CYBERSECURITY CHALLENGES FOR DOD ACQUISITION PROGRAMS. Steve Mills DAU-South



Similar documents
CYBERSECURITY CHALLENGES FOR DOD ACQUISITION PROGRAMS. Steve Mills Professor of Information Technology

Cybersecurity Throughout DoD Acquisition

DEPARTMENT OF DEFENSE 6000 DEFENSE PENTAGON WASHINGTON, D.C

Tim Denman Systems Engineering and Technology Dept Chair/ Cybersecurity Lead DAU South, Huntsville

RMF. Cybersecurity and the Risk Management. Framework UNCLASSIFIED

1 July 2015 Version 1.0

AF Life Cycle Management Center

DoD Software Assurance (SwA) Overview

Risk Management Framework (RMF): The Future of DoD Cyber Security is Here

Building Security In:

Cybersecurity in Test & Evaluation. James S. Wells Deputy Director, Cyberspace & HSE Programs Office of Test & Evaluation

Interim DoDI The Cliff Notes Version --

WORKFORCE COMPOSITION CPR. Verification and Validation Summit 2010

System Security Engineering

FREQUENTLY ASKED QUESTIONS

Department of Defense INSTRUCTION

DoD CIO s 10-Point Plan for IT Modernization. Ms. Teri Takai DoD CIO

Cybersecurity: Mission integration to protect your assets

Cybersecurity is one of the most important challenges for our military today. Cyberspace. Cybersecurity. Defending the New Battlefield

Implementing Program Protection and Cybersecurity

SECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK

How To Become A Senior Contracting Official

Security Control Standard

SYSTEMS SECURITY ENGINEERING

Update: OSD Systems Engineering Revitalization Efforts

WHITE PAPER. Attack the Attacker HOW A MANAGED SECURITY SERVICE IMPROVES EFFICIENCY AND SAVES COST

Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems

Human Resources Management. Portfolio Management Concept of Operations

National Initiative for Cyber Security Education

Policy on Information Assurance Risk Management for National Security Systems

OFFICE OF THE SECRETARY OF DEFENSE 1700 DEFENSE PENTAGON WASHINGTON, DC

Defense Healthcare Management Systems

DoD Strategy for Defending Networks, Systems, and Data

Cybersecurity Framework. Executive Order Improving Critical Infrastructure Cybersecurity

UNITED STATES AIR FORCE. Air Force Product Support Enterprise Vision

NICE and Framework Overview

Information Security Risk and Compliance Series Risking Your Business

Cyber Workforce Training

Department of Defense INSTRUCTION

IG ISCM MATURITY MODEL FOR FY 2015 FISMA FOR OFFICIAL USE ONLY

Security Risk Management For Health IT Systems and Networks

The Comprehensive National Cybersecurity Initiative

Department of Defense INSTRUCTION

U.S. FLEET CYBER COMMAND U.S. TENTH FLEET DoD RMF Transition

U.S. Defense Priorities OSD PA&E

Managing Security Risk In a World of Complex Systems and IT Infrastructures

Department of Defense NetOps Strategic Vision

Statement. Mr. Paul A. Brinkley Deputy Under Secretary of Defense for Business Transformation. Before

Middle Class Economics: Cybersecurity Updated August 7, 2015

Joint Interoperability Certification

System Security Engineering and Comprehensive Program Protection

How do you give cybersecurity the highest priority in your organization? Cyber Protection & Resilience Solutions from CGI

Empowering IT Acquisitions

Department of Defense DIRECTIVE

Continuous Monitoring in a Risk Management Framework. US Census Bureau Oct 2012

FOUNDATION: Material Solution Analysis Is More Than Selecting an Alternative

DoD CIO ITSM Overview Enterprise Architecture Conference

Proposed Cybersecurity T&E Process

Department of Defense DIRECTIVE

How To Write A Cybersecurity Framework

How to use the National Cybersecurity Workforce Framework. Your Implementation Guide

Automate Risk Management Framework

Strategy and Management Services (SAMS), Inc.

IEEE-Northwest Energy Systems Symposium (NWESS)

Software Engineering Framing DoD s Issues

Department of Defense INSTRUCTION

Cybersecurity in the States 2012: Priorities, Issues and Trends

Mike Smart Cyber Strategist & Enterprise Security Solutions, EMEA. Cyber: The Catalyst to Transform the Security Program

September 24, Mr. Hogan and Ms. Newton:

Cloud Security for Federal Agencies

Click to edit Master title style

CYBER SECURITY GUIDANCE

How SPAWAR s Information Technology & Information Assurance Technical Authority Support Navy Cybersecurity Objectives

