Professor Edward A. Adkins
Defense Acquisition University (DAU)
Engineering, Test and [email protected], 850-883-4802
DoD Cybersecurity
Policy Update
May 10, 2017
DAU Supporting ITEA Test Instrumentation Workshop
“The DoD should expect cyber attacks to be part of all conflicts in the future, and should not expect competitors to play by our version of the rules” DSB Report
What’s the Big Deal?
Resilient Systems… and Advanced Cyber Threats
“Cybersecurity is a requirement for all DoD programs and must be fully considered and implemented in all aspects of acquisition programs across the life cycle.” DODI 5000.02
Overview
• Definition of Cybersecurity
• DODI 8500.01 / 8510.01, Mar 2014
• DODI 5000.02, Feb 2017:
– Cybersecurity and the PM
– Cybersecurity and T&E
– Threats and Intel
• FY16 Law – NDAA 1647
• DAU Cybersecurity Activities
• Summary
What is Cybersecurity?…. “The prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.”
(Source: National Security Presidential Directive-54 / Homeland Security Presidential Dir-23, “Cybersecurity Policy,” January 8, 2008)
Cybersecurity applies to all IT that receives, processes, stores, displays, or transmits DoD information
Cybersecurity
The DoD CIO updated several 8500-series publications to transition from information assurance (IA) to Cybersecurity.
These policies employ a more holistic, adaptive, resilient and dynamic approach to implement cybersecurity across the full spectrum of IT and cyber operations.
Both revised March 2014
Prior Versions: DoDD 8500.01E, DoDI 8500.2, DoDI 8510.01
• Information Assurance (IA)
• Mission Assurance Cat. (MAC), Confidentiality Level (CL)
• DoD Specific IA Definitions
• DoD IA Controls
• C&A Process
Updated Versions: DoDI 8500.01, DoDI 8510.01
• Cybersecurity
• Security Objective: Confidentiality, Integrity, Availability
• Impact Value: Low/Mod/High
• CNSSI 4009 Glossary of Terms
• CNSSI 1253 - Categorizes Systems to Select NIST SP 800-53 Security Controls
• Joint Task Force Transformation Initiative
• Risk Management Framework (RMF)
DODI 8500.01 and 8510.01
DODI 8510.01: RMF
Risk Management Framework
OSD Website… the RMF Timeline
Completed DIACAP Package Submitted to AO for Signature | ATO Date | Maximum Duration of ATO under DIACAP
Present through May 31, 2015 | Determined by AO Signature Date | 2.5 years from AO signature date
June 1, 2015 through February 1, 2016 | Determined by AO Signature Date | 2 years from AO signature date
February 2, 2016 through October 1, 2016 | Determined by AO Signature Date | 1.5 years from AO signature date
What this means: Systems authorized under DIACAP should be extinct by mid-year 2018. All systems will be authorized for test/fielding via the Risk Management Framework (RMF)
• Prior DODI 5000.02 was 154 pages…the latest version dated Feb 2, 2017 is 188 pages - (changes are shown in blue below)
– 1. Purpose.
• a. “Policy for the management of all acquisition programs.”
• b. Authorizes Milestone Decision Authorities (MDAs) to tailor the regulatory requirements and acquisition procedures…to efficiently achieve program objectives, consistent with statutory requirements
• c. Assigns, reinforces, and prescribes procedures for acquisition responsibilities related to cybersecurity in the Defense Acquisition System (DAS).
– Also New: Enclosure 14. Cybersecurity in the DAS
DODI 5000.02: Cybersecurity and PM
• DODI 5000.02, dated Feb 2, 2017 – Enclosure 14: Cybersecurity in the Defense Acquisition System
– 2. Cybersecurity Risks. “Program Managers (PMs) will pay…attention to:”
• a. Government Program Organization.
• b. Contractor Organizations and Environments. “Poor cybersecurity practices, untrained personnel, undetected malicious insiders,… incorrect classification of information…dissemination… control, and… network security can be used by threat actors…”
• c. Software and Hardware.
• d. System Interfaces.
