Trusted Defense Systems
Kristen Baldwin, Director, Systems Analysis, DDRE/Systems Engineering

Trusted Defense Systems Strategy
• Report on Trusted Defense Systems
• Delivering Trusted Systems
• USD(AT&L), ASD(NII)/DoD CIO
Elements of the Strategy
• CPI Identification
• Critical Components
• Critical Technology
• System Security Engineering
• Anti-Tamper, SPI
• System Assurance
• Supply Chain Risk Mitigation
• Trusted Foundry, DMEA
• Threat and vulnerability assessments
• Focus on Mission Critical Systems
• Identify Critical Components for Trust
• Protect Critical Technology
• Technology Investment Strategies
• DARPA TRUST
• NSA Center for Assured SW, Air Force Application SW Assurance CoE
• IA/HW/SW Assurance
• DIB Cyber Security
• Standards for Secure Products and Networks
• Damage Assessments
Increased Priority for Program Protection

Threats: nation-state, terrorist, criminal, rogue developer who:
• Gain control of systems through supply chain opportunities
• Exploit vulnerabilities remotely

Vulnerabilities: all systems, networks, applications
• Intentionally implanted logic (e.g., back doors, logic bombs, spyware)
• Unintentional vulnerabilities maliciously exploited (e.g., poor quality or fragile code)

Consequences: stolen critical data and technology; corruption or denial of critical warfighting functionality

Today’s acquisition environment drives the increased emphasis:
• Then: Standalone systems >>> Now: Networked systems
• Then: Some software functions >>> Now: Software-intensive
• Then: Known supply base >>> Now: Prime integrator, hundreds of suppliers
Challenges Being Addressed
• Policy and guidance for security is not streamlined
• There is a lack of useful methods, processes and tools for acquirers and developers
• Criticality is usually identified too late to budget and implement protection
• Horizontal protection process is insufficiently defined
• Lack of consistent method for measuring cost and success of “protection”
• Intelligence data is not available to programs for risk awareness
• Security not typically identified as an operational requirement, and is therefore lower priority
Data source: GAO report, white papers, military service feedback
Major Efforts Being Executed by DDRE/SE
• Implementing 5200.39 and 5000.02 Program Protection Policy
  • Review/coordination of PPPs for ACAT I programs
  • Program protection assessment methodology
  • Guidance and best practice countermeasures, education and training, industry outreach, to assist programs with CPI identification and protection
• Supply Chain Risk Management
  • Procedures and capability to utilize threat information in acquisition
  • Commercial standards for secure components (ISO/IEC, The Open Group)
  • Horizontal Protection Procedures
  • Acquisition Security Database (ASDB) oversight and implementation
• Advancing the practice: System Security Engineering
  • SERC Research Topic – “Security Engineering”
  • INCOSE Working Group on System Security Engineering
  • DoD/NSA Criticality Analysis Working Group
• DoD Anti-Tamper Executive Agent
  • Anti-Tamper IPT, AT policy, guidance advocate
  • Legislative Proposal – Defense Exportability Fund Pilot Program
• Countering Counterfeits Tiger Team
  • Lifecycle strategy to reduce counterfeits, especially microelectronics
Program Protection Policy
• DoD Policy: DODI 5200.39 “Critical Program Information Protection Within the DoD”
• Provide uncompromised and secure military systems to the warfighter by performing comprehensive protection of CPI through the integrated and synchronized application of CI, Intelligence, Security, systems engineering, and other defensive countermeasures to mitigate risk…
• “CPI. Elements or components of an RDA program that, if compromised, could cause significant degradation in mission effectiveness;
  • Includes information about applications, capabilities, processes, and end-items.
  • Includes elements or components critical to a military system or network mission effectiveness.
  • Includes technology that would reduce the US technological advantage if it came under foreign control…”
DoD 5000 Lifecycle Approach to Early, Designed-In Program Protection
[Lifecycle diagram: S&T Programs → MDD → Materiel Solution Analysis → MS A → Technology Development → MS B → Engineering and Manufacturing Development → MS C → Production & Deployment → Full Rate Prod DR → O&S; CDD and CPD are also shown on the timeline]
• Milestone Decision Authority approves PPP in addition to PM
• Acquisition Strategy, RFP, SEP, and TEMP reflect PPP relevant information
• Streamlined Program Protection Plan
  • One-stop shopping for documentation of acquisition program security (ISP, IA, AT appendices)
  • Living document, data driven, easy to update and maintain
• Identify candidate CPI in TDS, and potential countermeasures
• Obtain threat assessments from Intel/CI, assess supplier risks
• Develop design strategy for CPI protection
• Submit PPP to Acquisition Security Database (ASDB)
• Enhance countermeasure information in Program Protection Plan (PPP)
• Evaluate that CPI protection and RFP requirements have been met
• Contractor adds detail to Program Protection Plan
• Preliminary verification and validation that design meets assurance plans
Multifaceted Approach to Program Protection
• DoDI/DoDM 5200.39 requires use of Supply Chain Risk Management (SCRM) and System Security Engineering best practice countermeasures to protect Critical Program Information (CPI)
• SCRM key practices
• Systems Security Engineering (risk mitigation): specific tools and practices (e.g., malicious code checks, software assurance techniques)
• Other countermeasures (INFOSEC, IA, ITAR, FMS, etc.)
• Countermeasures map to the CPI being protected and its location in the Program Protection Plan (PPP)
• The PPP is used to contract for security in Requests for Proposals (RFP)
Systems Security Engineering (SSE): Early Engineering Emphasis
• Identify components that need protection
  • Perform criticality analysis based on mission context and system function
  • Evaluate CONOPS, threat information, and notional system architecture to identify critical components (hardware, software and firmware)
  • Identify rationale for inclusion in or exclusion from the candidate CPI list
• Perform trade-offs of design concepts and potential countermeasures to minimize vulnerabilities, weaknesses, and implementation costs
• Establish System Security Engineering Criteria
  • Ensure preferred concept has preliminary-level security requirements derived from candidate CPI countermeasures
  • Ensure system security is addressed as part of Systems Engineering Technical Reviews
• We have begun to apply these practices with major acquisition programs
Systems Security Engineering
• Systems Security Engineering definition: an element of system engineering that applies scientific and engineering principles to identify security vulnerabilities and minimize or contain risks associated with these vulnerabilities (MIL-HDBK-1785: Systems Security Engineering Program Management Requirements)
• Codify guidance and best practice
  • To identify software and hardware vulnerabilities
  • To support program protection planning
  • To support secure systems design
• Work is needed to fully expand this discipline
  • Foundational science and engineering, competencies (as compared to other SE specialties: reliability, safety, etc.)
  • Methods and tools: V&V, architecting for security
  • Community and design team recognition of SSE as a key design consideration
Systems Security Engineering Research Roadmap
• Joint DDRE/SE and NSA funded SE Research Center task
• Goal: develop a research roadmap to grow Systems Security Engineering as a key discipline of SE
• Workshop in March 2010 to collect input: 50 attendees from industry, government, and academia
• Proposed research modules in key areas:
  • Definitions: What is the scope of Systems Security Engineering?
  • Metrics: How much security is enough? How do we compare?
  • Frameworks: What is the trade space for making security engineering decisions? Are there architectural commonalities to leverage?
  • Workforce: How do we train researchers, developers, and acquisition professionals to do this? What do they need to know?
  • Methods, Processes, and Tools: How might practitioners actually do this? What can we learn from related disciplines (e.g., Safety, Reliability, Surety)?
• Final report in September 2010
Standardization Efforts
• Buying with Confidence
  • Open Group engagement to develop secure commercial product standards
  • Technology supply chain security standard through ISO
  • Supply Chain Risk Mitigation
  • Countering Counterfeits Tiger Team
  • DFAR for safeguarding unclassified DoD information on DIB networks
  • Object Management Group software assurance frameworks
• Building with Integrity
  • NDIA System Assurance Guidebook, adopted by NATO Standardization Agency
  • ISO 15026: Standard for Systems and Software Assurance
  • Criticality Analysis Working Group
  • Systems Security Engineering research roadmap
  • DHS Software Assurance
• Horizontal Protection
  • DoD-wide Critical Program Information identification process
  • Acquisition Security Database adoption and implementation
In Summary
• Holistic approach to assurance is critical
  • To focus attention on the threat
  • To avoid risk exposure from gaps and seams
• Program Protection Policy provides an overarching framework for trusted systems
  • Common implementation processes are beneficial
• Stakeholder integration is key to success
  • Acquisition, Intelligence, Engineering, Industry, and Research communities are all stakeholders
  • Systems engineering brings these stakeholders, risk trades, policy, and design decisions together
  • Informing leadership early; providing programs with risk-based options
Vision of Success
Key enablers of the strategy: Prioritization, Supplier Assurance, Engineering-In-Depth, Industry Outreach, Technology Investment → Assured Systems
• Prioritization: the requirement for assurance is allocated among the right systems and their critical components
• Supplier Assurance: DoD understands its supply chain risks
• Engineering-In-Depth: DoD systems are designed and sustained at a known level of assurance
• Industry Outreach: the commercial sector shares ownership and builds assured products
• Technology Investment: technology investment transforms the ability to detect and mitigate system vulnerabilities
*Reference: DoD System Assurance CONOPS, 2004
Desired Outcome: Program Benefit and DoD Benefit
• Reduced risk exposure to gaps/seams in policy and protection activity
• Improved oversight and focus on system assurance throughout the lifecycle
• Ability to capitalize on common methods, instruction and technology transition opportunities
• Cost-effective approach to “building security in” where most appropriate
• Coherent direction and integrated policy framework to respond to security requirements
• Risk-based approach to implementing security
• Provision of expert engineering and intelligence support to our programs
• Streamlined process to remove redundancy; focus on protection countermeasures
SE PPP and Assessment Criteria
• Program Criticality Analysis uses a collection of techniques to identify the critical functions / capabilities that need protection
  • Mission thread analysis
  • Vulnerability analysis
  • WBS analysis (what are the major cost elements)
  • Domain-specific knowledge
  • COTS design vulnerabilities and supply chain
• Design and assurance techniques
  • Defense in Depth
  • Draft PDR Exit Criteria
  • Draft CDR Exit Criteria
  • Configuration management access control
• SW development assurance techniques
  • Static code analyzers
  • Design and code walkthroughs / inspections for assurance
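The mission thread analysis named above, and the "assess supplier risks" and "criticality analysis based on mission context" activities on the earlier slides, can be made concrete with a small scoring model. The following is an added example, not code from the briefing or from any DoD program: it takes constructed mission threads, each with a priority and the components it depends on (with redundant alternatives grouped in sets), scores each component by the mission impact of losing it, and then re-scores with every component from a single supplier lost together. All thread, component and vendor names are hypothetical, and the 1..5 priority scale is an assumption.

```python
# Added illustration of mission-thread criticality analysis with a supplier view.
# Constructed sample data; component, thread and vendor names are hypothetical.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class MissionThread:
    name: str
    priority: int  # constructed scale: 1 (low) .. 5 (highest mission impact)
    # Each entry is a set of alternative components; the thread keeps working as
    # long as at least one member of every set survives. A one-member set is a
    # single point of failure for this thread.
    dependencies: Tuple[FrozenSet[str], ...]


def thread_fails_without(thread: MissionThread, lost: FrozenSet[str]) -> bool:
    """True if losing every component in `lost` breaks the thread."""
    return any(not (deps - lost) for deps in thread.dependencies)


def criticality_scores(threads: List[MissionThread]) -> Dict[str, int]:
    """Sum of priorities of threads that a single component's loss would break."""
    components = {c for t in threads for deps in t.dependencies for c in deps}
    return {
        c: sum(t.priority for t in threads if thread_fails_without(t, frozenset({c})))
        for c in components
    }


def supplier_exposure(threads: List[MissionThread],
                      supplier_of: Dict[str, str]) -> Dict[str, int]:
    """Same score, but treating all components from one supplier as lost together."""
    result: Dict[str, int] = {}
    for supplier in set(supplier_of.values()):
        lost = frozenset(c for c, s in supplier_of.items() if s == supplier)
        result[supplier] = sum(t.priority for t in threads if thread_fails_without(t, lost))
    return result


def ranked(scores: Dict[str, int]) -> List[Tuple[str, int]]:
    """Highest score first; ties broken by name so the output is stable."""
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample: three mission threads of a notional platform.
THREADS = [
    MissionThread("targeting", 5, (frozenset({"fcs_sw"}),
                                   frozenset({"gps_rx", "ins"}),
                                   frozenset({"radar_fpga"}))),
    MissionThread("navigation", 4, (frozenset({"gps_rx", "ins"}),
                                    frozenset({"nav_sw"}))),
    MissionThread("comms", 3, (frozenset({"radio_a", "radio_b"}),
                               frozenset({"crypto_module"}))),
]

# Constructed supplier mapping (hypothetical vendor names).
SUPPLIER_OF = {
    "fcs_sw": "VendorA", "nav_sw": "VendorA",
    "radar_fpga": "VendorB",
    "gps_rx": "VendorC", "ins": "VendorC",
    "radio_a": "VendorD", "radio_b": "VendorD",
    "crypto_module": "VendorE",
}

if __name__ == "__main__":
    print("Component criticality:")
    for name, score in ranked(criticality_scores(THREADS)):
        print(f"  {name:14s} {score}")
    print("Supplier exposure:")
    for name, score in ranked(supplier_exposure(THREADS, SUPPLIER_OF)):
        print(f"  {name:14s} {score}")
```

The point the two views make together: gps_rx and ins each score 0 on their own because the other covers for them, yet their shared supplier VendorC scores as high as the vendor of the flight control software, because a compromised or failed supplier removes both alternatives at once. That is the gap a component-only criticality list leaves and the reason the slides pair criticality analysis with supplier risk assessment.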
Systems Security Engineering: Integration of Security Resources
CPI Formats and Example Protections
• Information Systems
  • Information Assurance (controls for applications, networks, IT processes and platform IT interconnections)
  • Communications Security (encryption, decryption)
• End Items
  • Anti-Tamper (deter, prevent, detect, respond)
  • Information Assurance
  • Supply Chain Risk Management (assessing supplier risk)
  • Software Assurance (tools and processes to ensure SW function)
  • System Security Engineering
  • Trusted Foundry (integrated circuit providers)
• Hard Copy Documents
  • Information Security (document markings, handling instructions)
  • Foreign Disclosure (restrict/regulate foreign access)
  • Physical Security (gates, guards, guns)
• Ideas/Knowledge
  • Personnel Security (trustworthy, reliable people)
  • Access Controls