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014

Everything You Wanted to Know about DISA STIGs but were Afraid to Ask

Rethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council

Obtaining Enterprise Cybersituational

Department of Defense Net-Centric Services Strategy

Turning Portfolio Management into Decisions

THE UNDER SECRETARY OF DEFENSE DEFENSE PENTAGON WASHINGTON, DC

DOD DIRECTIVE CLIMATE CHANGE ADAPTATION AND RESILIENCE

BlacKnight. Cyber Security international A BUSINESS / MARKETING PRESENTATION

Re-Issuance of DOD Instruction

NICE Cybersecurity Workforce Framework Tutorial

A Guide to Successfully Implementing the NIST Cybersecurity Framework. Jerry Beasley CISM and TraceSecurity Information Security Analyst

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

NASA OFFICE OF INSPECTOR GENERAL

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Information Security for Managers

National Institute of Standards and Technology Smart Grid Cybersecurity

Information Technology Strategic Plan

STATEMENT OF. Dr. David McClure Associate Administrator Office of Citizen Services and Innovative Technologies General Services Administration

U.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems

The Information Technology Program Manager s Dilemma

Transcription:

CYBERSECURITY CHALLENGES FOR DOD ACQUISITION PROGRAMS Steve Mills DAU-South 1

Overview Questions Cybersecurity Owners and Stakeholders Cybersecurity Why It Matters to DoD Program Managers Defense Science Board Observations Cybersecurity Policy Overview Cybersecurity in the DoD Acquisition Lifecycle Sustainment vs Cybersecurity DAU CyberSecurity Courses Take Aways How DAU Can Help 2

Questions How vulnerable and resilient are DoD systems against the Cyber threat? Should Cybersecurity be treated as a design consideration in DoD acquisition programs? Who in the acquisition workforce needs to be involved in addressing the Cyber threat? 3

Cybersecurity Owners & Stakeholders G2 - Intel It s Hacking! It s Network Defense! G3 - Ops PM SE G6 CIO Cybersecurity is Operational! It s Electronic Warfare! Cybersecurity It s Program Protection! IT T&E LOG CON 4

Defense Science Board CyberSecurity Observations Current DoD actions, though numerous are fragmented. Thus DoD is not prepared to defend against this threat. DoD Red Teams, using cyber attack tools which can be downloaded from the internet, are very successful at defeating our systems With present capabilities and technology it is not possible to defend with confidence against the most sophisticated cyber attacks. It will take years for the Department to build an effective response to the cyber threat. 5 Source: DoD Defense Science Board Task Force Report: Resilient Military Systems and the Advanced Cyber Threat. (January 2013)

DoDI 8500.01 Cybersecurity Adopts the term Cybersecurity in lieu of Information Assurance Extends applicability to all DoD information technology processing DoD information Emphasizes operational resilience, integration, and interoperability Leverages and builds upon numerous existing Federal policies and standards so we have less DoD policy to write and maintain Adopts common Federal Cybersecurity terminology so we are all speaking the same language Transitions to the newly revised NIST SP 800-53 Security Control Catalog Incorporates Cybersecurity early and continuously throughout the acquisition lifecycle 6

Operational Resilience, Integration, and Interoperability Operational Resilience 1. Information and computing services are available to authorized users whenever and wherever needed 2. Security posture is sensed, correlated, and made visible to mission owners, network operators, and to the DoD Information Enterprise 3. Hardware and software have the ability to reconfigure, optimize, selfdefend, and recover with little or no human intervention Integration and Interoperability 1. Cybersecurity must be fully integrated into system life cycles and will be a visible element of IT portfolios. 2. Interoperability will be achieved through adherence to DoD architecture principles 3. All interconnections of DoD IT will be managed to minimize shared risk 7

DoDI 8510.01 Risk Management Framework (RMF) for DoD IT New approach for DoD to manage Cybersecurity risk RMF adds another dimension to the DoD Risk Management Process A 6 step process that emphasizes continuous monitoring and timely correction of deficiencies Adopts NIST s Risk Management Framework, used by Civil and Intelligence communities Moves from a checklist-driven process to a risk based approach Embeds the RMF steps and activities in the DoD Acquisition Lifecycle Promotes DT&E and OT&E integration Implements Cybersecurity via security controls vice numerous policies and memos Supports and encourages use of automated tools Enclosure 8 defines the timeline to transition from DIACAP to RMF 8

RMF and Cybersecurity Reciprocity Definition: Mutual agreement among participating enterprises to accept each other s security assessments in order to reuse information system resources and/or to accept each other s assessed security posture in order to share information. If applied appropriately, reciprocity will reduce: Redundant testing Redundant assessment and documentation Overall costs in time and resources 9

Cybersecurity & DoDI 5000.02 Prevention of damage to, protection of, and restoration of computers, electronic communications systems, wire communication, and electronic communication, including information contained therein DoDI 8500.01 Required by DoDI 5000.02 Enclosure 11, Section 6. Cybersecurity All acquisitions of systems containing IT will have a Cybersecurity Strategy. Beginning at Milestone A, the PM will submit the Cybersecurity Strategy STATUTORY for all programs containing IT, including NSS. Also cited in DODI 5000.02 - Table 9. Clinger-Cohen Act Ensure that the program has a Cybersecurity Strategy that is consistent with DoD policies, standards and architectures 10 Cybersecurity = Everything that processes 1 s and 0 s. This is new! Cybersecurity effort spans the entire acquisition process A team sport with impacts to all Acquisition Career Fields

