170 likes | 487 Views
Acquisition and Technology Overview: System Assurance and Cyber Security. Kristen Baldwin Deputy Director, Strategic Initiatives Office of the Deputy Under Secretary of Defense (Acquisition and Technology) March 2009. Agenda. Increased priority for program protection Threats
E N D
Acquisition and Technology Overview:System Assurance and Cyber Security Kristen Baldwin Deputy Director, Strategic Initiatives Office of the Deputy Under Secretary of Defense (Acquisition and Technology) March 2009
Agenda • Increased priority for program protection • Threats • Vision of Success • A plan for improving DoD Program Protection • Policy • Designing for Security • Program Protection Plans • Tools • Outcomes • Defense Industrial Base Cyber Security • Call to attention • Acquisition and contracting actions
Increased Priority for Program Protection Threats: Nation-state, terrorist, criminal, rogue developer who: Gain control of IT/NSS/Weapons through supply chain opportunities Exploit vulnerabilities remotely Vulnerabilities: All IT/NSS/Weapons (incl. systems, networks, applications) Intentionally implanted logic (e.g., back doors, logic bombs, spyware) Unintentional vulnerabilities maliciously exploited (e.g., poor quality or fragile code) Consequences: Stolen critical data & technology; corruption, denial of critical warfighting functionality System Assurance is the confidence that the system functions as intended and is free of exploitable vulnerabilities, either intentionally or unintentionally designed or inserted during the lifecycle 3
Vision of Success The requirement for assurance is allocated among the right systems and their critical components DoD understands its supply chain risks DoD systems are designed and sustained at a known level of assurance Commercial sector shares ownership and builds assured products Technology investment transforms the ability to detect and mitigate system vulnerabilities Prioritization Supplier Assurance Engineering- In-Depth Industry Outreach Technology Investment Assured Systems 4
Improving DoD Program Protection Increase Efficiency of Program Personnel Coordinating Security Disciplines Reduce Program Documenta-tion Streamlining The PPP Improved Protection of DoD Weapon Systems Reduce Cost of Implementing Protection Early ID, Designed-In Protection Reduce Program Level of Effort Program Protection Tools 5
Program Protection Policy • DoD Policy: DODI 5200.39 “Critical Program Information Protection Within the DoD” • Provide uncompromised and secure military systems to the warfighter by performing comprehensive protection of CPI • CPI. Elements or components of an RDA program that, if compromised, could cause significant degradation in mission effectiveness; • Includes information about applications, capabilities, processes, and end-items. • Includes elements or components critical to a military system or network mission effectiveness. • Includes technology that would reduce the US technological advantage if it came under foreign control • To minimize the chance that the Department’s warfighting capability will be impaired due to the compromise of elements or components being integrated into DoD systems by foreign intelligence, foreign terrorist, or other hostile elements through the supply chain or system design. • DoD 5000.02 • CPI shall be identified at MS A in the Technology Development Strategy • Program Protection Plan shall be developed and approved by MS B; updated and approved at MS C
DoD 5000.02:Early, Designed-In Program Protection Production & Deployment O&S • Acquisition Strategy, TDS, RFP, SEP, and TEMP revised to include PPP relevant information • Milestone Decision Authority approves Program Protection Plan (PPP) • Streamlined Program Protection Plan • One-stop shopping for documentation • of acquisition program security (ISP, • IAS, AT appendices) • Living document, easy to update, • maintain • Improve over time based on feedback • Identify draft CPI, estimated protection duration and S&T Lab countermeasures Full Rate Prod DR MS B MS C MS A Engineering & Manufacturing Development & Demonstration Materiel Solution Analysis CDD CPD TechDev MDD • Assess supplier risks • Develop design strategy for CPI protection • Enhance countermeasure • information PPP • Evaluatethat CPI Protection RFP • requirements have been met • Update PPP with lifecycle • sustainment planning • Update PPP, with contractor • additions • Preliminary verification and • validation that design meets • assurance plans 7
Systems Security Engineering: Integration of Security Resources 8
Engineering for System Assurance • “Engineering for System Assurance” V1.0 Guidebook signed out at NDIA October 1, 2008 • Posted on SSE Web site at: • http://www.acq.osd.mil/sse/ssa/guidance.html • Provides guidance on how to address System Assurance through Systems Engineering processes • Aligns to DoD acquisition lifecycle processes with actionable criteria • Adds emphasis to ISO/IEC 15288 SE processes • Enhanced IA focus and alignment with current processes • Focus on hardware, software and operational environment • Dovetails with Program Protection Planning (PPP) processes • Supports identification of trusted foundry resources • Informs Anti-tamper considerations
New PPP: Data Driven Format Pithy, Dynamic, Modular Verbose, Static, Essay Example Format 11
PPP Process Desired Outcome Program Benefit Coherent direction and integrated policy framework to respond to security requirements Risk-based approach to implementing security Provision of expert engineering and intelligence support to our programs Streamline process to remove redundancy; focus on protection countermeasures DoD Benefit Reduced risk exposure to gaps/seams in policy and protection activity Improved oversight and focus on system assurance throughout the lifecycle Ability to capitalize on common methods, instruction and technology transition opportunities Cost effective approach to “building security in” where most appropriate
Defense Industrial Base Cyber Security
Defense Industrial Base Cyber Security • DEPSECDEF Call to action: “Stop the Bleeding” • July 10, 2007: DSD, DNI, VCJCS meeting with CEOs of 16 DIB partners • DIB Cyber Security Task Force formed: • Developing strategies for information sharing; • Incident reporting; • Benchmarking information security practices; • Acquisition and contracting procedures • Damage assessment • SSE/Strategic Initiatives leads the Acquisition and Contracting efforts for DIB CS Task Force
DIB CS – Activities for Acquisition and Contracting • AT&L Policy Memo – • Directs Acquisition Executives to engage their Program Executive Offices and Program Managers to take immediate steps to: • Ensure that CUI is identified and appropriately protected in DoD acquisition programs. • Report incidences and exfiltrations • Evaluating information security standards • Developing DFAR Language • Piloting with Services to learn and refine policy and guidance • Working with industry partners to “raise the bar” • NDIA System Assurance Committee • AIA, ITAA, other interactions • Developing Education and Training materials • Program Managers • Contracting Officers • Small Business Mentors