief Information Officer Federal Information Security Management Act Reporting Metrics v1.0

Information Technology Security Training Requirements APPENDIX A. Appendix A Learning Continuum A-1

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

FEDERAL HOUSING FINANCE AGENCY OFFICE OF INSPECTOR GENERAL

Public Law th Congress An Act

Adding a Security Assurance Dimension to Supply Chain Practices

ENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE

INFORMATION SECURITY STRATEGIC PLAN

Trusted Systems and Networks (TSN) Analysis

April 28, Ms. Hada Flowers Regulatory Secretariat Division General Services Administration 1800 F Street, NW, 2 nd Floor Washington, DC

COUNTERINTELLIGENCE. Protecting Key Assets: A Corporate Counterintelligence Guide

CYBER SECURITY GUIDANCE

NARA s Information Security Program. OIG Audit Report No October 27, 2014

DEPARTMENT OF VETERANS AFFAIRS VA HANDBOOK INCORPORATING SECURITY AND PRIVACY INTO THE SYSTEM DEVELOPMENT LIFE CYCLE

Altius IT Policy Collection Compliance and Standards Matrix

The Comprehensive National Cybersecurity Initiative

National Information Assurance Certification and Accreditation Process (NIACAP)

Mission Assurance and Security Services

PROJECT BOEING SGS. Interim Technology Performance Report 1. Company Name: The Boeing Company. Contract ID: DE-OE

GAO IT SUPPLY CHAIN. National Security- Related Agencies Need to Better Address Risks. Report to Congressional Requesters

Enterprise Security Tactical Plan

State of Oregon. State of Oregon 1

Legislative Language

Department of Veterans Affairs VA Directive 6004 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS

Security Control Standard

Policy on Information Assurance Risk Management for National Security Systems

Developing Secure Software in the Age of Advanced Persistent Threats

Advancing Access to Restricted Data: Regulations, Compliance, Continuous Monitoring. OH MY!!!

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

EPA Classification No.: CIO P-01.1 CIO Approval Date: 06/10/2013 CIO Transmittal No.: Review Date: 06/10/2016

Building Security In:

Deriving Software Security Measures from Information Security Standards of Practice

Supply Chain Risk Management. Operating ahead of the threat, not behind the vulnerabilities

3 rd Party Application Analysis: Best Practices and Lessons Learned. Chris Wysopal Founder and CTO Veracode

Dean C. Garfield President & CEO, Information Technology Industry Council (ITI) Committee on Energy and Commerce

Risk Management Guide for Information Technology Systems. NIST SP Overview

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget

NIST Special Publication (SP) , Revision 2, Security Considerations in the System Development Life Cycle

PUTTING NIST GUIDELINES FOR INFORMATION SECURITY CONTINUOUS MONITORING INTO PRACTICE

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE

Security Authorization Process Guide

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Human Resource (HR) and Security Awareness v1.0 September 25, 2013

NIST Cybersecurity Initiatives. ARC World Industry Forum 2014

Certification and Accreditation: A Program for Practitioner Education

The introduction covers the recent changes is security threats and the effect those changes have on how we protect systems.

PASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013

Tim Denman Systems Engineering and Technology Dept Chair/ Cybersecurity Lead DAU South, Huntsville

Cyber Security Governance

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

IoT & SCADA Cyber Security Services

Transcription:

ICT Supply Chain Risk Management Celia Paulsen Computer Security Division IT Laboratory Manager s Forum June 4, 2013

General Problem Definition Scope of Supplier Expansion and Foreign Involvement graphic in DACS www.softwaretechnews.com Secure Software Engineering, July 2005 article Software Development Security: A Risk Management Perspective synopsis of May 2004 GAO-04-678 report Defense Acquisition: Knowledge of Software Suppliers Needed to Manage Risks 2

ICT SCRM Problem Definition ICT Supply Chain Risk Manag ement Growing sophistication of ICT Number and scale of information systems Government s increasing reliance on COTS Speed and scale of globalization Complex supply chain (logically long and geographically diverse) Significant increase in the number of entities who touch products and services Natural disasters, poor product/service quality and poor security practices Lack of visibility and understanding: how technology is developed, integrated and deployed and practices to assure security. A lack of control of the decisions impacting the inherited risks and ability to effectively mitigate those risks.

