TRANSCRIPT
Hot Topic Forum – Cybersecurity – Denman January 21, 2016
DAU Hot Topic Forum: DAU's Response to Acquisition Cybersecurity Needs
Presented by Tim Denman
DAU Cybersecurity Learning Director
January 21, 2016
Cybersecurity Hot Topic Forum Overview
• The Importance of Cybersecurity to the DoD
• Cybersecurity Policies and Publications
• DAU’s Response to Acquisition Cybersecurity Needs
• Questions
The Importance of Cybersecurity
The Department of Defense has the largest network in the world and
DoD must take aggressive steps to defend its networks, secure its
data, and mitigate risks to DoD missions.
THE DEPARTMENT OF DEFENSE CYBER STRATEGY April 2015
The Defense Department’s own networks and systems are vulnerable to intrusions and
attacks. In addition to DoD’s own networks, a cyberattack on the critical infrastructure
and key resources on which DoD relies for its operations could impact the U.S.
military’s ability to operate in a contingency. DoD has made gains in identifying cyber
vulnerabilities of its own critical assets through its Mission Assurance Program – for
many key assets, DoD has identified its physical network infrastructure on which key
physical assets depend – but more must be done to secure DoD’s cyber infrastructure.
Cybersecurity – The Reality
What GAO Found
• Threats to systems supporting critical infrastructure and federal
operations are evolving and growing. Federal agencies have reported
increasing numbers of cybersecurity incidents that have placed
sensitive information at risk, with potentially serious impacts on
federal and military operations; critical infrastructure; and the
confidentiality, integrity, and availability of sensitive government,
private sector, and personal information. The increasing risks are
demonstrated by the dramatic increase in reports of security incidents,
the ease of obtaining and using hacking tools, and steady advances in
the sophistication and effectiveness of attack technology.
DoD Communications
What has changed in the last 8 years?
Cybersecurity-Related Policies & Issuances – http://iac.dtic.mil/csiac/ia_policychart.html
The Policy Chart references over 180 documents. Most are less than 3 years old.
Developed by the DoD Deputy CIO for Cybersecurity (Updated 10/27/15)
Key Cybersecurity Policies
• DoDI 5000.02 – Operation of the Defense Acquisition System
• DoDI 8500.01 – Cybersecurity
• DoDI 8510.01 – Risk Management Framework (RMF) for DoD Information Technology (IT)
• DoDD 8140.01 – Cyberspace Workforce Management
• National Initiative for Cybersecurity Education (NICE)
DoDI 5000.02 (Encl 11) – Cybersecurity
• a. Cybersecurity Risk Management Framework (RMF). Cybersecurity RMF steps and
activities, as described in DoD Instruction 8510.01, should be initiated as early as
possible and fully integrated into the DoD acquisition process including
requirements management, systems engineering, and test and evaluation.
Integration of the RMF in acquisition processes reduces required effort to achieve
authorization to operate and subsequent management of security controls throughout
the system life cycle.
• b. Cybersecurity Strategy. All acquisitions of systems containing IT, including NSS, will
have a Cybersecurity Strategy. The Cybersecurity Strategy is an appendix to the
Program Protection Plan (PPP) that satisfies the statutory requirement in section 811
of P.L. 106-398.
DoDI 5000.02, January 7, 2015, Enclosure 11, Requirements Applicable To All Programs Containing Information Technology (IT), page 136
Cybersecurity – A Team Sport
Cybersecurity in the DoD acquisition workforce requires vigilance from everyone who
communicates information digitally. It is a true team sport that affects everyone’s job and it is
the responsibility of the entire DoD workforce.
Who should be involved and how?
DoDI 8500.01 – Cybersecurity Replaces IA
This instruction applies to:
All DoD-owned IT or DoD-controlled IT that receive, process, store, display, or transmit DoD
information. These technologies are broadly grouped as DoD IS, platform IT (PIT), IT services,
and products. This includes IT supporting research, development, test and evaluation (T&E), and
DoD-controlled IT operated by a contractor or other entity on behalf of the DoD.
Information Assurance (IA) - Measures that protect and defend information and
information systems by ensuring their availability, integrity, authentication,
confidentiality, and non-repudiation. This includes providing for restoration of
information systems by incorporating protection, detection, and reaction capabilities.
