NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-1 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984.

Presentation transcript:

Trusted Defense Systems
Kristen Baldwin
Director, Systems Analysis
DDRE/Systems Engineering

Trusted Defense Systems Strategy
Report on Trusted Defense Systems
USD(AT&L)
ASD(NII)/DoD CIO
Delivering Trusted Systems

Elements of the Strategy
CPI Identification
  – Critical Components
  – Critical Technology
System Security Engineering
  – Anti-Tamper, SPI
  – System Assurance
Supply Chain Risk Mitigation
  – Trusted Foundry, DMEA
  – Threat and vulnerability assessments
DIB Cyber Security
Standards for Secure Products and Networks
Damage Assessments
Technology Investment Strategies
  – DARPA TRUST
  – NSA Center for Assured SW, Air Force Application SW Assurance CoE
  – IA/HW/SW Assurance
Focus on Mission Critical Systems
Identify Critical Components for Trust
Protect Critical Technology

Increased Priority for Program Protection
Threats: Nation-state, terrorist, criminal, rogue developer who:
  – Gain control of systems through supply chain opportunities
  – Exploit vulnerabilities remotely
Vulnerabilities: All systems, networks, applications
  – Intentionally implanted logic (e.g., back doors, logic bombs, spyware)
  – Unintentional vulnerabilities maliciously exploited (e.g., poor quality or fragile code)
Consequences: Stolen critical data & technology; corruption, denial of critical warfighting functionality
Today’s acquisition environment drives the increased emphasis:
Then >>> Now
Standalone systems >>> Networked systems
Some software functions >>> Software-intensive
Known supply base >>> Prime Integrator, hundreds of suppliers

Challenges Being Addressed
Policy and guidance for security is not streamlined
There is a lack of useful methods, processes and tools for acquirers and developers
Criticality is usually identified too late to budget and implement protection
Horizontal protection process is insufficiently defined
Lack of consistent method for measuring cost and success of “protection”
Intelligence data is not available to programs for risk awareness
Security not typically identified as an operational requirement, and is therefore lower priority
Data Source: GAO report, white papers, military service feedback

Major Efforts being executed by DDRE/SE
Implementing and Program Protection Policy
  – Review/Coordination of PPPs for ACAT I programs
  – Program protection assessment methodology
  – Guidance and best practice countermeasures, education and training, industry outreach, to assist programs with CPI identification and protection
Supply Chain Risk Management
  – Procedures, capability to utilize threat information in acquisition
  – Commercial standards for secure components (ISO/IEC, The Open Group)
Horizontal Protection Procedures
  – Acquisition Security Database (ASDB) oversight and implementation
Advancing the practice: System Security Engineering
  – SERC Research Topic – “Security Engineering”
  – INCOSE Working Group on System Security Engineering
  – DoD/NSA Criticality Analysis Working Group
DoD Anti-Tamper Executive Agent
  – Anti-Tamper IPT, AT policy, guidance advocate
  – Legislative Proposal – Defense Exportability Fund Pilot Program
Countering Counterfeits Tiger Team
  – Lifecycle strategy to reduce counterfeits, esp microelectronics

Program Protection Policy
DoD Policy: DODI “Critical Program Information Protection Within the DoD”
  – Provide uncompromised and secure military systems to the warfighter by
    − performing comprehensive protection of CPI
    − through the integrated and synchronized application of CI, Intelligence, Security, systems engineering, and other defensive countermeasures to mitigate risk…
  – “CPI. Elements or components of an RDA program that, if compromised, could cause significant degradation in mission effectiveness;
    − Includes information about applications, capabilities, processes, and end-items.
    − Includes elements or components critical to a military system or network mission effectiveness.
    − Includes technology that would reduce the US technological advantage if it came under foreign control…”

DoD 5000 Lifecycle Approach to Early, Designed-In Program Protection
[Figure: acquisition lifecycle timeline with labels S&T Programs, MDD, Materiel Solution Analysis, MS A, Technology Development, CDD, MS B, Engineering and Manufacturing Development, CPD, MS C, Production & Deployment, Full Rate Prod DR, O&S]
Identify candidate CPI in TDS, and potential countermeasures
Milestone Decision Authority approves PPP in addition to PM
Acquisition Strategy, RFP, SEP, and TEMP reflect PPP relevant information
Obtain threat assessments from Intel/CI, assess supplier risks
Develop design strategy for CPI protection
Submit PPP to Acquisition Security Database (ASDB)
Enhance countermeasure information in Program Protection Plan (PPP)
Evaluate that CPI Protection, RFP requirements have been met
Contractor adds detail to Program Protection Plan
Preliminary verification and validation that design meets assurance plans
Streamlined Program Protection Plan
  – One-stop shopping for documentation of acquisition program security (ISP, IA, AT appendices)
  – Living document, data driven, easy to update, maintain

Multifaceted Approach to Program Protection
[Figure: diagram relating DoDI/DoDM policy, the Program Protection Plan (PPP) and Requests for Proposals (RFP). Labels: Map to CPI being protected & location in; Use to contract for security in; Requires; Best Practices; SCRM Key Practices; Systems Security Engineering (risk mitigation); Other countermeasures (INFOSEC, IA, ITAR, FMS, etc.); Specific tools and practices (e.g. Malicious code checks, software assurance techniques)]
DoDM Requires use of Supply Chain Risk Management (SCRM) and System Security Engineering Best Practice Countermeasures to protect Critical Program Information (CPI)

