Presentation is loading. Please wait.

Presentation is loading. Please wait.

ATD session 2: compliancy versus mission assurance

Published byあきとし いりぐら Modified over 6 years ago

Similar presentations

Presentation on theme: "ATD session 2: compliancy versus mission assurance"— Presentation transcript:

1 ATD session 2: compliancy versus mission assurance
17 October 2017 DAU Cybersecurity Enterprise Team

2 learning objectives Implement cybersecurity regulatory, statutory, and best practices to achieve mission assurance Apply Risk Management Framework (RMF) process Compliment with NIST Cybersecurity Framework Validate using Independent Operational Test

3 Cybersecurity problem
Panelist Testimony Cybersecurity problem Testimony of Dr. Ron Ross, National Institute of Standards and Technology “… increasing complexity and attacks guarantees a number of weaknesses and vulnerabilities will continue to grow.” Available at

4 Current strategy: Compliancy
DoDI Critical Program Information DoDI Protection of Mission Critical Functions DoDI Security of Unclassified DoD Information on Non-Information Systems DoDI Defense Acquisition DoDI Cybersecurity DoDI Risk Management Framework (RMF) DoDI Distribution Statements on Technical Documents DFARS ‐7008 – Compliance with Safeguarding Covered Defense Information Controls DFARS ‐7009 – Limitations on the Use or Disclosure of Third‐Party Contractor Information DFARS ‐7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting DFARS ‐7009 – Representation of Use of Cloud Computing DFARS ‐7010 – Cloud Computing Services DFARS ‐7017 – Notice of Supply Chain Risk DFARS ‐7018 – Supply Chain Risk

5 Linkage to “secure enough”
Does Compliancy equal Secure Enough? Will Compliancy achieve Mission Assurance?

6 Changes in Compliancy Policies … Includes
Security Resiliency Mission Assurance

7 Transition to resiliency
Make systems and networks more penetration-resistant; capable of limiting damage from cyber-attacks by reducing adversaries’ time on target or lateral movement; and sufficiently resilient to support critical missions and operations The West Top 10.

8 Operational resiliency
DoDI “Operational Resilience” Operational resilience requires three conditions to be met: Information resources are trustworthy; Missions are ready for information resources degradation or loss; Network operations have the means to prevail in the face of adverse events.” (p. 31) Trustworthy, Ready for Degradation, Prevail 17

9 Tools to Help with Compliancy
NIST Cybersecurity Framework RMF Process

10 Cybersecurity framework
Federal agencies now are encouraged to use the Cybersecurity Framework … would bring immediate benefits, driving agencies to shift approaches away from simple compliance and toward thinking more holistically about cybersecurity risk management.” REF:

11 NIST Cybersecurity framework
Core Function Explanation Identify Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. Protect Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. Detect Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. Respond Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. Recover Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology. Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes. Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The Respond Function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements. • Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome Categories within this Function include: Recovery Planning; Improvements; and Communications. Framework for Improving Critical Infrastructure Cybersecurity, v 1.0, NIST, February 2014

12 RMF: NIST Special Publications 800-53 Revision 5 Draft
“… make information systems more penetration resistant to attacks; limit the damage from attacks when they occur; and make the systems resilient and survivable” “… promoting integration with different risk management … including Cybersecurity Framework” “ … determine required level of assurance that the selected security controls are effective …” “… provide a flexible catalog of security to meet current protection needs and the demands of future needs based on changing threats, requirements, and technologies”

13 Risk diagram “The five Functions also balance prevention and reaction, including preparatory activities to enable the best possible outcome from that reaction” (p. 28)

14 Ways to Validate Compliancy
Independent Operational Test Simulation/Table Tops

15 Contested environment
“Training scenarios and exercises should reflect advanced contested environments” “Maintain operational effectiveness while absorbing successful attacks” (p. 4) 13

16 Cybersecurity Survivability
System Survivability KPP SS KPP = Kinetic, EW & Cyber - for IS and PIT Cyber Survivability Endorsement (CSE) v1.01a, 10 CSAs, JCS Guide JROCM , 27 Jan 2017

17 Tabletop exercises Objectives:
Identification of material and non-material gaps and overlaps within the program as they relate to the successful completion of the mission Development of courses of (corrective) action (COA) based on threat and risk identification and assessment REF: Defense AT&L: November-December 2017

18 Formula for “Secure Enough”
Compliancy = Security + Resiliency = Mission Assurance

19 Compliancy Check & balance
Implement security controls through RMF process Implement controls that incorporate security and resiliency capabilities Uses NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, and Recover) Conduct independent Operational Test Measure systems’ Operation Effectiveness, Suitability, and Security Uses System Survivability Key Performance Parameters to validate security controls

