Presentation is loading. Please wait.

Presentation is loading. Please wait.

NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-1 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984.

Published byLeonel Hasler Modified over 9 years ago

Similar presentations

Presentation on theme: "NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-1 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984."— Presentation transcript:

1 NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-1 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. Trusted Defense Systems Kristen Baldwin Director, Systems Analysis DDRE/Systems Engineering

2 NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-2 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. Trusted Defense Systems Strategy Report on Trusted Defense Systems USD(AT&L) ASD(NII)/DoD CIO Delivering Trusted Systems

3 NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-3 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. Elements of the Strategy CPI Identification –Critical Components –Critical Technology System Security Engineering –Anti-Tamper, SPI –System Assurance Supply Chain Risk Mitigation –Trusted Foundry, DMEA –Threat and vulnerability assessments DIB Cyber Security Standards for Secure Products and Networks Damage Assessments Technology Investment Strategies –DARPA TRUST –NSA Center for Assured SW, Air Force Application SW Assurance CoE –IA/HW/SW Assurance Focus on Mission Critical Systems Identify Critical Components for Trust Protect Critical Technology

4 NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-4 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. 4 Increased Priority for Program Protection Threats: Nation-state, terrorist, criminal, rogue developer who: –Gain control of systems through supply chain opportunities –Exploit vulnerabilities remotely Vulnerabilities: All systems, networks, applications –Intentionally implanted logic (e.g., back doors, logic bombs, spyware) –Unintentional vulnerabilities maliciously exploited (e.g., poor quality or fragile code) Consequences: Stolen critical data & technology; corruption, denial of critical warfighting functionality Then Standalone systems >>> Some software functions >>> Known supply base >>> Now Networked systems Software-intensive Prime Integrator, hundreds of suppliers Today’s acquisition environment drives the increased emphasis:

5 NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-5 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. Challenges Being Addressed Policy and guidance for security is not streamlined There is a lack of useful methods, processes and tools for acquirers and developers Criticality is usually identified too late to budget and implement protection Horizontal protection process is insufficiently defined Lack of consistent method for measuring cost and success of “protection” Intelligence data is not available to programs for risk awareness Security not typically identified as an operational requirement, and is therefore lower priority Data Source: GAO report, white papers, military service feedback

6 NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-6 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. Major Efforts being executed by DDRE/SE Implementing 5200.39 and 5000.02 Program Protection Policy –Review/Coordination of PPPs for ACAT I programs –Program protection assessment methodology –Guidance and best practice countermeasures, education and training, industry outreach, to assist programs with CPI identification and protection Supply Chain Risk Management –Procedures, capability to utilize threat information in acquisition –Commercial standards for secure components (ISO/IEC, The Open Group) Horizontal Protection Procedures –Acquisition Security Database (ASDB) oversight and implementation Advancing the practice: System Security Engineering –SERC Research Topic – “Security Engineering” –INCOSE Working Group on System Security Engineering –DoD/NSA Criticality Analysis Working Group DoD Anti-Tamper Executive Agent –Anti-Tamper IPT, AT policy, guidance advocate –Legislative Proposal – Defense Exportability Fund Pilot Program Countering Counterfeits Tiger Team –Lifecycle strategy to reduce counterfeits, esp microelectronics

7 NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-7 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. Program Protection Policy DoD Policy: DODI 5200.39 “Critical Program Information Protection Within the DoD” –Provide uncompromised and secure military systems to the warfighter by − performing comprehensive protection of CPI − through the integrated and synchronized application of CI, Intelligence, Security, systems engineering, and other defensive countermeasures to mitigate risk… –“CPI. Elements or components of an RDA program that, if compromised, could cause significant degradation in mission effectiveness; − Includes information about applications, capabilities, processes, and end-items. − Includes elements or components critical to a military system or network mission effectiveness. − Includes technology that would reduce the US technological advantage if it came under foreign control…”

8 NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-8 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies.

9 NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-9 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. DoD 5000 Lifecycle Approach to Early, Designed-In Program Protection Identify candidate CPI in TDS, and potential countermeasures Milestone Decision Authority approves PPP in addition to PM Acquisition Strategy, RFP, SEP, and TEMP reflect PPP relevant information Obtain threat assessments from Intel/CI, assess supplier risks Develop design strategy for CPI protection Submit PPP to Acquisition Security Database (ASDB) Enhance countermeasure information in Program Protection Plan (PPP) Evaluate that CPI Protection, RFP requirements have been met Full Rate Prod DR MS CMS B MS A Technology Development CDD Engineering and Manufacturing Development CPD Production & Deployment O&S MDD Materiel Solution Analysis Streamlined Program Protection Plan One-stop shopping for documentation of acquisition program security (ISP, IA, AT appendices) Living document, data driven, easy to update, maintain Contractor adds detail to Program Protection Plan Preliminary verification and validation that design meets assurance plans S&T Programs

