Title: Integrated Program Protection Integ… · Case Study of Warfighter Information Network –...

Title: Integrated Program Protection

Date: 12 Dec 2018

Presenters: Steve Kern, CENG, NAVAIR Cyber Warfare Detachment and Vincent Lamolinara, Prof. of Acquisition Cybersecurity, Defense Acquisition University, Mid-Atlantic Region

Moderator: Jim Davis, Logistics Department Chair, Defense Acquisition University, Mid-Atlantic Region


Objectives

• Show that Cybersecurity is a principal integrating factor in System Security Engineering and Program Protection Planning (PPP)

• Show that Integrated Cybersecurity / PPP properly characterizes and prioritizes residual weapon system risk

• Discuss how to improve DoD acquisition outcomes and achieve higher mission success and survivability in a cyber-contested environment through integrated PPP across the system lifecycle by:

– Transformational approaches
– Reducing / eliminating redundancy
– Building on existing Systems Engineering processes


Integrated System Security Engineering: Cybersecurity is the Common Link Across Functional Areas

Critical Program Information
• Anti-tamper

Information
• Cybersecurity
• C, I, A
• Resilience
• Survivability

Mission Critical Components & Functions
• TSN / SCRM

System Security Engineering
• HW/SW/FW Assurance
• Phys/Op/Info/Pers/ComSEC


Integrated Program Protection Vision

11/2018

Presented to: Acquisition Community

Presented by: Steve Kern, Cyber Warfare Chief Engineer, Senior Scientific Technical Manager (SSTM)


Vision

An integrated Program Protection Process to protect

– advanced technology,
– safety of flight,
– mission critical functions, and
– components

throughout the acquisition lifecycle, apply countermeasures and protections from malicious adversarial intent, illuminate and balance cyber risk and maximize resilience in a cyber contested environment.


Program Protection Instructions


Slide from DASD(SE) Melinda Reed briefing to NDIA on 25 Oct 2017


Observations

1. Process and organizational structure has been developed to address the individual program protection instructions. There are redundancies and overlaps in tasks among the processes.

2. There is an imbalance of Program Office effort across the processes.
• RMF and CPI/AT receive significant emphasis
• TSN/CA and the “cyber part” of SCRM receive less emphasis

3. An integrated Program Protection Process will identify opportunities to include technical and procedural security measures at the beginning of Systems Engineering and throughout the lifecycle during updates and engineering changes, as opposed to selecting controls after susceptibilities have been designed into the system.

4. One of the first steps in many processes is to decompose the mission of the platform/system into critical systems that are required to execute that mission.

• RMF from the data protection perspective (if NIST Control RA-3 is selected)
• CRA Step 1 is to “Decompose Mission Essential Functions”
• CPI Steps 1 & 2 are “Identify Mission Capability” and “Decompose System into components”
• TSN/CA Step 1 process is “ID principal mission threads and mission system functions”
• CYBERSAFE is to implement TSN/CA and is based on “Mission Essential Functions”


Observations (cont.)

5. The second (or third/fourth) step in many of the processes is to conduct some sort of criticality analysis/judgement of the identified subcomponents

• RMF Step 2 is to “Select Controls” – judge criticality of the data
• CRA Step 3 is to “Develop Attack Surface/ Attack Trees”
• CPI Step 3 process is to “Evaluate Criticality of each component (at least 3 levels)”
• TSN/CA Step 4 process is to “Assign criticality failure levels (I, II, III, IV) to components”

6. An adversarial-based assessment is required by all of the processes
• RMF does NOT require a Threat Assessment but NIST control RA-3 could be implemented and is part of a Common Control Package (CCP)
• CRAs require an intelligence-driven Threat Assessment
• CPI requires an intelligence (and Counter-Intelligence) driven Threat Assessment
• TSN/CA requires a (vendor) supply chain assessment (and CI assessment) for sources for components that are deemed critical level I/II components (not an adversarial based Threat Assessment)

7. We can do better


Integrated Program Protection Vision

SYSTEMS ENGINEERING PROCESS: Step 2 System Requirements | Step 3 High-Level Design | Step 5 H/W S/W Development | Step 9 System Validation | Step 10 Changes/Upgrades

