Bob Marchant, Sotera Defense Solutions: A comparison of Systems Engineering and Security Engineering practices and professionals (or maybe a commercial for the INCOSE working group!)

Page 1: Bob Marchant, Sotera Defense Solutions

Bob Marchant, Sotera Defense Solutions

A comparison of Systems Engineering and Security Engineering practices and professionals

Or maybe a commercial for the INCOSE working group!

Page 2

BIO

• 35 years of engineering experience
  – 27 in Systems Engineering
  – 20+ in Security Engineering
• BSCS, MBA, ABD PhD (IST)
• CDP, GSEC, CISSP, ISSEP, DTM
• SE (adult ed certified) trainer
• Process Champion (IPPD, CMMI)

Page 3

Outline

• Issues
• Possible Causes
• Comparing the Cycles
  – SDLC/RMF
  – Lust to Dust (all dust, no lust)
• Comparing the Professionals
• Next Steps

Page 4

So what's the issue? Security Engineering is struggling

• Consistent complaint of lack of involvement!
• Active INCOSE WG
• New standards evolving
• Extremely broad BOK (very little build focus)
  – CISSP: 10 categories, from physical to crypto
  – ISSEP: 4 categories
• Discipline struggles to maintain currency

Page 5

Possible causes, and is systems engineering the cure?

• Incomplete models?
  – No V
  – No gates
• Continuous monitor mentality
• Technician/Manager focus
• BOK is broke

Page 6

Comparing the Cycles: The familiar one(s)

Page 7

Comparing the Cycles: In a simpler form

(Diagram: the system lifecycle as six phases: Definition, Design, Development, Deployment, Operations, Retirement)

Page 8

Comparing the Cycles: The Security Engineering forms

Regardless, it is all about Risk Management

• Viewed through many models/frameworks: IATF, RMF, ISO, custom
• Let's look at NIST

Page 9

Comparing the Cycles: The RMF

(Diagram: the six RMF steps arranged as a cycle, each with its description)

• CATEGORIZE Information System (starting point): Define criticality/sensitivity of the information system according to potential worst-case, adverse impact to mission/business.
• SELECT Security Controls: Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
• IMPLEMENT Security Controls: Implement security controls within the enterprise architecture using sound systems engineering practices; apply security configuration settings.
• ASSESS Security Controls: Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for the information system).
• AUTHORIZE Information System: Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
• MONITOR Security Controls: Continuously track changes to the information system that may affect security controls and reassess control effectiveness.

Page 10

Comparing the Cycles: Both

(Diagram: the RMF cycle from Page 9 (CATEGORIZE, SELECT, IMPLEMENT, ASSESS, AUTHORIZE, MONITOR) overlaid with the system lifecycle phases from Page 7: Definition, Design, Development, Deployment, Operations, Retirement)

Where's the V?

Page 11

From Concept to Creation, WITH GATES AND REVIEWS!!!

(Diagram: the MISSION and Real World are captured in ICDs and the CONOPS; these are used to create the Conceptual Model (Specs, Docs); the Conceptual Model is built as the SYSTEM)

Page 12

Comparing the Cycles: Where's the gates? Where's the focus?

(Diagram: the RMF cycle from Page 9, annotated with systems engineering gates; in lifecycle order the gate labels read:)

• CATEGORIZE Information System: Post SDR
• SELECT Security Controls: Post PDR
• IMPLEMENT Security Controls: Post CDR
• ASSESS Security Controls: Before TRR
• AUTHORIZE Information System: Before AT
• MONITOR Security Controls: O&M

Page 13

Comparing the Cycles: Recap

• SSE has a cycle but no feedback
  – In theory yes, in practice mostly no
• SSE has a cycle but no real gates
  – In practice: triage, IATT, some form of AO
• SSE is driven by the CDLC
• The SSE cycle is stuck in Monitor most of the time

Page 14

Comparing the Professionals: Some common ground

Scientist: A scientist is one engaging in a systematic activity to acquire knowledge. Scientists perform research toward increasing understanding of nature, including physical, mathematical and social realms. Scientists use empirical methods to study things.

Engineer: An engineer applies knowledge of applied science and applied mathematics to develop solutions for technical problems. Engineers design materials, structures, technology, inventions, machines and systems. Engineers use ingenuity to create things.

Technician: A technician is a worker in a field of technology who is proficient in the relevant skills and techniques of that technology. Technicians apply methods and skill to build, operate and maintain things.

Manager: One who handles, controls, or directs an activity or other enterprise, including allocation of resources and expenditures. A manager uses qualitative methods to control the build, operation, and maintenance of things.

Page 15

Comparing the Professionals: A sampling of SE (notice the mix)

• Chief Engineer/LSE

• Systems Architect/Designer

• Requirements Engineer

• Functional Analyst

• Systems Analyst

• IV&V engineer

• O&M Support Engineers

• Specialty Engineers

Notice the feedbacks

Page 16

Comparing the Professionals (The RMF/ICD 503)

(Diagram: the RMF cycle from Page 9, with the RMF roles listed beside it)

• Information System Owner
• Information Owner/Steward
• Risk Executive (Function)
• Authorizing Official
• AO Designated Representative
• Chief Information Officer
• Senior Information Security Officer
• Information System Security Officer
• Information Security Architect
• Common Control Provider
• Information System Security Engineer
• Security Control Assessor

Page 17

ISSE per ICD 503 (RMF)

Information System Security Engineer (ISSE) (or Information Security Architect)

• Identify security controls that are provided by the organization as common controls for organizational information systems and document the controls in a Security Plan.
• Select security controls for the IS.

Page 18

ISO per ICD 503 (RMF)

Information System Owner (or Program Manager)

• Categorize the IS and document the results in the Security Plan.
• Describe the IS in the Security Plan.
• Register the IS with the appropriate organizational program management offices.
• Select security controls for the IS and document the controls in the Security Plan.
• Develop a strategy for the continuous monitoring of security control effectiveness and any proposed or actual changes to the IS and its operational environment.
• Implement the security controls specified in the Security Plan.
• Document the security control implementation in the Security Plan. Provide a functional description of the control implementation.
• Conduct initial remedial actions on security controls based on the findings and recommendations of the SAR and reassess remediated controls as appropriate.
• Prepare the POA&M based on the findings and recommendations of the SAR, excluding any remedial actions taken.
• Assemble the Security Authorization artifacts and submit them to the Authorizing Official for adjudication.
• Determine the security impact of proposed or actual changes to the IS and its operational environment.
• Conduct remedial actions based on the results of ongoing monitoring activities, risk assessment, and outstanding items in the POA&M.
• Update the Security Plan, security assessment report, and plan of action and milestones based on the results of the continuous monitoring process.
• Report the security status of the information system (including the effectiveness of security controls employed within and inherited by the system) to the AO and other appropriate organizational officials on an ongoing basis in accordance with the monitoring strategy.
• Implement an information system decommissioning strategy, when needed, which executes required actions when a system, or system component, is removed from service or transferred to another system.

Page 19

Comparing the Professionals: Recap

• Incomplete models?
  – No V
  – No gates
• Continuous monitor mentality
• Technician/Manager focus
• BOK is broke
• In systems engineering, there is active leadership from the engineers; in SSE, the ISSEs are primarily advisors
• SEs are pro-active; SSEs react
• SEs are builders; SSEs are advisors to passive risk managers. Risk managers should be pro-active

Page 20

Next steps?

• NIST SP 800 series evolving (leads the way)
• INCOSE WG is creating a handbook
• NICE

QUESTIONS?