10 NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-10 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. Multifaceted Approach to Program Protection Requests for Proposals (RFP) DoDI DoDM 5200.39 DoDI DoDM 5200.39 Program Protection Plan (PPP) Map to CPI being protected & location in Use to contract for security in SCRM Key Practices SCRM Key Practices Requires Other countermeasures (INFOSEC, IA, ITAR, FMS, etc.) Best Practices Systems Security Engineering (risk mitigation) Systems Security Engineering (risk mitigation) Specific tools and practices (e.g. Malicious code checks, software assurance techniques) DoDM 5200.39 Requires use of Supply Chain Risk Management (SCRM) and System Security Engineering Best Practice Countermeasures to protect Critical Program Information (CPI)  

11 NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-11 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. Systems Security Engineering (SSE): Early Engineering Emphasis Identify components that need protection –Perform criticality analysis based on mission context and system function − Evaluate CONOPS, threat information, notional system architecture to identify critical components (hardware, software and firmware) − Identify rationale for inclusion or exclusion from candidate CPI list –Perform trade-offs of design concepts and potential countermeasures to minimize vulnerabilities, weaknesses, and implementation costs Establish System Security Engineering Criteria –Ensure preferred concept has preliminary level security requirements derived from candidate CPI countermeasures –Ensure system security is addressed as part of Systems Engineering Technical Reviews We have begun to apply these practices with major acquisition programs

12 NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-12 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. Systems Security Engineering Systems Security Engineering Definition : –An element of system engineering that applies scientific and engineering principles to identify security vulnerabilities and minimize or contain risks associated with these vulnerabilities (MIL-HDBK-1785: Systems Security Engineering Program Management Requirements) Codify guidance and best practice –To identify software, hardware vulnerabilities –To support program protection planning –To support secure systems design Work is needed to fully expand this discipline –Foundational science and engineering, competencies (as compared to other SE Specialties: reliability, safety, etc) –Methods and tools: V&V, architecting for security –Community and design team recognition of SSE as a key design consideration

13 NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-13 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. Systems Security Engineering Research Roadmap Joint DDRE/SE and NSA funded SE Research Center task –Goal: Develop a research roadmap to grow Systems Security Engineering as a key discipline of SE Workshop in March 2010 to collect input –50 attendees from industry, government, and academia Proposed research modules in key areas: –Definitions: What is the scope of Systems Security Engineering? –Metrics: How much security is enough? How do we compare? –Frameworks: What is the trade space for making security engineering decisions? Are there architectural commonalities to leverage? –Workforce: How do we train researchers, developers, and acquisition professionals to do this? What do they need to know? –Methods, Processes, and Tools: How might practitioners actually do this? What can we learn from related disciplines (e.g. Safety, Reliability, Surety)? Final report in September 2010

14 NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-14 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. Standardization Efforts Buying with Confidence –Open Group engagement to develop secure commercial product standards –Technology supply chain security standard through ISO –Supply Chain Risk Mitigation –Countering Counterfeits Tiger Team –DFAR for safeguarding unclassified DoD information on DIB networks –Object Management Group software assurance frameworks Building with Integrity –NDIA System Assurance Guidebook, adopted by NATO Standardization Agency –ISO 15026: Standard for Systems and Software Assurance –Criticality Analysis Working Group –Systems Security Engineering research roadmap –DHS Software Assurance Horizontal Protection –DoD-wide Critical Program Information identification process –Acquisition Security Database adoption and implementation

15 NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-15 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. In Summary Holistic approach to assurance is critical –To focus attention on the threat –To avoid risk exposure from gaps and seams Program Protection Policy provides overarching framework for trusted systems –Common implementation processes are beneficial Stakeholder integration is key to success –Acquisition, Intelligence, Engineering, Industry, Research Communities are all stakeholders Systems engineering brings these stakeholders, risk trades, policy, and design decisions together –Informing leadership early; providing programs with risk-based options

16 NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-16 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. Backup Slides

17 NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-17 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. Key Enablers of the Strategy The requirement for assurance is allocated among the right systems and their critical components DoD understands its supply chain risks DoD systems are designed and sustained at a known level of assurance Commercial sector shares ownership and builds assured products Technology investment transforms the ability to detect and mitigate system vulnerabilities Prioritization Supplier Assurance Engineering- In-Depth Industry Outreach Technology Investment Assured Systems Vision of Success *Reference: DoD System Assurance CONOPS, 2004

18 NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-18 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. Desired Outcome Program Benefit Coherent direction and integrated policy framework to respond to security requirements Risk-based approach to implementing security Provision of expert engineering and intelligence support to our programs Streamline process to remove redundancy; focus on protection countermeasures DoD Benefit Reduced risk exposure to gaps/seams in policy and protection activity Improved oversight and focus on system assurance throughout the lifecycle Ability to capitalize on common methods, instruction and technology transition opportunities Cost effective approach to “building security in” where most appropriate

19 NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-19 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. SE PPP and Assessment Criteria Program Criticality Analysis uses a collection of techniques to identify the critical functions / capabilities that need protection –Mission thread analysis –Vulnerability analysis –WBS analysis (What are the major cost elements) –Domain specific knowledge –COTS design vulnerabilities and supply chain Design and assurance techniques –Defense in Depth –Draft PDR Exit Criteria –Draft CDR Exit Criteria –Configuration management access control SW Development assurance techniques –Static code analyzers –Design and code walkthroughs / inspections for assurance