FUNCTIONAL ANALYSIS AND ALLOCATION | DESIGN SYNTHESIS | VERIFICATION | DEPLOYMENT

Step 2 System Requirements

PROCESS STEP
• CRA Viewpoint 1
• RMF Step 1
• Intel Threat Assessment
• AT Step 1 CPI Assessment
• T&E Cybersecurity Requirements Analysis

OUTPUTS
• Cyber Attack Trees
• Cyber Risk Cube
• Categorization Letter
• PM Signature
• CPI Memo
• Intel Production Requests
• Threat Model
• Cyber VOLT
• Cyber T&E Strategy

Step 3 High-Level Design

PROCESS STEP
• CRA Viewpoint 2
• RMF Step 2
• CTT
• CPI Assessment
• AT Steps 2
• Intel Threat Assessment
• T&E Attack Surface Characterization

OUTPUTS
• Cyber Attack Trees
• Cyber Risk Cube
• Initial RMF Control Selection & Security Assessment Plan
• AT Mission Essential Function
• AT Level of Protection Requirement
• AT Letter of Concurrence
• CYBERSAFE Mission Criticality
• Critical Intelligence Parameters
• Intel Production Requests
• Threat Model

Step 5 H/W S/W Development

PROCESS STEP
• CRA Viewpoint 3
• RMF Step 2/3
• AT Steps 3 & 4
• TSN/Criticality Analysis
• SCRM Illumination
• Intel Threat Assessment
• CYBERSAFE Planning
• T&E Cooperative Vulnerability Identification

OUTPUTS
• Cyber Attack Trees
• Cyber Risk Cube
• RMF Control Selection & Control Design Plan
• Initial/ Final AT Plan
• AT Attack Trees
• Critical ICT Components
• SCRM-TAC Request
• DT Test Plan
• CYBERSAFE EDRAP
• Intel Production Requests
• Threat Model
• Critical Component CVI Reports

Step 9 System Validation

PROCESS STEP
• CRA Viewpoint 4
• RMF Step 4/5
• SCRM Assessment
• Developmental Testing
• CYBERSAFE OQE & Risk Review Board
• OT CVPA
• OT Adversarial Assessment

OUTPUTS
• Cyber Attack Trees
• Cyber Risk Cube
• RMF Risk Assessment Report, Security Assessment Report, FSCA Endorsement & Authorization to Operate
• SCRM Supply Chain
• AT Implemented
• DT Test Report
• OT Test Report
• FINTEL
• CYBERSAFE Certification

Step 10 Changes/Upgrades

• RMF Continuous Monitoring
• CYBERSAFE continuous Monitoring


System Security Engineering (SSE)


Anti-Tamper (AT)

Defense Exportability Features (DEF)

Software Assurance (SwA)

Hardware Assurance (HwA)

Cybersecurity

Supply Chain Risk Management (SCRM)

Other Security (OPSEC, INFOSEC, PERSEC, COMSEC)

Survivability / Resilience

System Security Engineering DCs

Performance Requirements

Structure

Maintainability

Propulsion

Security

Safety

Power

Reliability

Other System Engineering

24 System Engineering Design Considerations

Source: Defense Acquisition Guidebook (DAG)


SSE Produces Common Sets of Artifacts


Authority to Operate

CYBERSAFE Certification

Requirements Design Implementation Assessment

Common set of artifacts tailored into separate approval packages for CYBERSAFE, Cyber Survivability Endorsement, ATO and AT Approval

Artifacts

Anti-tamper Approval

ATEA

Cyber Survivability Endorsement

DT / OT Blue & Red Team Test


System Security Working Group


SSWG

LOGPOPL

Cyber Team: ISSM, ISSO, ISSE

Security

Intel

T&E SEAT

User

Training

Ad Hoc includes as needed: PM, BFM, CON, et al.

