AFSPC Certification and Accreditation Tf tiTransformation July 2012 v2.pdf · Certification and Accreditation Tf tiTransformation 19 July 2012 ... AFSPC Certifying Authority (CA)

AFSPCCertification and

Accreditation T f tiTransformation

19 July 2012

Douglas Rausch, Col, USAFChief, Cyber Surety Division

UNCLASSIFIEDUNCLASSIFIED

A Changing Environment

• GPS I (1978 – 1985)• GPS II (1989 – ?)• GPS III (2014 - ?)

215 Feb 11UNCLASSIFIED 215 Feb 11UNCLASSIFIED

UNCLASSIFIEDUNCLASSIFIED

Another Changing Environment

• 1970s: Phone phreaks• 1983: 414 Gang, breaks into ~60 computers, Los Alamos Labg, p ,• 1988: Morris Worm• 1989: Five west German computer users arrested on espionage

charges for breaking into US systems and selling info to KGBcharges for breaking into US systems and selling info to KGB• 1995: Kevin Mitnick arrested• 1996: GAO report - hackers attempted to break into DoD

computers more than 250 000 times - 65% success ratecomputers more than 250,000 times - 65% success rate• 2007: Estonia suffers massive DoS• 2009: Conficker

2010 O ti A St t• 2010: Operation Aurora, Stuxnet• 2011…: wikileaks, Anonymous, Flame

315 Feb 11UNCLASSIFIED 315 Feb 11UNCLASSIFIED

UNCLASSIFIED

And Another Changing Environment

Today: Reactive & Inefficient ProcessesToday: Reactive & Inefficient Processes

ee Tomorrow: Proactive & Operational ProcessesTomorrow: Proactive & Operational Processes

Drive

DriveProcess mapping &

li

C&A Transformation

Documented, repeatable, agile, mission focused C&A Yo

u Yo

u Th

ere

Ther

e

Current State Future State

Tomorrow: Proactive & Operational ProcessesTomorrow: Proactive & Operational Processes

Undocumented, unrepeatable e Change

e Change

Risk assessments derived from

Unmeasured performance

strategy alignment

Metrics implementation

g ,process

Won

’t G

et

Won

’t G

et YY processes

Risk management

Metrics across processes and Stake‐holders

Repeatable, threat i t d i k A

ir Force A

ir Force

Risk assessments derived from controls versus threats

ou

ou H

ere

WH

ere

W

Governance difficult to locate and navigate

framework, ACA implementation

Governance overhaul

oriented risk management framework

Cross‐functional consolidated governance

e Wide

e Wide

Multiple customer portals SharePoint development

hat G

ot

hat G

ot Y

oYo

Lack of tools, automation and standardized workflow

t

Tools and technology research Implementation of standard tools,

technology and TTP for C&A

Consolidated customer portals, online resources and standard workflow management

415 Feb 11UNCLASSIFIED

Wh

Wh management technology and TTP for C&A

Training and TTP success reliant on industry standards

Standardize TTP for AF & Space application Consistent application of controls

to reduce risk – operationally focused for ease of use

UNCLASSIFIED

Organization and AuthoritiesDoD Chief Information

OfficerOSD/CIO

Space DAA/CIOUSSTRATCOM/CC

AF DAA/CIOSAF/A6

AF & Space DAAAFSPC/CC

Space SIAOUSSTRATCOM

AF SIAOSAF/A6

AF & Space DAA (Signatory)

HQ AFSPC/A6

Space CAHQ AFSPC/A6S

AF CAAFNIC

AF CARAFNIC

Space CARHQ AFSPC/A6SS


UNCLASSIFIED

Future Changes to C&A Policy

National Institute of Standards and Technology IA Risk Management Framework

The Committee on National Security Systems

National Information Assurance Policy for Space Systems Used to Support National Security Missions


UNCLASSIFIED

Risk Management FrameworkAFSPC Certifying Authority (CA) Risk Determination

Inputs:Inputs to the CAInputs:

• SIP• POA&M

A hit t /B d

Evaluate Likelihood

Present Risk

• Architecture/Boundary• Independent Validation

ReportsEvaluate Determine ImpactRisk Rating

Outputs:• Likelihood 5x5• Impact 5x5

715 Feb 11UNCLASSIFIED 2

• Overall risk rating

UNCLASSIFIED

Risk vs. Compliance Based Approach

Evolving AFSPC methodology based on NIST Risk Management Framework and best in class approaches

