3 May 2017
Presenter: Ty Theriot
Moderator: LtCol Stephani Hunsinger
Cybersecurity Planning Lunch and Learn
LtCol Stephani Hunsinger USAF, [email protected]
Mr. Tyrone “Ty” Theriot, [email protected]
DoDI 8510.01, RMF 6 Step Process
This iterative process parallels the system life cycle, with the RMF activities being initiated at program or system inception
We will only focus on these 2 for the Lunch and Learn
RMF Integration across the Acquisition Lifecycle
[Figure: timeline of the acquisition lifecycle (Materiel Solution Analysis, Technology Maturation & Risk Reduction, Engineering & Manufacturing Development, Production & Deployment, Operations & Support through Sustainment and Disposal) with milestones A, B and C, the Materiel Development Decision, ICD / Draft CDD / CDD-V / CDD / CPD, SRR, DRFPRD, LRIP, FRP Decision, IOC and FOC, and software Builds 0.1, 1.1 through 1.4, 2.1, 3.1 and 3.2. SYSTEM SECURITY ENGINEERING (SSE) runs across the whole lifecycle; RMF Step 1 CATEGORIZE System and Step 2 SELECT Security Controls sit early in the timeline, alongside "Establish Cybersecurity WIPT", the CSSSP/CMS and ASSEP/TEMP artifacts, and "Influence Design/RFP".]
SSE - MSA Phase:
• Include System Security in Design Trades
• Leverage Threat Data
• Evaluate CONOPS
• Perform initial Criticality Analysis
Cybersecurity & the Acquisition Lifecycle Integration Tool (CALIT)
CALIT Ver 2.02
PM and Cybersecurity
The PM is responsible for meeting cybersecurity requirements throughout the lifecycle of the program. Cybersecurity is defined as:
“Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation”
PMs and Chief Engineers/Lead Systems Engineers who are unfamiliar with the details of the DoD cybersecurity regulations and policies should consider the following three security objectives when trying to balance specific cybersecurity requirements with the other requirements that apply to their system: Confidentiality, Integrity and Availability
DoD Program Manager’s Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle Sept 2015
Cybersecurity Requirements
RMF Step 1: Categorize System
• Categorize the system in accordance with the CNSSI 1253
• Initiate the Security Plan
• Register system with DoD Component Cybersecurity Program
• Assign qualified personnel to RMF roles
OSD RMF Knowledge Service https://rmfks.osd.mil/rmf/RMFImplementation/Categorize/Pages/DoDIS.aspx
Cybersecurity Requirements
RMF Step 1: Categorize System
For NSS, the Security Categorization Task (RMF Step 1, Task 1-1) is a two-step process:
1. Determine impact values: (i) for the information type(s) processed, stored, transmitted, or protected by the information system; and (ii) for the information system.
2. Identify overlays that apply to the information system and its operating environment to account for additional factors (beyond impact) that influence the selection of security controls.
http://www.dss.mil/documents/CNSSI_No1253.pdf
Categorization Definitions (44 U.S.C., Section 3542)
CONFIDENTIALITY: Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.
INTEGRITY: Guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity.
AVAILABILITY: Ensuring timely and reliable access to and use of information.
OSD RMF Knowledge Service https://rmfks.osd.mil/rmf/RMFImplementation/Categorize/Pages/DoDIS.aspx
Confidentiality Factors
Answers to the following questions will help in the evaluation process:
• How can a malicious adversary use the unauthorized disclosure of information to do limited/serious/severe harm to agency operations, agency assets, or individuals?
• How can a malicious adversary use the unauthorized disclosure of information to gain control of agency assets that might result in unauthorized modification of information, destruction of information, or denial of system services that would result in limited/serious/severe harm to agency operations, agency assets, or individuals?
• Would unauthorized disclosure/dissemination of elements of the information type violate laws, executive orders, or agency regulations?
NIST Special Publication 800-60 Volume I Revision 1
Integrity Factors
Answers to the following questions will help in the evaluation process:
• How can a malicious adversary use the unauthorized modification or destruction of information to do limited/serious/severe harm to agency operations, agency assets, or individuals?
• Would unauthorized modification/destruction of elements of the information type violate laws, executive orders, or agency regulations?
NIST Special Publication 800-60 Volume I Revision 1
Availability Factors
Answers to the following questions will help in the evaluation process:
• How can a malicious adversary use the disruption of access to or use of information to do limited/serious/severe harm to agency operations, agency assets, or individuals?
• Would disruption of access to or use of elements of the information type violate laws, executive orders, or agency regulations?
NIST Special Publication 800-60 Volume I Revision 1
Confidentiality, Integrity and Availability Impact Levels
Potential Impact Definitions from CNSSI 1253, Section 3.1:
LOW: If the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
MODERATE: If the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals and exceeds mission expectations.
HIGH: If the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals and exceeds mission expectations.
RMF Step 1: Categorize System (example)
Defense-in-Depth Functional Implementation Architecture (DFIA) Defense Level MML
Information Type        Impact Values
                        C   I   A
Logistics               L   L   L
Intelligence            L   M   L
Targeting               M   L   L
Surveillance            L   L   L
Reconnaissance          L   L   L
Mine Detection          L   L   L
System Categorization   M   M   L
Determine the system categorization impact level for Confidentiality, Integrity and Availability by determining impact values for each information type and rolling them up into a high water mark (the highest value in each column).
Work with your Security Control Assessor to tailor.
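The high water mark roll-up from the table above, as an added example in Python that is not part of the presentation: it uses a constructed copy of the slide's DFIA information types, and the `driving_types` helper (which reports which information type sets each objective's level) is this example's own addition.

```python
"""High water mark roll-up for RMF Step 1 (added example, not part of the
presentation). Per-information-type C/I/A impact values are combined into the
system categorization by taking the maximum per security objective."""
from typing import Dict, Iterable, List, Tuple

OBJECTIVES = ("confidentiality", "integrity", "availability")
IMPACT_RANK = {"L": 0, "M": 1, "H": 2}  # CNSSI 1253 potential impact values

# Constructed sample reproducing the DFIA slide; each value is (C, I, A).
SAMPLE_INFORMATION_TYPES: Dict[str, Tuple[str, str, str]] = {
    "Logistics": ("L", "L", "L"),
    "Intelligence": ("L", "M", "L"),
    "Targeting": ("M", "L", "L"),
    "Surveillance": ("L", "L", "L"),
    "Reconnaissance": ("L", "L", "L"),
    "Mine Detection": ("L", "L", "L"),
}

def high_water_mark(values: Iterable[str]) -> str:
    """Return the highest impact value among L/M/H strings (case-insensitive)."""
    ranked = [v.upper() for v in values]
    unknown = [v for v in ranked if v not in IMPACT_RANK]
    if unknown:
        raise ValueError(f"unknown impact value(s): {unknown}")
    return max(ranked, key=IMPACT_RANK.__getitem__)

def categorize_system(info_types: Dict[str, Tuple[str, str, str]]) -> Tuple[str, str, str]:
    """Roll every information type up to one (C, I, A) system categorization."""
    if not info_types:
        raise ValueError("at least one information type is required")
    return tuple(high_water_mark(v[i] for v in info_types.values()) for i in range(3))

def driving_types(info_types, categorization) -> Dict[str, List[str]]:
    """List, per objective, the information types that set the high water mark;
    these are the types to revisit when tailoring with the Security Control Assessor."""
    return {obj: [name for name, v in info_types.items() if v[i].upper() == categorization[i]]
            for i, obj in enumerate(OBJECTIVES)}

def defense_level(categorization) -> str:
    """Format as the slide's DFIA 'Defense Level' string, e.g. 'MML'."""
    return "".join(categorization)

if __name__ == "__main__":
    cat = categorize_system(SAMPLE_INFORMATION_TYPES)
    print("System categorization:", defense_level(cat))  # MML
    for obj, names in driving_types(SAMPLE_INFORMATION_TYPES, cat).items():
        print(f"  {obj}: {cat[OBJECTIVES.index(obj)]} set by {', '.join(names)}")
```

Running it reproduces the slide's M M L result and shows that Targeting alone drives the Confidentiality level while Intelligence alone drives Integrity, which is where a tailoring discussion would start.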
Confidentiality, Integrity and Availability Impact Levels
EXAMPLE 1: A law enforcement organization managing extremely sensitive investigative information determines that the potential impact from a loss of confidentiality is high, the potential impact from a loss of integrity is moderate, and the potential impact from a loss of availability is moderate.
Defense-in-Depth Functional Implementation Architecture (DFIA) Defense Level HMM
EXAMPLE 2: A financial organization managing routine administrative information (not privacy related information) determines that the potential impact from a loss of confidentiality is low, the potential impact from a loss of integrity is low, and the potential impact from a loss of availability is low.
Defense-in-Depth Functional Implementation Architecture (DFIA) Defense Level LLL
NIST Special Publication 800-60 Volume I Revision 1
Security categorization is a two-step process:
Step 1. Determine potential impact values for the information type(s) processed, stored or transmitted or protected by the information system; and for the information system.
Step 2. Identify overlays that apply to the information system and its operating environment to account for additional factors (beyond impact) that influence the selection of security controls.
OSD RMF Knowledge Service https://rmfks.osd.mil/rmf/RMFImplementation/Categorize/Pages/DoDIS.aspx
Identify Overlay
Attachments to Appendix F (Formerly Appendix K)
CNSS Published Overlays:
Attachment 1: Overlay Template (1 Aug 13)
Attachment 2: Space Platform Overlay (6 Jun 13)
Attachment 3: Cross Domain Solution Overlay (27 Sep 13)
Attachment 4: Intelligence Overlay (23 Oct 12) (Document is U//FOUO)
Attachment 5: Classified Information Overlay (9 May 14)
Attachment 6: Privacy Overlay (20 Apr 15)
Identify Overlay
http://www.dss.mil/documents/CNSSI_No1253.pdf
Identify Overlay
http://www.dla.mil/Portals/104/Documents/GeneralCounsel/FOIA/FOIA_PrivacyOverlay_150420.pdf
Cybersecurity Requirements
RMF Step 2: Select Security Controls
• Common Control Identification
• Select security controls
• Develop system-level continuous monitoring strategy
• Review and approve the security plan and continuous monitoring strategy
• Apply overlays and tailor
OSD RMF Knowledge Service https://rmfks.osd.mil/rmf/RMFImplementation/Categorize/Pages/DoDIS.aspx
Security Control Family
• Security Controls and Control Enhancements are organized into 18 RMF Security Control Families with over 900 controls
• Each family contains security controls related to the general security topic of the family
• Control Flexibility
  – Assignment and selection statements embedded within controls allow organizations to define these values
OSD RMF Knowledge Service
https://rmfks.osd.mil/rmf/General/SecurityControls/Pages/ControlsExplorer.aspx
SELECT
Work with your Security Control Assessor to tailor controls.
Questions?