An Urgent National Imperative Building Trustworthy, Secure Systems for the United States Critical Infrastructure An Urgent National Imperative

It’s a dangerous world in cyberspace… The Current Landscape. It’s a dangerous world in cyberspace…

Cyber Risk. Function (threat, vulnerability, impact, likelihood) Energy Cyber Risk. Function (threat, vulnerability, impact, likelihood) Transportation Defense Manufacturing

Defense Science Board Reports Resilient Military Systems and the Advanced Cyber Threat Cyber Supply Chain Cyber Deterrence Make statement about ALL controls being monitoring – it is only the frequency that varies Defense Science Board Reports

Complexity.

Our appetite for advanced technology is rapidly exceeding our ability to protect it.

Data. Data. Everywhere.

Houston, we have a problem.

Protecting critical systems and assets— The highest priority for the national and economic security interests of the United States.

Defending cyberspace in 2018 and beyond.

Simplify. Innovate. Automate.

Federal Government’s Modernization Strategy Identify and develop federal shared services. Move to FedRAMP-approved cloud services. Isolate and strengthen protection for high value assets. Reduce and manage the complexity of systems and networks… Engineer more trustworthy, secure, and resilient solutions.

Limit damage to the target Reducing susceptibility to cyber threats requires a multidimensional strategy. System Harden the target First Dimension Limit damage to the target Second Dimension Make the target resilient Third Dimension

Cyber Resiliency. The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.

Resilience and Survivability Reliability Fault Tolerance Privacy Cyber resiliency relationships with other specialty engineering disciplines. Security Safety Resilience and Survivability

CREF Constructs CYBER RESILIENCY ENGINEERING FRAMEWORK Goals protection. Damage limitation. Resiliency. Goals Objectives Techniques Approaches Strategic Design Principles Structural Design Principles Risk Management Strategy Constructs

Relationship among cyber resiliency constructs.   TECHNIQUES Approaches Structural Design Principles Strategic Design Principles Why OBJECTIVES Understand Prevent/Avoid Prepare Continue Constrain Reconstitute Transform Re-architect What GOALS Anticipate Withstand Recover Adapt Risk Management Strategy How Inform selection and prioritization Inform selection and prioritization Inform selection and prioritization Inform selection prioritization Inform selection

CREF Techniques CYBER RESILIENCY ENGINEERING FRAMEWORK protection. Damage limitation. Resiliency. Adaptive Response Analytic Monitoring Coordinated Protection Substantiated Integrity Privilege Restriction Dynamic Positioning Dynamic Representation Non-Persistence Diversity Realignment Redundancy Segmentation Deception Unpredictability Techniques

Cyber Resiliency Constructs in System Life Cycle. Business or mission analysis Stakeholder needs and requirements definition System requirements definition Architecture definition Design definition System analysis Implementation Integration Verification Transition Validation Operation Maintenance Disposal ISO/IEC/IEEE 15288:2015 Systems and software engineering — System life cycle processes NIST SP 800-160

NIST SP 800-37, Revision 2 Risk Management Framework for Information Systems and Organizations A System Life Cycle Approach for Security and Privacy Make statement about ALL controls being monitoring – it is only the frequency that varies

Just released for public review and comment. Risk Management Framework (RMF) 2.0 Just released for public review and comment. CATEGORIZE   ASSESS AUTHORIZE MONITOR PREPARE IMPLEMENT SELECT

Communication between C-Suite and Implementers and Operators A unified framework for managing security, privacy, and supply chain risks. Communication between C-Suite and Implementers and Operators RMF 2.0 Security Risk Management Privacy Risk Management Alignment with NIST Cybersecurity Framework Alignment with Security Engineering Processes Supply Chain Risk Management

Transparency. Traceability. Trust.

On the Horizon… NIST Special Publication 800-37, Revision 2 Risk Management Framework for Information Systems and Organizations Final Publication: October 2018 NIST Special Publication 800-53, Revision 5 Security and Privacy Controls for Information Systems and Organizations Final Publication: December 2018 NIST Special Publication 800-53A, Revision 5 Assessing Security and Privacy Controls in Information Systems and Organizations Final Publication: September 2019

On the Horizon… NIST Special Publication 800-160, Volume 2 Systems Security Engineering Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems Final Publication: October 2018 NIST Special Publication 800-160, Volume 3 Software Assurance Considerations for the Engineering of Trustworthy Secure Systems Final Publication: December 2019 NIST Special Publication 800-160, Volume 4 Hardware Assurance Considerations for the Engineering of Trustworthy Secure Systems Final Publication: December 2020

Some final thoughts.

Work smarter, not harder.

The ultimate objective for security and privacy. Institutionalize. The ultimate objective for security and privacy. Operationalize.

The essential partnership. Government Academia The essential partnership. Industry

Security. Privacy. Freedom.

RMF RISK MANAGEMENT FRAMEWORK Simplify. Innovate. Automate. 100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA 20899-8930 Email Mobile ron.ross@nist.gov 301.651.5083 LinkedIn Twitter www.linkedin.com/in/ronross-cybersecurity @ronrossecure Web Comments csrc.nist.gov sec-cert@nist.gov