CYBERSAFE Overview AFCEA C4ISR Symposium 28 April 2015 Presented by: Mr. Brian Marsh Assistant Chief Engineer (Certification & Mission Assurance) SPAWAR 5.0 Statement A: Approved for public release, distribution is unlimited (27 APRIL 2015)


CYBERSAFE BLUF

▼ The CYBERSAFE Program is focused on ensuring effective cybersecurity design, procurement, and operation of the Navy’s most critical warfighting systems

▼ SPAWAR will play multiple key roles from both a Navy Enterprise and a SYSCOM perspective

▼ CYBERSAFE will bring heightened consideration to the cybersecurity elements of many SPAWAR Programs

But first, let’s discuss CYBERSAFE in the context of Navy cybersecurity


Current Cyber Environment

Source: Symantec 2015 Internet Security Threat Report

Extreme challenge to keep pace with exponential increase in cybersecurity requirements


SPAWAR’s Role in Navy Cybersecurity

Information Technology / Information Assurance Technical Authority Board (IT/IA TAB)

Task Force Cyber Awakening

Technical Specs/Standards Developer

Joint Regional Security Stack (JRSS)

Authority to Operate (ATO) – Security Control Assessor (SCA)

As Navy’s IA Technical Authority, SPAWAR will assume additional roles in CYBERSAFE


CYBERSAFE Overview

Scope

▼ Focused on limited subset of select network components that enable Mission Critical capabilities

▼ CYBERSAFE components may require additional controls beyond RMF

▼ CYBERSAFE Office to become an element within the overall Navy cybersecurity construct

Construct

[Diagram labels: Platform PMs; PEOs; Technical Authority; IT/IA TA; Security & QA Authority; SYSCOMs; CYBERSAFE Certification Authority; CYBERSAFE PMO; Navy Cybersecurity; CYBERSAFE]

Objective

Establish a CYBERSAFE Program to provide maximum reasonable assurance of a hardened subset of critical warfighting components

CYBERSAFE Program will focus on Mission Assurance of critical warfighting capabilities


CYBERSAFE Facets

[Figure: CYBERSAFE facets drawn on three axes (X, Y, Z). Labels: Cyber System Level; Cyber Condition; CYBERSAFE Grade; Technical Capabilities; Material; FULL NET; SEMI NET; NO NET]

CSL 1: Platform Safety

CSL 2: Platform Combat

CSL 3: Networked Combat

CSL 4: Sustained Combat

Grade A: Mission Critical

Grade B: Mission Essential

Grade C: Non-Mission Essential

Operate: Operating mode of platform based on likelihood of cyber attack

Design: Functionality Hierarchy of system to end-to-end mission

Procure & Build: Level of cyber protection incorporated into system design

IT/IA TAB to develop criteria for leveraging facets to identify CYBERSAFE critical items


SPAWAR’s Role in CYBERSAFE

SPAWAR is Technical Authority for CYBERSAFE

– Cross-Enterprise Role

– Define criteria to identify CYBERSAFE Critical Items

– Develop specs & standards for CYBERSAFE Critical Items

– Interface with SYSCOM TAs to resolve CYBERSAFE issues

SPAWAR to establish a CYBERSAFE Entity

– Cross-SPAWAR Role (Led by SPAWAR 5.0)

– Identify SPAWAR’s CYBERSAFE Critical Items

– Ensure specs & standards are incorporated into acquisition and implemented into capabilities

– Perform certification of SPAWAR CYBERSAFE Critical Items

[Slide side labels: Enterprise Role; SYSCOM Role]

COMSPAWAR assigned CHENG as SPAWAR’s Lead for CYBERSAFE


SPAWAR IA Standards Plan

IA Standards Work Plan approved by the IT/IA TAB

Timeline columns: FY14, FY15, FY16, FY17

Host Level Protection; Security Information Event Management (SIEM)

Information Sharing - Cross Domain Solution; Information Tagging - Data Tagging

Network Firewall; Vulnerability Scanning; Account Management; Public Key Enabling

Network Intrusion Detection System (IDS) / Intrusion Protection System (IPS); Boundary Protection; Cyber Configuration Management; Wireless Communications

DFIA Afloat; Cyber Risk Assessment; Software Assurance; Wireless Enclave Access Control

Continuous Monitoring; DFIA Airborne

Event Management - Incident Management, Contingency Planning, Disaster Recovery, and Incident Response; Data Encryption - DIT, Link

Asset Management; Authentication and Authorization / IdAM; Data Encryption - DAR

Cyber Situational Awareness; Web Security; Remote Access

Supply Chain Risk Management; Email Security; DNS Security

DFIA Ashore; BIOS Protection / TPM / Embedded Firmware; Virtualization Security

IA TA Glossary; Key Management / Exchange; Assured Cloud Computing

DFIA and Standards POR Implementation Guidance (includes Controls / Standards mapping); Patch Management; Unified Capability - VoIP, Telecom


CYBERSAFE Standards

CYBERSAFE Certification Criteria

CYBERSAFE Grade A/B/C Criteria

Requirements for CYBERSAFE Grades A/B/C Systems

Inspection and Audit Criteria for CYBERSAFE

Plus… New task to develop initial CYBERSAFE Standards

SPAWAR IA Standards Plan

SPAWAR will play a lead role in developing the technical underpinnings for CYBERSAFE


SPAWAR Equities

▼ SPAWAR 5.0 work with PEOs to identify SPAWAR CYBERSAFE Items

▼ Baseline Configuration Pilot will assist in identifying Control Points

▼ Potential Programs with CYBERSAFE components:

CANES BFTN JALN ADNS DCGS-N GCCS-M/J NMT MUOS

CANES aligns with CYBERSAFE Grade A criteria as it provides networking, compute, and storage for mission critical applications and data

Due to its role as entryway to the ship, ADNS is a critical Control Point that enables connectivity for mission critical systems and components

NMT’s vital SATCOM capabilities provide assured C2 to Naval Commanders in support of Ballistic Missile Defense

SPAWAR will not identify CYBERSAFE Critical Items until TAB issues selection criteria


CYBERSAFE Way Ahead

▼ CYBERSAFE Implementation Plan approved by CNO on 21 April

▼ CYBERSAFE Office to release CYBERSAFE Instruction and 100-Day Plan

IT/IA TAB begin work on criteria development

▼ Establish SPAWAR Tiger Team Led by SPAWAR 5.0

Cross-SYSCOM representation

Leverage TAB criteria and Baseline Pilot to identify CYBERSAFE Items

Develop POA&M for developing, implementing, and maintaining CYBERSAFE Entity at SPAWAR

CYBERSAFE 2015 Timeline

Apr: CNO Approval

Apr: CYBERSAFE Instruction and 100-Day Plan

Aug: Submit CYBERSAFE POA&M

Oct: CYBERSAFE FOC

Apr - FOC: IT/IA TAB develop criticality criteria. SPAWAR Tiger Team develops implementation approach.


Summary

▼ Building upon the foundation provided by IA TA, CYBERSAFE is a key component of a common Navy plan for Cyber that:

– Promotes a holistic approach to securing critical warfighting capabilities

– Mandates use of common specifications and standards in acquisition and implementation

– Ensures compliance with common specifications and standards through certification process

▼ CYBERSAFE will increase awareness of cybersecurity requirements for many SPAWAR Programs

– IT/IA TAB will set criteria for identifying CYBERSAFE Critical Items

– SPAWAR 5.0 will work with PEOs to identify CYBERSAFE Critical Items within Programs