Developer

Ad Hoc

S/W Engr

The IPT Model Integrates Cybersecurity across Competencies


System Security Working Group


System Security Working Group (SSWG) Charter

SSWG Inputs
• CDD
• Acq Strat
• DODAF
• DoDI 5000.02 (enclosure 14)
• DoDI 5000.75
• DoDI 8500.01
• DoDI 5200.44
• NIST SP 800-53
• DoD Cybersecurity T&E Guide
• CNSS 505
• CNSSI 1253
• Security Technical Implementation Guides (STIGs)

SSWG Outputs
• Program Protection Plan (PPP)
• Cybersecurity Strategy
• Criticality Analysis
• Test & Evaluation Master Plan (TEMP) Appendix E
• Anti-Tamper (AT) Plan

Security Engineering Inputs
• System Engineering Plan (SEP)
• System Design
• Software Development Plan (SDP)
• Request for Proposal (RFP)
• Program Security Classification Guide (SCG)
• Supply Chain Risk Management (SCRM) Plan
• Life Cycle Support Plan (LCSP)
• Software Assurance Plan
• Program Budget

How do we make these Outputs “living” documents?


Test as a Cyber Integrator

• T&E links the Risk Management Framework (RMF) & Program Protection Plan (PPP) Analysis

• Mission-Based Cyber Risk Assessment (MBCRA)
– CTT, CRA, SCA-V, CJA, etc.
– Institute for Defense Analyses comparative study provides a decision diagram

https://intelshare.intelink.gov/sites/atlcoi/cyberTableTops

Presentation Notes: For the acquisition workforce resource library – T&E especially

Cyber Risk Assessment (CRA)


Mission Critical Functions Mapped to Subsystems

Attack Tree Nodal Analysis

Combining All Risk Aspects

Mission–Based Risk

• Shows mission risk, recommends test, justifies fixes, tradeoffs
• Re-assess selected Cybersecurity Controls

CRA comprehensively Assesses People, Processes & Technology (PPT)

Presentation Notes:
– Assume understanding of threat and UNCLAS environ
– How much is enough? Criteria, Mid-tier threat
– Cost benefit of RMF / Cybersecurity - Force Multiplier or Compliance
– RMF applied as bureaucracy vs real Risk Assessment
– NDAA 1647 concerns
– Cyber Table Top / Cyber Risk Assessment and Test Budget, Facilities and Talent
– Cyber Hardened Strike Group evaluation expectations - Plans to practice
– Enclave and CYBERSAFE strategy
– Cybersecurity Survivability KSAs and approach
– Workforce training status and strategy
– Applications of emergent technologies, timeline and limitations
– Priority Investments for Cybersecurity

Joint Staff Survivability KPP provides a Framework for Integrated Cybersecurity Requirements

Why do we need CYBERSAFE, Trusted Systems and Networks, etc.?

Presentation Notes: We have NIST, RMF, Threat Intelligence, why do we need this also? Everything we can find, someone else had a process and/or methods; we added a framework on top. We are the front end that feeds all those things - CSE Framework is the overarching framework to implement cyber security. Well postured and positioned…. RMF, ATC, ATO flow straightforwardly from an adequate or strong cyber survivability structure.

Exposing Engineers to Failures More Frequently Incentivizes Them to Build Resilient Services.

Continuous Red & Blue “Testing” is the New Normal

*Chaos Monkey is a service which identifies groups of systems and randomly terminates one of the systems in a group.


Case Study of Warfighter Information Network – Tactical (WIN-T) Inc 2

• Passed Adversarial Cyber FOT&E!

• Cybersecurity Integrates into systems engineering vice separate solution

• % Fix Effectiveness was key metric!
• Assumption of breach
• Continuous Testing & Fixes with JHU APL & Developer

• Threat models, with > 10 million threat sims


Summary

• Integrated PPP / Cybersecurity requires transformational SSE / RMF

• Threat and Complexity require continuous monitoring & update

• MBCRA / Test / PPP update never ends in cyber-contested environment

• Cyber Survivability offers Rosetta stone approach to unifying / translating RMF Security Controls and Systems (Security) Engineering methods

• SSWG is paramount – helps end Stovepipes

• PPP brings it all together - can highlight redundant and conflicting issues


Questions?


