CYBERSAFE Overview
AFCEA C4ISR Symposium
28 April 2015
Presented by:
Mr. Brian Marsh
Assistant Chief Engineer
(Certification & Mission Assurance)
SPAWAR 5.0
Statement A: Approved for public release, distribution is unlimited (27 APRIL 2015)
CYBERSAFE BLUF
▼ The CYBERSAFE Program is focused on ensuring effective
cybersecurity design, procurement, and operation of the
Navy’s most critical warfighting systems
▼ SPAWAR will play multiple key roles from both a Navy
Enterprise and a SYSCOM perspective
▼ CYBERSAFE will bring heightened consideration to the
cybersecurity elements of many SPAWAR Programs
But first, let’s discuss CYBERSAFE in the context of Navy cybersecurity
Current Cyber Environment
Source: Symantec 2015 Internet Security Threat Report
Extreme challenge to keep pace with exponential increase in cybersecurity requirements
SPAWAR’s Role in Navy Cybersecurity
Information Technology / Information Assurance Technical Authority Board (IT/IA TAB)
Joint Regional Security Stack (JRSS)
Task Force Cyber Awakening
Technical Specs/Standards Developer
Authority to Operate (ATO) – Security Control Assessor (SCA)
As Navy’s IA Technical Authority, SPAWAR will assume additional roles in CYBERSAFE
CYBERSAFE Overview
Objective
Establish a CYBERSAFE Program to provide maximum reasonable assurance of a hardened subset of critical warfighting components
Scope
▼ Focused on limited subset of select network components that enable Mission Critical capabilities
▼ CYBERSAFE components may require additional controls beyond RMF
▼ CYBERSAFE Office to become an element within the overall Navy cybersecurity construct
Construct
Diagram labels: Navy Cybersecurity; CYBERSAFE; Platform PMs; PEOs; CYBERSAFE CERTIFICATION AUTHORITY; CYBERSAFE PMO; Technical Authority; IT/IA TA; Security & QA Authority; SYSCOMs
CYBERSAFE Program will focus on Mission Assurance of critical warfighting capabilities
CYBERSAFE Facets
Cyber System Level (Functionality Hierarchy of system to end-to-end mission)
– CSL 1: Platform Safety
– CSL 2: Platform Combat
– CSL 3: Networked Combat
– CSL 4: Sustained Combat
CYBERSAFE Grade (Level of cyber protection incorporated into system design)
– Grade A: Mission Critical
– Grade B: Mission Essential
– Grade C: Non-Mission Essential
Cyber Condition (Operating mode of platform based on likelihood of cyber attack)
– X: FULL NET
– Y: SEMI NET
– Z: NO NET
Figure labels: Design; Procure & Build; Operate; CAPABILITIES; TECHNICAL; Material
IT/IA TAB to develop criteria for leveraging facets to identify CYBERSAFE critical items
SPAWAR’s Role in CYBERSAFE
Enterprise Role
SPAWAR is Technical Authority for CYBERSAFE
– Cross-Enterprise Role
– Define criteria to identify CYBERSAFE Critical Items
– Develop specs & standards for CYBERSAFE Critical Items
– Interface with SYSCOM TAs to resolve CYBERSAFE issues
SYSCOM Role
SPAWAR to establish a CYBERSAFE Entity
– Cross-SPAWAR Role (Led by SPAWAR 5.0)
– Identify SPAWAR’s CYBERSAFE Critical Items
– Ensure specs & standards are incorporated into acquisition
and implemented into capabilities
– Perform certification of SPAWAR CYBERSAFE Critical Items
COMSPAWAR assigned CHENG as SPAWAR’s Lead for CYBERSAFE
SPAWAR IA Standards Plan
FY14
Host Level Protection
Network Firewall
Network Intrusion Detection System (IDS) / Intrusion Protection System (IPS)
DFIA Afloat
Continuous Monitoring
FY15
FY16
FY17
Security Information Event Management (SIEM)
Vulnerability Scanning
Information Sharing-Cross Domain Solution
Account Management
Boundary Protection
Cyber Risk Assessment
Cyber Configuration Management
Software Assurance
Event Management-Incident Management, Contingency Planning, Disaster Recovery, and Incident Response
Authentication and Authorization / IdAM
Web Security
Email Security
BIOS Protection / TPM / Embedded Firmware
Key Management / Exchange
Wireless Communications
Wireless Enclave Access Control
Patch Management
Unified Capability - VoIP, Telecom
