ATD Session 2: Compliancy versus Mission Assurance
17 October 2017
DAU Cybersecurity Enterprise Team
Learning objectives
• Implement cybersecurity regulatory, statutory, and best practices to achieve mission assurance
• Apply the Risk Management Framework (RMF) process
• Complement with the NIST Cybersecurity Framework
• Validate using Independent Operational Test
Cybersecurity problem: panelist testimony
Testimony of Dr. Ron Ross, National Institute of Standards and Technology: “… increasing complexity and attacks guarantees a number of weaknesses and vulnerabilities will continue to grow.”
Available at https://www.nist.gov/sites/default/files/August_23_panelist_statements.pdf
Current strategy: Compliancy
• DoDI 5200.39 Critical Program Information
• DoDI 5200.44 Protection of Mission Critical Functions
• DoDI 8582.01 Security of Unclassified DoD Information on Non-DoD Information Systems
• DoDI 5000.02 Defense Acquisition
• DoDI 8500.01 Cybersecurity
• DoDI 8510.01 Risk Management Framework (RMF)
• DoDI 5230.24 Distribution Statements on Technical Documents
• DFARS 252.204-7008 – Compliance with Safeguarding Covered Defense Information Controls
• DFARS 252.204-7009 – Limitations on the Use or Disclosure of Third-Party Contractor Information
• DFARS 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting
• DFARS 252.239-7009 – Representation of Use of Cloud Computing
• DFARS 252.239-7010 – Cloud Computing Services
• DFARS 252.239-7017 – Notice of Supply Chain Risk
• DFARS 252.239-7018 – Supply Chain Risk
Linkage to “secure enough”
• Does Compliancy equal Secure Enough?
• Will Compliancy achieve Mission Assurance?
Changes in Compliancy
Policies … now include:
• Security
• Resiliency
• Mission Assurance
Transition to resiliency
Make systems and networks:
• more penetration-resistant;
• capable of limiting damage from cyber-attacks by reducing adversaries’ time on target or lateral movement; and
• sufficiently resilient to support critical missions and operations
The West Top 10.
Operational resiliency
DoDI 8500.01, “Operational Resilience”: “Operational resilience requires three conditions to be met: Information resources are trustworthy; Missions are ready for information resources degradation or loss; Network operations have the means to prevail in the face of adverse events.” (p. 31)
Trustworthy, Ready for Degradation, Prevail
Tools to help with Compliancy
• NIST Cybersecurity Framework
• RMF Process
Cybersecurity Framework
“Federal agencies now are encouraged to use the Cybersecurity Framework … would bring immediate benefits, driving agencies to shift approaches away from simple compliance and toward thinking more holistically about cybersecurity risk management.”
REF: https://www.nist.gov/sites/default/files/documents/2017/01/30/draft-cybersecurity-framework-v1.1.pdf
NIST Cybersecurity Framework Core
Function: Explanation
Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
Notes:
• Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.
• Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.
• Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.
• Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The Respond Function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements.
• Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome Categories within this Function include: Recovery Planning; Improvements; and Communications.
Source: Framework for Improving Critical Infrastructure Cybersecurity, v1.0, NIST, February 2014
RMF: NIST Special Publication 800-53 Revision 5 (draft)
• “… make information systems more penetration resistant to attacks; limit the damage from attacks when they occur; and make the systems resilient and survivable”
• “… promoting integration with different risk management … including Cybersecurity Framework”
• “… determine required level of assurance that the selected security controls are effective …”
• “… provide a flexible catalog of security to meet current protection needs and the demands of future needs based on changing threats, requirements, and technologies”
Risk diagram
“The five Functions also balance prevention and reaction, including preparatory activities to enable the best possible outcome from that reaction” (p. 28)
Ways to validate Compliancy
• Independent Operational Test
• Simulation/Table Tops
Contested environment
• “Training scenarios and exercises should reflect advanced contested environments”
• “Maintain operational effectiveness while absorbing successful attacks” (p. 4)
Cybersecurity Survivability
• System Survivability KPP (SS KPP) = Kinetic, EW & Cyber, for IS and PIT
• Cyber Survivability Endorsement (CSE) v1.01a, 10 CSAs, JCS Guide
• JROCM 009-17, 27 Jan 2017
Tabletop exercises
Objectives:
• Identification of material and non-material gaps and overlaps within the program as they relate to the successful completion of the mission
• Development of courses of (corrective) action (COA) based on threat and risk identification and assessment
REF: Defense AT&L, November-December 2017
Formula for “Secure Enough”
Compliancy = Security + Resiliency = Mission Assurance
Compliancy check and balance
• Implement security controls through the RMF process
• Implement controls that incorporate security and resiliency capabilities
• Use the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, and Recover)
• Conduct independent Operational Test
• Measure systems’ Operational Effectiveness, Suitability, and Security
• Use System Survivability Key Performance Parameters to validate security controls
Cybersecurity Framework Integration
Cybersecurity trade-space
Security and Functionality: how skilled, trained and experienced do you want the Users to be?
PPT Model: People, Policy/Process, Technology ($$$)
Notes: When you start reviewing cybersecurity and associating it with acquisition issues, the two areas of trade-space that must be considered and analyzed are functionality and security. When incorporating cybersecurity principles into networks or systems, one must determine the type and purpose of the system: whether it supports Platform or Weapons, Information Technology Communications, or Business (non-tactical) operations. The type and purpose will determine the level of functionality and security needed to ensure successful mission accomplishment, or mission assurance. Safety is a critical trade-off that must be resolved; any issues associated with potential loss of life will be mitigated. Industrial Control Systems, Weapons, and Platform Information Technology tend to lean toward availability. Information Technology Communications and Defense Business Systems tend to lean toward accessibility and interoperability.
Cost, schedule & performance trade-offs
Do my measurements and analysis allow me to answer:
• Am I secure enough?
• Am I spending my money correctly?
• Should I increase my cybersecurity spending?
• What is my return on investment?
Recap: learning objectives
• Implement cybersecurity regulatory, statutory, and best practices to achieve mission assurance
• Apply the Risk Management Framework (RMF) process
• Complement with the NIST Cybersecurity Framework
• Validate using Independent Operational Test
Summary
• Focus on mission assurance instead of compliancy
• Manage outcomes and cybersecurity risk management
• Field cybersecurity capabilities that promote mission assurance & support operational requirements
We may not get a Second Chance – when Hostilities Start!!!
Questions