Federal Cyber Policy and Assurance Issues Dwayne Ramsey Computer Protection Program Manager Berkeley Lab Cyber Security Summit September 27, 2004


Federal Cyber Policy and Assurance Issues

Dwayne Ramsey
Computer Protection Program Manager

Berkeley Lab
Cyber Security Summit

September 27, 2004


“And so, extrapolating from the best figures available, we see that current trends, unless dramatically reversed, will inevitably lead to a situation in which the sky will fall.”


Outline

• Federal IT management initiatives
• DOE Cyber Security Program
• Cyber Assurances
• Technical Vision
• Research


Current Federal IT Strategy

• Efforts are underway to integrate

— Federal Enterprise Architecture,

— Agency capital planning efforts, and

— Cyber Security

• Goals:

— Identify best practices,

— Leverage resources,

— Manage cyber assurance


Information Technology…

… per Clinger-Cohen Act of 1996 and OMB Circular A-11

• Equipment used by an agency or its contractors in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information.

• Computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources.

• Does not include any equipment that is acquired by a Federal contractor incidental to a Federal contract.


DOE Cyber Security Program

• Umbrella document is DOE Order 205.1 DEPARTMENT OF ENERGY CYBER SECURITY MANAGEMENT PROGRAM of 3/21/2003
— Lays out roles, responsibilities, requirements
— Implementation through DOE Program Cyber Security Plans (DOE Office of Science for Berkeley Lab)
— Allows for a graded approach
• DOE Policy directives included in M&O Contracts
• FISMA and NIST requirements flow down to DOE Laboratories


DOE Cyber Green?

• Significant effort in the past few months to achieve a green rating on the President’s Management Agenda and FISMA

• Federal Authority to Operate (ATO) required
— NIST compliant security documentation, e.g.
  • Certification and Accreditation of all unclassified systems
  • Security plans consistent with NIST SP 800-18
  • Risk Assessment consistent with NIST SP 800-26
• Frequent data calls
• Increased audits of cyber security at the DOE Laboratories


Assurance Concepts

• The cyber threat is being rapidly automated
• Automated defenses are trying to keep up
• Assurance practices not keeping pace – still paperwork intensive
• Assurance is very important. We must find ways to automate
• Assurance Metrics are byproducts of operations:
— must come from real time events as they occur in the operations of the networked environment


[Diagram; labels: Assurance Management; Assurance Operations; Assurance Requirements (“What Not How”); Assurances; Operational Requirements; Assurance Flow; Regulation and Oversight; Congress, OMB, NIST, DOE; DOE and Contractor Sites]


Assurance Modes

We are at a crossroads.

• One path leads toward checklists and paper assurances

• The other moves us to automation and the self healing network

• Assurance should be based on automated processes


High Level CYBER Assurance Model

[Diagram; labels: DOE Cyber Program; Congress; OMB; DOE, SC; GAO/IG/OA; Best Practices; POLICY; Directives; Plans Appropriate to Tier I, II, III Labs; Operations; Reported Metrics; Assurance Documents (CM, C&A, Authority to Operate, Residual Risk, etc.); Automate this part; Integrate Assurance into Daily Operational Processes; Audits and Reviews; Direction; Feedback]


Technical Vision

Fully automated monitoring

• Network information continuously collected

• Successful attacks and intrusions immediately discovered

• Systems continuously scanned

• Network vulnerabilities detected as they appear

• Vulnerabilities immediately resolved

  • Automatically sequestered

  • Automatically alert owners/sys admins

  • Automatically remove blocks when vulnerabilities are fixed

• Assurance data generated from monitoring output
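
The loop this slide describes (scan, sequester, alert the owner, unblock once fixed, and derive assurance data from the same event log) can be sketched as below. This is an added illustration, not part of the original presentation; the host names, owner addresses, vulnerability labels and metric names are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Host:
    name: str
    owner: str            # who gets alerted (constructed address)
    blocked: bool = False

@dataclass
class Monitor:
    hosts: dict                                  # name -> Host
    events: list = field(default_factory=list)   # operational event log

    def scan_cycle(self, t, findings):
        """Apply one scan result; findings maps host name -> set of open vulnerabilities."""
        for name, host in self.hosts.items():
            vulns = findings.get(name, set())
            if vulns and not host.blocked:
                host.blocked = True              # sequester, then alert the owner
                self.events.append((t, name, "sequestered", sorted(vulns)))
                self.events.append((t, name, "alerted", host.owner))
            elif not vulns and host.blocked:
                host.blocked = False             # fixed: remove the block
                self.events.append((t, name, "unblocked", None))

    def assurance_metrics(self):
        """Derive reportable metrics purely from the event log, not from paperwork."""
        opened, durations = {}, []
        for t, name, kind, _ in self.events:
            if kind == "sequestered":
                opened[name] = t
            elif kind == "unblocked":
                durations.append(t - opened.pop(name))
        return {
            "hosts_monitored": len(self.hosts),
            "currently_blocked": sorted(opened),
            "blocks_resolved": len(durations),
            "mean_cycles_to_fix": sum(durations) / len(durations) if durations else None,
        }

# Constructed sample data: five scan cycles over two hypothetical hosts.
SCANS = [{}, {"web01": {"VULN-A"}}, {"web01": {"VULN-A"}, "db01": {"VULN-B"}},
         {"db01": {"VULN-B"}}, {"db01": {"VULN-B"}}]

def run_demo():
    mon = Monitor({"web01": Host("web01", "alice@example.org"),
                   "db01": Host("db01", "bob@example.org")})
    for t, findings in enumerate(SCANS):
        mon.scan_cycle(t, findings)
    return mon

if __name__ == "__main__":
    print(run_demo().assurance_metrics())
```

The metrics are computed only from events the monitor emitted while operating, which is the "byproduct of operations" property the Assurance Concepts slide asks for.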


Cyber Research

“For historical reasons, no federal funding agency has assumed responsibility for supporting basic research in this area--not the Defense Advanced Research Projects Agency (DARPA), not the National Science Foundation (NSF), not the Department of Energy (DoE), not the National Security Agency (NSA). Because no funding agency feels it "owns" this problem, relatively small, sporadic research projects have been funded, but no one has questioned the underlying assumptions on cyber security that were established in the 1960s mainframe environment.”

Wm. A. Wulf, Ph.D., President, National Academy of Engineering and AT&T Professor of Engineering and Applied Science, University of Virginia, before the House Science Committee, U.S. House of Representatives, October 10, 2001

http://www.nae.edu/nae/naehome.nsf/weblinks/MKEZ-542KBP?OpenDocument