Federal Cyber Policy and Assurance Issues. Dwayne Ramsey Computer Protection Program Manager Berkeley Lab Cyber Security Summit September 27, 2004.
“And so, extrapolating from the best figures available, we see that current trends, unless dramatically reversed, will inevitably lead to a situation in which the sky will fall.”
Outline
• Federal IT management initiatives
• DOE Cyber Security Program
• Cyber Assurances
• Technical Vision
• Research
Current Federal IT Strategy
• Efforts are underway to integrate
  • Federal Enterprise Architecture,
  • Agency capital planning efforts, and
  • Cyber Security
• Goals:
  • Identify best practices,
  • Leverage resources,
  • Manage cyber assurance
Information Technology… per Clinger-Cohen Act of 1996 and OMB Circular A-11
• Equipment used by an agency or its contractors in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information.
• Computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources.
• Does not include any equipment that is acquired by a Federal contractor incidental to a Federal contract.
DOE Cyber Security Program
• Umbrella document is DOE Order 205.1, DEPARTMENT OF ENERGY CYBER SECURITY MANAGEMENT PROGRAM, of 3/21/2003
• Lays out roles, responsibilities, requirements
• Implementation through DOE Program Cyber Security Plans (DOE Office of Science for Berkeley Lab)
• Allows for a graded approach
• DOE Policy directives included in M&O Contracts
• FISMA and NIST requirements flow down to DOE Laboratories
DOE Cyber Green?
• Significant effort in the past few months to achieve a green rating on the President’s Management Agenda and FISMA
• Federal Authority to Operate (ATO) required
• NIST compliant security documentation, e.g.
  • Certification and Accreditation of all unclassified systems
  • Security plans consistent with NIST SP 800-18
  • Risk Assessment consistent with NIST SP 800-26
• Frequent data calls
• Increased audits of cyber security at the DOE Laboratories
Assurance Concepts
• The cyber threat is being rapidly automated
• Automated defenses are trying to keep up
• Assurance practices not keeping pace – still paperwork intensive
• Assurance is very important. We must find ways to automate
• Assurance Metrics are byproducts of operations:
  • must come from real time events as they occur in the operations of the networked environment
Assurance Flow
[Diagram; labels: Regulation and Oversight (Congress, OMB, NIST, DOE); DOE and Contractor Sites; Assurance Requirements, “What Not How”; Assurance Management; Assurance Operations; Assurances; Operational Requirements]
Assurance Modes
We are at a crossroads.
• One path leads toward checklists and paper assurances
• The other moves us to automation and the self healing network
• Assurance should be based on automated processes
High Level CYBER Assurance Model
[Diagram; labels: POLICY; Directives; Congress; OMB; DOE, SC; GAO/IG/OA; Best Practices; DOE Cyber Program Direction; Plans Appropriate to Tier I, II, III Labs; Feedback; Integrate Assurance into Daily Operational Processes; Operations; Assurance Documents; Audits and Reviews; Reported Metrics; CM, C&A, Authority to Operate, Residual Risk, etc.; “Automate this part”]
Technical Vision
Fully automated monitoring
• Network information continuously collected
  • Successful attacks and intrusions immediately discovered
• Systems continuously scanned
  • Network vulnerabilities detected as they appear
• Vulnerabilities immediately resolved
  • Automatically sequestered
  • Automatically alert owners/sys admins
  • Automatically remove blocks when vulnerabilities are fixed
• Assurance data generated from monitoring output
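A minimal sketch of the loop this slide describes, added here as an illustration and not part of the original presentation: scan results drive the block, alert and unblock actions, and the assurance report is computed from that same event stream instead of being written up separately. The scan data, host names, finding ids and metric names are constructed assumptions.

```python
from dataclasses import dataclass, field
from statistics import mean

# Constructed scan results: (epoch seconds, host, open finding ids). Not real data.
SCANS = [
    (0,    "hostA", {"VULN-1"}),
    (0,    "hostB", set()),
    (600,  "hostA", {"VULN-1"}),
    (600,  "hostB", {"VULN-2"}),
    (1200, "hostA", set()),       # owner fixed hostA
    (1800, "hostB", {"VULN-2"}),  # hostB still vulnerable
]

@dataclass
class Monitor:
    blocked: dict = field(default_factory=dict)  # host -> time the block was applied
    actions: list = field(default_factory=list)  # audit trail of automated actions
    fix_times: list = field(default_factory=list)  # seconds from block to clean scan

    def ingest(self, ts, host, findings):
        """Apply one scan result: sequester on first finding, release on clean scan."""
        if findings and host not in self.blocked:
            self.blocked[host] = ts
            self.actions.append((ts, host, "block"))
            self.actions.append((ts, host, "alert_owner"))
        elif not findings and host in self.blocked:
            self.fix_times.append(ts - self.blocked.pop(host))
            self.actions.append((ts, host, "unblock"))

    def assurance_report(self, hosts_seen):
        """Metrics derived only from what the monitor observed and did."""
        return {
            "hosts_monitored": len(hosts_seen),
            "hosts_blocked": sorted(self.blocked),
            "mean_seconds_to_fix": mean(self.fix_times) if self.fix_times else None,
            "automated_actions": len(self.actions),
        }

def run(scans):
    mon, hosts = Monitor(), set()
    for ts, host, findings in sorted(scans, key=lambda s: s[0]):
        hosts.add(host)
        mon.ingest(ts, host, findings)
    return mon, mon.assurance_report(hosts)

if __name__ == "__main__":
    monitor, report = run(SCANS)
    print(report)
```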
Cyber Research
“For historical reasons, no federal funding agency has assumed responsibility for supporting basic research in this area--not the Defense Advanced Research Projects Agency (DARPA), not the National Science Foundation (NSF), not the Department of Energy (DoE), not the National Security Agency (NSA). Because no funding agency feels it "owns" this problem, relatively small, sporadic research projects have been funded, but no one has questioned the underlying assumptions on cyber security that were established in the 1960s mainframe environment.”
Wm. A. Wulf, Ph.D., President, National Academy of Engineering, and AT&T Professor of Engineering and Applied Science, University of Virginia, before the House Science Committee, U.S. House of Representatives, October 10, 2001
http://www.nae.edu/nae/naehome.nsf/weblinks/MKEZ-542KBP?OpenDocument