Cybersecurity in Test & Evaluation James S. Wells Deputy Director, Cyberspace & HSE Programs Office of Test & Evaluation
Problem Statement Insufficient T&E information regarding a system s cybersecurity posture is available to support major acquisition decisions. Networked information technology is a major component of most major DHS acquisition programs As a result, our adversaries have unprecedented access to our data and the ability to disrupt our operations Current T&E policies and practices do not adequately incorporate cybersecurity considerations in order to inform acquisition decisions 2
Current Parallel Processes Programs already plan and conduct cybersecurity activities IAW the Risk Management Framework HOWEVER Cybersecurity and T&E communities do not routinely coordinate and synchronize activities separate plans and separate reports to separate decision makers AND Operational T&E does not include realistic, threatrepresentative cyber attacks 3
Current Parallel Processes 0 1 2A 3 Need Analyze/ Select 2B Obtain 2C Produce/Deploy/Support Test & Evaluation Input to Operational Develop T&E Strategy Refine T&E Strategy Conduct Developmental T&E OTEP Conduct Operational T&E OTER OTER Risk Management Framework Categorize System Select Controls Implement Controls SAP Assess Controls SAR POAM SAR Authorize Operation POAM ATO Monitor Controls Systems Engineering Life Cycle SPR SER Solution Engineering Planning PPR SDR CDR IRR PRR OTRR ORR PIR PDR Definition Design Development Integration and Test Implementation Operations & Maintenance Disposal 4
Cybersecurity-Informed Acquisition Decisions Is there a sound plan to collect adequate cybersecurity data to inform future production & deployment decisions? Is the system sufficiently cyber secure to enter initial production/deployment? Is the system sufficiently cyber secure to enter full production/deployment? 0 1 2A 3 Need Analyze/ Select 2B Obtain 2C Produce/Deploy/Support Test & Evaluation Risk Management Framework Input to Operational Categorize System Develop T&E Strategy Define Cybersecurity Threats & Environment Identify Cybersecurity Select Controls Refine T&E Strategy Add Cybersecurity T&E Strategy to based on RMF Planning Implement Controls SAP Conduct Developmental T&E Improve Fidelity of Cybersecurity DT&E and Synchronization with RMF Assess Controls SAR POAM OTEP Authorize Operation Conduct Operational T&E SAR OTER Add Cybersecurity to OT&E POAM ATO OTER Monitor Controls Systems Engineering Life Cycle SPR SER Solution Engineering Planning PPR SDR CDR IRR PRR OTRR ORR PIR PDR Definition Design Development Integration and Test Implementation Operations & Maintenance Disposal 5
Draft DOT&E Policy Programs will include cybersecurity in s Threat description, evaluation framework, integrated T&E objectives & resources OTAs will include cybersecurity in test plans, test concept briefs, and evaluation reports Realistic threat portrayal to determine mission effects DOT&E will include cybersecurity in s Effectiveness, Suitability, Interoperability, & Cybersecurity 6
Current Activities Iterative coordination with DHS OCIO Initial discussions with Components & programs Inventorying possible cybersecurity T&E assets Coordinating with several programs as pilots Investigating process for program threat assessments with DHS I&A 7
Next Steps Coordinate and publish initial DOT&E cybersecurity policy memo Start integrating cybersecurity into s Start including cybersecurity in OT&E plans, reports, and DOT&E s Continue coordination with OCIO, DHS I&A, and Components Coordinate with Joint Council Continue discussion with red teams for possible recurring acquisition program support Continue coordination with pilot programs 8
9