Upload: life-cycle-engineering

Post on 13-Jul-2015

758 views

Category:

Education


1 download

TRANSCRIPT

Page 1: Cybersecurity Risk Management Framework Strategy Workshop

© Life Cycle Institute

Cybersecurity Risk Management Framework Strategy for Defense Platform Systems Workshop

Page 2: Cybersecurity Risk Management Framework Strategy Workshop


Cybersecurity ensures information technology systems are available, reliable and secure.

Cybersecurity is…

• Software and hardware based
• Technical and non-technical
• Based on information from NSA, DoD, DISA and DoN

Page 3: Cybersecurity Risk Management Framework Strategy Workshop


Participants will learn how to:

• Explain the context of cybersecurity in Defense Platform IT (PIT) systems
• Summarize how to apply the NIST Risk Management Framework to Defense Platform IT (PIT) systems
• Estimate requirements and resources to address cybersecurity compliance in their organization/infrastructure

Page 4: Cybersecurity Risk Management Framework Strategy Workshop


Cybersecurity Risk Management Framework Strategy for Defense Platform Systems Workshop

1-day workshop; 0.7 Continuing Education Units (CEUs)

Private workshops may be tailored to your specific needs and delivered at your site.

Page 5: Cybersecurity Risk Management Framework Strategy Workshop


Who Should Attend

• Individuals and teams responsible for the application of the Risk Management Framework
• People with funding authority for security. For example:
  – DoD Program Managers
  – Technical Managers
  – Technical Directors
  – Requirements Officers
  – IT Managers

Page 6: Cybersecurity Risk Management Framework Strategy Workshop


Review the Five Functions of Cybersecurity

• Identify
• Protect
• Detect
• Respond
• Recover

Page 7: Cybersecurity Risk Management Framework Strategy Workshop


Platform Information Technology (PIT)

PIT: computer resources that are physically part of, dedicated to, or essential in real time to the mission performance of special-purpose systems.

PIT Structures

• Aboard or on a platform
• Standalone
• Interconnection to other platform IT
• Interconnection to other non-platform IT

PIT Process

The PIT process is a modified form of the DIACAP process. Differences include:

• Signature approval cycle: the Certification Authority (CA, SPAWAR 05) is not involved in the PIT signature chain
• Information Assurance Controls (IACs) are less restrictive than in DIACAP

PIT Training

• Because the PIT process is so similar to DIACAP, there is no separate training available.
  – The DON-CIO PIT Policy of Feb 2010 applies until the RMF transition.
• Upon transition to RMF, PIT will be treated the same as any other IT system.

Page 8: Cybersecurity Risk Management Framework Strategy Workshop


Risk Management Framework (RMF)

• Replaces DIACAP
• 6-step process – aligns to DIACAP phases:
  1. Categorize
  2. Select
  3. Implement
  4. Assess
  5. Authorize
  6. Monitor

Page 9: Cybersecurity Risk Management Framework Strategy Workshop


RMF vs. DIACAP

Security requirements
  RMF: Security requirements and standards uniquely determined by each system. More granular than DIACAP. PIT is included.
  DIACAP: All systems inherit enterprise standards and requirements. PIT systems have a separate process.

Validator
  RMF: Validator is a qualified, resourced, and permanent member of the CIO staff.
  DIACAP: Validator is a qualified, resourced, and permanent member of the CIO staff.

Process structure
  RMF: 6 steps (analogous to phases).
  DIACAP: 5 pre-defined phases. Each system works to a plan that aligns to the system life-cycle.

Accreditation status
  RMF: Communicated via letter and status code (IATO, ATO) in eMASS.
  DIACAP: Communicated by assigned IA controls’ compliance ratings and letter and status code (ATO, IATO, ATT) in the DIACAP Scorecard.

Tooling
  RMF: Automated tools, enterprise managed KS, requirements tied to architecture.
  DIACAP: Automated tools, enterprise managed KS, requirements tied to architecture.

Meaning of ATO
  RMF: ATO means security risk is at an acceptable level to support mission and live data.
  DIACAP: ATO means security risk is at an acceptable level to support mission and live data.

Monitoring and reaccreditation
  RMF: Continuous asynchronous monitoring; reaccreditation TBD; reviewed annually; FISMA reporting.
  DIACAP: Continuous asynchronous monitoring; reaccreditation every 3-4 years; reviewed annually; FISMA reporting.

Page 10: Cybersecurity Risk Management Framework Strategy Workshop


Learn to apply RMF

• Identify cyber threats
• Assign control strategies
• Analyze the costs and benefits of secure designs

Page 11: Cybersecurity Risk Management Framework Strategy Workshop


Reasons to Choose the Life Cycle Institute

• Extensive cybersecurity experience within DoD and the commercial sector
  – We provide vulnerability scanning, penetration testing, risk analysis and remediation services
  – Our engineers are qualified mentors for industry-leading security trainers
• An active learning experience
  – Learning by doing vs. lecture
  – Group activities, assessments, case studies
  – Network with peers
  – Develop action plans to drive results post-training

Page 12: Cybersecurity Risk Management Framework Strategy Workshop


[email protected]

www.LCE.com

800-556-9589

The Life Cycle Institute is the learning, leadership and change management practice at Life Cycle Engineering.