Advanced Technology Academic Research Council

Federal CISO Summit

Acting Deputy DoD CIO Cyber Security, Department of Defense

25 January 2018

Ms. Thérèse Firmin

DoD CIO

Support the Warfighter

UNCLASSIFIED

Overview

Secretary Mattis’ Priorities

Cybersecurity Focus Areas


Secretary Mattis’ Priorities

• Restore military readiness as we build a more lethal force

• Strengthen alliances and attract new partners

• Bring business reforms to the Department of Defense


Cybersecurity Focus Areas

• Manage cybersecurity risk to highest priority missions, systems and networks

• Streamline processes and policies throughout CIO

• Grow the cyber workforce


Focus Area 1

Manage Cybersecurity Risk to Highest Priority Missions, Systems and Networks


DoD Cybersecurity Landscape (slide diagram; labels recovered from the graphic)

Center: Dependable mission execution in the face of cyber warfare

Quadrants: Technology, Culture, People & Partners, Systems & Networks

• Cyber Scorecard: cyber basics discipline, implementation plan, monitoring and metrics, compliance, NSCSAR

• Cybersecurity architecture, operating systems / network components, major DoD programs, innovation, pace of change, Internet of Things, cloud

• Leadership, knowledge, accountability, risk management, training

• Cyber forces, users, industry, government partners

Threats shown: hacktivism, phishing attacks, malware, insider threat, exfiltration of intellectual property, threats from state adversaries, threats from non-state adversaries


Cyber Executive Order 13800

• Heads of executive departments and agencies have ultimate responsibility for cybersecurity.

• CIO/CISO chains of command are still responsible, but responsibility also includes the non-CIO executive leaders.

• Within DoD, the Cybersecurity Scorecard is being used as a mechanism to begin to drive this accountability.


DIB Cybersecurity Program

The DIB Cybersecurity Program is a public-private partnership that:

• Provides a collaborative environment for sharing unclassified and classified cyber threat information

• Offers analyst-to-analyst exchanges, mitigation and remediation strategies

• Increases U.S. Government and industry understanding of cyber threat

Mission: Enhance and supplement Defense Industrial Base (DIB) participants’ capabilities to safeguard DoD information that resides on, or transits, DIB unclassified information systems

Eligibility: A contractor must be a Cleared Defense Contractor to participate in this program.


Focus Area 2

Streamline Processes and Policies Throughout CIO


Protecting the DoD’s Unclassified Information

(Slide diagram, reconstructed as a list: which security requirements apply to each type of system handling DoD unclassified information)

• DoD owned and/or operated information system (DoD Information System, including internal cloud): security requirements from CNSSI 1253, based on NIST SP 800-53, apply. When cloud services are provided by DoD, the DoD Cloud Computing SRG applies.

• System operated on behalf of the DoD (external cloud / Cloud Service Provider): when cloud services are used to process data on the DoD's behalf, DFARS Clause 252.239-7010 and the DoD Cloud Computing SRG apply.

• Contractor’s internal system: security requirements from NIST SP 800-171, DFARS Clause 252.204-7012, and/or FAR Clause 52.204-21 apply.

Information categories shown in the diagram: Controlled Unclassified Information (USG-wide), Federal Contract Information, and Covered Defense Information (includes Unclassified Controlled Technical Information).


Transition from CIO Scorecard 1.0 to 2.0

• Scorecard 1.0 provides aggregation of existing data

  o Extensive survey to produce scorecard

  o Limited to compliance (Yes and No)

  o Tabular data view

• Scorecard 2.0 shifts to Risk Management – “Heat Map”

  o Eliminate the “human in the loop”

  o Integration of threat and impact with current vulnerability data – Heat Map view

  o Facilitates agility and rapid decision making by the CISO/CIOs

  o Assists commander as a risk assessment tool for missions

(Figure: Scorecard 1.0 tabular view beside the Scorecard 2.0 threat / risk view)


Integrating the Cybersecurity Framework with the Risk Management Framework

• CS risk only part of organizational risk management procedures

• Organizational risk management requires multi-disciplinary teams

• Taxonomy allows IT/CS/Business personnel to communicate

• Implementation will vary between orgs based on their needs

• Goal: allocate scarce resources to address CS needs most efficiently

• Focus on Critical Assets First

(Figure: Cybersecurity Framework aligned with the Risk Management Framework)


Focus Area 3

Grow the Cyber Workforce


Cyber Workforce


Trends & Challenges:

- Growing reliance on technology

- Increasingly complex operating environment

- Evolution of skills and expectations

- Lack of cyber workforce standards

D o D C I O

S U P P O R T T H E W A R F I G H T E R

UNCLASSIFIED

End State

• Increased Senior-level advocacy for cybersecurity as a mission imperative.

• Improved cybersecurity in organic and outsourced systems.

• Use of tools based on common standards that allow us to exploit the power of big data analytics.

• Increased collaboration with our partners within DoD, other government agencies, industry and our academic partners.

• Proactive, anticipatory and responsive to cyber threats.