20 Cybersecurity Framework Integration

21 cybersecurity trade-space
Security and Functionality - How skilled, trained and experienced do you want the Users to be? $$$ People Policy/Process Technology PPT Model When you start reviewing cybersecurity and associating with acquisition issues, the two areas of trade-space that must be considered and analyzed are functionality and security. When incorporating cybersecurity principles into networks or systems, one must determine the type and purpose of the system; whether supporting Platform or Weapons, Information Technology Communications, or Business (non-tactical) operations. The type and purpose will determine the level of functionality and security to ensure successfully mission accomplishment or mission assurance. Safety is a critical trade-off that must be resolved. Any issues associated with potential loss of life will be mitigated. Industrial Control Systems, Weapons, and Platform Information Technology seem to lean toward availability. Information Technology Communications and Defense Business Systems seem to lean toward accessibility and interoperability.

22 Cost, schedule & performance trade-offs
Do my measurements and analysis allow me to: Know if I am secure enough? Am I spending my money correctly? Should increase my cybersecurity spending? What is my return on investment?

23 Recap learning objectives
Implement cybersecurity regulatory, statutory, and best practices to achieve mission assurance Apply Risk Management Framework (RMF) process Compliment with NIST Cybersecurity Framework Validate using Independent Operational Test

24 summary Focus on mission assurance instead of compliancy
Manage outcomes and cybersecurity risk management Field cybersecurity capabilities that promote mission assurance & support operational requirements We may not get a Second Chance – when Hostilities Start!!!

25 Questions

Download ppt "ATD session 2: compliancy versus mission assurance"

Similar presentations

EMS Checklist (ISO model)

EMS Checklist (ISO model)
Tenace FRAMEWORK and NIST Cybersecurity Framework Block IDENTIFY.

Tenace FRAMEWORK and NIST Cybersecurity Framework Block IDENTIFY.
NOTE: To change the image on this slide, select the picture and delete it. Then click the Pictures icon in the placeholde r to insert your own image. Cybersecurity.

NOTE: To change the image on this slide, select the picture and delete it. Then click the Pictures icon in the placeholde r to insert your own image. Cybersecurity.
S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,

S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,
BENEFITS OF SUCCESSFUL IT MODERNIZATION

BENEFITS OF SUCCESSFUL IT MODERNIZATION
DHS, National Cyber Security Division Overview

DHS, National Cyber Security Division Overview
National Protection and Programs Directorate Department of Homeland Security The Office of Infrastructure Protection Cybersecurity Brief [Date of presentation]

National Protection and Programs Directorate Department of Homeland Security The Office of Infrastructure Protection Cybersecurity Brief [Date of presentation]
Framework for Improving Critical Infrastructure Cybersecurity NIST Feb 2014.

Framework for Improving Critical Infrastructure Cybersecurity NIST Feb 2014.
National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.

National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.
Unit 8: Tests, Training, and Exercises Unit Introduction and Overview Unit objectives:  Define and explain the terms tests, training, and exercises. 

Unit 8: Tests, Training, and Exercises Unit Introduction and Overview Unit objectives:  Define and explain the terms tests, training, and exercises. 
NIST framework vs TENACE Protect Function (Sestriere, 21-23 Gennaio 2015)

NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)
Computer Security: Principles and Practice

Computer Security: Principles and Practice
The Information Systems Audit Process

The Information Systems Audit Process
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Resiliency Rules: 7 Steps for Critical Infrastructure Protection.

Resiliency Rules: 7 Steps for Critical Infrastructure Protection.
EASTERN MICHIGAN UNIVERSITY Continuity of Operations Planning (COOP)

EASTERN MICHIGAN UNIVERSITY Continuity of Operations Planning (COOP)
Don Von Dollen Senior Program Manager, Data Integration & Communications Grid Interop December 4, 2012 A Utility Standards and Technology Adoption Framework.

Don Von Dollen Senior Program Manager, Data Integration & Communications Grid Interop December 4, 2012 A Utility Standards and Technology Adoption Framework.
Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013 DRAFT.

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013 DRAFT.
THE REGIONAL MUNICIPALITY OF YORK Information Technology Strategy & 5 Year Plan.

THE REGIONAL MUNICIPALITY OF YORK Information Technology Strategy & 5 Year Plan.
© 2001 Carnegie Mellon University S8A-1 OCTAVE SM Process 8 Develop Protection Strategy Workshop A: Protection Strategy Development Software Engineering.

© 2001 Carnegie Mellon University S8A-1 OCTAVE SM Process 8 Develop Protection Strategy Workshop A: Protection Strategy Development Software Engineering.

Similar presentations

Ads by Google