20 NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-20 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. Systems Security Engineering: Integration of Security Resources 20

21 NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-21 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. CPI Formats and Example Protections Information Systems –Information Assurance (controls for applications, networks, IT processes and platform IT interconnections) –Communications Security (Encryption, decryption) End Items –Anti-Tamper (deter, prevent, detect, respond) –Information Assurance –Supply Chain Risk Management (assessing supplier risk) –Software Assurance (tools, processes to ensure SW function) –System Security Engineering –Trusted Foundry (integrated circuit providers) Hard Copy Documents –Information Security (Document markings, handling instructions) –Foreign Disclosure (restrict/regulate foreign access) –Physical Security (gates, guards, guns) Ideas/Knowledge –Personnel Security (trustworthy, reliable people) –Access Controls

Download ppt "NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-1 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984."

Similar presentations

1 The Systems Engineering Research Center UARC Dr. Dinesh Verma Executive Director January 13, 2010 www.stevens.edu/SERC.

1 The Systems Engineering Research Center UARC Dr. Dinesh Verma Executive Director January 13,
Roadmap for Sourcing Decision Review Board (DRB)

Roadmap for Sourcing Decision Review Board (DRB)
State of Indiana Business One Stop (BOS) Program Roadmap Updated June 6, 2013 RFI ATTACHMENT D.

State of Indiana Business One Stop (BOS) Program Roadmap Updated June 6, 2013 RFI ATTACHMENT D.
Course: e-Governance Project Lifecycle Day 1

Course: e-Governance Project Lifecycle Day 1
Secure Systems Research Group - FAU Process Standards (and Process Improvement)

Secure Systems Research Group - FAU Process Standards (and Process Improvement)
ERS Overview 5/15/12 | Page-1 Distribution Statement A – Cleared for public release by OSR, SR Case #s 12-S-0258, 0817, 1003, and 1854 apply. Affordable,

ERS Overview 5/15/12 | Page-1 Distribution Statement A – Cleared for public release by OSR, SR Case #s 12-S-0258, 0817, 1003, and 1854 apply. Affordable,
BENEFITS OF SUCCESSFUL IT MODERNIZATION

BENEFITS OF SUCCESSFUL IT MODERNIZATION
Chris Reisig, Task Group Chairman December 17, 2009 NDIA EHM Committee EHM Technology Transition Study Report.

Chris Reisig, Task Group Chairman December 17, 2009 NDIA EHM Committee EHM Technology Transition Study Report.
©2006 OLC 1 Process Management: The Foundation for Achieving Organizational Excellence Process Management Implementation Worldwide.

©2006 OLC 1 Process Management: The Foundation for Achieving Organizational Excellence Process Management Implementation Worldwide.
National Infrastructure Protection Plan

National Infrastructure Protection Plan
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
1 Acquisition and Technology Overview: System Assurance and Cyber Security Kristen Baldwin Deputy Director, Strategic Initiatives Office of the Deputy.

1 Acquisition and Technology Overview: System Assurance and Cyber Security Kristen Baldwin Deputy Director, Strategic Initiatives Office of the Deputy.
SERC Achievements and Program Direction Art Pyster Deputy Executive Director November, 2010 www.SERCuarc.org Note by R Peak 12/7/2010: This presentation.

SERC Achievements and Program Direction Art Pyster Deputy Executive Director November, Note by R Peak 12/7/2010: This presentation.
Software and System Engineering Integration Sponsor Overview Kristen Baldwin Deputy Director, Software Engineering and System Assurance Office of the Under.

Software and System Engineering Integration Sponsor Overview Kristen Baldwin Deputy Director, Software Engineering and System Assurance Office of the Under.
DoD Systems and Software Engineering A Strategy for Enhanced Systems Engineering Kristen Baldwin Acting Director, Systems and Software Engineering Office.

DoD Systems and Software Engineering A Strategy for Enhanced Systems Engineering Kristen Baldwin Acting Director, Systems and Software Engineering Office.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
1 Introduction to System Engineering G. Nacouzi ME 155B.

1 Introduction to System Engineering G. Nacouzi ME 155B.
Recent Trends in DoD Systems and Software Engineering Processes Bruce Amato Acting Deputy Director, Software Engineering and Systems Assurance Office of.

Recent Trends in DoD Systems and Software Engineering Processes Bruce Amato Acting Deputy Director, Software Engineering and Systems Assurance Office of.
Aust. AM Collaborative Group (AAMCOG) An introduction to ISO 55000 “What to do” guide 20th October 2014.

Aust. AM Collaborative Group (AAMCOG) An introduction to ISO “What to do” guide 20th October 2014.
The Software Product Life Cycle. Views of the Software Product Life Cycle  Management  Software engineering  Engineering design  Architectural design.

The Software Product Life Cycle. Views of the Software Product Life Cycle  Management  Software engineering  Engineering design  Architectural design.

Similar presentations

Ads by Google