Post on 24-Jun-2020

DoD Guidelines on Cybersecurity T&E

Kim Kendall, kim.kendall@dau.mil, 256-922-8143

What is Cybersecurity

Defined as the prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communication services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and non-repudiation.

DoDI 8500.01 adopts the term “Cybersecurity” in lieu of “Information Assurance” (March 2014)

Five Aspects of Cybersecurity

Triad

DOT&E FY 2018 Annual Report

Despite improvements, cybersecurity capabilities are not advancing fast enough to stay ahead of the “onslaught of multipronged attacks”

“Recent advance in cyber technologies indicate that automation – and even artificial intelligence – are beginning to make profound changes”

Preparations must include realistic demonstrations of fight-through capabilities, resilience, and alternate modes

DODI 5000.02, Cybersecurity DT & OT in the Defense Acquisition System

• Identify T&E data to assess progress toward achieving cybersecurity requirements

• ... Support cybersecurity assessments & authorization (Encl 4)

• T&E strategy includes explicit cybersecurity requirements & key interfaces

• Design T&E scenarios based on probable adversary access (Attack Surface)

• Program Manager will develop a strategy & resources for cybersecurity testing:

– At Milestone A, TEMP will document a strategy & resources (Encl 5)

– At Milestone B, TEMP will ensure evaluation of ability to protect, detect, react, and restore to sustain continuity of operation (COOP). (Encl 5)

Procedures for Operational T&E of Cybersecurity in Acquisition Programs – Apr 03, 2018

• OT&E includes Cooperative Vulnerability and Penetration Assessment (CVPA) and an Adversarial Assessment (AA)

• Examine operational resilience attributes (Prevent, Mitigate, Recover)

• TEMP should define a test strategy that includes cybersecurity

• Input to OT&E should include the TEMP, Engineering & Program Protection Plans, threat documents-Validated Online Lifecycle Threat, system supply to critical missions

• The TEMP should identify resources required to execute CVPAs and AAs and include funding, organizations, test assets and threat documentation

DoD Cybersecurity T&E Guidebook

• Version 2.0 published April 2018

– Describes each phase, inputs, outputs, tasks

– Addresses RMF integration

– Includes new appendices - FOUO appendices published separately 30JUN18

– Publicly accessible links to the Guidebook

• https://www.acq.osd.mil/dte-trmc/docs/CSTE%20Guidebook%202.0_FINAL%20(25APR2018).pdf

• For Official Use Only (FOUO) appendices are accessible to government and authorized contractor personnel at the following link: https://intelshare.intelink.gov/sites/atlcoi/cyberTableTops/SitePages/Home.aspx

• Cybersecurity Requirements and Measures for DT&E

• Using Cyber Threat Assessment for Cybersecurity T&E

• Mission-Based Cybersecurity Risk Assessments

• Cybersecurity Test Infrastructure and Environment Planning

• Cybersecurity Test Considerations for Non-IP Systems

Cybersecurity T&E Acquisition Phases

Cybersecurity Early in the Lifecycle

Added Cyber Survivability as key element of the mandatory System Survivability KPP

Cybersecurity Early in the Lifecycle

Cyber Survivability is key element of the mandatory System Survivability KPP

• Elements of the System Survivability KPP are Kinetic, Cyber and EMS survivability

• Cyber Survivability. Ensures warfighter systems are designed to prevent, mitigate, and recover from cyber-attacks by applying a risk managed approach to building and maintaining systems through Cyber Survivability Attributes

Cyber Survivability Endorsement Implementation Guide (FOUO)

• The Joint Staff and DoD CIO developed Cyber Survivability Endorsement (CSE) criteria to assess requirements for key attributes that increase cyber survivability.

https://intelshare.intelink.gov/sites/cybersurvivability/_layouts/15/start.aspx#/SitePages/Home.aspx

CJCS Cyber Survivability Attributes (CSA)

Cyber Survivability Endorsement (CSE) ensures CSAs addressed in:

• Milestone A - Draft CDD / TEMP

• Milestone B - Validated CDD at the Development RFP Decision Point

• Milestone C - CPD

Where is the Focus?

THE BRIDGE IS OUT AHEAD

The Risk Management Framework

• Required by policy

– DoDI 8500.01 3.a and 3.h requires cybersecurity risk management

– DoDI 8510.01 Risk Management Framework (RMF) implements DoD’s Risk Management Policy

• RMF provides a structured, tailorable, and repeatable process that integrates security and risk management activities into the system development life cycle

– Considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations

• RMF helps ensure the appropriate “cyber hygiene” controls and security configurations are designed into the system

– Protections to help meet the goals of risk-managed Confidentiality, Integrity and Availability

– Adds continuous monitoring to system life cycle management to ensure ongoing awareness of and risk managed responses to changing threats and environments

RMF Does Not Replace Cybersecurity T&E

Risk Management Framework (RMF) Process Overview

Interaction of RMF and T&E Cybersecurity Activities
