KDP-1: Integrate supply chain knowledge into secure solutions concepts Evaluate supply chain threats with respect to the set of possible solutions under.


KDP-1: Integrate supply chain knowledge into secure solutions concepts

Evaluate supply chain threats with respect to the set of possible solutions under consideration. Make decisions about the level of acceptable supply chain risks and the acceptable costs of security. Align the acquisition roadmap with the key decision points and require SCRM assessments.

Example Laws, Regulations, and/or Standards: FISMA (§3544(b)(2)(C)) makes system owners accountable for information security throughout the lifecycle; FIPS 200 (3) requires minimum security standards for acquisitions; SP (3.2) specifies that security controls are selected based on the system's risk; KDP-1 maps to the SDLC Initiation phase, as outlined in Section 3.1 of NIST SP.

KDP-2: Incorporate SCRM into Acquisition Requirements

Determine the costs of supply chain security; maximize the requirements for low-cost, high-risk-reduction security measures. Comply with decisions from KDP-1. Make decisions about specific SCRM requirements (in the context of KDP-1 decisions). Incorporate adequate SCRM into the requirements to ensure that responses address SCRM.

Example Laws, Regulations, and/or Standards: SP (4.1) designates a requirements analysis (including security requirements) before selecting an information systems product; IR 7622 (4) designates supply chain controls; KDP-2 maps to the SDLC Development/Acquisition phase, as outlined in Section 3.2 of NIST SP.

KDP-3: Evaluate Proposals for SCRM Capabilities

Evaluate proposals against the supply chain security requirements from KDP-2. Determine the extent to which proposals satisfy SCRM-related acquisition requirements.

Example Laws, Regulations, and/or Standards: SP (SA-12): the organization conducts a due diligence review of suppliers prior to entering into contractual agreements to acquire ICT components; KDP-3 maps to the SDLC Development/Acquisition phase, as outlined in Section 3.2 of NIST SP.

KDP-4: Incorporate Threat Assessments and Evaluate Capability to Mitigate Residual Risks

Specify requirements for, and incorporate, threat assessments that provide the acquiring organization with information that guides the selection (with mitigations) or the elimination of proposals. Make decisions to reduce the risk that an offeror will expose the organization to ICT supply chain threats (based on KDP-3 results and the threat assessments) by putting in place contracts, controls, and security measures that monitor for, and add adequate resilience against, residual supply chain risk.

Example Laws, Regulations, and/or Standards: SP (SA-5): incorporate SCRM assessments into all requirements and processes to protect acquirer mission/business practices against compromise; KDP-4 maps to the SDLC Development/Acquisition and Implementation/Assessment phases, as outlined in Sections 3.2 and 3.3 of NIST SP.

KDP-5: Incorporate SCRM Measures into Overall ICT Security

Ensure that metrics and information-sharing protocols can identify threats with a supply chain nexus. Perform acceptance testing and develop continuous certification and testing processes for maintenance, upgrades, and system augmentations. Ensure that systems acquisition and design information can be made available to incident response or forensic teams investigating supply chain risks. Ensure proper disposal so that disposed items do not intentionally or inadvertently make their way back into the supply chain.

Example Laws, Regulations, and/or Standards: SP (2.1): as risks of advanced persistent threats become more pronounced, organizations establish practices for sharing information related to system development; KDP-5 maps to the SDLC Operations and Maintenance and Disposal phases, as outlined in Sections 3.4 and 3.5 of NIST SP.

… But The Risks Can Be Mitigated at Key Decision Points (KDPs)

Supply Chain Risk Management (SCRM) is a decision-making process that can reduce the risks associated with ICT throughout the acquisition process. A lifecycle-based approach to SCRM requires risk decisions at key decision points in the acquirer's system development and acquisition process. These KDPs are plotted on the ICT lifecycle in Figure 5 and summarized above. Each KDP addresses specific governance and operations across the lifecycle to cost-effectively manage supply chain risks. To be effective, acquirers, suppliers, service providers, and other stakeholders must share information about KDP outcomes to manage risk. Tools are created to implement these methods, reduce total lifecycle costs, and share information.

Figure 5. KDPs extend consideration of SCRM concepts to earlier stages of the lifecycle to more effectively integrate systems risk and security operations.

RETURN ON SCRM INVESTMENT

Early-in-lifecycle investments in SCRM decrease the cyber risks that result from poorly or maliciously designed hardware and software, and ultimately result in decreased expected costs of response, retrofit, and network reconstitution. Conversely, avoiding SCRM costs in early system development stages will require more sophisticated monitoring and cyber intelligence capabilities to avoid loss of essential functions. To achieve the best return on investment, SCRM activities must be embedded in, and aligned with, the overall network security strategy and operations.

Software & Supply Chain Assurance, as of Jan 2013. For more information see DHS NPPD CS&C SECIR Software & Supply Chain Assurance resources at