Title: Cybersecurity and SETR Cyber S¢  Security Controls. 4. Assess Security Controls. 6. Continuous

  • View
    0

  • Download
    0

Embed Size (px)

Text of Title: Cybersecurity and SETR Cyber S¢  Security Controls. 4. Assess Security Controls. 6....

  • Title: Cybersecurity and SETR

    Date: 16 August, 2017

    Presenters: Roy Wilson and Vincent Lamolinara, Professors of Acquisition Cybersecurity, Defense Acquisition University, Mid-Atlantic Region

    Moderator: Jim Davis, Logistics Department Chair, Defense Acquisition University, Mid-Atlantic Region

  • Learning Objective

    (LO) The participants will understand and recognize how cybersecurity is addressed via systems engineering technical review (SETR) to counter adversarial threats to system information, critical program information (CPI), and critical components (CC)/Critical Functions (CF).

  • System Security Engineering (SSE)

    3

    Anti-Tamper (AT)

    Defense Exportabilty Features (DEF)

    Software Assurance (SwA)

    Hardware Assurance (HwA)

    Cybersecurity

    Supply Chain Risk Management (SCRM)

    Other Security (OPSEC, INFOSEC, PERSEC, COMSEC)

    System Security Engineering Performance Requirements

    Structure Maintainability

    Propulsion Security Safety Power

    Reliability Other System Engineering

    System Engineering

    SSE an element of system engineering (SE) that applies engineering principles to • Identify security vulnerabilities • Minimize or contain risks associated with these vulnerabilities.

  • SSE Processes Across the Lifecycle

    • What are the most difficult tasks of the SE process for SSE?

    • Compare with other SE areas?

    Continuous application across all phases

    4

  • 5

    Integrating RMF, Cybersecurity, Systems Engineering & Test

    5. System Authorization

    Decision

    3. Implement Security Controls

    4. Assess Security Controls

    6. Continuous Monitoring

    1. Categorize

    System

    Determine Authorization Boundary

    2. Select Security Controls

    System Survivability KPP

    Ref: ISO/IEC/IEEE 15288, Systems and Software Engineering- System Lifecycle Processes, 15 May 15

    Blue Team / Vulnerability Assessments

    Red Team / Threat Representative Testing

    Cyber Risk Assessment (CRA Secure Coding Practices

    Cybersecurity Stakeholders

    Security Architecture and

    Design

    Trusted Systems / Supply Chain Risk (TSN/SCRM)

    Cyber in the RFP

    Cyber Table Top (CTT)

    Cyber Table Top (CTT)

    RMF Test Sys Eng Cybersecurity

    ELO 7

  • System Security Engineering (SSE) & SETR

    https://www.dau.mil/tools/t/Cybersecurity-and-Acquisition-Lifecycle-Integration-Tool-(CALIT)

  • 7

    • Iterative with changes in architecture, test and new threats across the acquisition lifecycle

    Ref: Cybersecurity TE Guidebook, Jul 2015

    Cybersecurity – Test & Evaluation

    • CTT designed to support • Test “Tools” often custom per platform • DT Must integrate with & support OT&E – Adversary Threat Level ROE!! • Cyber Ranges & Red Teams have limited availability

  • Cyber Security in the SETR Timeline

    8Enclosure IV to NAVAIR SWP 4800-43

  • SETR Entry/Exit Criteria Checklists for SSE

    9Enclosure IV to NAVAIR SWP 4800-43

    • Major SETR events • ASR, SRR, SFR, PDR, CDR, TRR,

    SVR, FCA, PCA • Service/SYSCOM/MAJCOM specific • Tailored for each system

    • Common core • OSD/SE CRWS assessing SETR

    entry and exit criteria for resiliency

  • PDR SSE Criteria Sample (partial list)

    10Enclosure IV to NAVAIR SWP 4800-43

    SSE concerns in system Allocated baseline.

    Security performance requirements addressed in Preliminary system design within constraints (Cost, Schedule, etc.). Ready for Detailed design.

    Security requirements flowed down to lower tier specifications. • Tagged with meta-data, bi-directionally traceable, verifiable.

    System trade studies include security impacts for architecture, design, CONOPS, etc.

    Updated criticality analysis, CPI, critical functions / components, countermeasures, with rationale.

  • Questions?

    11

  • Contact Info

    • Roy Wilson 240.895.7328 Roy.Wilson@dau.mil

    • Vinny Lamolinara 240.895.7382 Vincent.Lamolinara@dau.mil

    12

    mailto:Roy.Wilson@dau.mil mailto:Vincent.Lamolinara@dau.mil

    Title: Cybersecurity and SETR�� Learning Objective System Security Engineering (SSE) SSE Processes Across the Lifecycle� Slide Number 5 Slide Number 6 Slide Number 7 Cyber Security in the SETR Timeline SETR Entry/Exit Criteria Checklists for SSE PDR SSE Criteria Sample (partial list) Slide Number 11 Contact Info