Cybersecurity Planning Lunch and Learn

3 May 2017
Presenter: Mr. Tyrone “Ty” Theriot, CNE, [email protected], 703-805-4983
Moderator: LtCol Stephani Hunsinger, USAF, CNE, [email protected], 703-805-5212

DoDI 8510.01, RMF 6 Step Process

This iterative process parallels the system life cycle, with the RMF activities being initiated at program or system inception.

Of the six RMF steps, this Lunch and Learn focuses only on Step 1 (Categorize System) and Step 2 (Select Security Controls).

RMF Integration across the Acquisition Lifecycle

(Figure: SYSTEM SECURITY ENGINEERING (SSE) activities laid over the acquisition lifecycle. Phases: Materiel Solution Analysis; Technology Maturation & Risk Reduction; Engineering & Manufacturing Development; Production & Deployment (LRIP, FRP Decision); Operations & Support (Sustainment, Disposal). Milestones and decision points: Materiel Development Decision, A, B, C, DRFP RD, IOC, FOC. Requirements documents: ICD, Draft CDD, CDD, CDD-V, CPD. Program events and artifacts shown: Establish Cybersecurity WIPT; CSSSP, CMS; SRR; ASSEP, TEMP; Influence Design/RFP; Builds 0.1, 1.1, 1.2, 1.3, 1.4, 2.1, 3.1, 3.2. RMF steps placed on the timeline: 1 CATEGORIZE System and 2 SELECT Security Controls.)

SSE - MSA Phase:
• Include System Security in Design Trades
• Leverage Threat Data
• Evaluate CONOPS
• Perform initial Criticality Analysis

Presentation Notes: This is from the DAU website: https://acc.dau.mil/CommunityBrowser.aspx?id=740975

PM and Cybersecurity

The PM is responsible for meeting cybersecurity requirements throughout the lifecycle of the program. Cybersecurity is defined as:

“Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation”

PMs and Chief Engineers/Lead Systems Engineers who are unfamiliar with the details of the DoD cybersecurity regulations and policies should consider the following three security objectives when trying to balance specific cybersecurity requirements with the other requirements that apply to their system: Confidentiality, Integrity and Availability

DoD Program Manager’s Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle Sept 2015

Presentation Notes: Walked through these – what do they mean. We look at the top 3 (Confidentiality, Integrity and Availability) and determine the risk (RMF); these drive the security controls.

Cybersecurity Requirements

RMF Step 1: Categorize System
• Categorize the system in accordance with CNSSI 1253
• Initiate the Security Plan
• Register system with DoD Component Cybersecurity Program
• Assign qualified personnel to RMF roles

OSD RMF Knowledge Service https://rmfks.osd.mil/rmf/RMFImplementation/Categorize/Pages/DoDIS.aspx

Presentation Notes: We are only asking the students to perform a piece of this for the EMW (Categorize the system). The other areas represent what is needed to perform all of Step 1.

Cybersecurity Requirements

RMF Step 1: Categorize System

For NSS, the Security Categorization Task (RMF Step 1, Task 1-1) is a two-step process:
1. Determine impact values: (i) for the information type(s) processed, stored, transmitted, or protected by the information system; and (ii) for the information system.
2. Identify overlays that apply to the information system and its operating environment to account for additional factors (beyond impact) that influence the selection of security controls.

http://www.dss.mil/documents/CNSSI_No1253.pdf


Categorization Definitions (44 U.S.C., Section 3542)

CONFIDENTIALITY: Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.

INTEGRITY: Guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity.

AVAILABILITY: Ensuring timely and reliable access to and use of information.

OSD RMF Knowledge Service https://rmfks.osd.mil/rmf/RMFImplementation/Categorize/Pages/DoDIS.aspx

Confidentiality Factors

Answers to the following questions will help in the evaluation process:

• How can a malicious adversary use the unauthorized disclosure of information to do limited/serious/severe harm to agency operations, agency assets, or individuals?

• How can a malicious adversary use the unauthorized disclosure of information to gain control of agency assets that might result in unauthorized modification of information, destruction of information, or denial of system services that would result in limited/serious/severe harm to agency operations, agency assets, or individuals?

• Would unauthorized disclosure/dissemination of elements of the information type violate laws, executive orders, or agency regulations?

NIST Special Publication 800-60 Volume I Revision 1

Integrity Factors

Answers to the following questions will help in the evaluation process:

• How can a malicious adversary use the unauthorized modification or destruction of information to do limited/serious/severe harm to agency operations, agency assets, or individuals?

• Would unauthorized modification/destruction of elements of the information type violate laws, executive orders, or agency regulations?

NIST Special Publication 800-60 Volume I Revision 1

Presentation Notes: Unauthorized modification or destruction of information can take many forms. The changes can be subtle and hard to detect, or they can occur on a massive scale. One can construct an extraordinarily wide range of scenarios for modification of information and its likely consequences. Just a few examples include forging or modifying information to:
• Reduce public confidence in an agency;
• Fraudulently achieve financial gain;
• Create confusion or controversy by promulgating a fraudulent or incorrect procedure;
• Initiate confusion or controversy through false attribution of a fraudulent or false policy;
• Influence personnel decisions;
• Interfere with or manipulate law enforcement or legal processes;
• Influence legislation; or
• Achieve unauthorized access to government information or facilities.

Availability Factors

Answers to the following questions will help in the evaluation process:

• How can a malicious adversary use the disruption of access to or use of information to do limited/serious/severe harm to agency operations, agency assets, or individuals?

• Would disruption of access to or use of elements of the information type violate laws, executive orders, or agency regulations?

NIST Special Publication 800-60 Volume I Revision 1

Presentation Notes: For many information types and information systems, the availability impact level depends on how long the information or system remains unavailable. Undetected loss of availability can be catastrophic for many information types. For example, permanent loss of budget execution, contingency planning, continuity of operations, service recovery, debt collection, taxation management, personnel management, payroll management, security management, inventory control, logistics management, or accounting information databases would be catastrophic for almost any agency. Complete reconstruction of such databases would be time consuming and expensive.

In most cases, the adverse effects of a limited-duration availability compromise on an organization’s mission functions and public confidence will be limited. In contrast, for time critical information types, availability is less likely to be restored before serious harm is done to agency assets, operations, or personnel (or to public welfare). In such instances, the documented availability impact level recommendations should indicate the information is time-critical and the basis for criticality.

Confidentiality, Integrity and Availability Impact Levels


Potential Impact Definitions from CNSSI 1253, Section 3.1:

LOW: If the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

MODERATE: If the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals and exceeds mission expectations.

HIGH: If the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals and exceeds mission expectations.

(Slide 13: figure; source: NIST Special Publication 800-60 Volume I Revision 1)

RMF Step 1: Categorize System (example)

Defense-in-Depth Functional Implementation Architecture (DFIA) Defense Level MML

Information Type        Impact Values
                        C   I   A
Logistics               L   L   L
Intelligence            L   M   L
Targeting               M   L   L
Surveillance            L   L   L
Reconnaissance          L   L   L
Mine Detection          L   L   L
System Categorization   M   M   L   (High Water Mark)

Determine the system categorization impact level for Confidentiality, Integrity and Availability by determining impact values for each information type and rolling them up into a high water mark for each objective.

Work with your Security Control Assessor to tailor.
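The roll-up on this slide, carried out as an added worked example in Python (this is not code from the presentation or from the OSD RMF Knowledge Service): it takes the slide's six information types with their C/I/A values, computes the high water mark for each objective separately, and renders both the DFIA "MML" label and the FIPS 199 / SP 800-60 style SC notation. The function and constant names (categorize_system, defense_level, security_category, IMPACT_ORDER) and the extra "Fire Control" information type used at the end, which shows how a single HIGH value drives the roll-up, are this example's own assumptions and do not appear on the slide.

```python
"""RMF Step 1 (Categorize): high-water-mark roll-up of information-type impact values.

Added example; not code from the original slide deck. The information types and
their L/M/H values are transcribed from the slide's DFIA example table; the
function and constant names are this example's own.
"""
from typing import Dict, Iterable, Tuple

IMPACT_ORDER = {"L": 0, "M": 1, "H": 2}
IMPACT_NAME = {"L": "LOW", "M": "MODERATE", "H": "HIGH"}
OBJECTIVES = ("confidentiality", "integrity", "availability")
Triple = Tuple[str, str, str]

# (C, I, A) impact values per information type, from the slide's example table.
SLIDE_INFO_TYPES: Dict[str, Triple] = {
    "Logistics":      ("L", "L", "L"),
    "Intelligence":   ("L", "M", "L"),
    "Targeting":      ("M", "L", "L"),
    "Surveillance":   ("L", "L", "L"),
    "Reconnaissance": ("L", "L", "L"),
    "Mine Detection": ("L", "L", "L"),
}


def high_water_mark(values: Iterable[str]) -> str:
    """Highest of a collection of L/M/H impact values; anything else is rejected."""
    values = list(values)
    if not values:
        raise ValueError("no impact values supplied")
    for v in values:
        if v not in IMPACT_ORDER:
            raise ValueError(f"impact value must be L, M or H, got {v!r}")
    return max(values, key=IMPACT_ORDER.__getitem__)


def categorize_system(info_types: Dict[str, Triple]) -> Triple:
    """System (C, I, A) categorization, rolling up each objective separately.

    Confidentiality is the high water mark of every information type's
    confidentiality value, and likewise for integrity and availability. The
    three values stay separate (as CNSSI 1253 does for NSS) instead of being
    collapsed into one overall system level.
    """
    if not info_types:
        raise ValueError("at least one information type is required")
    columns = zip(*info_types.values())  # C column, I column, A column
    c, i, a = (high_water_mark(col) for col in columns)
    return (c, i, a)


def defense_level(categorization: Triple) -> str:
    """Compact label used on the slide, e.g. ('M', 'M', 'L') -> 'MML'."""
    return "".join(categorization)


def security_category(categorization: Triple) -> str:
    """FIPS 199 / SP 800-60 notation for the security category (SC)."""
    pairs = ", ".join(f"({obj}, {IMPACT_NAME[lvl]})"
                      for obj, lvl in zip(OBJECTIVES, categorization))
    return "SC = {" + pairs + "}"


def categorization_table(info_types: Dict[str, Triple]) -> str:
    """Render the slide's table: one row per information type plus the roll-up row."""
    sc, si, sa = categorize_system(info_types)  # validates the input first
    rollup = "System Categorization"
    width = max(len(rollup), *(len(n) for n in info_types)) + 2
    lines = [f"{'Information Type':<{width}}C  I  A"]
    for name, (c, i, a) in info_types.items():
        lines.append(f"{name:<{width}}{c}  {i}  {a}")
    lines.append(f"{rollup:<{width}}{sc}  {si}  {sa}   (high water mark)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(categorization_table(SLIDE_INFO_TYPES))
    print(security_category(categorize_system(SLIDE_INFO_TYPES)))
    # One added information type with HIGH availability (an assumed type, not
    # on the slide) raises the whole system's availability level on its own.
    extended = dict(SLIDE_INFO_TYPES, **{"Fire Control": ("M", "M", "H")})
    print(defense_level(categorize_system(extended)))
```

The per-objective roll-up is the point: the system is MODERATE for confidentiality because of Targeting alone and MODERATE for integrity because of Intelligence alone, while availability stays LOW. CNSSI 1253 keeps the three values separate rather than reducing them to one overall level, which is why the Step 2 baseline is selected per objective and why adding a single information type with a HIGH value in any column changes that column for the whole system.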

Confidentiality, Integrity and Availability Impact Levels

EXAMPLE 1: A law enforcement organization managing extremely sensitive investigative information determines that the potential impact from a loss of confidentiality is high, the potential impact from a loss of integrity is moderate, and the potential impact from a loss of availability is moderate.
Defense-in-Depth Functional Implementation Architecture (DFIA) Defense Level HMM

EXAMPLE 2: A financial organization managing routine administrative information (not privacy related information) determines that the potential impact from a loss of confidentiality is low, the potential impact from a loss of integrity is low, and the potential impact from a loss of availability is low.
Defense-in-Depth Functional Implementation Architecture (DFIA) Defense Level LLL

NIST Special Publication 800-60 Volume I Revision 1

Identify Overlay

Security categorization is a two-step process:

Step 1. Determine potential impact values for the information type(s) processed, stored, transmitted or protected by the information system, and for the information system.

Step 2. Identify overlays that apply to the information system and its operating environment to account for additional factors (beyond impact) that influence the selection of security controls.

OSD RMF Knowledge Service https://rmfks.osd.mil/rmf/RMFImplementation/Categorize/Pages/DoDIS.aspx


Identify Overlay

Attachments to Appendix F (formerly Appendix K), CNSS published overlays:
Attachment 1: Overlay Template (1 Aug 13)
Attachment 2: Space Platform Overlay (6 Jun 13)
Attachment 3: Cross Domain Solution Overlay (27 Sep 13)
Attachment 4: Intelligence Overlay (23 Oct 12) (document is U//FOUO)
Attachment 5: Classified Information Overlay (9 May 14)
Attachment 6: Privacy Overlay (20 Apr 15)

http://www.dss.mil/documents/CNSSI_No1253.pdf



Identify Overlay

http://www.dla.mil/Portals/104/Documents/GeneralCounsel/FOIA/FOIA_PrivacyOverlay_150420.pdf


Cybersecurity Requirements

RMF Step 2: Select Security Controls
• Common Control Identification
• Select security controls
• Develop system-level continuous monitoring strategy
• Review and approve the security plan and continuous monitoring strategy
• Apply overlays and tailor

OSD RMF Knowledge Service https://rmfks.osd.mil/rmf/RMFImplementation/Categorize/Pages/DoDIS.aspx

Security Control Family

• Each family contains security controls related to the general security topic of the family
• Security Controls and Control Enhancements are organized into 18 RMF Security Control Families with over 900 controls
• Control Flexibility
  – Assignment and selection statements embedded within controls allow organizations to define these values
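The Step 2 activities described above (select the baseline from the categorization, apply overlays, tailor, and fill in assignment/selection statements), as an added example in Python that is not part of the presentation and does not reproduce the Knowledge Service's control data. The control identifiers and titles are real NIST SP 800-53 names, but the per-objective applicability levels in CATALOG, the constructed "Privacy Overlay", the "72 hours" value and the helper names (select_baseline, apply_overlay, tailor_out, set_parameter, unresolved_parameters) are assumptions made for illustration, not the CNSSI 1253 baselines or the published CNSS overlay.

```python
"""RMF Step 2 (Select): baseline from the categorization, overlays, tailoring, parameters.

Added example; not code from the original slide deck nor data from the OSD RMF Knowledge
Service. Control identifiers/titles are real NIST SP 800-53 names, but the applicability
levels, overlay contents and parameter values are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LEVELS = {"L": 0, "M": 1, "H": 2}
Triple = Tuple[str, str, str]


@dataclass(frozen=True)
class Control:
    ident: str
    title: str
    # Lowest impact value at which the control enters the baseline for each objective
    # (selection is per objective, CNSSI 1253 style); None = not driven by that objective.
    c: Optional[str] = None
    i: Optional[str] = None
    a: Optional[str] = None
    params: Tuple[str, ...] = ()  # assignment/selection statements still to be filled


# Constructed catalog subset; the L/M/H thresholds are assumptions, not CNSSI 1253's.
CATALOG: Dict[str, Control] = {ctl.ident: ctl for ctl in (
    Control("AC-2", "Account Management", c="L", i="L", a="L",
            params=("account types", "review frequency")),
    Control("AC-2(2)", "Removal of Temporary / Emergency Accounts", c="M", i="M",
            params=("removal period",)),
    Control("AU-6", "Audit Review, Analysis, and Reporting", c="L", i="L", a="L",
            params=("review frequency",)),
    Control("SC-8", "Transmission Confidentiality and Integrity", c="M", i="M"),
    Control("SC-8(1)", "Cryptographic or Alternate Physical Protection", c="H", i="H"),
    Control("CP-9", "Information System Backup", a="L", params=("backup frequency",)),
    Control("CP-9(1)", "Testing for Reliability / Integrity", a="M"),
    Control("AP-1", "Authority to Collect"),  # privacy control: enters via an overlay only
)}


@dataclass
class Overlay:
    name: str
    adds: Tuple[str, ...] = ()
    param_values: Dict[str, Dict[str, str]] = field(default_factory=dict)


@dataclass
class SecurityPlan:
    categorization: Triple
    controls: Dict[str, Control]
    values: Dict[str, Dict[str, str]] = field(default_factory=dict)
    tailoring_log: List[str] = field(default_factory=list)


def control_applies(ctl: Control, categorization: Triple) -> bool:
    """Selected when ANY objective meets the control's threshold for that objective."""
    return any(need is not None and LEVELS[have] >= LEVELS[need]
               for need, have in zip((ctl.c, ctl.i, ctl.a), categorization))


def select_baseline(categorization: Triple) -> SecurityPlan:
    """Initial baseline: every catalog control whose threshold the categorization meets."""
    if any(lvl not in LEVELS for lvl in categorization):
        raise ValueError(f"impact values must be L, M or H, got {categorization!r}")
    chosen = {k: v for k, v in CATALOG.items() if control_applies(v, categorization)}
    return SecurityPlan(categorization, chosen)


def apply_overlay(plan: SecurityPlan, overlay: Overlay) -> SecurityPlan:
    """Overlays add controls and pre-set parameter values; every change is logged."""
    for ident in overlay.adds:
        if ident not in CATALOG:
            raise KeyError(f"{overlay.name} references unknown control {ident}")
        if ident not in plan.controls:
            plan.controls[ident] = CATALOG[ident]
            plan.tailoring_log.append(f"{overlay.name}: added {ident}")
    for ident, vals in overlay.param_values.items():
        plan.values.setdefault(ident, {}).update(vals)
    return plan


def tailor_out(plan: SecurityPlan, ident: str, justification: str) -> SecurityPlan:
    """Remove a control; the written justification is what the SCA and AO review."""
    if not justification.strip():
        raise ValueError(f"tailoring out {ident} requires a documented justification")
    if ident not in plan.controls:
        raise KeyError(f"{ident} is not in the current baseline")
    del plan.controls[ident]
    plan.tailoring_log.append(f"tailored out {ident}: {justification}")
    return plan


def set_parameter(plan: SecurityPlan, ident: str, param: str, value: str) -> SecurityPlan:
    """Record the organisation-defined value for one assignment/selection statement."""
    if ident not in plan.controls or param not in plan.controls[ident].params:
        raise KeyError(f"{ident} has no parameter {param!r} in this baseline")
    plan.values.setdefault(ident, {})[param] = value
    return plan


def unresolved_parameters(plan: SecurityPlan) -> List[str]:
    """Statements still without a value; each one is a gap in the security plan."""
    open_params = sorted((ident, p) for ident, ctl in plan.controls.items()
                         for p in ctl.params if p not in plan.values.get(ident, {}))
    return [f"{ident}: {p}" for ident, p in open_params]


# Constructed for the example; not the contents of the published CNSS Privacy Overlay.
PRIVACY_OVERLAY = Overlay("Privacy Overlay (constructed)", adds=("AP-1",),
                          param_values={"AC-2": {"review frequency": "at least annually"}})
```

For the slide's MML system, select_baseline(("M", "M", "L")) picks AC-2, AC-2(2), AU-6, SC-8 and CP-9 but not CP-9(1) (availability is only LOW) or SC-8(1) (confidentiality is not HIGH); apply_overlay(plan, PRIVACY_OVERLAY) then adds AP-1, which no impact level would have selected. Two checks a practitioner wants are built in: a control cannot be tailored out without a justification that lands in the log the Security Control Assessor will read, and unresolved_parameters lists every assignment or selection statement that still has no organization-defined value, which is where a security plan is most often incomplete.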

SELECT

OSD RMF Knowledge Service Security Controls Explorer (slides 21 to 25 are screenshots of the explorer):
https://rmfks.osd.mil/rmf/General/SecurityControls/Pages/ControlsExplorer.aspx

Work with your Security Control Assessor to tailor controls.

Questions?