• e. Enabling and Support Equipment, Systems, and Facilities. “Test, certification, maintenance, design, development, manufacturing, training systems, equipment…can be used by threat actors…”
DODI 5000.02: Cybersecurity and PM
• DODI 5000.02, dated Feb 2, 2017 – contains a new Enclosure 14: Cybersecurity in the Defense Acquisition System
– 1.a.(1) Introduction. “…Cybersecurity is a requirement for all DoD programs and must be fully considered and implemented in all aspects of acquisition programs across the life cycle.” [PMs - can’t go it alone]
– 1.b. Program Manager (PM) Responsibilities. “PMs…are responsible for the cybersecurity of their programs, systems, and information. This responsibility starts from the earliest exploratory phases of a program, with supporting technology maturation, through all phases of the acquisition. Acquisition activities include system concept trades, design, development, Test and Evaluation (T&E), production, fielding, sustainment, and disposal.”
DODI 5000.02: Cybersecurity and PM
• DODI 5000.02, dated Feb 2, 2017 – new Enclosure 14: Cybersecurity in the Defense Acquisition System
– “3.b. Design for Cyber Threat Environments. In order to design, develop, and acquire systems that can operate in applicable cyber threat environments, PMs will… (2)(b) Identify the digitized T&E data that will contribute to assessing progress toward achieving cybersecurity requirements. The T&E strategy should include not only the explicit cybersecurity requirements, but also all key interfaces. This is the key first step of the T&E planning process to support design and development. To support the architecture and design considerations… determine the avenues and means by which the system and supporting infrastructure may be exploited for cyber-attack and use this information to design T&E activities and scenarios.”
DoDI 5000.02: Cybersecurity and T&E
• DODI 5000.02, dated Feb 2, 2017 – new Enclosure 14: Cybersecurity in the Defense Acquisition System
– “3.b. Design for Cyber Threat Environments. PMs will… (2)(c) Apply DoDIs 8500.01 and 8510.01 IAW DoD Component implementation and governance procedures. PMs will use program protection planning, system security engineering, Developmental Test and Evaluation (DT&E), sustainment activities, and cybersecurity capabilities or services external to the system (e.g., common controls) to meet [RMF] objectives. PMs will collaborate with designated Authorizing Officials (AOs) from program inception and throughout the life cycle, to ensure system and organizational cybersecurity operations are in alignment, and to avoid costly changes…”
DoDI 5000.02: Cybersecurity and T&E
• DODI 5000.02, dated Feb 2, 2017 – new Enclosure 14: Cybersecurity in the Defense Acquisition System
– “3.b. Design for Cyber Threat Environments. PMs will… (13) Plan for… cybersecurity T&E in order to identify and eliminate as many cybersecurity shortfalls as early in the program as possible... Beginning early, before Milestone A, work closely with the Chief Developmental Tester as well as the T&E WIPT to plan…and conduct cybersecurity T&E. Cybersecurity T&E spans the entire material life cycle of the program… T&E activities should be planned for and documented in the Test and Evaluation Master Plan (TEMP), including the T&E Strategy, evaluation frameworks (DT&E and operational T&E), and resource requirements.”
DoDI 5000.02: Cybersecurity and T&E
• DODI 5000.02, dated Feb 2, 2017 – new Enclosure 14: Cybersecurity in the Defense Acquisition System
– “3.b.(13).(a) Developmental Testing [DT&E]
1. Cooperative Vulnerability Identification. Conduct T&E activities to collect data needed to identify vulnerabilities and plan the means to mitigate or resolve them, including system scans, analysis, and architectural reviews.
2. Adversarial Cybersecurity DT&E. Conduct a cybersecurity DT&E event using realistic threat exploitation techniques in representative operating environments and scenarios to exercise critical missions within a cyber-contested environment to identify any vulnerabilities.”
