N-Wave Shareholders Meeting May 23, 2012 N-Wave Security Update Lisa

For Official Use Only  System is categorized as Low for Confidentiality, Integrity, and Availability  Full ATO received December 7, R e s ul ts R e s ul ts

For Official Use Only Continually Communicate with Stakeholders across the Enterprise and Continually Assess Risk Continually Communicate with Stakeholders across the Enterprise and Continually Assess Risk  Continually monitor  Adversaries  Threats  Vulnerabilities  Countermeasures  Mission changes  POA&M status  Continually monitor  Adversaries  Threats  Vulnerabilities  Countermeasures  Mission changes  POA&M status Monitor  Identify mission, business, and information sharing needs  Conduct initial risk assessment  Identify mission, business, and information sharing needs  Conduct initial risk assessment Categorize  Select minimum required risk mitigation controls based on impact levels  Refine controls based on updated risk assessment  Select minimum required risk mitigation controls based on impact levels  Refine controls based on updated risk assessment Select  Ensure risk assessment and countermeasures are documented for required essential information Document  Implement countermeasures in developed systems (technical) or environment (admin, physical, operational) Implement  Conduct assessment to determine effectiveness of countermeasures  Determine residual risk  Conduct assessment to determine effectiveness of countermeasures  Determine residual risk Assess  Add/Remove countermeasures based on risk assessment  Confirm all countermeasures are selected  Add/Remove countermeasures based on risk assessment  Confirm all countermeasures are selected Supplement  Review residual risk  Determine acceptability of residual risk  Accept risk or require POA&M, or deny  Review residual risk  Determine acceptability of residual risk  Accept risk or require POA&M, or deny Decide

For Official Use Only Committed to providing excellent service Security = boring

For Official Use Only  Proactive versus reactive  Based on Strategic, Tactical and Operational Goals  Strategic – Considered Long term (2-3 yrs)  Tactical – Mid Term (6 months-2 years)  Operational – Short Term (0-6 months) Strategic Tactical Operational O&M Change Management Continuous Monitoring New connections Extension of Backbone Limited Pen Testing IPv6 Full C&A – 2014 Complete Multicast

For Official Use Only Acquisition Life cycle System Development Life cycle A&A Life cycle Risk Management Life cycle Mission and Business Plan Budget Acquisition Plan Management and MeasurementProcurement Operations and Maintenance Disposal Test and Evaluation Develop- ment DesignConceptRequirements DecideMonitorAssess Docu- ment Supple- ment CategorizeSelectImplement Certification Initiation Monitoring Accredi- tation

For Official Use Only Operational Controls Physical Configuration Management Contingency Planning Personnel Security System & Information Integrity Management Controls Risk Management Policies and Procedures Planning System & Services Acquisitions Technical Controls Boundary Protections Access Controls, I&A Auditing

For Official Use Only Managing Risks is Key  Balancing Risks against cost  Accept  Mitigate  Transfer  Avoid Risk Cost

For Official Use Only User Group ERB CCB NNC CIO Council Funding Oversight Strategic Planning Financial Mgmt Requirements CONOPS System Architecture System Design Change Mgmt Configuration Mgmt Requirement Fulfillment System Monitoring Problem Mgmt Members Executive Level (CIO’s, CFO’s, etc) NWave PM NNC Rep NWave User Rep System IT Managers Technical Staff (ISSO, SA’s, Network Admins, etc) System Owners LO Project Management IT Managers Body Decision Domain LO Representatives CIO Reps LO NOC Rep NN System Owner IT Principles Investment & Prioritization IT Principles Investment & Prioritization IT Infrastructure Strategy IT Architecture IT Infrastructure Strategy IT Architecture Service Management Sub Committee

For Official Use Only  Consists on inputs from the Engineer, COTR, and ISSO. – Other participants are NNC LO’s representatives: 4 types of changes which require NNC review – Budget, Operations costs – Security – Peering to other organizations – ERB changes where consensus is not reached

For Official Use Only

 Changes within CCB scope are: ◦ Server configuration changes ◦ Network device changes ◦ Patching ◦ User access ◦ Other administrative changes required to maintain the network

For Official Use Only  Performance - tests and demonstrates performance requirements such as bandwidth, latency, etc  Functional - tests and demonstrates usability of system applications and tools  Security - verifies specific NIST security controls are implemented satisfactorily