Cybersecurity in the DoD Acquisition Lifecycle Model 1: Hardware Intensive Program A B C IOC Materiel Solution Analysis Materiel Development Decision Technology Maturation & Risk Reduction. CDD-V DRFPRD Engineering & Manufacturing Development LRIP FRP Decision Sustainment Operations & Support ICD Draft CDD CDD PDR CDR CPD Production & Deployment FOC Disposal JCIDS Process Defense Acquisition System/JCIDS Process Warfighter/End User 11 To achieve positive acquisition outcomes, we must consistently bake in Cybersecurity into our acquisition programs

Cybersecurity in the DoD Acquisition Lifecycle Cybersecurity Requirements must be identified and included throughout the lifecycle of systems to include acquisition, design, development, developmental testing, operational testing, integration, implementation, operation, upgrade, or replacement of all DoD IT supporting DoD tasks and missions. Cybersecurity Integration: Cybersecurity must be fully integrated into system life cycles so that it will be a visible element of organizational, joint, and DoD Component architectures, capability identification and development processes, integrated testing, information technology portfolios, acquisition, operational readiness assessments, supply chain risk management, SSE, and operations and maintenance activities. 12

Cybersecurity and BBP 3.0 Vision Statement for BBP 3.0 Achieving Dominant Capabilities through Technical Excellence and Innovation Cybersecurity is a design consideration and a key enabler of this vision Key BBP 3.0 goals related to Cybersecurity Anticipate and plan for responsive and emerging threats There is no greater emerging threat to DoD acquisition programs than Cybersecurity Strengthen organic engineering capabilities. To be effective, Cybersecurity must be baked in as part of the design process Improve our leaders ability to understand and mitigate technical risk. Cybersecurity can be the greatest technical risk that programs face 13

Sustainment Vs. Cybersecurity Sustainment Recognized activity spanning the entire acquisition lifecycle Represents significant program risk(s) Impacts most/all functional areas Significant tactical & operational impacts Sustainment is a design consideration: Design Interface Sustainment Engineering Management Approach IAW with FY 2010 NDAA / PL 111-84 Mandated Plan Life Cycle Sustainment Plan (LCSP) Validated Measurement Sustainment KPP Mandated Plan Owners o Product Support Manager (PSM) o Product Support Integrator (PSI) Cybersecurity Recognized activity spanning the entire acquisition lifecycle Not yet! Represents significant program risk(s) not being addressed yet by many Impacts most/all functional areas Significant tactical & operational impacts Cybersecurity should be a design consideration! Design Interface Sustainment Engineering Management Approach IAW SEC. 811, P.L. 106-398 Mandated Plan Cybersecurity Strategy is requirement, but not a plan Validated Measurement None Mandated Plan Owners o No designated owner o Everyone has a part in cyber Cybersecurity represents a significant gap in the acquisition lifecycle

Take Aways DSB observations paint a grim picture of our current Cybersecurity posture Cybersecurity applies to all systems or subsystems that process 1 s and 0 s Cybersecurity is not just the network. It is part of the DNA of an acquisition program All acquisition career fields have a piece of Cybersecurity Industry Partners are a critical component of your cybersecurity efforts. They design and build our products! Cybersecurity is a design consideration which must be addressed throughout the entire acquisition lifecycle 15

DAU Cybersecurity Courses DAU is developing a Cybersecurity Online Course o Covers the RMF and Cybersecurity across acquisition career fields. Available CY15 DAU is developing a 100-level Program Protection (PP) Planning Online Course o Cybersecurity one element of PP. Available late CY14 DAU is developing a 200-level PP Planning Classroom Course o Cybersecurity one element of Program Protection. Available mid CY15 DAU is developing a 200-level RMF Online Course o Available late CY15 16

How DAU Can Help Ask A Professor (https://dap.dau.mil/aap/pages/pqsubmit.aspx) Contact DAU directly for : Tailored Assistance Targeted Training such as: Seminar Cybersecurity Challenges for DoD PMs Seminar Risk Management Framework (RMF) Seminar Cybersecurity Testing in DoD Acquisition DAU Capital & Northeast (Ft. Belvoir, VA) Karen Currey (703) 805-4978 DAU Mid-Atlantic (California, MD) Mike Paul (240) 895-7363 DAU Midwest (Kettering, OH) Vishnu Nevekar (937) 781-1029 DAU South (Huntsville, AL) Jack Cain (256) 922-8731 DAU West (San Diego, CA) Rob Tremaine (619) 524-4811 17

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information