Implementing Program Protection and Cybersecurity

Melinda Reed
Office of the Deputy Assistant Secretary of Defense for Systems Engineering

Mark Godino
Office of the Deputy Assistant Secretary of Defense for C3, Cyber, Business Systems

Precision Strike Annual Review (PSAR-15)
Springfield, VA
March 17, 2015

PSAR-15 2015/03/17 Page-1
Distribution Statement A – Approved for public release by OSR; SR Case #s 15-S-0089, 14-S-2175, 15-R-0910 apply. Distribution is unlimited.


Malicious Supply Chain Risk

• Threat
  – Nation-state, terrorist, criminal, or rogue developer who gains control of systems or information through supply chain opportunities, exploits vulnerabilities remotely, and/or degrades system behavior
• Vulnerabilities
  – All systems, networks, and applications
  – Intentionally implanted logic (HW/SW)
  – Unintentional vulnerabilities maliciously exploited (e.g., poor quality or fragile code)
  – Controlled unclassified information resident on or transiting supply chain networks
• Consequences
  – Loss of data; system corruption
  – Loss of confidence in critical warfighting capability; mission impact

Access points are throughout the acquisition lifecycle… and across numerous supply chain entry points:
  - Government
  - Prime, subcontractors
  - Vendors, commercial parts manufacturers
  - 3rd party test/certification activities


Many System Security Risks to Consider

Quality Escape: Product defect/inadequacy introduced either through mistake or negligence during design, production, and postproduction handling, resulting in the introduction of deficiencies, vulnerabilities, and degraded life-cycle performance.

Reliability Failure: Mission failure in the field due to environmental factors unique to military and aerospace environment factors such as particle strikes, device aging, hotspots, electromagnetic pulse, etc.

Fraudulent Product: Counterfeit and other than genuine and new devices from the legally authorized source, including relabeled, recycled, cloned, defective, out-of-spec, etc.

Malicious Insertion: The intentional insertion of malicious hard/soft coding or defect to enable physical attacks or cause mission failure; includes logic bombs, Trojan 'kill switches', and backdoors for unauthorized control and access to logic and data.

Anti-Tamper: Unauthorized extraction of sensitive intellectual property using reverse engineering, side channel scanning, runtime security analysis, embedded system security weakness, etc.

Information Losses: Stolen data provides potential adversaries extraordinary insight into US defense and industrial capabilities and allows them to save time and expense in developing similar capabilities.

Systems Security Engineering is a critical discipline of SE, addressing a spectrum of security risks that are magnified by complex system attributes.


DoDI 5000.02 and PPP Outline Guidance

• Program managers will employ system security engineering practices and prepare a PPP to guide their efforts and the actions of others to manage the risks to critical program information and mission-critical functions and components associated with the program
  – The PPP will be submitted for MDA approval at each Milestone review, beginning with Milestone A
• Program managers will describe in their PPP:
  – Critical Program Information, mission-critical functions, and critical components
  – Threats to and vulnerabilities of these items
  – Plans to apply countermeasures to mitigate associated risks
  – Plans for exportability and potential foreign involvement
  – The Cybersecurity Strategy and Anti-Tamper plan are included as appendices
• PPP Outline and Guidance provides a template


Safeguarding Unclassified Controlled Technical Information

• Secretary of Defense Memorandum, October 10, 2013
  – Recognizes the threat to the competitive capabilities of the Defense Industrial Base (DIB) and the technological superiority of our fielded military systems
  – Directs a series of actions to:
    o Protect DoD unclassified controlled technical information from cyber intrusions
    o Minimize the consequences associated with loss of this information
  – Augments and re-emphasizes current activities such as the DIB Cyber Security / Information Assurance (CS/IA) Program


DFARS Clause 252.204-7012
Safeguarding Unclassified Controlled Technical Information

• Published November 18, 2013
  – Clause affects all new contracts that contain or will contain unclassified controlled technical information
  – Includes flow down to all subcontracts
• Purpose: Establish minimum requirements for DoD unclassified controlled technical information on contractor information systems
  – Requires contractors implement minimum set of information security controls
    o 51 information security controls from NIST SP 800-53, Revision 4
    o Combination of Technical, Process, Awareness, and Training measures
  – Requires contractors report cyber incident and compromises
  – Requires contractor actions to support DoD damage assessment as needed
• Incident Reporting
  – Reporting includes:
    o DoD contracts and subcontractor information affected by a cyber incident or compromise
    o DoD programs, platforms, or systems involved
    o Description of DoD technical information compromised
  – Reported information does not include signatures or other threat actor indicators

http://www.acq.osd.mil/dpap/dars/dfars/html/current/204_73.htm


PPP Methodology

[Figure: PPP methodology diagram. Box titles: Criticality Analysis; CPI Analysis; Program Protection Plan; Threats and Vulnerabilities Assessment; Test and Evaluation. Other labels: Contractor; Developmental Test; Operational Test. Activities shown in the diagram, in the order extracted:]

  – Determine system critical components based on critical mission threads
  – Analyze component vulnerability to malicious exploit
  – Identify potential component suppliers
  – Identify capability elements providing a US technological advantage
  – Determine candidate protection measures to address vulnerabilities: anti-tamper, cybersecurity, hardware/software assurance, physical security, operations security, supply chain, system security, and trusted suppliers
  – Assess the risk associated with each CPI (exposure, consequence of compromise)
  – Determine foreign involvement expectations and impacts on protection measures
  – Respond to acquisition and security requirements
  – Continually assess security risks during design reviews and system implementation
  – Conduct early defense exportability features planning and design
  – Conduct horizontal analysis
  – Conduct engineering risk/cost trade-off analysis to select protection measures
  – Identify supply chain threats and vulnerabilities
  – Identify foreign collection threats and vulnerabilities
  – Identify personnel, physical, operational threats and vulnerabilities
  – Assess hardware and software vulnerabilities
  – Identify acquisition mitigations (e.g., blind buy, trusted source)
  – Determine system security requirements
  – Evaluate anti-tamper protections
  – Verify security requirements

Program Protection – an Integral Part of Systems Engineering


SE, SSE, and DT&E are Mutually Supportive

[Figure: SE and DT&E activities across the acquisition phases MSA, TMRR, EMD, and P&D. Labels shown, in the order extracted: SEP, PPP (at each phase); Preliminary System Design with critical hardware/software components/vulnerabilities; Detailed System Design with identified/known vulnerabilities; System Requirements (security, performance, and threat parameters); System Evaluation Methodology; T&E strategy, schedule, resources; MS-A TEMP; DT&E Assessment; Evaluation Framework; T&E strategy, schedule, resources; MS-B TEMP; DT&E Assessment; MS-C TEMP; System Acceptance.]

Requirements are translated into industry solicitations throughout the lifecycle.

SEP, PPP, TEMP drive the protection requirements and verification activities and should be tailored to meet their domain.


Our Focus on SSE and SE

• DoD is putting policy in place for a risk-based cost benefit trade-off process to protect systems, their supply chain, and their software development
• DoD is emphasizing the importance of SSE within systems engineering and its contribution to the design of systems by:
  – Ensuring that program protection is addressed during the SE technical reviews
  – Incorporating program protection and system security engineering requirements and processes into engineering development contracts
  – Working with industry and standards groups to revitalize system security engineering
• Industry is playing an important role in the DoD SSE initiative by:
  – Investing in research and processes to protect systems, the supply chain, and the software development
  – Developing their SE and SSE processes and skills

DoD efforts are targeting integration of system security engineering considerations throughout the system life cycle


Questions