Hot Topic Forum Cybersecurity Denman January 21, 2016 DAU Hot Topic Forum DAU's Response to Acquisition Cybersecurity Needs Presented by Tim Denman DAU Cybersecurity Learning Director January 21, 2016


Page 1: DAU Hot Topic Forum · Hot Topic Forum – Cybersecurity – Denman January 21, 2016 DoDI 5000.02 (Encl 11) – Cybersecurity • a. Cybersecurity Risk Management Framework (RMF)

Hot Topic Forum – Cybersecurity – Denman, January 21, 2016

DAU Hot Topic Forum: DAU's Response to Acquisition Cybersecurity Needs

Presented by Tim Denman, DAU Cybersecurity Learning Director

January 21, 2016

Page 2: Cybersecurity Hot Topic Forum Overview

• The Importance of Cybersecurity to the DoD
• Cybersecurity Policies and Publications
• DAU’s Response to Acquisition Cybersecurity Needs
• Questions

Page 3: The Importance of Cybersecurity

The Department of Defense has the largest network in the world and DoD must take aggressive steps to defend its networks, secure its data, and mitigate risks to DoD missions.

THE DEPARTMENT OF DEFENSE CYBER STRATEGY, April 2015

The Defense Department’s own networks and systems are vulnerable to intrusions and attacks. In addition to DoD’s own networks, a cyberattack on the critical infrastructure and key resources on which DoD relies for its operations could impact the U.S. military’s ability to operate in a contingency. DoD has made gains in identifying cyber vulnerabilities of its own critical assets through its Mission Assurance Program – for many key assets, DoD has identified its physical network infrastructure on which key physical assets depend – but more must be done to secure DoD’s cyber infrastructure.

Page 4: Cybersecurity – The Reality

What GAO Found

• Threats to systems supporting critical infrastructure and federal operations are evolving and growing. Federal agencies have reported increasing numbers of cybersecurity incidents that have placed sensitive information at risk, with potentially serious impacts on federal and military operations; critical infrastructure; and the confidentiality, integrity, and availability of sensitive government, private sector, and personal information. The increasing risks are demonstrated by the dramatic increase in reports of security incidents, the ease of obtaining and using hacking tools, and steady advances in the sophistication and effectiveness of attack technology.

Page 5: DoD Communications

What has changed in the last 8 years?

Page 6: Cybersecurity-Related Policies & Issuances

http://iac.dtic.mil/csiac/ia_policychart.html

The Policy Chart references over 180 documents. Most are less than 3 years old. Developed by the DoD Deputy CIO for Cybersecurity (updated 10/27/15).

Page 7: Key Cybersecurity Policies

• DoDI 5000.02 – Operation of the Defense Acquisition System
• DoDI 8500.01 – Cybersecurity
• DoDI 8510.01 – Risk Management Framework (RMF) for DoD Information Technology (IT)
• DoDD 8140.01 – Cyberspace Workforce Management
• National Initiative for Cybersecurity Education (NICE)

Page 8: DoDI 5000.02 (Encl 11) – Cybersecurity

• a. Cybersecurity Risk Management Framework (RMF). Cybersecurity RMF steps and activities, as described in DoD Instruction 8510.01, should be initiated as early as possible and fully integrated into the DoD acquisition process including requirements management, systems engineering, and test and evaluation. Integration of the RMF in acquisition processes reduces required effort to achieve authorization to operate and subsequent management of security controls throughout the system life cycle.

• b. Cybersecurity Strategy. All acquisitions of systems containing IT, including NSS, will have a Cybersecurity Strategy. The Cybersecurity Strategy is an appendix to the Program Protection Plan (PPP) that satisfies the statutory requirement in section 811 of P.L. 106-398.

DoDI 5000.02, January 7, 2015, Enclosure 11, Requirements Applicable To All Programs Containing Information Technology (IT), page 136

Page 9: Cybersecurity – A Team Sport

Cybersecurity in the DoD acquisition workforce requires vigilance from everyone who communicates information digitally. It is a true team sport that affects everyone’s job, and it is the responsibility of the entire DoD workforce.

Who should be involved and how?

Page 10: DoDI 8500.01 – Cybersecurity Replaces IA

This instruction applies to: All DoD-owned IT or DoD-controlled IT that receive, process, store, display, or transmit DoD information. These technologies are broadly grouped as DoD IS, platform IT (PIT), IT services, and products. This includes IT supporting research, development, test and evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD.