ICT Supply Chain Risk Threats Adversarial: e.g.: insertion of counterfeits, tampering, theft, and insertion of malicious software. Non-adversarial: e.g.: natural/man-made disaster, poor quality products/services and poor practices (engineering, manufacturing, acquisition, management, etc). Vulnerabilities Internal: e.g. information systems and components, organizational policy/processes (governance, procedures, etc.) External: e.g. weaknesses to the supply chain, weaknesses within entities in the supply chain, dependencies (power, comms, transportation, etc.) Likelihood (probability of a threat exploiting a vulnerability(s)) Adversarial: capability and intent Non-adversarial: occurrence based on statistics/history Impact - degree of harm To: mission/business function From: data loss, modification or exfiltration From: unanticipated failure rates or loss of system availability From: reduced availability of components

ICT Supply Chain Risk Management National Institute of of Standards and Technology

ICT SCRM Approach SDLC Design, development, acquisition, integration, operation, and disposal Enterprise Risk Management Risk can be managed, but not eliminated. Holistic approach, involving all stakeholders in an enterprise and identifying risk to and through the supply chain. 6

Effective SCRM = Many Disciplines Legal Information Security System and Software Engineering Contracting ICT SCRM Management Software Assurance Logistics Acquisition Other 7

Existing and Emerging Activity Government Comprehensive National Cybersecurity Initiative Stood Up DoD ICT SCRM Key Practices Document Cyberspace Policy Review NIST IR 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems The President s International Strategy for Cyberspace GAO Report NIST SP 800-161 PMOs developed in DOJ and DOE H.R. 933, Sec 516(a)(b) 2008 2009 2010 2011 2012 2013 Industry DHS Vendor Procurement Language SAFECode Software Supply Chain Integrity papers Common Criteria Technical Open Trusted Technology Document Framework ISF Supplier Assurance Framework IEC 62443-2-4 Industrial-process measurement, control and automation ISO/IEC 27036 Guidelines for Information Security in Supplier Relationships SAE Counterfeit Electronic Parts Avoidance series (SAE AS5553, SAE AS6081, etc.) 8

Federal Government Drivers CNCI 11 Develop a multi-pronged approach for global supply chain risk management (January 2008) FAR - Federal Acquisition Regulations (FAR) that require supply chain practices; (NIST SUPPORT) INFO SHARING - A means to share supplier-related threat information; CONTINUOUSLY MANAGE SUPPY CHAIN RISK - Increased ability of Federal agencies to manage supply chain risks once an information system is in place; STANDARDS - Standards (preferably widely-used and/or international) on supply chain practices for integrators and suppliers; and, (NIST ROLE) TOOLS AND TECHNOLOGIES - Current and new technologies and tools incorporated into supply chain practices. (NIST ROLE)

Federal Government Drivers 10

H.R. 933 Sec. 516 (a)(b) Sec. 516(a) - None of the funds appropriated or otherwise made available under this Act may be used by the Departments of Commerce and Justice, the National Aeronautics and Space Administration, or the National Science Foundation to acquire an information technology system unless the head of the entity involved, in consultation with the Federal Bureau of Investigation or other appropriate Federal entity, has made an assessment of any associated risk of cyber-espionage or sabotage associated with the acquisition of such system, including any risk associated with such system being produced, manufactured or assembled by one or more entities that are owned, directed or subsidized by the People s Republic of China. 11

EO Cybersecurity Framework Supply chain one of the most mentioned phrases found in responses to NIST s public request for information (RFI). Supply chain called out as the Common Point Understanding Your Threat Environment, during the RFI analysis. Supply chain identified as a Gap (insufficient information) under Dependencies. 12