DFIA Airborne
Asset Management
Cyber Situational Awareness
Supply Chain Risk Management
DFIA Ashore
IA TA Glossary
DFIA and Standards POR
Implementation Guidance (includes Controls / Standards mapping)
Information Tagging - Data Tagging
Public Key Enabling
Data Encryption - DIT, Link
Data Encryption - DAR
Remote Access
DNS Security
Virtualization Security
Assured Cloud Computing
IA Standards Work Plan approved by the IT/IA TAB
SPAWAR IA Standards Plan
FY14
Host Level Protection
Network Firewall
Network Intrusion Detection System (IDS) / Intrusion Protection System (IPS)
DFIA Afloat
FY15
FY16
Security Information Event Management (SIEM)
Vulnerability Scanning
Information Sharing-Cross Domain Solution
Account Management
Boundary Protection
Cyber Risk Assessment
Cyber Configuration Management
Wireless Communications
Software Assurance
Wireless Enclave Access Control
Event Management-Incident Management, Contingency Planning, Disaster Recovery, and Incident Response
Data Encryption - DIT, Link
Authentication and Authorization / IdAM
Data Encryption - DAR
Web Security
Remote Access
Email Security
DNS Security
BIOS Protection / TPM / Embedded Firmware
Virtualization Security
Key Management / Exchange
Assured Cloud Computing
Continuous Monitoring
FY17
DFIA Airborne
Asset Management
Cyber Situational Awareness
Supply Chain Risk Management
DFIA Ashore
IA TA Glossary
DFIA and Standards POR
Implementation Guidance (includes Controls / Standards mapping)
Information Tagging - Data Tagging
Public Key Enabling
Patch Management
Unified Capability - VoIP, Telecom
Plus…
New task to develop initial CYBERSAFE Standards
– CYBERSAFE Standards
– CYBERSAFE Certification Criteria
– CYBERSAFE Grade A/B/C Criteria
– Requirements for CYBERSAFE Grades A/B/C Systems
– Inspection and Audit Criteria for CYBERSAFE
SPAWAR will play a lead role in developing the technical underpinnings for CYBERSAFE
SPAWAR Equities
▼ SPAWAR 5.0 will work with PEOs to identify SPAWAR CYBERSAFE Items
▼ Baseline Configuration Pilot will assist in identifying Control Points
▼ Potential Programs with CYBERSAFE components:
– CANES
– BFTN
– JALN
– ADNS
– DCGS-N
– GCCS-M/J
– NMT
– MUOS
CANES aligns with CYBERSAFE Grade A criteria as it provides networking,
compute, and storage for mission critical applications and data
Due to its role as entryway to the ship, ADNS is a critical Control Point that
enables connectivity for mission critical systems and components
NMT’s vital SATCOM capabilities provide assured C2 to Naval Commanders
in support of Ballistic Missile Defense
SPAWAR will not identify CYBERSAFE Critical Items until TAB issues selection criteria
CYBERSAFE Way Ahead
▼ CYBERSAFE Implementation Plan approved by CNO on 21 April
▼ CYBERSAFE Office to release CYBERSAFE Instruction and 100-Day Plan
– IT/IA TAB begin work on criteria development
▼ Establish SPAWAR Tiger Team
– Led by SPAWAR 5.0
– Cross-SYSCOM representation
– Leverage TAB criteria and Baseline Pilot to identify CYBERSAFE Items
– Develop POA&M for developing, implementing, and maintaining CYBERSAFE Entity at SPAWAR
CYBERSAFE 2015 Timeline
– Apr: CNO Approval
– Apr: CYBERSAFE Instruction and 100-Day Plan
– Apr - FOC: IT/IA TAB develop criticality criteria. SPAWAR Tiger Team develops implementation approach.
– Aug: Submit CYBERSAFE POA&M
– Oct: CYBERSAFE FOC
Summary
▼ Building upon the foundation provided by IA TA, CYBERSAFE is a
key component of a common Navy plan for Cyber that:
– Promotes a holistic approach to securing critical warfighting capabilities
– Mandates use of common specifications and standards in acquisition and implementation
– Ensures compliance with common specifications and standards through certification process
▼ CYBERSAFE will increase awareness of cybersecurity requirements
for many SPAWAR Programs
– IT/IA TAB will set criteria for identifying CYBERSAFE Critical Items
– SPAWAR 5.0 will work with PEOs to identify CYBERSAFE Critical Items within Programs