Traditional Compliance Traditional Compliance Based Assessment Based Assessment

Future State Risk Based Future State Risk Based AssessmentAssessment

Control BaseCounters generic threats

Team approach to select IA controls during system development - considering

Mission & Threat FocusMission & Threat Focus

threat environment

Risk ToleranceEarly senior leaderBased on generic

mission setsEarly senior leader approval of security prioritiesOps Constraint AwareOps Constraint Aware


Results in greater focus on critical security items, elimination of items Results in greater focus on critical security items, elimination of items within risk tolerancewithin risk tolerance, and , and control control reductionreduction

UNCLASSIFIED

CNSS Space WG

• Revising CNSSP No. 12, National IA Policy for Space Systems Used to Support National Security Missionsy pp y• Changes needed due to:

• National Space Policy increasing reliance on commercial launch and payload hosting

• Greater interconnectivity with/reliance on non-space systems • Increased threats to space systems resulting from above

• Aligns policy to current CNSS and NIST issuances, also directs:• TRANSEC and COMSEC in integrated systems

engineeringSupply chain risk management• Supply chain risk management

• Need to secure all telemetry, command uplinks• Integration with Computer Network Defense

capabilities


capabilities• Info security for all applicable space systems

(gov’t, cmcl, foreign, R&D)

UNCLASSIFIED

CNSS WG Next Steps…

• CNSSP No. 12 out for review by CNSS Committee• Identified challenges beyond current scope of CNSS Space WG thatIdentified challenges beyond current scope of CNSS Space WG that

should be addressed in future actions including: • Expand policy to incorporate evolving cyber security practices (e.g.,

greater interconnectivity with commercial space assets)greater interconnectivity with commercial space assets)• Detailed Risk Management Framework implementation guidance for

space systems; how to effectively manage risk looking at full range of options available to system owners/operators/usersp y p

• Extend policy to further secure space systems U.S. relies upon but doesn’t build, own, and/or launch

• Complete Space Overlay coordination, publish as annex to CNSSIComplete Space Overlay coordination, publish as annex to CNSSI 1253

CNSS Space Working Group will continue to be venue for


AFSPC to guide space system Information Assurance Policy

UNCLASSIFIED

Agent of the Certifying Authority

• Licensed, qualified agents to validate IA control compliance for the Certification Authority (CA)

• Provides independent assessment of IA posture• Performs hands-on validation and recommends mitigations

• Requirements: • Team lead with DoD 8570.01-M IAM Level III certification

• Minimum of 8 years high-level (enterprise preferred) IT experiencey g ( p p ) p• Minimum of 5 years of senior level IA experience

• Technical team to perform assessments

• Benefits:• Standardized and repeatable risk assessments

Decreases certification time frame


• Decreases certification time frame• Technical staff on-site bridge the gap between programs and CA

UNCLASSIFIED

Example 1 - CHIRP

Commercially Hosted Infrared Payload (CHIRP)• Supports infrared sensor system development• Multi-national manufacture checkout launchMulti-national manufacture, checkout, launch• Required rapid C&A of SV to meet schedule• CHIRP assessed as a MAC III, Classified System

• IAW current DoDI 8500.2, 105 total IA controls could apply• Expended 145-180 staff hours negotiating N/A controls• 33 compliant, 2 non-compliant, 70 (i.e., 67%) not applicable

• Under upcoming revision to DoDI 8500.2 same MAC III/Classified could require 500 controls vice the 105 initially indicated for CHIRP

• Greater number of controls provides higher granularity to apply only IA controls needed for risk exposure but does require greater work at outset to ensure proper selection

• Space Overlay and NIST IA controls for space systems developed by AFSPC and others• Augment general IT controls with those specific to space system environment/threatAugment general IT controls with those specific to space system environment/threat• Trims about 21% of controls/enhancements providing finer tuned IA requirements with

less staff effort

Space Overlay is common starting point – adjusted security controls baseline.


Space Overlay is common starting point adjusted security controls baseline. Pre-negotiated tailoring/supplementing helps developers, assessors, and AOs

minimize the effort to select a system-specific baseline.

