DEFENSE LOGISTICS AGENCY
METRICS AND CONTROLS FOR DEFENSE IN DEPTH
AN INFORMATION TECHNOLOGY SECURITY ASSESSMENT INITIATIVE
Purpose
• Provide an overview of the DLA Information Assurance initiative entitled Metrics and Controls for Defense in Depth (McDiD)
• Illustrate how McDiD applies the Federal Information Technology Security Assessment Framework within the DoD Information Technology Security Certification and Accreditation Process (DITSCAP)
McDiD Impetus
• Department of Defense Mandate
• DoD Directive 5200.28, Security Requirements for Automated Information Systems (AIS), 21 March 1988, mandates the accreditation of all AIS, including stand-alone personal computers, connected systems and networks.
• DoD Instruction 5200.40, DoD Information Technology Security Certification and Accreditation Process (DITSCAP), 1 November 1999, establishes a four-phase process, required activities and general certification and accreditation criteria.
• DoD Chief Information Officer Guidance and Policy Memorandum No. 6-8510, DoD Global Information Grid (GIG) Information Assurance (IA), June 16, 2000, directed that DoD develop an enterprise-wide IA architectural overlay to implement a strategy of layered defense (defense-in-depth).
• Chairman of the Joint Chiefs of Staff Instruction 6510.04, Information Assurance Metrics, 15 March 2000, establishes reporting requirements for the Chairman's Joint Monthly Readiness Reports.
• Need for Improved Security
• Internetworking is increasing the business/mission impact of disruption.
• Vulnerability is increasing due to the ease of access to cyber weapons and capabilities.
• Agency security assessment program has revealed systemic security issues.
McDiD Objectives
• Leverage an existing mandatory program, DITSCAP, as the “container” and delivery mechanism for all information assurance requirements and initiatives
• Shift certification and accreditation focus and resources from documentation & reporting to active security management
• Improve quality and consistency of certification and accreditation efforts
• Create an integrated enterprise management view to:
  • Support information assurance oversight
  • Ensure protection across accreditation boundaries
  • Distinguish enterprise versus local roles and responsibilities
• Make policy and technical information easily accessible to DLA security professionals
• Facilitate and enable information/best practices exchange and collaboration within the DLA security community
• Structure information so as to:
  • Satisfy multiple information assurance reporting requirements
  • Maximize information reuse among related programs and disciplines, e.g., Architecture, Program and Budget, Asset Management, Configuration Management, Continuity Planning
  • Provide for continuous Information Assurance process improvement
Federal Information Technology Security Assessment Framework

Levels:
1. Documented Policy
2. Documented Procedures & Controls
3. Implemented Procedures & Controls
4. Tested and Reviewed Procedures & Controls
5. Fully Integrated Procedures and Controls
DoD Information Technology Security Certification and Accreditation Process

Phase 0 [Implicit]
• Department and Agency policies are established
• C&A process is established

Phase 1: Definition
• SSAA is drafted
• Security requirements are identified
• SSAA is negotiated and approved

Phase 2: Verification
• Security procedures and controls are implemented

Phase 3: Validation
• Compliance with controls is independently tested
• Authority to Operate is granted

Phase 4: Post Accreditation
• SSAA is updated to reflect changes in the IT baseline
• Security assessment is updated quarterly
• Compliance with controls is periodically independently tested
Certification & Accreditation Roles & Responsibilities
Phase 0,1: Identify Security Requirements and Develop Corresponding Controls
  Enterprise Program Manager:
  • Assess enterprise threat
  • Assess IT trends
  • Assess existing Department and Agency governances
  • Formulate/update Agency policy
  • Develop enterprise level controls
  Network or System Manager:
  • Assess local and network or system level security governances, IT configuration, and system/network specific threats
  • Supplement enterprise controls as required

Phase 2: Implement Controls
  Enterprise Program Manager:
  • Provide resources and technical guidance as required
  • Develop test procedures to validate implementation
  Network or System Manager:
  • Implement security controls

Phase 3: Validate Effectiveness of Controls
  Enterprise Program Manager:
  • Conduct enterprise or agency-wide validation, e.g., vulnerability assessments, penetration testing
  Network or System Manager:
  • Conduct network or system level testing, e.g., review of plans and procedures

Phase 4: Continuously Improve Security Posture, Policy and Controls
  Enterprise Program Manager:
  • Assess enterprise security profile revealed by Phase 3
  • Assess process feedback collected during Phases 2-3
  • Repeat Phase 1 quarterly and as needed
  • Repeat Phase 3 annually
  Network or System Manager:
  • Repeat Phase 1 quarterly
  • Repeat Phase 3 annually
  • Provide feedback to HQ
Security Controls - Translate General Requirements into Actionable and Testable Objective Security Conditions
2.1. CONFIGURATION CONTROL BOARD.
All information systems are under the control of a chartered Configuration Control Board (CCB) that meets regularly and reports to the appropriate Commander. The CCB membership includes an Information Assurance representative. A record of CCB activities is maintained.

Metric Rating (explain or justify your rating for this control):
C4: No CCB capability exists.
C3: A CCB is being planned.
C2: A CCB exists, but does not have a charter signed by the Commander. (Does not include IA membership.)
C1: A chartered CCB (including IA representation) meets regularly and reports to the Commander. A record of CCB activities is maintained.
Controls are Derived from Many Sources

Master list of IA Controls (Control Number, Control Name, Control Description), each with Metrics, drawn from:
• National & DoD Policy
• DLA Policy
• DLA Program Review Findings
• Vulnerability Assessments
• IG/GAO/Other Audit Findings
• Agency System / Network Connection Agreements
• Commercial Best Practices
• Local Security Policy
• Local System / Network Connection Agreements
• Local Configuration Mgmt Practices
• Information Category (Sensitivity and Classification)
• DAA Specified Requirements

Legend: the figure distinguishes DLA Wide sources from System Specific sources.
A COTS Requirements Management System Maintains Controls Traceability
• Provides "provenance" or traceability to the authority for, or origin of, each control
• Ensures all policy mandates are addressed
• Supports Agency level policy assessment and formulation
• Enables continuous improvement of controls
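The two checks the slide attributes to the requirements management system (every control traces to an authority; every mandate is covered by a control) are a coverage check over a traceability matrix. The following is an added example written for this page, not the COTS tool DLA used and not DLA code. The four authorities are the mandates from the McDiD Impetus slide and control 2.1 is the CCB control shown above; which authority 2.1 derives from, the two extra controls 2.2 and 2.3, and the per-system ratings are constructed for illustration.

```python
"""Control-to-authority traceability check (added example, not DLA's COTS tool)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Authority:
    ref: str       # short citation of the mandate
    mandate: str   # one-line summary of what it requires


@dataclass
class Control:
    number: str
    name: str
    description: str
    scope: str                  # "DLA Wide" or "System Specific"
    sources: tuple[str, ...]    # Authority.ref values this control is derived from
    metric: dict[str, str]      # rating code -> objective condition (C1 best, C4 worst)


# Authorities taken from the McDiD Impetus slide.
AUTHORITIES = [
    Authority("DoDD 5200.28", "Accredit all AIS, including stand-alone PCs, connected systems and networks"),
    Authority("DoDI 5200.40", "Follow the four-phase DITSCAP for certification and accreditation"),
    Authority("DoD CIO G&PM 6-8510", "Implement a layered defense (defense-in-depth) IA architecture"),
    Authority("CJCSI 6510.04", "Report IA metrics for the Joint Monthly Readiness Report"),
]

# Metric scale copied from control 2.1 on the deck.
CCB_METRIC = {
    "C4": "No CCB capability exists.",
    "C3": "A CCB is being planned.",
    "C2": "A CCB exists, but does not have a charter signed by the Commander.",
    "C1": "A chartered CCB (including IA representation) meets regularly and reports to the Commander.",
}

CONTROLS = [
    # The source mapping for 2.1 is assumed; the deck does not state it.
    Control("2.1", "Configuration Control Board",
            "All information systems are under the control of a chartered CCB.",
            "DLA Wide", ("DoDI 5200.40",), CCB_METRIC),
    # Constructed: cites a reference that is not in the authority list (dangling reference).
    Control("2.2", "Quarterly Security Assessment Update", "Constructed placeholder.",
            "DLA Wide", ("DLA Local Policy (draft)",), {}),
    # Constructed: cites nothing at all (orphan control with no provenance).
    Control("2.3", "Local Password Policy", "Constructed placeholder.",
            "System Specific", (), {}),
]


def trace_controls(controls: list[Control], authorities: list[Authority]) -> dict[str, list[str]]:
    """Coverage check in both directions: controls without provenance, references to
    unknown authorities, and mandates that no control addresses."""
    known = {a.ref for a in authorities}
    cited = {ref for c in controls for ref in c.sources}
    return {
        "orphan_controls": [c.number for c in controls if not c.sources],
        "dangling_refs": sorted(cited - known),
        "unaddressed_mandates": sorted(known - cited),
    }


def provenance(control_number: str, controls: list[Control], authorities: list[Authority]) -> list[tuple[str, str]]:
    """The 'trace back' view: the (reference, mandate) pairs a control is derived from."""
    by_ref = {a.ref: a for a in authorities}
    ctl = next(c for c in controls if c.number == control_number)
    return [(ref, by_ref[ref].mandate) for ref in ctl.sources if ref in by_ref]


def rate(control: Control, code: str) -> str:
    """Validate a reported rating against the control's own metric scale."""
    if code not in control.metric:
        raise ValueError(f"{code!r} is not a valid rating for control {control.number}; "
                         f"expected one of {sorted(control.metric)}")
    return control.metric[code]


def enterprise_view(ratings: dict[str, dict[str, str]], controls: list[Control]) -> dict[str, dict[str, int]]:
    """Roll per-system ratings ({system: {control: code}}) up to a per-control count of
    each rating code, rejecting codes that are not on the control's scale."""
    by_number = {c.number: c for c in controls}
    summary: dict[str, dict[str, int]] = {}
    for system, per_control in ratings.items():
        for number, code in per_control.items():
            rate(by_number[number], code)  # raises on an invalid code
            summary.setdefault(number, {})
            summary[number][code] = summary[number].get(code, 0) + 1
    return summary


if __name__ == "__main__":
    for kind, items in trace_controls(CONTROLS, AUTHORITIES).items():
        print(f"{kind}: {items}")
    print(provenance("2.1", CONTROLS, AUTHORITIES))
    # Constructed ratings for three systems against control 2.1.
    print(enterprise_view({"SysA": {"2.1": "C1"}, "SysB": {"2.1": "C2"}, "SysC": {"2.1": "C1"}}, CONTROLS))
```

Run on the constructed data, the check reports 2.3 as an orphan, the draft DLA policy as a dangling reference, and three of the four mandates as unaddressed, which is the kind of gap the slide says the traceability system exists to surface before an audit does.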
A COTS Free Form Database Provides a Repository for IA Reference Material
• Enables research and analysis with LexisNexis-like functionality
• Makes IA reference material widely available via the web
Standard Tools and Methods Improve the Quality and Consistency of the Certification and Accreditation Process

1. Centralized authorship and promulgation of the enterprise portions
2. Narrative translated into "fill in the blank" for: Threat Assessment, Security Requirements (Controls), Security CONOPS, Test & Evaluation Procedures, Risk Assessment
3. Centralized development and promulgation of standard templates for Authors, Testers, & Reviewers
4. Centralized administration of a web-based COTS Configuration Management system for SSAA document management and workflow
DATA TYPE AND FLOW (SSAA template columns; Date Last Updated: 2/19/01)

• Functional Data Category [e.g., e-mail, network management traffic, IDS data, financial, contract, requirements, requisitions, etc.]
• Data Type [Unclassified, Privacy Act, Financially Sensitive, Admin/Other, Confidential, Secret, Top Secret, Compartmented / Special Access]
• User Clearance Level [Uncleared, NonSensitive, NonCritical Sensitive, Critical Sensitive, Confidential, Secret, Top Secret, Compartmented/SA]
• Data Source (Originating System, Subsystem or Module)
• Receiving System or Module
• Transmission Mode [Intranet, Internet, Web, FTP, Telnet, Stand Alone, Manual Procedure, VAN, Other]
• Protection Mechanism [VPN, SSL, Secure Shell, Other]
• C&A Status of Interfacing System
McDiD is Administered Through a Comprehensive IA Knowledge-Base (CIAK)

Figure elements: System Security Authorization Agreement; Master list of IA Controls (Number, Name, Description); "Better, Cheaper, Faster".
Sample knowledge-base entry (a placeholder DoD Directive, number "xxxx.xx", repeated on several slides as the navigation illustration):

Department of Defense
DIRECTIVE April 1, 2000 NUMBER xxxx.xx
Subject: Computer Network Defense (CND) ASD(C3I)
References: (a) DoD 5025.1-M, (b) DoD Directive S-3600-1, (c) DoD Directive 5160
1. PURPOSE
1.1. Establishes computer network defense (CND) policy, definition, and responsibilities within the Department of Defense.
1.2. Authorizes the publication of DoD xxxx.xx-R/M/I, consistent with DoD 5025.1-M (reference (a)).
2. APPLICABILITY
This Directive applies to the Office of the Secretary of Defense (OSD); the Military Departments; the Chairman of the Joint Chiefs of Staff; the Combatant Commands; the Inspector General of the Department of Defense (IG, DoD); the Defense Agencies and DoD field activities (hereafter referred to collectively as "the DoD Components").

Navigation Aid for "Drill Down" to Supporting Engineering Guides and Contract Clauses

Navigation Aid to "Trace Back" to Policy & Requirements
Each Control is Supported by Metrics

Metric attributes (figure column headings): Countermeasure Class; Attacks; Threat Level; Value of Information; Security Service; Technical Countermeasures; Nontechnical Countermeasures; Robustness; Service Element; Technology; Technology Gaps; Mechanisms.

McDiD Implementation Schedules Drive C&A and Budget

CIAK Feeds Defense Operational Readiness Reporting System

Controls Provide an "Index" for the IA Knowledge-Base
Conclusion
The McDiD Information Assurance initiative, while still early in its implementation, has:
– Reduced SSAA preparation costs & time by an order of magnitude
– Improved quality
  • Standard controls & metrics
  • Standard scope & level of effort
  • Infused learning & common understanding
– Identified additional opportunities for collaboration and process improvement