Systems Security Engineering (SSE): Early Engineering Emphasis
Identify components that need protection
  – Perform criticality analysis based on mission context and system function
    − Evaluate CONOPS, threat information, notional system architecture to identify critical components (hardware, software and firmware)
    − Identify rationale for inclusion or exclusion from candidate CPI list
  – Perform trade-offs of design concepts and potential countermeasures to minimize vulnerabilities, weaknesses, and implementation costs
Establish System Security Engineering Criteria
  – Ensure preferred concept has preliminary level security requirements derived from candidate CPI countermeasures
  – Ensure system security is addressed as part of Systems Engineering Technical Reviews
We have begun to apply these practices with major acquisition programs

Systems Security Engineering
Systems Security Engineering Definition:
  – An element of system engineering that applies scientific and engineering principles to identify security vulnerabilities and minimize or contain risks associated with these vulnerabilities (MIL-HDBK-1785: Systems Security Engineering Program Management Requirements)
Codify guidance and best practice
  – To identify software, hardware vulnerabilities
  – To support program protection planning
  – To support secure systems design
Work is needed to fully expand this discipline
  – Foundational science and engineering, competencies (as compared to other SE Specialties: reliability, safety, etc)
  – Methods and tools: V&V, architecting for security
  – Community and design team recognition of SSE as a key design consideration

Systems Security Engineering Research Roadmap
Joint DDRE/SE and NSA funded SE Research Center task
  – Goal: Develop a research roadmap to grow Systems Security Engineering as a key discipline of SE
Workshop in March 2010 to collect input
  – 50 attendees from industry, government, and academia
Proposed research modules in key areas:
  – Definitions: What is the scope of Systems Security Engineering?
  – Metrics: How much security is enough? How do we compare?
  – Frameworks: What is the trade space for making security engineering decisions? Are there architectural commonalities to leverage?
  – Workforce: How do we train researchers, developers, and acquisition professionals to do this? What do they need to know?
  – Methods, Processes, and Tools: How might practitioners actually do this? What can we learn from related disciplines (e.g. Safety, Reliability, Surety)?
Final report in September 2010

Standardization Efforts
Buying with Confidence
  – Open Group engagement to develop secure commercial product standards
  – Technology supply chain security standard through ISO
  – Supply Chain Risk Mitigation
  – Countering Counterfeits Tiger Team
  – DFAR for safeguarding unclassified DoD information on DIB networks
  – Object Management Group software assurance frameworks
Building with Integrity
  – NDIA System Assurance Guidebook, adopted by NATO Standardization Agency
  – ISO 15026: Standard for Systems and Software Assurance
  – Criticality Analysis Working Group
  – Systems Security Engineering research roadmap
  – DHS Software Assurance
Horizontal Protection
  – DoD-wide Critical Program Information identification process
  – Acquisition Security Database adoption and implementation

In Summary
Holistic approach to assurance is critical
  – To focus attention on the threat
  – To avoid risk exposure from gaps and seams
Program Protection Policy provides overarching framework for trusted systems
  – Common implementation processes are beneficial
Stakeholder integration is key to success
  – Acquisition, Intelligence, Engineering, Industry, Research Communities are all stakeholders
Systems engineering brings these stakeholders, risk trades, policy, and design decisions together
  – Informing leadership early; providing programs with risk-based options

Backup Slides

Key Enablers of the Strategy
Vision of Success
Prioritization: The requirement for assurance is allocated among the right systems and their critical components
Supplier Assurance: DoD understands its supply chain risks
Engineering-In-Depth: DoD systems are designed and sustained at a known level of assurance
Industry Outreach: Commercial sector shares ownership and builds assured products
Technology Investment: Technology investment transforms the ability to detect and mitigate system vulnerabilities
Assured Systems
*Reference: DoD System Assurance CONOPS, 2004

Desired Outcome
Program Benefit
  – Coherent direction and integrated policy framework to respond to security requirements
  – Risk-based approach to implementing security
  – Provision of expert engineering and intelligence support to our programs
  – Streamline process to remove redundancy; focus on protection countermeasures
DoD Benefit
  – Reduced risk exposure to gaps/seams in policy and protection activity
  – Improved oversight and focus on system assurance throughout the lifecycle
  – Ability to capitalize on common methods, instruction and technology transition opportunities
  – Cost effective approach to “building security in” where most appropriate

SE PPP and Assessment Criteria
Program Criticality Analysis uses a collection of techniques to identify the critical functions / capabilities that need protection
  – Mission thread analysis
  – Vulnerability analysis
  – WBS analysis (What are the major cost elements)
  – Domain specific knowledge
  – COTS design vulnerabilities and supply chain
Design and assurance techniques
  – Defense in Depth
  – Draft PDR Exit Criteria
  – Draft CDR Exit Criteria
  – Configuration management access control
SW Development assurance techniques
  – Static code analyzers
  – Design and code walkthroughs / inspections for assurance

Systems Security Engineering: Integration of Security Resources

CPI Formats and Example Protections
Information Systems
  – Information Assurance (controls for applications, networks, IT processes and platform IT interconnections)
  – Communications Security (Encryption, decryption)
End Items
  – Anti-Tamper (deter, prevent, detect, respond)
  – Information Assurance
  – Supply Chain Risk Management (assessing supplier risk)
  – Software Assurance (tools, processes to ensure SW function)
  – System Security Engineering
  – Trusted Foundry (integrated circuit providers)
Hard Copy Documents
  – Information Security (Document markings, handling instructions)
  – Foreign Disclosure (restrict/regulate foreign access)
  – Physical Security (gates, guards, guns)
Ideas/Knowledge
  – Personnel Security (trustworthy, reliable people)
  – Access Controls