Department of Defense Directive (DoDD) 8500.01E, April 23, 2007
Cybersecurity - Prevention of damage to, protection of, and restoration of computers,
electronic communications systems, electronic communications services, wire
communication, and electronic communication, including information contained therein,
to ensure its availability, integrity, authentication, confidentiality, and
nonrepudiation. Department of Defense Instruction (DoDI) 8500.01, March 14, 2014
DoDI 8500.01: Cybersecurity
“Policy: Cybersecurity…must be included throughout the lifecycle…to include *acquisition, design, development,
developmental testing, operational testing, integration, implementation, operation, upgrade, or replacement of all DoD
IT supporting DoD tasks and missions”
• DoD CIO coordinates with the DOT&E to ensure that cybersecurity responsibilities are integrated into the
operational testing and evaluation for DoD acquisition programs
• USD(AT&L) ensures the DoD acquisition process incorporates cybersecurity planning, implementation, testing,
and evaluation and ensures acquisition community personnel are qualified
• DoD COMPONENT HEADS ensure that system security engineering and trusted systems and networks processes,
tools and techniques are used in the acquisitions under their purview.
* Note the different job responsibilities that must be involved.
DoDI 8500/8510: Cybersecurity/RMF
– Adopts “Cybersecurity” instead of “Information Assurance”
– Extends applicability to all DoD information technology processing DoD information
– Emphasizes operational resilience, integration, reciprocity, and interoperability
– Aligns with Joint Task Force Transformation Initiative (DoD, NIST, IC, and CNSS)
– Adopts common Federal cybersecurity terminology so we are all speaking the same language
– Transitions to the newly revised NIST SP 800-53 Security Control Catalog
– Incorporates early/continuously in acquisition lifecycle
DoDI 8510.01 - RMF – 6 Step Process
This process parallels the system life cycle, with the RMF activities being initiated at program
or system inception
DoDI 8510.01 - Why Change Policy?
• The new policy is more consistent with established disciplines and best practices for effective systems engineering, systems security engineering, and program protection planning outlined in DoDI 5000.02 & DAG.
• The new policy leverages and builds upon numerous existing Federal policies and standards so we have less DoD policy to write and maintain.
DoD participates in CNSS and NIST policy development as a vested stakeholder with the goals of a more synchronized cybersecurity landscape and to protect the unique requirements of DoD Missions and warfighters.
– DoD participates in development of CNSS and NIST documents ensuring DoD equities are met
– DoD leverages CNSS and NIST policies and filters requirements to meet DoD needs
DoD Directive 8140.01 Cyberspace Workforce Management (Issued 8/11/2015)
a. Reissues and renumbers DoD Directive (DoDD) 8570.01 to
update and expand established policies and assigned
responsibilities for managing the DoD cyberspace workforce.
b. Authorizes establishment of a DoD cyberspace workforce
management council to ensure that the requirements of this
directive are met.
c. Unifies the overall cyberspace workforce and establishes
specific workforce elements (cyberspace effects, cybersecurity,
and cyberspace information technology (IT)) to align, manage
and standardize cyberspace work roles, baseline qualifications,
and training requirements.
In short, this directive replaces DoDD 8570.01, establishes cyber workforce elements,
and paves the way for DoDI 8140, which will be based on the NICE Framework.
National Initiative for Cybersecurity
Education (NICE)
• Vision: A digital economy that is enabled by a
knowledgeable and skilled cybersecurity workforce.
• Mission: To foster, energize, and promote a robust
network and an integrated ecosystem of
cybersecurity education, training, and workforce
development.
• Goals:
– Accelerate Learning and Skills Development
– Nurture a Diverse Learning Community
– Guide Career Development and Workforce Planning
National Cybersecurity Workforce Framework
• The National Cybersecurity Workforce
Framework provides a blueprint to categorize,
organize, and describe cybersecurity work
into Specialty Areas, tasks, and knowledge,
skills and abilities (KSAs). The Workforce
Framework provides a common language to
speak about cyber roles and jobs and helps
define professional requirements in
cybersecurity.
• The Workforce Framework organizes
cybersecurity into seven high-level
Categories, each comprised of several
Specialty Areas.
Knowledge, Skills & Abilities (KSA) for each competency within the NICE framework will be a major driver for future DAU Mission Assistance offerings.
Cybersecurity Workforce Framework – 7 Areas
Securely Provision
• Concerned with conceptualizing, designing, and building secure IT systems, with responsibility for some aspect of the systems' development.
Operate and Maintain
• Responsible for providing the support, administration, and maintenance necessary to ensure effective and efficient IT system performance and security.
Protect and Defend
• Responsible for the identification, analysis, and mitigation of threats to internal IT systems or networks.
Investigate
• Responsible for the investigation of cyber events and/or crimes of IT systems, networks, and digital evidence.
Collect and Operate
• Responsible for specialized denial and deception operations and collection of cybersecurity information that may be used to develop intelligence.
Analyze
• Responsible for highly specialized review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence.
Oversight and Development
• Provide leadership, management, direction, and/or development and advocacy so that all individuals and the organization may effectively conduct cybersecurity work.
