TRANSCRIPT
DoD CIO
Support the Warfighter
UNCLASSIFIED
Advanced Technology Academic Research Council
Federal CISO Summit
Ms. Thérèse Firmin
Acting Deputy DoD CIO for Cybersecurity, Department of Defense
25 January 2018
Overview
Secretary Mattis’ Priorities
Cybersecurity Focus Areas
Secretary Mattis’ Priorities
• Restore military readiness as we build a more lethal force
• Strengthen alliances and attract new partners
• Bring business reforms to the Department of Defense
Cybersecurity Focus Areas
• Manage cybersecurity risk to highest priority missions, systems and networks
• Streamline processes and policies throughout CIO
• Grow the cyber workforce
Focus Area 1: Manage Cybersecurity Risk to Highest Priority Missions, Systems and Networks
DoD Cybersecurity Landscape
(Figure. Center: "Dependable mission execution in the face of cyber warfare". Four quadrants with the labels shown on the slide.)
• Technology: cybersecurity architecture; operating systems / network components; major DoD programs; innovation; pace of change; Internet of Things; cloud
• Culture: leadership; knowledge; accountability; risk management; training
• People & Partners: cyber forces; users; industry; government partners
• Systems & Networks: Cyber Scorecard; cyber basics discipline; implementation plan; monitoring and metrics; compliance; NSCSAR
Threats surrounding the landscape: hacktivism; phishing attacks; malware; insider threat; exfiltration of intellectual property; threats from state adversaries; threats from non-state adversaries
Cyber Executive Order 13800
• Heads of executive departments and agencies have ultimate responsibility for cybersecurity.
• CIO/CISO chains of command remain responsible, but accountability now also extends to non-CIO executive leaders.
• Within DoD, the Cybersecurity Scorecard is being used as a mechanism to begin driving this accountability.
DIB Cybersecurity Program
Mission: Enhance and supplement Defense Industrial Base (DIB) participants' capabilities to safeguard DoD information that resides on, or transits, DIB unclassified information systems.
The DIB Cybersecurity Program is a public-private partnership that:
• Provides a collaborative environment for sharing unclassified and classified cyber threat information
• Offers analyst-to-analyst exchanges, mitigation and remediation strategies
• Increases U.S. Government and industry understanding of cyber threats
Eligibility: A contractor must be a Cleared Defense Contractor to participate in this program.
Focus Area 2: Streamline Processes and Policies Throughout CIO
Protecting the DoD's Unclassified Information
(Diagram: three classes of system, the unclassified information each handles, and the security requirements that apply to each.)
• DoD owned and/or operated information system
  o Information: Controlled Unclassified Information
  o Requirements: security requirements from CNSSI 1253, based on NIST SP 800-53, apply
  o Cloud: internal cloud, with a DoD information system acting as the cloud service provider (CSP); when cloud services are provided by DoD, the DoD Cloud Computing SRG applies
• System operated on behalf of the DoD
  o Information: Controlled Unclassified Information
  o Requirements: security requirements from CNSSI 1253, based on NIST SP 800-53, apply
  o Cloud: external cloud / CSP; when cloud services are used to process data on the DoD's behalf, DFARS Clause 252.239-7010 and the DoD Cloud Computing SRG apply
• Contractor's internal system
  o Information: Federal Contract Information; Covered Defense Information (includes Unclassified Controlled Technical Information); Controlled Unclassified Information (USG-wide)
  o Requirements: security requirements from NIST SP 800-171, DFARS Clause 252.204-7012, and/or FAR Clause 52.204-21 apply
  o Cloud: external cloud / CSP
All information categories on the diagram fall under the "Unclassified" tier.
Transition from CIO Scorecard 1.0 to 2.0
• Scorecard 1.0 provides aggregation of existing data
  o Extensive survey to produce the scorecard
  o Limited to compliance (Yes and No)
  o Tabular data view
• Scorecard 2.0 shifts to risk management ("heat map")
  o Eliminate the "human in the loop"
  o Integration of threat and impact with current vulnerability data (heat map view)
  o Facilitates agility and rapid decision making by the CISO/CIOs
  o Assists commanders as a risk assessment tool for missions
(Figure: Scorecard 1.0 tabular view beside the Scorecard 2.0 threat / risk view.)
Integrating the Cybersecurity Framework with the Risk Management Framework
• Cybersecurity risk is only part of organizational risk management procedures
• Organizational risk management requires multi-disciplinary teams
• A shared taxonomy allows IT, cybersecurity and business personnel to communicate
• Implementation will vary between organizations based on their needs
• Goal: allocate scarce resources to address cybersecurity needs most efficiently
• Focus on critical assets first
(Figure: Cybersecurity Framework alongside the Risk Management Framework.)
Focus Area 3: Grow the Cyber Workforce
Cyber Workforce
Trends & Challenges:
- Growing reliance on technology
- Increasingly complex operating environment
- Evolution of skills and expectations
- Lack of cyber workforce standards
End State
• Increased Senior-level advocacy for cybersecurity as a mission imperative.
• Improved cybersecurity in organic and outsourced systems.
• Use of tools based on common standards that allow us to exploit power of big data analytics.
• Increased collaboration with our partners within DoD, other government agencies, industry and our academic partners.
• Proactive, anticipatory and responsive to cyber threats.