Resources

• Cybersecurity in the Defense Acquisition System. Enclosure 14 of Department of Defense Instruction (DoDI) 5000.02, Operation of the Defense Acquisition System, pp. 171-187, February 2, 2017, Incorporating Change 3, August 10, 2017

• DoD Instruction 5200.39, Critical Program Information (CPI) Identification and Protection Within Research, Development, Test, and Evaluation (RDT&E), May 28, 2015, Incorporating Change 1, November 17, 2017

• DoD Directive 5200.47E, Anti-Tamper (AT), September 4, 2015, Incorporating Change 1, August 28, 2017

• DoD Instruction 5200.44, Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN), November 5, 2012, Incorporating Change 2, July 27, 2017

• USD(AT&L) Memorandum, Document Streamlining – Program Protection Plan (PPP), July 18, 2011

• Cyber Survivability Endorsement Implementation Guide Vol II & Vol III (Classified)

• Cyber Table Top Facilitator Site: https://intelshare.intelink.gov/sites/atlcoi/cyberTableTops


Additional Resources

• Additional Resources & Tools such as CALIT and ACQuipedia articles and videos can be found at DAU Cybersecurity Community of Practice Page: https://www.dau.mil/cop/cybersecurity/Pages/Topics/Knowledge%20Sharing%20and%20Job%20Support%20Tools.aspx

• Tools:
– Cybersecurity & Acquisition Lifecycle Integration Tool - CALIT
– Quick Reference Card - Cybersecurity Black Card

• Videos:
– Ongoing Efforts to Protect the DoD’s Unclassified Information, 13 Jan 17 (duration: 12 min)
– Cybersecurity Implementation, Kevin Dulany (DoD CIO Office) - Duration: 90 Min
– Cybersecurity Risk Management Framework Overview Mar 2017

• Articles:
– ACQuipedia - Cybersecurity & the DoD Acquisition Lifecycle
– ACQuipedia - RMF for DoD IT
– ACQuipedia - System Survivability KPP
– ACQuipedia - Supply Chain Risk Management
– Defense AT&L Magazine - Including Cybersecurity in the Contract Mix, Mar-Apr 2018
– Defense AT&L Magazine - Supply Chain Risk Management: An Introduction to the Credible Threat, Jul-Aug 16
– Defense AT&L Magazine - Cybersecurity; The Road Ahead for Defense Acquisition, May-Jun 16
– Defense AT&L Magazine - Cyber Integrator Concept, Mar-Apr 15
– Defense AT&L Magazine - Cybersecurity Challenges for Program Managers, Sep-Oct 14
– Crowd Source Article - Fact Sheet Hack the Pentagon


BACKUP


Rosetta Stone: SS KPP CSAs to RMF to Systems Security Engineering (SSE) Translation

SS KPP/CSE Implementation Guide Vol II ‒ Risk-Managed Performance Measures, Joint Staff J6/J8, DCIO, NSA IAC, 2018


CSA to RMF to System Security Engineering (SSE) Mapping

• SS KPP to CSA to RMF (NIST Security Controls) to SSE Mapping
– Least Privilege
– Resistance to Attack
– Continuous Monitoring
– Prioritized Operations
– Data Segregation
– Recover from a Trusted Source
– Periodically Save State
– Threat Evolution
– Failover

• “Mesh” Interrelation

• Focus on Weapon System germane controls

• Adapt controls for SSE which is more relevant to Weapon Systems

• Exemplar SSE Requirements Language for:
– ICD / CDD / CPD
– RFP
– SOW

RMF - CSA

RMF - SSE

CSA to SSE


Cyber Table Top (CTT) – Risk Assessment

• Input to Controls Selection / Risk Assessment / Pre-Test
• User Reps / Focused Mission Areas

*Facilitator Training Available via DAU & Ms. Standard, Sarah M CIV OSD OUSD ATL (US),

Exercise Preparation

Exercise Execution

Post Exercise Analysis

Reporting

Develop Mission Plan

• Analyze Architecture, CONOPS, Intelligence

• Define Mission

• Define Attack Paths, & Vulnerabilities
• Analyze adversary attacks

• Determine Cyber Risk: Likelihood vs Consequence

• Mitigations
• Reports

Execute Attacks

Describe Effects

Develop Mitigations

Define Access Paths

~ 3-5 days

Color Code: Operational Team, OPFOR Team, Control / Analysis Teams, Reporting Team

~ 30-60 days

~ 30-60 days

Presentation Notes:
Q- What is most critical part of a CTT? – prep and User reps
F/P/NMC = full, partial, not mission capable
Facilitator Training Available from the National Cyber Range via Ms Christa Pettie