Title: Cybersecurity and SETR
Date: 16 August, 2017
Presenters: Roy Wilson and Vincent Lamolinara, Professors of Acquisition Cybersecurity, Defense Acquisition University, Mid-Atlantic Region
Moderator: Jim Davis, Logistics Department Chair, Defense Acquisition University, Mid-Atlantic Region
Learning Objective
(LO) The participants will understand and recognize how cybersecurity is addressed via systems engineering technical review (SETR) to counter adversarial threats to system information, critical program information (CPI), and critical components (CC)/critical functions (CF).
System Security Engineering (SSE)
Anti-Tamper (AT)
Defense Exportability Features (DEF)
Software Assurance (SwA)
Hardware Assurance (HwA)
Cybersecurity
Supply Chain Risk Management (SCRM)
Other Security (OPSEC, INFOSEC, PERSEC, COMSEC)
[Figure labels: System Security Engineering, Performance Requirements, Structure, Maintainability, Propulsion, Security, Safety, Power, Reliability, Other, System Engineering]
SSE is an element of system engineering (SE) that applies engineering principles to:
• Identify security vulnerabilities
• Minimize or contain risks associated with these vulnerabilities
SSE Processes Across the Lifecycle
• What are the most difficult tasks of the SE process for SSE?
• Compare with other SE areas?
Continuous application across all phases
Integrating RMF, Cybersecurity, Systems Engineering & Test
1. Categorize System
Determine Authorization Boundary
2. Select Security Controls
3. Implement Security Controls
4. Assess Security Controls
5. System Authorization Decision
6. Continuous Monitoring
System Survivability KPP
Ref: ISO/IEC/IEEE 15288, Systems and Software Engineering- System Lifecycle Processes, 15 May 15
Blue Team / Vulnerability Assessments
Red Team / Threat Representative Testing
Cyber Risk Assessment (CRA)
Secure Coding Practices
Cybersecurity Stakeholders
Security Architecture and Design
Trusted Systems / Supply Chain Risk (TSN/SCRM)
Cyber in the RFP
Cyber Table Top (CTT)
RMF / Test / Sys Eng / Cybersecurity
ELO 7
System Security Engineering (SSE) & SETR
https://www.dau.mil/tools/t/Cybersecurity-and-Acquisition-Lifecycle-Integration-Tool-(CALIT)
• Iterative with changes in architecture, test and new threats across the acquisition lifecycle
Ref: Cybersecurity TE Guidebook, Jul 2015
Cybersecurity – Test & Evaluation
• CTT designed to support
• Test “Tools” often custom per platform
• DT Must integrate with & support OT&E – Adversary Threat Level ROE!!
• Cyber Ranges & Red Teams have limited availability
Cyber Security in the SETR Timeline
Enclosure IV to NAVAIR SWP 4800-43
SETR Entry/Exit Criteria Checklists for SSE
• Major SETR events
• ASR, SRR, SFR, PDR, CDR, TRR, SVR, FCA, PCA
• Service/SYSCOM/MAJCOM specific
• Tailored for each system
• Common core
• OSD/SE CRWS assessing SETR entry and exit criteria for resiliency
PDR SSE Criteria Sample (partial list)
SSE concerns in system Allocated baseline.
Security performance requirements addressed in Preliminary system design within constraints (Cost, Schedule, etc.). Ready for Detailed design.
Security requirements flowed down to lower tier specifications.
• Tagged with meta-data, bi-directionally traceable, verifiable.
System trade studies include security impacts for architecture, design, CONOPS, etc.
Updated criticality analysis, CPI, critical functions / components, countermeasures, with rationale.
Questions?