DoDI 5000.02: Cybersecurity and T&E
• DODI 5000.02, dated Feb 2, 2017 – new Enclosure 14: Cybersecurity in the Defense Acquisition System
– “3.b.(13).(b) Operational Testing [OT]. Two phases of cybersecurity testing are required as part of OT for all systems under the oversight of the Director of Operational Test and Evaluation. PMs should coordinate with the appropriate operational test agency… 1. Cooperative Vulnerability and Penetration Assessment. This phase consists of an overt examination of the system to identify all significant vulnerabilities and the risk of exploitation of those vulnerabilities... The assessment should consider the operational implications of vulnerabilities as they affect the capability to protect system data, detect unauthorized activity, react to system compromise, and restore system capabilities. This may be integrated with DT&E…if conducted in a realistic operational environment...”
DoDI 5000.02: Cybersecurity and T&E
• DODI 5000.02, dated Feb 2, 2017 – new Enclosure 14: Cybersecurity in the Defense Acquisition System
– “3.b.(13).(b) Operational Testing [OT]. Two phases… 2. Adversarial Assessment. This phase assesses the ability of a unit equipped with a system to support its mission while withstanding cyber threat activity representative of an actual adversary... The test must evaluate the ability to protect the system and data, detect threat activity, react to threat activity, and restore mission capability degraded or lost due to threat activity. This test…should [use] National Security Agency-certified adversarial team to act as a cyber aggressor presenting multiple cyber intrusion vectors consistent with the…threat.”
Cybersecurity have requirements or controls to “restore?”
DoDI 5000.02: Cybersecurity and T&E
What is Operational Resilience? The ability of systems to anticipate, continue to operate correctly in the face of, recover from, and evolve to better adapt to advanced cyber threats
“Whenever possible, technology components (e.g., hardware and software) have the ability to reconfigure, optimize, self-defend, and recover… with little or no human intervention.” (p. 3)
Operational Resilience
Testing “restore” / “recover” requirements... do we do this?
• DODI 5000.02, dated Feb 2, 2017 – contains Guidance on T&E interaction with Intelligence – Enclosure 4 – DT&E:
– 5. c. DT&E Planning Considerations. IAW DoDI 8510.01, all programs must have security controls implemented…
…DIA, in coordination with the PM, will determine the generation of the relevant operational threat environment based on the System Threat Assessment VOLT Report, the Multi-Service Force Deployment, the Joint Country Forces Assessment and scenario support products IAW DoDI 5000.61, DIA Directive 5000.200 and DIA Instruction 5000.002.”
DoDI 5000.02: Cybersecurity and T&E
Threats: Becoming Sophisticated
We need to consider these various types of threats: During Test Planning…Test Events…and for the T&E data we are collecting…
• DODI 5000.02, dated Feb 2, 2017 – contained minor CHANGES for TTRA, LMDP and Lifecycle due dates – Table 2 Requirements:
– “Technology Targeting Risk Assessment (TTRA). Regulatory. Prepared by DoD Component and coordinated with DoD Component Intelligence analytical centers per DoDI O-5240.24 and DoDI 5200.39. Forms the analytic foundation for Counterintelligence assessments in the PPP. Defense Intelligence Agency (DIA) will validate the report for ACAT ID and IAM; for ACAT IC, IAC, and below, the DoD [Intelligence] Component will be the validation authority. …Required at Milestone A.”
– “Life-Cycle Mission Data Plan (LMDP). Regulatory; required if the system is dependent on Intelligence Mission Data. A draft is due for Development RFP Release; approved at Milestone B.”
DODI 5000.02: Threats and Intel
• DODI 5000.02, dated Feb 2, 2017 – contained MAJOR CHANGES for use of VOLT and VOLT Report – Table 2 Requirements:
– Initial Threat Assessment…and Capstone Assessment. DELETED
– Validated On-line Life-cycle Threat (VOLT) Report. Regulatory. MDAP and MAIS programs require a…system-specific VOLT Report to assess…capability gaps against likely threat capabilities at IOC. VOLT Reports are required for all other programs unless waived by the MDA. Programs on the DOT&E Oversight List require a unique, system-specific VOLT, unless waived by MDA and DOT&E. DoD Components produce a VOLT.