NIST IR 7622 SCRM PRACTICES FOR FEDERAL INFORMATION SYSTEMS 13

NIST IR 7622 Guidance and recommended practices to manage supply chain risk to a level commensurate with the criticality of information systems or networks for the acquiring federal agency only High-Impact Level Systems (FIPS 199) medium-impact dependent upon risk management approach System Development Life Cycle (SDLC) (COTS & GOTS.) Design, development, acquisition, integration, operation, and disposal Broad Audience System owners, acquisition staff, system security personnel, system engineers, etc. 14

Implementing ICT SCRM: Roles & Responsibilities Plan Procurement Oversee Oversee Oversee Lead Approve Lead Define/Develop Requirements Oversee Oversee Oversee Advise Advise Lead Identify Potential Suppliers and/or Perform Market Analysis Oversee Oversee Oversee Advise Advise Lead Complete Procurement Oversee Oversee Approve Lead Approve Lead Operations and Maintenance Oversee Oversee Oversee Advise Advise Lead PROCESS Risk Executive (Function) Chief Information Officer (CIO) Senior Information Security Officer (SISO) Contracting Officer(CO) Legal Mission Business Owner 15

NISTIR 7622 ICT SCRM Practices Format Practices formatted by role, activities, and requirements. Practice Format Role Type of Action Description of Action Acquirer Programmatic Activities Practices that an acquirer will undertake within their programs, including requirements to be included in contractual documents, as well as internal policies and procedures. Integrator Supplier Integrator Supplier Acquirer Integrator Supplier General Requirements General Requirements Technical Implementation Requirements Technical Implementation Requirements Validation and Verification Activities Validation and Verification Requirements Validation and Verification Requirements General practices that an integrator will implement within programs that are either in response to contractual requirements or to document existence of programmatic activities that reduce supply chain risk. General practices that a supplier will implement within programs to document existence of programmatic activities that reduce supply chain risk. Detailed technical practices that an integrator will implement within programs to document technical capabilities to manage supply chain risk. Detailed technical practices that a supplier will implement within programs to document technical capabilities to manage supply chain risk. Suggestions for how an acquirer can ascertain that integrators or suppliers have implemented ICT SCRM. Suggestions on how an integrator can demonstrate that they have implemented ICT SCRM. Suggestions on how a supplier can demonstrate that they have implemented ICT SCRM. 16

NISTIR 7622 ICT SCRM Practices Uniquely Identify Supply Chain Elements, Processes, and Actors Limit Access and Exposure within the Supply Chain Create and Maintain the Provenance of Elements, Processes, Tools and Data Share Information within Strict Limits Perform SCRM Awareness and Training Use Defensive Design for Systems, Elements, and Processes Perform Continuous Integrator Review Strengthen Delivery Mechanisms Assure Sustainment Activities and Processes Manage Disposal and Final Disposition Activities Throughout the System or Element Lifecycle 17

Special Publication 800-53 R4 Security and Privacy Controls for Federal Information Systems and Organizations 18

SA-12: Supply Chain Protection Control: The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy. Supplemental Guidance: Information systems (including system components that compose those systems) need to be protected throughout the system development life cycle (i.e., during design, development, manufacturing, packaging, assembly, distribution, system integration, operations, maintenance, and retirement). Protection of organizational information systems is accomplished through threat awareness, by the identification, management, and reduction of vulnerabilities at each phase of the life cycle and the use of complementary, mutually reinforcing strategies to respond to risk. Organizations consider implementing a standardized process to address supply chain risk with respect to information systems and system components, and to educate the acquisition workforce on threats, risk, and required security controls. Organizations use the acquisition/procurement processes to require supply chain entities to implement necessary security safeguards to: (i) reduce the likelihood of unauthorized modifications at each stage in the supply chain; and (ii) protect information systems and information system components, prior to taking delivery of such systems/components. This control enhancement also applies to information system services. Security safeguards include, for example: (i) security controls for development systems, development facilities, and external connections to development systems; (ii) vetting development personnel; and (iii) use of tamper-evident packaging during shipping/warehousing. Methods for reviewing and protecting development plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements. 19