Information Assurance (IA) – Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. (Department of Defense Directive (DoDD) 8500.01E, April 23, 2007)

Cybersecurity – Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation. (Department of Defense Instruction (DoDI) 8500.01, March 14, 2014)

Page 11: DoDI 8500.01: Cybersecurity

“Policy: Cybersecurity…must be included throughout the lifecycle…to include *acquisition, design, development, developmental testing, operational testing, integration, implementation, operation, upgrade, or replacement of all DoD IT supporting DoD tasks and missions”

• DoD CIO coordinates with the DOT&E to ensure that cybersecurity responsibilities are integrated into the operational testing and evaluation for DoD acquisition programs
• USD(AT&L) ensures the DoD acquisition process incorporates cybersecurity planning, implementation, testing, and evaluation and ensures acquisition community personnel are qualified
• DoD COMPONENT HEADS ensure that system security engineering and trusted systems and networks processes, tools and techniques are used in the acquisitions under their purview.

* Note the different job responsibilities that must be involved.

Page 12: DoDI 8500/8510: Cybersecurity/RMF

– Adopts “Cybersecurity” instead of “Information Assurance”
– Extends applicability to all DoD information technology processing DoD information
– Emphasizes operational resilience, integration, reciprocity, and interoperability
– Aligns with Joint Task Force Transformation Initiative (DoD, NIST, IC, and CNSS)
– Adopts common Federal cybersecurity terminology so we are all speaking the same language
– Transitions to the newly revised NIST SP 800-53 Security Control Catalog
– Incorporates early/continuously in acquisition lifecycle

Page 13: DoDI 8510.01 – RMF – 6 Step Process

This process parallels the system life cycle, with the RMF activities being initiated at program or system inception.

Page 14: DoDI 8510.01 – Why Change Policy?

• The new policy is more consistent with established disciplines and best practices for effective systems engineering, systems security engineering, and program protection planning outlined in DoDI 5000.02 & DAG.
• The new policy leverages and builds upon numerous existing Federal policies and standards so we have less DoD policy to write and maintain.

DoD participates in CNSS and NIST policy development as a vested stakeholder with the goals of a more synchronized cybersecurity landscape and to protect the unique requirements of DoD Missions and warfighters.

DoD participates in development of CNSS and NIST documents ensuring DoD equities are met. DoD leverages CNSS and NIST policies and filters requirements to meet DoD needs.

Page 15: DoD Directive 8140.01 Cyberspace Workforce Management (Issued 8/11/2015)

a. Reissues and renumbers DoD Directive (DoDD) 8570.01 to update and expand established policies and assigned responsibilities for managing the DoD cyberspace workforce.

b. Authorizes establishment of a DoD cyberspace workforce management council to ensure that the requirements of this directive are met.

c. Unifies the overall cyberspace workforce and establishes specific workforce elements (cyberspace effects, cybersecurity, and cyberspace information technology (IT)) to align, manage and standardize cyberspace work roles, baseline qualifications, and training requirements.

In short, this directive replaces DoDD 8570.01, establishes cyber workforce elements, and paves the way for DoDI 8140, which will be based on the NICE Framework.

Page 16: National Initiative for Cybersecurity Education (NICE)

• Vision: A digital economy that is enabled by a knowledgeable and skilled cybersecurity workforce.
• Mission: To foster, energize, and promote a robust network and an integrated ecosystem of cybersecurity education, training, and workforce development.
• Goals:
  – Accelerate Learning and Skills Development
  – Nurture a Diverse Learning Community
  – Guide Career Development and Workforce Planning

Page 17: National Cybersecurity Workforce Framework

• The National Cybersecurity Workforce Framework provides a blueprint to categorize, organize, and describe cybersecurity work into Specialty Areas, tasks, and knowledge, skills and abilities (KSAs). The Workforce Framework provides a common language to speak about cyber roles and jobs and helps define professional requirements in cybersecurity.
• The Workforce Framework organizes cybersecurity into seven high-level Categories, each comprised of several Specialty Areas.

Knowledge, Skills & Abilities (KSA) for each competency within the NICE framework will be a major driver for future DAU Mission Assistance offerings.

Page 18: Cybersecurity Workforce Framework – 7 Areas

Securely Provision
• Concerned with conceptualizing, designing, and building secure IT systems, with responsibility for some aspect of the systems' development.

Operate and Maintain
• Responsible for providing the support, administration, and maintenance necessary to ensure effective and efficient IT system performance and security.

Protect and Defend
• Responsible for the identification, analysis, and mitigation of threats to internal IT systems or networks.

Investigate
• Responsible for the investigation of cyber events and/or crimes of IT systems, networks, and digital evidence.

Collect and Operate
• Responsible for specialized denial and deception operations and collection of cybersecurity information that may be used to develop intelligence.

Analyze
• Responsible for highly specialized review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence.

Oversight and Development
• Provide leadership, management, direction, and/or development and advocacy so that all individuals and the organization may effectively conduct cybersecurity work.