UNCLASSIFIED

Example 2 – Eastern/Western Range


UNCLASSIFIED

Western Range

OpticsEnclaveMOPT ROTI

WeatherEnclave

DASS IWX LLPS MARS MIDV

Mobile Surv

EnclaveFMS

EnclaveMOPT ROTI DOAM

MARS MIDV WIND AMPS AWIP RTAM

MARSS AMPS2

Commhub (B7011) Svcs Enclave

CMTS CRTF DVRS GRCS LTTS

Command Destruct Enclave

CCT1, CCT3, CCT4, CCT4.2, CCT6,

CRMV RFMV RSMV TMV1

TMV2

VAFB Radar Enclave

FMS

VTRS Sensitive EnclavePDTS MOBL

Pillar Pt Class Enclave

PPQ6 PTRS PTRS2

CMTS, CRTF, DVRS, GRCS, LTTS, VREC, VSSR, WRVS CCTM, CCS (B7000 & WROCC),

CCPSV161, HAIR, VQ18

Pillar Pt SensitiveEnclavePOVS PDTS

VTRS Classified EnclaveVTRS VTRS2 PDTS, MOBLPPQ6, PTRS, PTRS2

WROCC Classified Enclave

CTPS, FDIO, FOA, INF (Class), LSVD RWRV

POVS, PDTS

WROCC Sensitive Enclave

RSTA, TEMS, INF (Sens), VRAC, OSS PTTC GPPM

B7000 Classified Enclave

ADS, COTS, DIPS, MDDS, MDPS, RSC, RSDS, RSTS, TAER, TIPS,

B7000 Sensitive Enclave

APCA, CCMS, CDGN, MFTC, OMSS UMSS BDMS

VTRS, VTRS2

Communications Infrastructure Classified Enclave

NCT, ECDL

LSVD, RWRV

Communications Infrastructure Sensitive Enclave

SMFO, SNDS, MICR

OSS, PTTC, GPPM CMSS, RDMS OMSS, UMSS, BDMS


85 unsustainable boundaries reduced to 17 geographically/functionally based boundaries

UNCLASSIFIED

Eastern Range

Timing Enclave

Legacy, THAMS, TWSTT

OpticsSensitiveEnclave

DRED

SurvEnclaveGPN 30, SCDS, SSR-N, SSR-S

Wx Sensor Enclave4DLSS, DWR, NLDN, LPLWS

Optics ClassifiedEnclaveCINES, DOAMS,

MIGOR, ATOTS, OCT

WxProcess Enclave

ERDAS, MIDDS, WINDS

Wx Critical EnclaveAMPS, MSC

Comm Services Sens Enclave

Unclass Voice, Video

Cmnd Destruct Enclave

CCRS, Cape 1A, Cape 1B, JD CMD

Radar EnclaveSPARC, 0.134, 1.16, 19.14, 19.39,

28.14, FRVPS

Telemetry Enclave

CTPS, TMCRSP, DTA, Tel-4

Comm Services Class Enclave

DMNE, Secure Voice

JDMTA EnclaveTel-JDMTA

Down Range EnclaveTel-Ant, Tel-Asc, 12.15

MOC Processing Enclave

LAPS, FSDP, MDPP, FVTAM, NIPC, CDR

MOC Safety EnclaveDBS, DRSD, FOV-1, FADSS

Communications Infrastructure Classified EnclaveDT, COMSEC

Communications Infrastructure Sensitive Enclave

MICR, SATCOM, DT, NMS, UCS

CORE EnclaveNCT


62 unsustainable boundaries reduced to 19 geographically/functionally based boundaries

UNCLASSIFIED

Summary

• Security and risk assessment methods must evolve with threats

• Information Assurance (IA) must meet to adapt• Near real time response• Support spiral development• Support spiral development

• Certification & Accreditation StrategiesT iti f DIACAP t RMF• Transition from DIACAP to RMF

• Leverage existing and future control selection flexibility• Partnerships must employ DIACAP team constructs

• Enterprise approaches• Move mitigations down through inheritance


g g• Allow boundaries to cross programs, bases and services

QuestionsQuestions

Documents

AFSPC Certification and Accreditation Tf tiTransformation July 2012 v2.pdf · Certification and Accreditation Tf tiTransformation 19 July 2012 ... AFSPC Certifying Authority (CA)