Required at Material Development Decision (MDD) - all programs
Updated at: Milestone A, RFP Release, Milestone C and Full Rate
DODI 5000.02: Threats and Intel
• Section 1647: Evaluation of Cyber Vulnerabilities of Major Weapon Systems of the Department of Defense.
– (a) Evaluation Required. “The Secretary of Defense shall…complete an evaluation of the cyber vulnerabilities of each major weapon system of the Department of Defense NLT December 31, 2019.”
– (b) Plan for Evaluation. “(2) The plan…shall [prioritize] evaluations based on the criticality of major weapon systems, as determined by the Chairman of the Joint Chiefs of Staff based on…employment of forces and threats. (3) The plan… shall not duplicate similar ongoing efforts such as Task Force Cyber Awakening (TFCA) of the Navy or Task Force Cyber Secure (TFCS) of the Air Force.”
NDAA for FY16 – Section 1647
• Section 1647: Evaluation of Cyber Vulnerabilities of Major Weapon Systems of the Department of Defense.
– (c) Status on Progress. “Secretary shall inform the [Congress] of the activities undertaken in the evaluation of major weapon systems under this section as part of the quarterly cyber operations briefings under title 10, United States Code.”
– (d) Risk Mitigation Strategies. “As part of the evaluation of cyber vulnerabilities of major weapon systems of the Department under this section, the Secretary shall develop strategies for mitigating the risks of cyber vulnerabilities identified in the course of such evaluations.”
Who has responsibility for this? AOs? TFCA and TFCS?
NDAA for FY16 – Section 1647
Course Title | Comments
CLE 074 - Acquisition Cybersecurity | Deployed March 2015, Being updated – Over 13,000 graduates to date
ACQ 160 – Program Protection Planning Awareness | Deployed July 2016 – 16 hour online course
ENG 260 – Program Protection Planning | Co-developing with DASD(SE) – To be deployed late FY 18
ISA 220 – Risk Management Framework | Deployed March 30, 2017 – 12 hour online course
CLE 080 – Supply Chain Risk Management | All course material submitted to contractor. Deploy FY 17 Q4
CLE 081 - Software Assurance | Course on hold due to budget constraints – Need approximately 6 months for contractor to complete
New Cybersecurity/PPP Curriculum
DAU Cybersecurity Consulting (MA)
• Consulting for USAF AO since 2012
• DAU / Lockheed MOU - Cybersecurity Training since 2013
• Consulting for Army Aviation & Missile Research, Development and Engineering Center (AMRDEC) since 2014
• Consulting for USAF (AFOTEC) 2015
• DAU Meeting Army Navy USAF CIO Reps 2015
• Training for DMCA 2015
• Workshops for Navy (NSWC & LCS PMO) 2015
• Workshops for Navy (SPAWAR) since 2015
• Workshops for USAF (AFTC/TD) since 2015
“since” = formal MA agreement established and still ongoing
• Training for USAF Intelligence (AFLCMC) since 2015
• Workshop for Navy (Crane) 2016
• Workshops for USMC (Quantico) since 2016
• Training for Navy (SPAWAR) since 2016
• Workshop for Army (JLTV PMO) since 2016
• Workshops for Joint Interop (JITC) 2016
• Workshops for Navy (NAVFAC) since 2016
• Training for Navy (COMOPTEVFOR) Jan 2017
• Workshops at DAU Regions (available) Jan 2017
• Consulting for Navy (AMRAAM program) Feb 2017
Can DAU Mission Assistance (MA) help your Program?
DAU Cybersecurity Consulting (MA)
Summary
• Cybersecurity Defined
• DODI 8500.01 Cybersecurity / 8510.01 RMF Required Mar 2014
• New DODI 5000.02 provided major Cybersecurity updates
– Impacts to PMs and the T&E Community
– Use of Intelligence Community and VOLT solidified
• NDAA 1647 – OSD and Congressional focus on Cybersecurity
• DAU Cybersecurity SME Team is Engaging with Cybersecurity Training, Workshops and Consulting – Can we help you?
Professor Edward A. Adkins
Defense Acquisition University (DAU)
Engineering, Test and [email protected]