METRICS AND CONTROLS FOR DEFENSE IN DEPTH

AN INFORMATION TECHNOLOGY SECURITY ASSESSMENT INITIATIVE

DEFENSE LOGISTICS AGENCY XXI

Page 1: Title

Page 2: Purpose

• Provide an overview of the DLA Information Assurance initiative entitled Metrics and Controls for Defense in Depth (McDiD)

• Illustrate how McDiD applies the Federal Information Technology Security Assessment Framework within the DoD Information Technology Security Certification and Accreditation Process (DITSCAP)

Page 3: McDiD Impetus

• Department of Defense Mandate

  • DoD Instruction 5200.28, Security Requirements for Automated Information Security Systems (AIS), 21 March 1988, mandates the accreditation of all AIS, including stand-alone personal computers, connected systems and networks.

  • DoD Instruction 5200.40, DoD Information Technology Security Certification and Accreditation Process (DITSCAP), 1 November 1999, established a four-phase process, required activities and general certification and accreditation criteria.

  • DoD Chief Information Officer Guidance and Policy Memorandum No. 6-8510, DoD Global Information Grid (GIG) Information Assurance (IA), June 16, 2000, directed that DoD develop an enterprise-wide IA architectural overlay to implement a strategy of layered defense (defense-in-depth).

  • Chairman of the Joint Chiefs of Staff Instruction 6510.04, Information Assurance Metrics, 15 March 2000, establishes reporting requirements for the Chairman’s Joint Monthly Readiness Reports.

• Need for Improved Security

  • Internetworking is increasing the business/mission impact of disruption.

  • Vulnerability is increasing due to the ease of access to cyber weapons and capabilities.

  • The Agency security assessment program has revealed systemic security issues.

Page 4: McDiD Objectives

• Leverage an existing mandatory program, DITSCAP, as the “container” and delivery mechanism for all information assurance requirements and initiatives

• Shift certification and accreditation focus and resources from documentation & reporting to active security management

• Improve quality and consistency of certification and accreditation efforts

• Create an integrated enterprise management view to:

  • Support information assurance oversight

  • Ensure protection across accreditation boundaries

  • Distinguish enterprise versus local roles and responsibilities

• Make policy and technical information easily accessible to DLA security professionals

• Facilitate and enable information/best practices exchange and collaboration within the DLA security community

• Structure information so as to:

  • Satisfy multiple information assurance reporting requirements

  • Maximize information reuse among related programs and disciplines, e.g., Architecture, Program and Budget, Asset Management, Configuration Management, Continuity Planning

  • Provide for continuous Information Assurance process improvement

Page 5: Federal Information Technology Security Assessment Framework

Levels:

1. Documented Policy

2. Documented Procedures & Controls

3. Implemented Procedures & Controls

4. Tested and Reviewed Procedures & Controls

5. Fully Integrated Procedures and Controls

Page 6: DoD Information Technology Security Certification and Accreditation Process

Phase 0 [Implicit]

• Department and Agency policies are established

• C&A process is established

Phase 1: Definition

• SSAA is drafted

• Security requirements are identified

• SSAA is negotiated and approved

Phase 2: Verification

• Security procedures and controls are implemented

Phase 3: Validation

• Compliance with controls is independently tested

• Authority to Operate is granted

Phase 4: Post Accreditation

• SSAA is updated to reflect changes in the IT baseline

• Security assessment is updated quarterly

• Compliance with controls is periodically and independently tested

Page 7: Certification & Accreditation Roles & Responsibilities

Phases 0, 1 – Identify Security Requirements and Develop Corresponding Controls

  Enterprise Program Manager: Assess enterprise threat; assess IT trends; assess existing Department and Agency governances; formulate/update Agency policy; develop enterprise level controls

  Network or System Manager: Assess local and network or system level security governances, IT configuration, and system/network specific threats; supplement enterprise controls as required

Phase 2 – Implement Controls

  Enterprise Program Manager: Provide resources and technical guidance as required; develop test procedures to validate implementation

  Network or System Manager: Implement security controls

Phase 3 – Validate Effectiveness of Controls

  Enterprise Program Manager: Conduct enterprise or agency-wide validation, e.g., vulnerability assessments, penetration testing

  Network or System Manager: Conduct network or system level testing, e.g., review of plans and procedures

Phase 4 – Continuously Improve Security Posture, Policy and Controls

  Enterprise Program Manager: Assess enterprise security profile revealed by Phase 3; assess process feedback collected during Phases 2-3; repeat Phase 1 quarterly and as needed; repeat Phase 3 annually

  Network or System Manager: Repeat Phase 1 quarterly; repeat Phase 3 annually; provide feedback to HQ

Page 8: Security Controls – Translate General Requirements into Actionable and Testable Objective Security Conditions

Control record layout: Control Number, Control Name, Control Description, Metrics, Rating, Explain or Justify Your Rating for this Control

Control Number: 2.1

Control Name: CONFIGURATION CONTROL BOARD

Control Description: All information systems are under the control of a chartered Configuration Control Board (CCB) that meets regularly and reports to the appropriate Commander. The CCB membership includes an Information Assurance representative. A record of CCB activities is maintained.

Metrics:

C4: No CCB capability exists.

C3: A CCB is being planned.

C2: A CCB exists, but does not have a charter signed by the Commander. (Does not include IA membership.)

C1: A chartered CCB (including IA representation) meets regularly and reports to the Commander. A record of CCB activities is maintained.

Rating: (C1–C4) – Explain or Justify Your Rating for this Control

Page 9: Controls are Derived from Many Sources

Master list of IA Controls (Number, Name, Description) is fed by:

• National & DoD Policy

• DLA Policy

• DLA Program Review Findings

• Vulnerability Assessments

• IG/GAO/Other Audit Findings

• Agency System / Network Connection Agreements

• Commercial Best Practices

• Local Security Policy

• Local System / Network Connection Agreements

• Local Configuration Mgmt Practices

• Information Category (Sensitivity and Classification)

• DAA Specified Requirements

Legend: sources are marked as DLA Wide or System Specific

Page 10: A COTS Requirements Management System Maintains Controls Traceability

• Provides “provenance” or traceability to the authority for, or origin of, each control

• Ensures all policy mandates are addressed

• Supports Agency level policy assessment and formulation

• Enables continuous improvement of controls
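The control record on page 8 (number, name, description, a C1–C4 metric scale with a justification column) and the traceability requirement on this page describe one data model: a control whose rating must be an objective, testable condition and whose origin can be traced back to an authority. The following is an added example, not part of the DLA presentation or of any DLA tool, that models that record in Python and checks an assessment against it. Control 2.1 and its metric text are copied from the slide; the `sources` references attached to it, the `Assessment` class, and the `validate`, `summarize` and `needs_action` functions are assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Metric scale used on the slides: C1 is the condition that fully satisfies
# the control, C4 the worst case. Lower number means better posture.
RATING_ORDER = ("C1", "C2", "C3", "C4")


@dataclass(frozen=True)
class Control:
    """One entry of the master list of IA controls: number, name, description,
    its objective metric conditions, and the authorities it traces back to."""
    number: str
    name: str
    description: str
    metrics: dict[str, str]          # rating code -> objective, testable condition
    sources: tuple[str, ...] = ()    # provenance: policy, audit finding, agreement, ...


@dataclass(frozen=True)
class Assessment:
    """A rating assigned to a control for one system, with the assessor's
    explanation (the 'Explain or Justify Your Rating' column)."""
    control: Control
    rating: str
    justification: str = ""


# Control 2.1 as printed on the slide. The two source references are
# constructed placeholders; the slides say controls derive from National and
# DoD policy, DLA policy, audit findings and so on, but do not name the
# specific authority behind this control.
CCB = Control(
    number="2.1",
    name="CONFIGURATION CONTROL BOARD",
    description=(
        "All information systems are under the control of a chartered "
        "Configuration Control Board (CCB) that meets regularly and reports "
        "to the appropriate Commander. The CCB membership includes an "
        "Information Assurance representative. A record of CCB activities "
        "is maintained."
    ),
    metrics={
        "C4": "No CCB capability exists.",
        "C3": "A CCB is being planned.",
        "C2": "A CCB exists, but does not have a charter signed by the "
              "Commander. (Does not include IA membership.)",
        "C1": "A chartered CCB (including IA representation) meets regularly "
              "and reports to the Commander. A record of CCB activities is "
              "maintained.",
    },
    sources=("DoD policy [placeholder reference]",
             "DLA policy [placeholder reference]"),
)


def validate(a: Assessment) -> list[str]:
    """Return the problems with an assessment; an empty list means it is
    acceptable. Checks: the rating is on the control's own scale, anything
    short of C1 carries a justification, and the control is traceable."""
    problems: list[str] = []
    if a.rating not in a.control.metrics:
        problems.append(f"{a.control.number}: rating {a.rating!r} is not on "
                        f"the control's metric scale")
    elif a.rating != "C1" and not a.justification.strip():
        problems.append(f"{a.control.number}: rating {a.rating} requires "
                        f"a justification")
    if not a.control.sources:
        problems.append(f"{a.control.number}: control has no source "
                        f"authority (traceability gap)")
    return problems


def summarize(assessments: list[Assessment]) -> dict[str, int]:
    """Count ratings per level, in scale order, for a roll-up view."""
    counts = {r: 0 for r in RATING_ORDER}
    for a in assessments:
        if a.rating in counts:
            counts[a.rating] += 1
    return counts


def needs_action(assessments: list[Assessment]) -> list[str]:
    """Control numbers rated below C1, worst rating first."""
    below = [a for a in assessments
             if a.rating in RATING_ORDER and a.rating != "C1"]
    below.sort(key=lambda a: RATING_ORDER.index(a.rating), reverse=True)
    return [a.control.number for a in below]


if __name__ == "__main__":
    # Constructed sample: the CCB control rated for two systems.
    sample = [
        Assessment(CCB, "C1", "Charter signed; minutes on file."),
        Assessment(CCB, "C3", "CCB charter in draft, IA rep identified."),
    ]
    for a in sample:
        print(a.control.number, a.rating, validate(a) or "ok")
    print(summarize(sample))
    print(needs_action(sample))
```

The point of `validate` is that a rating only counts if it names a condition the control itself defines, that anything short of C1 is explained (as the slide's rating column asks), and that a control with no source authority is flagged rather than silently accepted, which is the traceability gap a requirements management system exists to prevent.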

Page 11: A COTS Free Form Database Provides a Repository for IA Reference Material

• Enables research and analysis with LexisNexis-like functionality

• Makes IA reference material widely available via the web

Page 12: Standard Tools and Methods Improve the Quality and Consistency of the Certification and Accreditation Process

1. Centralized authorship and promulgation of the enterprise portions

2. Narrative translated into “fill in the blank”:

  • Threat Assessment

  • Security Requirements (Controls)

  • Security CONOPS

  • Test & Evaluation Procedures

  • Risk Assessment

3. Centralized development and promulgation of standard templates for Authors, Testers, & Reviewers

4. Centralized administration of a web-based COTS Configuration Management system for SSAA document management and workflow

System Security Authorization Agreement – Better, Cheaper, Faster

DATA TYPE AND FLOW (template columns; Date Last Updated: 2/19/01)

• Functional Data Category [e.g., e-mail, network management traffic, IDS data, financial, contract, requirements, requisitions, etc.]

• Data Type [Unclassified, Privacy Act, Financially Sensitive, Admin/Other, Confidential, Secret, Top Secret, Compartmented / Special Access]

• User Clearance Level [Uncleared, NonSensitive, NonCritical Sensitive, Critical Sensitive, Confidential, Secret, Top Secret, Compartmented/SA]

• Data Source (Originating System, Subsystem or Module)

• Receiving System or Module

• Transmission Mode [Intranet, Internet, Web, FTP, Telnet, Stand Alone, Manual Procedure, VAN, Other]

• Protection Mechanism [VPN, SSL, Secure Shell, Other]

• C&A Status of Interfacing System

Page 13: McDiD is Administered Through a Comprehensive IA Knowledge-Base (CIAK)

Master list of IA Controls (Number, Name, Description)

Controls Provide an “Index” for the IA Knowledge-Base

Each Control is Supported by Metrics

Navigation Aid to “Trace Back” to Policy & Requirements

Navigation Aid for “Drill Down” to Supporting Engineering Guides and Contract Clauses

Sample policy document held in the knowledge-base:

Department of Defense

DIRECTIVE April 1, 2000 NUMBER xxxx.xx

Subject: Computer Network Defense (CND) ASD(C3I)

References: (a) DoD 5025.1-M, (b) DoD Directive S-3600-1, (c) DoD Directive 5160

1. PURPOSE

1.1. Establishes computer network defense (CND) policy, definition, and responsibilities within the Department of Defense.

1.2. Authorizes the publication of DoD xxxx.xx-R/M/I, consistent with DoD 5025.1-M (reference (a)).

2. APPLICABILITY

This Directive applies to the Office of the Secretary of Defense (OSD); the Military Departments; the Chairman of the Joint Chiefs of Staff; the Combatant Commands; the Inspector General of the Department of Defense (IG, DoD); the Defense Agencies and DoD field activities (hereafter referred to collectively as "the DoD Components").

Countermeasure matrix headings: Countermeasure Class, Attacks, Threat Level, Value of Information, Security Service, Technical Countermeasures, Nontechnical Countermeasures, Robustness, Service Element, Technology, Technology Gaps, Mechanisms

McDiD Implementation Schedules Drive C&A and Budget

CIAK Feeds Defense Operational Readiness Reporting System

Page 14: Conclusion

The McDiD Information Assurance initiative, while still early in its implementation, has:

– Reduced SSAA preparation costs & time by an order of magnitude

– Improved quality

  • Standard controls & metrics

  • Standard scope & level of effort

  • Infused learning & common understanding

– Identified additional opportunities for collaboration and process improvement