Federal Cyber Policy and Assurance Issues
Dwayne Ramsey, Computer Protection Program Manager, Berkeley Lab
Cyber Security Summit
September 27, 2004
“And so, extrapolating from the best figures available, we see that current trends, unless dramatically reversed, will inevitably lead to a situation in which the sky will fall.”
Outline
• Federal IT management initiatives
• DOE Cyber Security Program
• Cyber Assurances
• Technical Vision
• Research
Current Federal IT Strategy
• Efforts are underway to integrate
— Federal Enterprise Architecture,
— Agency capital planning efforts, and
— Cyber Security
• Goals:
— Identify best practices,
— Leverage resources,
— Manage cyber assurance
Information Technology… per Clinger-Cohen Act of 1996 and OMB Circular A-11
• Equipment used by an agency or its contractors in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information.
• Computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources.
• Does not include any equipment that is acquired by a Federal contractor incidental to a Federal contract.
DOE Cyber Security Program
• Umbrella document is DOE Order 205.1, DEPARTMENT OF ENERGY CYBER SECURITY MANAGEMENT PROGRAM, of 3/21/2003
— Lays out roles, responsibilities, requirements
— Implementation through DOE Program Cyber Security Plans (DOE Office of Science for Berkeley Lab)
— Allows for a graded approach
• DOE Policy directives included in M&O Contracts
• FISMA and NIST requirements flow down to DOE Laboratories
DOE Cyber Green?
• Significant effort in the past few months to achieve a green rating on the President’s Management Agenda and FISMA
• Federal Authority to Operate (ATO) required
— NIST-compliant security documentation, e.g.
• Certification and Accreditation of all unclassified systems
• Security plans consistent with NIST SP 800-18 (Guide for Developing Security Plans for Information Technology Systems)
• Risk (self-)assessment consistent with NIST SP 800-26 (Security Self-Assessment Guide for Information Technology Systems)
• Frequent data calls
• Increased audits of cyber security at the DOE Laboratories
Assurance Concepts
• The cyber threat is being rapidly automated
• Automated defenses are trying to keep up
• Assurance practices are not keeping pace; still paperwork intensive
• Assurance is very important. We must find ways to automate
• Assurance metrics are byproducts of operations:
— must come from real-time events as they occur in the operations of the networked environment
[Diagram: Assurance Flow]
Regulation and Oversight: Congress, OMB, NIST, DOE
Assurance Requirements (“What Not How”) → DOE and Contractor Sites
Assurance Management → Operational Requirements → Assurance Operations
Assurances (returned to Regulation and Oversight)
Assurance Modes
We are at a crossroads.
• One path leads toward checklists and paper assurances
• The other moves us to automation and the self healing network
• Assurance should be based on automated processes
[Diagram: High Level CYBER Assurance Model]
Congress, OMB, DOE SC, GAO/IG/OA, Best Practices → DOE Cyber Program → Plans appropriate to Tier I, II, III → Labs → Operations → Reported Metrics
[Diagram: Assurance Documents]
POLICY → Directives → CM, C&A, Authority to Operate, Residual Risk, etc. (“Automate this part”) → Integrate Assurance into Daily Operational Processes → Audits and Reviews
Direction flows down; Feedback flows up
Technical Vision
Fully automated monitoring
• Network information continuously collected
• Successful attacks and intrusions immediately discovered
• Systems continuously scanned
• Network vulnerabilities detected as they appear
• Vulnerabilities immediately resolved
— Automatically sequestered
— Automatically alert owners/sys admins
— Automatically remove blocks when vulnerabilities are fixed
• Assurance data generated from monitoring output
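As an added illustration of the sequester / alert / unblock loop and of assurance metrics falling out of monitoring (this is example code, not part of the original slides or of any DOE or Berkeley Lab system): a small Python simulation that replays constructed scan events through the loop. The event format, host names, owners and finding labels are all assumptions; in a real deployment the block and release steps would drive a router ACL or switch port and the alert would go to e-mail or a ticket queue.

```python
"""Self-healing monitoring loop: scan -> sequester -> alert -> release.

Added example. The event format, host names, owners and finding labels
are constructed for illustration, not data from the original slides.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class ScanEvent:
    """One result from the continuous scanner (hypothetical format)."""
    when: datetime
    host: str
    owner: str
    findings: List[str]  # vulnerability labels found; empty means the host is clean


@dataclass
class Block:
    """A network block (sequester) on one host, with its audit trail."""
    host: str
    owner: str
    opened: datetime
    findings: List[str]


@dataclass
class AssuranceState:
    """Assurance data produced as a byproduct of the monitoring loop."""
    blocked: Dict[str, Block] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)
    remediation_times: List[timedelta] = field(default_factory=list)
    scan_events: int = 0

    def mean_time_to_remediate(self) -> timedelta:
        if not self.remediation_times:
            return timedelta(0)
        return sum(self.remediation_times, timedelta(0)) / len(self.remediation_times)

    def summary(self) -> dict:
        """Reportable metrics derived from operations rather than from paperwork."""
        return {
            "scan_events": self.scan_events,
            "hosts_blocked": len(self.blocked),
            "alerts_sent": len(self.alerts),
            "remediated": len(self.remediation_times),
            "mttr_hours": self.mean_time_to_remediate().total_seconds() / 3600,
        }


def run_loop(events: List[ScanEvent]) -> AssuranceState:
    """Apply each scan event in time order and return the resulting state."""
    state = AssuranceState()
    for ev in sorted(events, key=lambda e: e.when):
        state.scan_events += 1
        block = state.blocked.get(ev.host)
        stamp = f"{ev.when:%Y-%m-%d %H:%M} {ev.owner}: {ev.host}"
        if ev.findings and block is None:
            # New vulnerability on an unblocked host: sequester it and tell the owner.
            state.blocked[ev.host] = Block(ev.host, ev.owner, ev.when, list(ev.findings))
            state.alerts.append(f"{stamp} sequestered ({', '.join(ev.findings)})")
        elif ev.findings and block is not None:
            # Still vulnerable: keep the block; alert only if something new appeared.
            new = [f for f in ev.findings if f not in block.findings]
            if new:
                block.findings.extend(new)
                state.alerts.append(f"{stamp} still blocked, new: {', '.join(new)}")
        elif block is not None:
            # Clean rescan of a blocked host: remove the block automatically
            # and record the time-to-fix as an assurance metric.
            state.remediation_times.append(ev.when - block.opened)
            del state.blocked[ev.host]
            state.alerts.append(f"{stamp} released")
        # Clean host with no block: nothing to do.
    return state


def sample_events() -> List[ScanEvent]:
    """Constructed scan output for one morning of scanning two hosts."""
    t0 = datetime(2004, 9, 27, 8, 0)

    def h(n: int) -> datetime:
        return t0 + timedelta(hours=n)

    return [
        ScanEvent(h(0), "host-a", "alice", ["finding-A"]),
        ScanEvent(h(0), "host-b", "bob", []),
        ScanEvent(h(1), "host-a", "alice", ["finding-A"]),  # same finding, no new alert
        ScanEvent(h(2), "host-b", "bob", ["finding-B"]),
        ScanEvent(h(3), "host-a", "alice", []),  # fixed: block removed automatically
        ScanEvent(h(4), "host-b", "bob", ["finding-B", "finding-C"]),  # new finding
    ]


if __name__ == "__main__":
    result = run_loop(sample_events())
    for line in result.alerts:
        print(line)
    print(result.summary())
```

The point of the structure is that nothing in `summary()` is entered by hand: hosts blocked, alerts sent and mean time to remediate are all read off the same state the blocking logic maintains, which is what "assurance data generated from monitoring output" means in practice.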
Cyber Research
“For historical reasons, no federal funding agency has assumed responsibility for supporting basic research in this area--not the Defense Advanced Research Projects Agency (DARPA), not the National Science Foundation (NSF), not the Department of Energy (DoE), not the National Security Agency (NSA). Because no funding agency feels it "owns" this problem, relatively small, sporadic research projects have been funded, but no one has questioned the underlying assumptions on cyber security that were established in the 1960s mainframe environment.”
Wm. A. Wulf, Ph.D., President, National Academy of Engineering and AT&T Professor of Engineering and Applied Science, University of Virginia, before the House Science Committee, U.S. House of Representatives, October 10, 2001
http://www.nae.edu/nae/naehome.nsf/weblinks/MKEZ-542KBP?OpenDocument