SA-12: Supply Chain Protection 1. Acquisition Strategies / Tools / Methods 2. Supplier Reviews 3. Limitation Of Harm 4. Assessments Prior To Selection / Acceptance / Update 5. Use Of All-source Intelligence 6. Operations Security 7. Validate As Genuine And Not Altered 8. Penetration Testing / Analysis Of Supply Chain Elements, Processes and Actors 9. Inter-organizational Agreements 10. Critical Information System Components 11. Identity And Traceability 12. Processes To Address Weaknesses Or Deficiencies 20

Related SA Controls SA-3 System Development Life Cycle SA-4 Acquisition Process SA-8 Security Engineering Principles SA-9 External Information System Services SA-10 Developer Configuration Management SA-11 Developer Security Testing and Evaluation SA-14 Criticality Analysis SA-15 Development Process, Standards and Testing SA-18 Tamper Resistance and Detection SA-19 Component Authenticity SA-20 Customized Development of Critical Components 21

Supply Chain-related Controls (non-sa) AT-3 Security Training CM-8 Information System Component Inventory IR-4 Incident Handling PE-16 Delivery and Removal PL-8 Information Security Architecture SC-29 Heterogeneity SC-30 Concealment and Misdirection SC-38 Operations Security SI-7 Software, Firmware and Information Integrity 22

Draft Special Publication 161 Supply Chain Risk Management Practices for Federal Information Systems and Organizations 23

Draft SP 161, SCRM Practices For Federal Information Systems Goals and Scope Ability to implement and assess Enterprise Risk Management System Development Life Cycle Tied to JTF Unified Framework and other publications o Enterprise Supply Chain Risk Management Guidance (800-39; Organization, mission/business, operations/system) o Supply Chain Risk Assessment Guidance (800-30) o Risk Mitigation and Control Selection Guidance 800-53 R4 and 800-53A Enhanced Overlay 24

Three Tiered Risk Management Approach STRATEGIC RISK -Traceability and Transparency of Risk-Based Decisions -Organization-Wide Risk Awareness TIER 1 organization TIER 2 mission / business processes -Inter- Tier and Intra-Tier Communications -Feedback Loop for Continuous Improvement TIER 3 information systems TACTICAL RISK 25

Organizational Roles and Activities Tiers Tier Name Type of Role Activities 1 Organization Executive Leadership CEO, CIO, COO, CFO Risk executive 2 Mission Business Management (includes PM, R&D, and Engineering/SDLC oversight) Procurement Cost Accounting Reliability / safety / quality management 3 Operation Systems Management architects, developers, QA/QC, testing Contracting/procurement approving selection, payment and approach for obtaining, Maintenance Disposal Corporate Strategy Policy Actionable policies and procedures Guidance Constraints Policy implementation Requirements Constraints Implementation 26

Monitor Frame Assess Operations Requirements (full SDLC) Vulnerability Analysis Mission Requirements (definition of critical mission threads) Criticality Analysis Likelihood (exploitability) Impact Analysis/Assessment Organization Requirements/ Constraints Threat Analysis Frame Assess Monitor Respond Accept, Reject, Transfer, Share, Mitigate Risk Respond

Frame Assess Respond Monitor Enterprise Develop ICT SCRM Policy Conduct Baseline Criticality Determination Integrate ICT SCRM considerations into enterprise risk management Integrate ICT SCRM considerations into enterprise risk management Make enterprise risk decisions to avoid, mitigate, share, or transfer risk Select, tailor, and implement appropriate enterprise ICT SCRM controls Document controls in Enterprise ICT SCRM Plan Integrate ICT SCRM into agency Continuous Monitoring program Monitor and evaluate enterprise-level constraints and risks for change and impact Monitor effectiveness of enterprise-level risk response Mission/Business Process Define ICT SCRM Mission/business requirements Incorporate these requirements into mission/ business processes and enterprise architecture Establish ICT SCRM Risk Assessment Methodology Establish FIPS 199 impact levels Conduct Mission Function Baseline Criticality Determination Determine ICT SCRM risk assessment methodology Conduct Risk Assessment including Criticality Analysis for mission threads Determine current risk posture Make mission/business-level risk decisions to avoid, mitigate, share, or transfer risk Select, tailor, and implement appropriate mission/ businesslevel controls Document controls in Missionlevel ICT SCRM Plan Identify which mission functions need to be monitored for ICT supply chain change and assessed for impact Integrate ICT SCRM into Continuous Monitoring processes and systems Monitor and evaluate missionlevel risks and constraints for change and impact Monitor effectiveness of mission-level risk response System Define system-level ICT SCRM requirements Conduct ICT SCRM Risk Assessment including Criticality Analysis for individual systems Determine current risk posture Make mission/business-level risk decisions to avoid, mitigate, share, or transfer risk Select, tailor, and implement appropriate system-level controls Document ICT SCRM controls in System Security Plan Monitor and evaluate system-level requirements and risks for change and impact Monitor effectiveness of system-level risk response

