Published by Luke Terry. Modified over 6 years ago.
Slide 1: These slides were formerly the Cybersecurity Pre-work Assignment (no longer a pre-work assignment). TST 204 Pre-work Reading Assignment, March 2014 version.
Slide 2: Overview
DoD missions increasingly depend upon complex, interconnected IT environments. These environments are inherently vulnerable, giving adversaries opportunities to negatively impact DoD missions. DoD policies and procedures are changing to help the DoD mitigate those risks. This lesson provides an overview of the policy and guidance changes for cybersecurity. Note: some definitions can be found in the backup slides.
Slide 3: Cybersecurity
The DoD implements cybersecurity to protect information, communications, data, and equipment from cyber-attack. The DoD is updating its Information Assurance and Acquisition policy to address cybersecurity.
Cybersecurity is "the prevention of damage to, the protection of, and the restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure their availability, integrity, authentication, confidentiality, and nonrepudiation." (Source: DoD Instruction)
Slide 4: Cybersecurity Policy
The DoD CIO updated several of its 8500-series publications to transition from information assurance to cybersecurity. The updated policy provides a more holistic, adaptive, resilient and dynamic approach for implementing cybersecurity across the full spectrum of IT and cyber operations.
Published versions: DoDD E, DoDI , DoDI . Updated versions: DoDI , DoDI .
The slide contrasts the old and new vocabulary:
Information Assurance (IA) | Cybersecurity
Mission Assurance Category (MAC) and Confidentiality Level (CL) | Security objectives (confidentiality, integrity, availability), each with an impact value of low, moderate, or high
DoD-specific IA definitions | CNSSI 4009 Glossary of Terms
DoD IA controls | CNSSI 1253 is used to categorize systems and select NIST SP security controls (Joint Task Force Transformation Initiative)
C&A process | Risk Management Framework (RMF)
Slide 5: Why Change Policy?
- The new policy is more consistent with the established disciplines and best practices for effective systems engineering, systems security engineering, and program protection planning outlined in DoDI and the Defense Acquisition Guidebook (DAG).
- The new policy leverages and builds upon numerous existing Federal policies and standards, so there is less DoD policy to write and maintain.
- DoD participates in the development of CNSS and NIST documents, ensuring DoD equities are met.
- DoD leverages CNSS and NIST policies and filters their requirements to meet DoD needs.
- DoD participates in CNSS and NIST policy development as a vested stakeholder, with the goals of a more synchronized cybersecurity landscape and protection of the unique requirements of DoD missions and warfighters.
Slide 6: From Information Assurance to Cybersecurity
DoD CIO updated and combined DoDD E and DoDI , "Information Assurance," into DoDI , "Cybersecurity." Key elements of the new policy are:
- Extends applicability to all DoD information technology (IT), including platform IT (PIT).
- Emphasizes operational resilience, integration and interoperability.
- Adopts common Federal cybersecurity terminology, consistent with the Intelligence Community (IC) and the National Institute of Standards and Technology (NIST).
- Incorporates security early and continuously within the acquisition lifecycle.
- Transitions to the newly revised NIST Special Publication Security Control Catalog for use in the DoD.
Slide 7: DoD Information Technology (IT)
DoDI "Cybersecurity" extends applicability to all DoD IT processing DoD information. The slide's diagram breaks DoD IT down as follows:
- Information Systems: Major Applications, Enclaves
- Platform IT (PIT): PIT Systems, PIT
- Services: Internal, External
- Products: Software, Hardware, Applications
Cybersecurity applies to all IT that receives, processes, stores, displays, or transmits DoD information.
Slide 8: DoDI "Cybersecurity" emphasizes operational resilience, integration, and interoperability
Operational resilience:
- Information and computing services are available to authorized users whenever and wherever needed.
- Security posture is sensed, correlated, and made visible to mission owners, network operators, and the DoD Information Enterprise.
- Hardware and software have the ability to reconfigure, optimize, self-defend, and recover with little or no human intervention.
Integration and interoperability:
- Cybersecurity must be fully integrated into system life cycles and will be a visible element of IT portfolios.
- Interoperability will be achieved through adherence to DoD architecture principles.
- All interconnections of DoD IT will be managed to minimize shared risk.
Slide 9: DoDI "Cybersecurity" adopts common Federal cyber terminology so that DoD, the IC, civil agencies, and CNSS all speak the same language. This streamlines processes and allows for easier interconnection and sharing of information.
Slide 10: Security Control Families
DoDI "Cybersecurity" transitions to the newly revised NIST SP Security Control Catalog, whose control families are:
- Access Control
- Awareness and Training
- Audit and Accountability
- Security Assessment and Authorization
- Configuration Management
- Contingency Planning
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical and Environmental Protection
- Planning
- Personnel Security
- Risk Assessment
- System and Services Acquisition
- System and Communications Protection
- System and Information Integrity
- Program Management
Major areas enhanced by new security controls: advanced persistent threat, insider threat (removable media), supply chain, cross domain, and identity management.
Slide 11: DoDI "Cybersecurity" incorporates security early and continuously within the acquisition lifecycle
- DoD CIO coordinates with USD(AT&L) to ensure that cybersecurity responsibilities are integrated into processes for DoD acquisition programs.
- DoD CIO coordinates with DOT&E to ensure that cybersecurity responsibilities are integrated into the operational testing and evaluation of DoD acquisition programs.
- USD(AT&L) ensures the DoD acquisition process incorporates cybersecurity planning, implementation, testing, and evaluation, and ensures acquisition community personnel are qualified.
- DoD Component heads ensure that system security engineering and trusted systems and networks processes, tools and techniques are used in the acquisition of all applicable IT under their purview.
"Policy: Cybersecurity requirements must be identified and included throughout the lifecycle of systems to include acquisition, design, development, developmental testing, operational testing, integration, implementation, operation, upgrade, or replacement of all DoD IT supporting DoD tasks and missions."
Slide 12: Transitioning from the DoD Information Assurance Certification and Accreditation Process (DIACAP) to the Risk Management Framework (RMF)
The DoD CIO revised DoDI , "DIACAP," into DoDI , "Risk Management Framework for DoD IT." The RMF moves from the checklist-driven DIACAP process to a risk-based approach.
Slide 13: Summary of Changes to Cybersecurity Roles and Responsibilities
(Reference DoDI for a complete definition of roles and responsibilities.)
DIACAP role (DoDI ) | RMF role (DoDI ) | Responsibilities
Designated Accrediting Authority (DAA) | Authorizing Official (AO) | The AO ensures all appropriate RMF tasks are initiated and completed, with appropriate documentation, for assigned ISs and PIT systems; monitors and tracks overall execution of system-level POA&Ms; and promotes reciprocity.
Certifying Authority | Security Control Assessor (SCA) | The SCA is the senior official with authority and responsibility to conduct security control assessments.
No explicit role | Information System Owner (ISO) | In coordination with the information owner (IO), the ISO categorizes systems and documents the categorization in the appropriate JCIDS document (e.g., CDD).
Information Assurance Manager (IAM) | Information System Security Manager (ISSM) | The ISSM maintains and reports IS and PIT system assessment and authorization status and issues, provides ISSO direction, and coordinates with the security manager to ensure issues affecting the organization's overall security are addressed appropriately.
Information Assurance Officer (IAO) | Information System Security Officer (ISSO) | The ISSO is responsible for maintaining the appropriate operational security posture for an information system or program.
Slide 14: Risk Management Framework (RMF)
DoDI (March 2014):
- Adopts NIST's Risk Management Framework, used by the Civil and Intelligence communities.
- Directs the use of CNSSI 1253 for security control categorization and selection.
- Promotes DT&E and OT&E integration.
- Codifies reciprocity to reduce redundant testing, assessing, and documentation, and the associated costs in time and resources.
- Emphasizes information system continuous monitoring and timely correction of deficiencies.
Slide 15: Categorization and Security Control Selection Tools
The RMF Knowledge Service. To assist in implementation of the Risk Management Framework (RMF), the DoD CIO established the RMF Knowledge Service, a web-based, DoD PKI-enabled resource. It:
- Will have information to support the transition from the DoD Information Assurance Certification and Accreditation Process (DIACAP) to the RMF.
- Is an information repository and collaboration forum for the RMF TAG and the corresponding TAG working groups.
- Is a collaboration workspace for the RMF user community to develop, share and post lessons learned and best practices.
- Is a library of tools, diagrams, process maps, documents, etc., to support and aid in execution of the RMF.
- Is a source for cybersecurity news and events and other cybersecurity-related information resources.
Screenshot labels recovered from the slide: Reference Documents; Categorization & Security Control Selection Tools.
Slide 16: RMF Process Overview (diagram only)
Slide 17: RMF Step One – Categorize the System
Systems are categorized in accordance with CNSSI 1253 by the Information System Owner, with support from the Authorizing Official. CNSSI 1253:
- Is required by DoD for all information systems and platform IT systems.
- Builds on, and is a companion document to, NIST Special Publication SP .
- Adapts the FIPS 199 categorization approach to national security systems (NSS), using three security objectives (confidentiality, integrity, and availability) with one impact value (low, moderate, or high) assigned to each objective. The most severe of the three values becomes the overall security categorization; CNSSI 1253 also carries the individual values forward (for example, Moderate-Moderate-Low), because control selection is performed per objective.
Process diagram recovered from the slide: the ISO and AO categorize the system as high, moderate, or low for confidentiality, integrity, and availability. Inputs: mission, strategic goals and objectives, priorities, resources, and supply chain considerations; architecture description, reference models, information system boundaries, etc.
A loss of confidentiality is the unauthorized disclosure of information. A loss of integrity is the unauthorized modification of information. A loss of availability is denial of service (disruption of access to information or to the system).
Slide 18: RMF Step Two – Select Security Controls
Based on the system categorization from step one, controls are specified with guidance from the CIO and with the support of the AO, Systems Engineering, and Test and Evaluation. A standard set of controls (a baseline) is identified according to the categorization. Examples of controls: computer passwords, firewalls, annual cybersecurity training, intrusion detection software, antivirus software, and "time-outs" on computer screens.
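The categorization rule from slide 17 (one impact value per objective, aggregated across the information types a system handles, with the most severe value as the overall rating) and the baseline selection from slide 18, as an added worked example that is not part of the original slides. The example system, its information types and provisional impact values, and the mini control catalog with its per-objective thresholds are all constructed for illustration: the control identifiers follow the NIST SP 800-53 naming style, but the thresholds are not the real allocations, which come from CNSSI 1253 and the SP 800-53 catalog.

```python
"""Categorize a system per FIPS 199 / CNSSI 1253 and select a control baseline.

Added example, not from the original slides.  The information types, the
example system and the mini control catalog are constructed for illustration;
consult CNSSI 1253 and NIST SP 800-53 for the real tables.
"""
from dataclasses import dataclass

# Ordered impact values as used by FIPS 199 and CNSSI 1253.
LEVELS = ("low", "moderate", "high")
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """An information type with its provisional C/I/A impact values."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact(self, objective: str) -> str:
        value = getattr(self, objective)
        if value not in RANK:
            raise ValueError(f"{self.name}: bad {objective} impact {value!r}")
        return value


def categorize(info_types: list[InfoType]) -> dict[str, str]:
    """FIPS 199 aggregation: for each objective, take the highest impact among
    all information types the system handles.  The result is a triple such as
    {confidentiality: moderate, integrity: moderate, availability: low}, which
    CNSSI 1253 keeps intact (often written M-M-L) for control selection."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return {
        obj: max((it.impact(obj) for it in info_types), key=RANK.__getitem__)
        for obj in OBJECTIVES
    }


def high_water_mark(categorization: dict[str, str]) -> str:
    """Overall rating as stated on the slide: the most severe of the three
    objectives (the FIPS 200 'high water mark').  Shown for contrast with the
    per-objective selection below."""
    return max(categorization.values(), key=RANK.__getitem__)


def baseline_id(categorization: dict[str, str]) -> str:
    """CNSSI 1253 shorthand, e.g. 'M-M-L' for C=moderate, I=moderate, A=low."""
    return "-".join(categorization[obj][0].upper() for obj in OBJECTIVES)


# Constructed mini catalog (NOT the real allocations).  Each control lists,
# per objective, the lowest impact value at which it is selected; None means
# the control is not tied to that objective.
CATALOG = {
    "AC-2":    {"confidentiality": "low",      "integrity": "low",      "availability": None},
    "AC-2(1)": {"confidentiality": "moderate", "integrity": "moderate", "availability": None},
    "AU-6(1)": {"confidentiality": "moderate", "integrity": "moderate", "availability": None},
    "CP-2(2)": {"confidentiality": None,       "integrity": None,       "availability": "moderate"},
    "CP-4(2)": {"confidentiality": None,       "integrity": None,       "availability": "high"},
    "SI-7":    {"confidentiality": None,       "integrity": "moderate", "availability": None},
}


def select_controls(categorization: dict[str, str], catalog=CATALOG) -> list[str]:
    """Per-objective selection: a control is in the baseline if the system's
    impact value for any objective meets that control's threshold."""
    selected = []
    for ctrl, thresholds in catalog.items():
        for obj, threshold in thresholds.items():
            if threshold is not None and RANK[categorization[obj]] >= RANK[threshold]:
                selected.append(ctrl)
                break
    return selected


# Constructed example system: a logistics application that also holds PII.
EXAMPLE_SYSTEM = [
    InfoType("inventory status", "low", "moderate", "low"),
    InfoType("personnel PII", "moderate", "moderate", "low"),
    InfoType("public catalog", "low", "low", "low"),
]

if __name__ == "__main__":
    cat = categorize(EXAMPLE_SYSTEM)
    print(baseline_id(cat), cat)                              # M-M-L
    print("overall (high water mark):", high_water_mark(cat)) # moderate
    print("selected controls:", select_controls(cat))
```

Note that raising one information type's availability impact to high changes the selected set without touching confidentiality or integrity, which is why the per-objective triple, rather than a single collapsed level, is what drives control selection under CNSSI 1253.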
Slide 19: Knowledge Service Security Controls Explorer
The Knowledge Service will provide tools for selecting controls and will contain DoD assignments and implementation guidance for each required control. Users can view control sets by family, or establish a control set baseline using the High, Moderate, and Low impact search functionality. Users can also view control details.
Slide 20: RMF Steps Three and Four, Implement and Assess
In step 3, Implement Security Controls: The Information System Owner (ISO) is primarily responsible for ensuring that security controls are implemented. The ISO documents security control implementation in the Security Plan. Collaboration with Systems Engineering and Test and Evaluation representatives assists in control implementation.
In step 4, Assess Security Controls: The Security Control Assessor (SCA) is primarily responsible for assessment. The SCA prepares a Security Assessment Plan, assesses the implementation of the security controls in the system, and prepares a Security Assessment Report (SAR).
Artifacts shown in the slide diagram: Security Plan (ISO); Security Assessment Plan and Security Assessment Report (SCA).
Slide 21: RMF Steps Five and Six, Authorize and Monitor
In step 5, Authorize:
- The ISO prepares the plan of action and milestones (POA&M) based on the findings and recommendations of the security assessment report, excluding any remediation actions already taken.
- The ISO assembles the Security Authorization Package and provides it to the AO.
- The AO conducts a final risk determination and makes an authorization decision.
In step 6, Monitor: continuous monitoring is performed and documentation is updated as needed.
Slide 22: T&E Responsibilities in 8500.01 and 8510.01
For DASD(DT&E) and the developmental test community:
- Cybersecurity assessments must be integrated into DT&E.
- Cybersecurity planning, implementation, testing, and evaluation must be incorporated in the DoD acquisition process, with DASD(DT&E) responsible for ensuring that cognizant DT&E authorities for acquisition programs verify that adequate DT&E to support cybersecurity is planned, resourced, documented, and can be executed in a timely manner prior to approval of program documents.
- Coordination is required with the DoD Test Resource Management Center (TRMC) for establishment of DT&E-specific cybersecurity architectures and requirements.
For the operational test community, the policy:
- Requires that programs perform cybersecurity assessments as part of operational test assessments.
- Requires DOT&E to conduct independent cybersecurity assessments during operational test and evaluation (OT&E) for systems under acquisition, and to oversee cybersecurity assessments by test agencies during both acquisition and exercise events.
Slide 23: Additional information on RMF
- DoDI , "Cybersecurity"
- DoDI , "Risk Management Framework for DoD IT"
- RMF Knowledge Service, for documentation, tools, and information about DoD implementation of the RMF.
- NIST Special Publication at rev1/sp rev1-final.pdf, for information on RMF.
- CNSSI 1253 at pdf, for information on system categorization.
- NIST Special Publication at r4.pdf, for security controls.
- The T&E Guidebook provides the details of what to do; the 5000 and 8500 series are the policy.
Slide 24: Backup Slides
Slide 25: Definitions from DoDI
Information Systems - A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Note: information systems also include specialized systems such as industrial/process control systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems.
Major Application - An application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. All federal applications require some level of protection. Certain applications, because of the information in them, require special management oversight and should be treated as major. Adequate security for other applications should be provided by the security of the systems in which they operate. Major applications include any application that is a product or deliverable of an Acquisition Category I through III program as defined in Enclosure 3 of DoDI .
Slide 26: Definitions from DoDI
Enclave - A collection of computing environments connected by one or more networks. Enclaves always assume the highest security category of the ISs that they host, and derive their security needs from those systems.
Platform IT - IT, both hardware and software, that is physically part of, dedicated to, or essential in real time to the mission performance of special purpose systems. All PIT has cybersecurity considerations. Examples of platforms that may include PIT are: weapons systems, training simulators, diagnostic test and maintenance equipment, calibration equipment, equipment used in the research and development of weapons systems, medical devices and health information technologies, vehicles and alternative fueled vehicles, buildings and their associated control systems, utility distribution systems, telecommunications systems designed specifically for industrial control systems (including supervisory control and data acquisition, direct digital control, programmable logic controllers, other control devices, and advanced metering or sub-metering), including associated data transport mechanisms (e.g., data links, dedicated networks).
Slide 27: Definitions from DoDI
Platform IT Systems - A collection of PIT within an identified boundary under the control of a single authority and security policy. The systems may be structured by physical proximity or by function, independent of location. PIT systems are analogous to enclaves but are dedicated only to the platforms they support.
Services - An IT service is a form of DoD internet service. It consists of IT capabilities that are provided according to a formal agreement between the DoD and an entity within the DoD or external to the DoD. Capabilities may include, for example, information processing, storage, or transmission. An IT service is provided from outside the authorization boundary of the organizational IS using the IT service, and the using organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness.
Product - Individual IT hardware or software items. Products can be commercial or government provided and include, but are not limited to, operating systems, office productivity software, firewalls, and routers.
Slide 28: Definitions from Federal Information Processing Standards (FIPS) 199
In FIPS 199, confidentiality, integrity, and availability are defined as security objectives for information and information systems:
- Confidentiality: "Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information..." A loss of confidentiality is the unauthorized disclosure of information.
- Integrity: "Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity..." A loss of integrity is the unauthorized modification or destruction of information.
- Availability: "Ensuring timely and reliable access to and use of information..." A loss of availability is the disruption of access to or use of information or an information system.
Information is from a NIST March 2004 Bulletin. (I was unable to obtain the actual FIPS 199 document.)
Slide 29: Impact levels are defined in FIPS 199 as follows:
The potential impact is low if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. A limited adverse effect could mean that the loss of confidentiality, integrity, or availability might:
- Cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced;
- Result in minor damage to organizational assets, minor financial loss, or minor harm to individuals.
Slide 30: Impact levels defined in FIPS 199 (continued):
The potential impact is moderate if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. A serious adverse effect could mean that the loss of confidentiality, integrity, or availability might:
- Cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced;
- Result in significant damage to organizational assets, significant financial loss, or significant harm to individuals, but not loss of life or serious life-threatening injuries.
Slide 31: Impact levels defined in FIPS 199 (continued):
The potential impact is high if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. A severe or catastrophic adverse effect could mean that the loss of confidentiality, integrity, or availability might:
- Cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions;
- Result in major damage to organizational assets, major financial loss, or severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.
Slide 32: Key Cybersecurity Artifacts
Security Plan (SP) - Provides an overview of the security requirements for the system, the system boundary description, the system identification, common controls identification, security control selections, subsystem security documentation (as required), and external services security documentation (as required). The plan can also contain, as supporting appendixes or as references, other key security-related documents such as a risk assessment, privacy impact assessment, system interconnection agreements, contingency plan, security configurations, configuration management plan, and incident response plan.
Program Protection Plan (PPP) - The integrating process for managing risks to advanced technology and mission-critical system functionality from foreign collection, design vulnerability or supply chain exploit/insertion, and battlefield loss throughout the acquisition life cycle.
Slide 33: Key Cybersecurity Artifacts (cont.)
Security Assessment Plan (SAP) - Provides the objectives for the security control assessment and a detailed roadmap of how to conduct the assessment.
Cybersecurity Strategy (formerly Information Assurance Strategy (IAS)) - Includes the cybersecurity requirements, approach, testing, shortfalls, and authorization for the system being acquired and the associated development, logistics, and other systems storing or transmitting information about that system. Documents the program's overall cybersecurity requirements and approach, and helps facilitate consensus among the PM, Component CIO and DoD CIO on pivotal issues.
Security Assessment Report (SAR) - Contains the assessment plan, the controls to be assessed and the actual assessment results, as well as any artifacts produced during the assessment (e.g., output from automated test tools or screenshots that depict aspects of system configuration).