Published by Lindsay Pierce. Modified over 9 years ago.
1
Federal Cyber Policy and Assurance Issues
Dwayne Ramsey, Computer Protection Program Manager, Berkeley Lab
Cyber Security Summit, September 27, 2004
2
“And so, extrapolating from the best figures available, we see that current trends, unless dramatically reversed, will inevitably lead to a situation in which the sky will fall.”
3
Outline
Federal IT management initiatives
DOE Cyber Security Program
Cyber Assurances
Technical Vision
Research
4
Current Federal IT Strategy
Efforts are underway to integrate
— Federal Enterprise Architecture,
— Agency capital planning efforts, and
— Cyber Security
Goals:
— Identify best practices,
— Leverage resources,
— Manage cyber assurance
5
Information Technology… per Clinger-Cohen Act of 1996 and OMB Circular A-11
Equipment used by an agency or its contractors in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information.
Computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources.
Does not include any equipment that is acquired by a Federal contractor incidental to a Federal contract.
6
DOE Cyber Security Program
Umbrella document is DOE Order 205.1, DEPARTMENT OF ENERGY CYBER SECURITY MANAGEMENT PROGRAM, of 3/21/2003
— Lays out roles, responsibilities, requirements
— Implementation through DOE Program Cyber Security Plans (DOE Office of Science for Berkeley Lab)
— Allows for a graded approach
DOE Policy directives included in M&O Contracts
FISMA and NIST requirements flow down to DOE Laboratories
7
DOE Cyber Green?
Significant effort in the past few months to achieve a green rating on the President’s Management Agenda and FISMA
Federal Authority to Operate (ATO) required
— NIST compliant security documentation, e.g.
Certification and Accreditation of all unclassified systems security plans consistent with NIST SP 800-18
Risk Assessment consistent with NIST SP 800-26
Frequent data calls
Increased audits of cyber security at the DOE Laboratories
8
Assurance Concepts
The cyber threat is being rapidly automated
Automated defenses are trying to keep up
Assurance practices not keeping pace – still paperwork intensive
Assurance is very important. We must find ways to automate Assurance Metrics are byproducts of operations:
— must come from real time events as they occur in the operations of the networked environment
9
[Diagram: Assurance Flow. Labels: Assurance Management; Assurance Operations; Assurance Requirements “What Not How”; Assurances; Operational Requirements; Regulation and Oversight; Congress; OMB; NIST; DOE and Contractor Sites]
10
Assurance Modes
We are at a crossroads.
One path leads toward checklists and paper assurances
The other moves us to automation and the self healing network
Assurance should be based on automated processes
11
[Diagram: High Level CYBER Assurance Model. Labels: DOE Cyber Program; Congress; OMB; DOE, SC; GAO/IG/OA; Best Practices; Plans Appropriate to Tier I, II, III Labs; Operations; Reported Metrics; Assurance Documents; POLICY Directives; Automate this part; CM, C&A, Authority to Operate, Residual Risk, etc.; Integrate Assurance into Daily Operational Processes; Audits and Reviews; Direction; Feedback]
12
Technical Vision
Fully automated monitoring
Network information continuously collected
Successful attacks and intrusions immediately discovered
Systems continuously scanned
Network vulnerabilities detected as they appear
Vulnerabilities immediately resolved
Automatically sequestered
Automatically alert owners/sys admins
Automatically remove blocks when vulnerabilities are fixed
Assurance data generated from monitoring output
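A minimal sketch of the loop this slide envisions, added here as an illustration and not taken from the presentation: scan results drive sequestering, owner alerts and unblocking, and the assurance report is computed only from the resulting event log. The host names, owners, vulnerability ids and the `Monitor` class are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed scan results: (scan_cycle, host, owner, open_vulnerability_ids)
SCANS = [
    (1, "host-a", "alice", ["VULN-1"]),
    (1, "host-b", "bob", []),
    (2, "host-a", "alice", ["VULN-1"]),
    (2, "host-b", "bob", ["VULN-2"]),
    (3, "host-a", "alice", []),
    (3, "host-b", "bob", ["VULN-2"]),
]

@dataclass
class Monitor:
    blocked: dict = field(default_factory=dict)  # host -> cycle when sequestered
    events: list = field(default_factory=list)   # operational event log

    def log(self, cycle, kind, host, detail):
        self.events.append({"cycle": cycle, "kind": kind, "host": host, "detail": detail})

    def ingest(self, cycle, host, owner, vulns):
        if vulns and host not in self.blocked:
            # Newly vulnerable: sequester the host and alert its owner once.
            self.blocked[host] = cycle
            self.log(cycle, "sequester", host, list(vulns))
            self.log(cycle, "alert", host, owner)
        elif not vulns and host in self.blocked:
            # Rescan is clean: remove the block, record how long it stood.
            opened = self.blocked.pop(host)
            self.log(cycle, "unblock", host, cycle - opened)

    def assurance_report(self):
        # Metrics are derived from the event log, not from separate paperwork.
        counts = Counter(e["kind"] for e in self.events)
        fixes = [e["detail"] for e in self.events if e["kind"] == "unblock"]
        return {
            "sequestered": counts["sequester"],
            "alerts": counts["alert"],
            "resolved": counts["unblock"],
            "still_blocked": sorted(self.blocked),
            "mean_cycles_to_fix": sum(fixes) / len(fixes) if fixes else None,
        }

def run(scans=SCANS):
    monitor = Monitor()
    for cycle, host, owner, vulns in scans:
        monitor.ingest(cycle, host, owner, vulns)
    return monitor

if __name__ == "__main__":
    print(run().assurance_report())
```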
13
Cyber Research
“For historical reasons, no federal funding agency has assumed responsibility for supporting basic research in this area--not the Defense Advanced Research Projects Agency (DARPA), not the National Science Foundation (NSF), not the Department of Energy (DoE), not the National Security Agency (NSA). Because no funding agency feels it "owns" this problem, relatively small, sporadic research projects have been funded, but no one has questioned the underlying assumptions on cyber security that were established in the 1960s mainframe environment.”
Wm. A. Wulf, Ph.D., President, National Academy of Engineering and AT&T Professor of Engineering and Applied Science, University of Virginia, before the House Science Committee, U.S. House of Representatives, October 10, 2001
http://www.nae.edu/nae/naehome.nsf/weblinks/MKEZ-542KBP?OpenDocument