Thank you!! Contact: Jon Boyens jon.boyens@nist.gov Celia Paulsen celia.paulsen@nist.gov http://scrm.nist.gov 29

Components of Risk Assessment Criticality Analysis Purpose: narrow the scope (and resources) issues most important for mission success FIPS 199 helps to scope which systems require SCRM Criticality analysis narrows the system and its functions to focus on those issues most important for mission success. Can contain: o Logic-bearing components which can be especially susceptible to malicious alteration throughout the system life cycle o Functional breakdown which is an effective method to identify functions, associated critical components, and supporting defensive functions o Dependency analysis which is used to identify these functions on which critical functions depend, which themselves become critical functions (e.g., defensive functions such as digital signatures used in software patch acceptance) o Identification of all access points and assessment to identify and protect unmediated access to critical function/components (e.g., least privilege implementation) 5/8/13 30

Components of Risk Assessment Threat Analysis: Specific and timely threat characterization of the identified suppliers, threat adversaries, and any natural disaster possibilities to inform management, acquisition, and engineering activities in an organization Includes the capture of data such as: o Changes to the systems/components or SDLC environment o Observation of attacks while they are occurring o Incident data collected post attack o Observation of tactics, techniques, and procedures used in specific attacks, whether observed or collected using audit mechanisms o Natural disasters in pre, during and post occurrence 5/8/13 National Institute of 31

Components of Risk Assessment Vulnerability: any weakness in system/component design, development, production, or operation that can be exploited by a threat to defeat a system s mission objectives or significantly degrade its performance. Vulnerability Analysis Analysis is focused on mission critical functions and systems/components identified by criticality analysis. Iterative process which can lead to adjustment in criticality, and threat analysis as well as informing risk assessment and countermeasure selection. The principal vulnerabilities to watch for in an overall review of SDLC are: o Access paths within the supply chain allowing malicious actors to introduce components causing system failure at some later time ( components here include hardware, software, and firmware). o Access paths through which malicious actors can trigger a component malfunction or failure during system operations. o Dependencies on supporting or associated components with easy access to subvert components that directly perform critical functions. o information gathering opportunities both on the supply chain and component/service (reverse engineering, weaknesses, etc) 5/8/13 National Institute of 32

Components of Risk Assessment Likelihood Likelihood is the possibility of an exploit occurrence. For Supply chain risk analysis, likelihood is a weighted factor based on a subjective analysis the probability that a given threat is capable of exploiting a given vulnerability. (CNSS-4009). Key knowledge required to evaluate likelihood: o Threat assumptions (man-made threats including natural disasters, cyber threats, etc) o Threat modeling of SDLC environment or the supply chain element. o Actual supply chain threat information (e.g. adversaries capabilities, tools, intentions, targets of desire) o Empirical data and static analysis to determine probabilities of supply chain threat occurrence o Vulnerabilities identified at the system, component, or process weakness. Impact Impact measures the magnitude of harm that can result from the consequences of unauthorized or unpredicted disclosure, modification, or destruction or loss of information or system availability. For supply chain this can mean the access to elements in the supply chain or the supply chain itself requiring organizational, mission/business and operational assessment. 5/8/13 National Institute of 33

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information