The NICE Framework
• Securely Provision: IA Compliance, Enterprise Architecture, Sys Req Plng, Sys Development, SW Engineering, Tech Demonstration, Test & Evaluation
• Operate & Maintain: Data Administration, Knowledge Mgt, Network Services, Systems Admin, Info System Security Mgt, Customer & Tech Support, Systems Security Analysis
• Protect & Defend: Computer Network Defense (CND), CND Infrastructure Support, Incident Response, Security Program Mgt, Vulnerability Assessment & Mgt
• Analyze: Cyber Threat Analysis, All-source Analysis, Exploitation Analysis, Targets
• Collect & Operate: Collection Operations, Cyber Operations, Cyber Operational Planning
• Oversight & Development: Legal Advice & Advocacy, Education & Training, Strategic Planning & Policy
• Investigate: Investigation, Digital Forensics
Consists of seven categories, 32 specialty areas grouped within the seven categories, and a list of associated knowledge / skills / abilities (KSAs) grouped within each of the specialty areas.
DAU’s Response to Acquisition
Cybersecurity Needs
• Cybersecurity Mission Assistance (MA) (consulting) and
curriculum needs have increased significantly over the last
2 years
• New Cybersecurity IPT was chartered in 2014 to develop a
response to increased cybersecurity demand
• 7 dedicated acquisition cybersecurity professionals were
hired beginning in August of 2015 (Enterprise Assets)
• Several cybersecurity-related courses are being
developed
• Over 30 Cybersecurity MA engagements are anticipated in
FY 2017 (many engagements are in workshop form)
DAU Acquisition Cybersecurity Training
• Vision: Enable the Defense Acquisition Workforce to
strengthen cybersecurity throughout the product
lifecycle
• Support DAU’s Acquisition Learning Model and satisfy Customer’s immediate requirements
– Integrate the traditional, targeted/tailored, consulting, and workshop training into the Foundational, Workflow, and Performance learning objectives
– Remain current and relevant
• Design Cybersecurity training to satisfy the Knowledge, Skills & Abilities (KSA) for competencies within the National Initiative for Cybersecurity Education (NICE) framework
DAU Cybersecurity Team
• Foundational Learning Directorate Cybersecurity Team
– David Pearson - E&T Center Director, Ft Belvoir, VA
– Tim Denman - Cybersecurity Learning Director, Huntsville, AL
– Dr. Greg Butler - Hill AFB, UT
– Derek Duchein – San Diego, CA
– Chris Newborn – San Diego, CA
– Paul Shaw - San Diego, CA
– Heath Ferry – Huntsville, AL
– Rodney Visser – Huntsville, AL
– Kim Kendall – Fort Belvoir, VA
• Other DAU Cybersecurity Experts
– Steve Mills - Huntsville, AL
– Ed Adkins - Eglin AFB, FL
– Stephani Hunsinger - Fort Belvoir, VA
Primary career fields include: Information Technology, Engineering, Program Management, Contracting, and Test & Evaluation.
Areas of expertise include: Software Assurance, Resiliency, Contracting, Architecture, Cloud Security, Operational Testing, Threat Monitoring, and Supply Chain Risk Management.
Our team teaches DoD Acquisition Cybersecurity, but team members have Army, Air Force, Navy and civilian backgrounds.
Cybersecurity Curriculum Development
• CLE 074 – Cybersecurity Throughout DoD Acquisition – Deployed March, 2015
• ENG 160 - Program Protection Planning Awareness – To be deployed mid 2016
• ENG 260 - Program Protection Planning for Practitioners – To be deployed late 2016/ early 2017
• ISA 220 - RMF for Practitioners – To be deployed late 2016 /early 2017
• Supply Chain Risk Management – Successful course kickoff Dec 9, 2015, Deploy early 2017
• Software Assurance – Successful course kickoff Dec 9, 2015, Deploy early 2017
• Unclassified Controlled Technical Information (CTI) – Working with OUSD to build workflow learning products for rapid training
– Based on Better Buying Power 3.0
“DAU, … will develop education and training to increase workforce understanding of the value and best practices for system cybersecurity and CTI protection by October 2016.” (BBP 3.0)
DAU Cybersecurity Workshops
Three levels of DAU Workshops…
1. Policy
2. RMF for Programs
3. Products for Programs Driven by Customers
DoD 8500.01 Cybersecurity
DoD 8510.01 RMF
DoD 5000.02
RMF Implementation
Program RMF Strategy
Cybersecurity Contractual Requirements
Workshops can also serve as a bridge to cybersecurity curriculum development products
Questions?
Tim Denman
Cybersecurity Learning Director
Defense Acquisition University