Defense Information Systems Agency, A Combat Support Agency
DoD Mobility Security Snapshot
30 May 2012
Mr. Greg Youst, DISA Chief Mobility Engineer, CTO Mobility Lead, DISA/TO1A
UNCLASSIFIED // FOR OFFICIAL USE ONLY
Agenda
• DISA FSO and STIG Process
  – FSO and STIG Overview
  – Current STIG Process and Mobility Problems
  – NIST SP 800-53 Approach to STIG Development
  – Mobile Technology STIG Development Plans
• Classified Mobility
  – Bottom Line Up Front
  – Secure Mobility Concept and Path
  – NSA Mobility Program (Excerpts from NSA brief)
Mobility Objective: DoD Mobile Enterprise
DoD CIO VISION: Allow the warfighter the power to connect to the information resources they need from any device, anywhere in the world.
OUTCOME: The DoD Information Enterprise will enable users to connect, identify themselves, access services, find and share information, and collaborate as needed for the mission at hand.
DISA CTO VISION: Guide and support the development of mobile devices, infrastructure, applications/delivery and management required to support the DoD mobility vision.
Mobility pillars: Devices, Infrastructure, Applications, Management
Who is DISA FSO?
Defense Information Systems Agency Field Security Operations
Mission: Responsible for enhancing availability and security of the Global Information Grid by ensuring adherence to Information Assurance and NETOPS policies, including development of guides and procedures; training of Combatant Commands, subordinate and service components; implementation of standard IA solutions; formal certification reviews and tracking compliance metrics.
Functions:
• Develop, implement and maintain IA security guidance and processes.
• Conduct full-scope security reviews and provide assistance.
• Provide certification and accreditation support and perform as the single Certifying Authority for DISA.
• Develop and implement a NETOPS evaluation and certification program.
• Perform Computer Network Defense Service Provider assessments and make certification recommendations.
• Implement security architecture and Information Assurance tools.
• Develop and distribute IA training products and provide IA training.
• Develop, implement, and maintain vulnerability management systems.
What is a STIG?
Security Technical Implementation Guide:
• A compendium of DoD policies, security regulations and best practices for securing an IA or IA-enabled device (operating system, network, application software, etc.)
• A guide for information security
• Mandated in DoDD 8500.1, DoDI 8500.2
• Endorsed by CJCSI 6510.01, AR 25-2, and AFI 33-202
Goals:
• Intrusion avoidance
• Intrusion detection
• Response and recovery
• Security implementation guidance
STIG Example: Organization of a Smartphone STIG
• A STIG consists of several product STIGs and associated support documents
• Draft Android 2.2 (Dell) STIG:
  – Mobile OS STIG
    • Android 2.2.2 (Dell) product STIG (XML file)
  – Wireless Management Server STIG
    • Good Mobility Suite (Android 2.2) STIG (XML file)
  – Policy STIGs
    • General Wireless Policy STIG (XML file)
    • Smartphone Policy STIG (XML file)
    • Wireless Management Server Policy STIG (XML file)
  – STIG Overview
    • Provides information found in every STIG and an overview of a number of important topics regarding using Android devices in the DoD environment.
  – Read Me file
    • Lists content of the STIG package and how to view the XML files.
  – Android STIG Configuration Tables
    • Lists required and recommended Android smartphone and Good Mobility Suite settings.
  – Android STIG Check Cross Reference Table
    • Lists all applicable security controls in the DoD Vulnerability Management System (VMS) database and shows whether they are applicable to the Android smartphone or to the Good server.
What Problems Exist with the Current STIG Development Process?
Secure Product Development
• No master list of all requirements for products
• Vendors do not know, in detail, what requirements they have to meet
• Not knowing "when they are done"
IA Compliance Reporting
• Determining compliance statistics
• Inability to validate that all requirements are addressed in current checklists
• Inconsistent reporting of findings and compliance status
Security Guide Development
• High demand for new and updated security guidance
• Duplication of requirements
• Vague/general guidance in DoD IA Controls
• Various interpretations of the requirements
• Requirements not written in a measurable format
• Inconsistency in documents from different sources
• Content authors have to interpret the policies to determine what requirements they have to address; not knowing "when they are done"
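The smartphone STIG package on the previous slide ships each product STIG as an XML file, and the IA compliance-reporting problems listed above (determining compliance statistics, validating that every requirement is addressed in a checklist, reporting findings consistently) are what any tool consuming those files has to solve. The following is an added example, not code from this brief or from DISA or FSO. It parses a small XCCDF benchmark constructed for the example (the namespace is the real XCCDF 1.1 namespace; the benchmark name, Group/Rule IDs, titles, check text and review results are all placeholders), reports benchmark rules with no recorded result and results that match no rule, and computes per-CAT counts and a compliance percentage. The CAT I/II/III mapping from severity high/medium/low and the four status names follow DISA checklist conventions; the scoring rule (Not_Applicable excluded from the denominator, unreviewed rules counted as non-compliant) is this example's own assumption, not something the brief specifies.

```python
"""Parse a STIG XCCDF benchmark and compute checklist coverage and compliance.

Added example; the benchmark and results below are constructed placeholders,
not a real DISA STIG or a real review.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}
SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}
STATUSES = ("NotAFinding", "Open", "Not_Applicable", "Not_Reviewed")

# Constructed sample benchmark: IDs, titles and checks are placeholders.
SAMPLE_STIG = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="Sample_Smartphone_STIG">
  <title>Sample Smartphone STIG (constructed)</title>
  <Group id="V-000001"><title>Passcode</title>
    <Rule id="SV-000001r1_rule" severity="high" weight="10.0">
      <version>SAMPLE-001</version>
      <title>A device passcode must be enforced by the management server.</title>
      <check system="C-000001"><check-content>Inspect the MDM policy; passcode must be enabled.</check-content></check>
      <fixtext>Enable the passcode requirement in the MDM policy.</fixtext>
    </Rule>
  </Group>
  <Group id="V-000002"><title>Removable media</title>
    <Rule id="SV-000002r1_rule" severity="high" weight="10.0">
      <version>SAMPLE-002</version>
      <title>Data on removable storage must be encrypted.</title>
      <check system="C-000002"><check-content>Inspect the SD card encryption setting.</check-content></check>
      <fixtext>Enable SD card encryption.</fixtext>
    </Rule>
  </Group>
  <Group id="V-000003"><title>Bluetooth</title>
    <Rule id="SV-000003r1_rule" severity="medium" weight="10.0">
      <version>SAMPLE-003</version>
      <title>Bluetooth discoverable mode must be disabled.</title>
      <check system="C-000003"><check-content>Inspect the Bluetooth setting.</check-content></check>
      <fixtext>Disable discoverable mode.</fixtext>
    </Rule>
  </Group>
  <Group id="V-000004"><title>Banner</title>
    <Rule id="SV-000004r1_rule" severity="low" weight="10.0">
      <version>SAMPLE-004</version>
      <title>The DoD warning banner must be displayed at unlock.</title>
      <check system="C-000004"><check-content>Unlock the device and observe the banner.</check-content></check>
      <fixtext>Configure the banner in the MDM policy.</fixtext>
    </Rule>
  </Group>
</Benchmark>
"""

# Constructed review results keyed by rule id. SV-000004 was never reviewed and
# SV-999999 matches no rule in the benchmark (a stale checklist entry).
SAMPLE_RESULTS = {
    "SV-000001r1_rule": "NotAFinding",
    "SV-000002r1_rule": "Open",
    "SV-000003r1_rule": "Not_Applicable",
    "SV-999999r1_rule": "Open",
}


def parse_benchmark(xml_text):
    """Return one dict per Rule with the identifiers a checklist needs."""
    root = ET.fromstring(xml_text)
    rules = []
    for group in root.findall("x:Group", XCCDF_NS):
        for rule in group.findall("x:Rule", XCCDF_NS):
            rules.append({
                "vuln_id": group.get("id"),          # V-number lives on the Group
                "rule_id": rule.get("id"),           # SV-number lives on the Rule
                "severity": rule.get("severity", "medium"),
                "title": rule.findtext("x:title", default="", namespaces=XCCDF_NS),
            })
    return rules


def coverage_gaps(rules, results):
    """Benchmark rules with no recorded result: requirements the checklist never addressed."""
    return sorted(r["rule_id"] for r in rules if r["rule_id"] not in results)


def stale_results(rules, results):
    """Result entries that match no benchmark rule: findings against a superseded STIG."""
    known = {r["rule_id"] for r in rules}
    return sorted(rid for rid in results if rid not in known)


def compliance_summary(rules, results):
    """Count statuses per CAT and compute a compliance percentage.

    Assumed scoring rule: missing results are treated as Not_Reviewed,
    Not_Applicable rules leave the denominator, and Open and Not_Reviewed
    both count as non-compliant, so an unreviewed checklist cannot score well.
    """
    per_cat = {cat: Counter() for cat in SEVERITY_TO_CAT.values()}
    for r in rules:
        status = results.get(r["rule_id"], "Not_Reviewed")
        if status not in STATUSES:
            raise ValueError(f"unknown status {status!r} for {r['rule_id']}")
        per_cat[SEVERITY_TO_CAT[r["severity"]]][status] += 1
    totals = Counter()
    for counts in per_cat.values():
        totals.update(counts)
    applicable = len(rules) - totals["Not_Applicable"]
    percent = round(100.0 * totals["NotAFinding"] / applicable, 1) if applicable else 100.0
    return {"per_cat": {cat: dict(c) for cat, c in per_cat.items()},
            "applicable": applicable, "percent_compliant": percent}


if __name__ == "__main__":
    rules = parse_benchmark(SAMPLE_STIG)
    print("never reviewed:", coverage_gaps(rules, SAMPLE_RESULTS))
    print("stale results:", stale_results(rules, SAMPLE_RESULTS))
    print(compliance_summary(rules, SAMPLE_RESULTS))
```

Run against the constructed data, the script reports SV-000004 as never reviewed, SV-999999 as a result with no matching rule, and 33.3% compliance (one NotAFinding out of three applicable rules). The two cross-check functions are the point: a percentage computed only over the rules that happen to be in the checklist hides exactly the "are all requirements addressed" problem the slide names.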
Solving the Problem
Analyze policies ONCE for each product family to identify requirements and implementation guidance.
DoD policy inputs:
• DoD 8500 series
• IAVMs
• CTOs
• SP 800-53 & CNSS 1253
• CJCSM & more
Other guidelines:
• Mobile IA best practices
• Risk assessment info
• Additional requirements profiles
Product families:
• Operating Systems
• Applications
• Network Infrastructure
• Non-Computing & Policy
Security Requirement Guides (SRGs) and STIGs:
• 4 core Security Requirement Guides
• Additional technology SRGs
• Unlimited STIGs
Publish: 45,000+ vulnerabilities and requirements in VMS
Status and benefits:
• High demand for new and updated security guidance
• Automated process to author guidance
• Define requirements once, use them many times
• Saves time and allows for better resource utilization
Future (diagram slide; no text content beyond the title)
SRG to STIG Hierarchy (diagram: core SRGs at the top, mobile technology SRGs derived from them, product STIGs at the bottom)
• Core SRGs: Operating System SRG, Network SRG, Application SRG, Policy SRG
• Mobile technology SRGs: Mobile OS SRG, MDM Server SRG, Mobile Application SRG, Mobile Policy SRG
• Product STIGs: iOS 4 ISCG, BlackBerry Handheld STIG, Windows Phone 6.5 STIG, Android 2.2 (Dell) STIG
Agenda (continued): Classified Mobility
– Bottom Line Up Front
– Secure Mobility Concept and Path
– NSA Mobility Program (Excerpts from NSA brief)
Bottom Line Up Front
• DoD and civilian customers will continue to lose capability for classified mobile communications provided by the Sectera and SME-PED mobile devices due to the elimination of CSD service by commercial cellular carriers
  [Chart: Circuit Switched Data (CSD) infrastructure retirement by carrier. CSD service elimination rates and dates estimated based on best information from carriers (Jan 2012).]
• DoD spent at least $247,600,000 on unclassified mobile services. DoD reliance on mobile usage continues to grow, and FY12 costs may exceed $400,000,000
• Current per-user cost is $45-75 per month per device, plus back office costs
The DoD Mobility Solution must address diminishing support for current classified mobile technology and rising costs for unclassified mobile communications.
Mobility Efforts (roadmap chart, FY11 through FY15; funding labels as they appear on the slide)
Secure Voice
• Current SME-PED capability: SUNSET; degrades as circuit switched service is eliminated by vendors
• NSA Fishbowl (NSA funded): developmental, modified commercial phone for secure voice
• MCEP upgrade (funded): replaces commercial circuit switched transport to bridge the capability gap for classified voice; interoperability for the full range of secure voice
• Device-aware security software (partial funding): provides a degree of software separation
Secure Data
• NSA Fishbowl secure data
• Establishment of mobility transport infrastructure and BSSs and OSSs ("MVNO" service for improved secure voice and data): one carrier-accessible transport, one government transport for voice and data
Unclassified Voice and Unclassified Data
• Unclass data: Android STIG, EE pilot, Good pilot
MDM/MAS and Services (applications), both unfunded
• MDM system: delivers OTA capability, technical provisioning, SIM control and end-to-end configuration control, with MAS for device-aware endpoint security
Secure Mobility End-to-End Concept
• Operates over commercial wireless networks
• 3G/4G technology for improved customer experience
• Commercial mobile devices built on open standards
DoD Mobility Enterprise (secure) Platform:
• Security services (SIM, device, network)
• Mobile web/app clients
• Device and network management and security
• Secure services and applications: VoIP, email, chat, calendar, mobile apps
• Enterprise integration
• Customer service and technical support
UNCLASSIFIED // FOR OFFICIAL USE ONLY
Mobile Security Development Path
Commercial solutions based on open standards and NSA architecture/guidance:
• SDES/DTLS-SRTP VoIP app
• Mobile policy enforcement
• Encrypted SD cards (Cryptr)
• Trusted OS (SE Android)
• Bare metal hypervisor
• Mobile Device Management
Capability integration milestones: Secure VoIP, Web Data, Tablet Wi-Fi, Enterprise Data, Continued Development