Page 19: The NICE Framework

Categories and their Specialty Areas:

• Securely Provision: IA Compliance; Enterprise Architecture; Sys Req Plng; Sys Development; SW Engineering; Tech Demonstration; Test & Evaluation
• Operate & Maintain: Data Administration; Knowledge Mgt; Network Services; Systems Admin; Info System Security Mgt; Customer & Tech Support; Systems Security Analysis
• Protect & Defend: Computer Network Defense (CND); CND Infrastructure Support; Incident Response; Security Program Mgt; Vulnerability Assessment & Mgt
• Analyze: Cyber Threat Analysis; All-source Analysis; Exploitation Analysis; Targets
• Collect & Operate: Collection Operations; Cyber Operations; Cyber Operational Planning
• Oversight & Development: Legal Advice & Advocacy; Education & Training; Strategic Planning & Policy
• Investigate: Investigation; Digital Forensics

Consists of seven categories, 32 specialty areas grouped within the seven categories, and a list of associated knowledge / skills / abilities (KSAs) grouped within each of the specialty areas.

Page 20: DAU’s Response to Acquisition Cybersecurity Needs

• Cybersecurity Mission Assistance (MA) (consulting) and curriculum needs have increased significantly over the last 2 years
• New Cybersecurity IPT was chartered in 2014 to develop a response to increased cybersecurity demand
• 7 dedicated acquisition cybersecurity professionals were hired beginning in August of 2015 (Enterprise Assets)
• Several cybersecurity-related courses are being developed
• Over 30 Cybersecurity MA engagements are anticipated in FY 2017 (many engagements are in workshop form)

Page 21: DAU Acquisition Cybersecurity Training

• Vision: Enable the Defense Acquisition Workforce to strengthen cybersecurity throughout the product lifecycle
• Support DAU’s Acquisition Learning Model and satisfy Customer’s immediate requirements
  – Integrate the traditional, targeted/tailored, consulting, and workshop training into the Foundational, Workflow, and Performance learning objectives
  – Remain current and relevant
• Design Cybersecurity training to satisfy the Knowledge, Skills & Abilities (KSA) for competencies within the National Initiative for Cybersecurity Education (NICE) framework

Page 22: DAU Cybersecurity Team

• Foundational Learning Directorate Cybersecurity Team
  – David Pearson – E&T Center Director, Ft Belvoir, VA
  – Tim Denman – Cybersecurity Learning Director, Huntsville, AL
  – Dr. Greg Butler – Hill AFB, UT
  – Derek Duchein – San Diego, CA
  – Chris Newborn – San Diego, CA
  – Paul Shaw – San Diego, CA
  – Heath Ferry – Huntsville, AL
  – Rodney Visser – Huntsville, AL
  – Kim Kendall – Fort Belvoir, VA
• Other DAU Cybersecurity Experts
  – Steve Mills – Huntsville, AL
  – Ed Adkins – Eglin AFB, FL
  – Stephani Hunsinger – Fort Belvoir, VA

Primary Career fields include: Information Technology, Engineering, Program Management, Contracting, and Test & Evaluation

Areas of expertise include: Software Assurance, Resiliency, Contracting, Architecture, Cloud Security, Operational Testing, Threat Monitoring, and Supply Chain Risk Management

Our team teaches DoD Acquisition Cybersecurity, but team members have Army, Air Force, Navy and civilian backgrounds.

Page 23: Cybersecurity Curriculum Development

• CLE 074 – Cybersecurity Throughout DoD Acquisition – Deployed March 2015
• ENG 160 – Program Protection Planning Awareness – To be deployed mid 2016
• ENG 260 – Program Protection Planning for Practitioners – To be deployed late 2016/early 2017
• ISA 220 – RMF for Practitioners – To be deployed late 2016/early 2017
• Supply Chain Risk Management – Successful course kickoff Dec 9, 2015; deploy early 2017
• Software Assurance – Successful course kickoff Dec 9, 2015; deploy early 2017
• Unclassified Controlled Technical Information (CTI) – Working with OUSD to build workflow learning products for rapid training
  – Based on Better Buying Power 3.0

“DAU, … will develop education and training to increase workforce understanding of the value and best practices for system cybersecurity and CTI protection by October 2016.” (BBP 3.0)

Page 24: DAU Cybersecurity Workshops

Three levels of DAU Workshops…

1. Policy
2. RMF for Programs
3. Products for Programs Driven by Customers

Workshop topics shown on the slide: DoD 8500.01 Cybersecurity; DoD 8510.01 RMF; DoD 5000.02; RMF Implementation; Program RMF Strategy; Cybersecurity Contractual Requirements

Workshops can also serve as a bridge to cybersecurity curriculum development products.

Page 25: Questions?

Tim Denman
Cybersecurity Learning Director
Defense Acquisition University
[email protected]
Or
[email protected]