DSLC Rm (3E813) Layout - Mil

Cyber – What is that, really?
A General Overview of our Cyber Prioritization Crisis
Information Assurance (IA) for Service Oriented Architecture (SOA)
October 6, 2009
Mike Davis, VP, ISSA San Diego; Technical Advisor, TSN
[email protected]
for the Information Systems Security Association (ISSA) and The Security Networks (TSN)
SecureSD / C4ISR Cyber
(my “day job” – Chief Systems Engineer (CSE) for large deck ships & shore sites - SPAWAR 5.0.2 / 5.2)
Good for public release. No distribution statement needed.
What’s Wrong With This Security?
What level of “cyber” protection is provided here?
Capabilities that are “invisible” (IA/cyber, safety, reliability) - what you see is not the whole picture!
Couldn’t get through the gates because they were completely locked. They were properly installed, configured and validated. I could not get through it. But.... So there seems to be gaps…
Summary Preview
• There are MANY IA/cyber initiatives in the works
– Follow the CNCI trail, that should prevail…
• We still need cyber enterprise “R”equirements, just
as we do now for IA and IO and C&A and ….
– What is needed now, current issues, will exist in cyber
– W/o an enterprise risk management approach, any / all
paths will do… and we stay in the crisis of prioritization
• We ALL need better collaboration – DOD on down
– Users / platforms must drive cyber = KISS = commodity
– YOU - Vendors / integrators must coalesce, drive the train
Cyber = smarter IO & IA collaboration with ALL stakeholders in COMMON ways..
Setting the “Cyber” Stage
• Feb 2008 – A Pakistani ISP’s mis-configured BGP announcement of YouTube’s prefix denied YouTube access worldwide for about 2 hours, showing how vulnerable inter-domain routing is
• Jul/Aug 2008 – Major DNS cache-poisoning vulnerability (Kaminsky) disclosed and patched across vendors in a coordinated release
• Nov 2008 – Conficker botnet affects as many as 12 million computers worldwide (and still out there)
• Symantec reports 15,000 new types of malware daily
• Gartner estimates 3.6M victims lost $3.2B in the U.S. in 2007 due to phishing attacks
• Consumer Reports estimates U.S. consumers lost $8.5B and replaced 2.1M computers because of viruses, spyware, etc. between 2006 and 2008
• And Many, many, many more …..
Cyber crime revenues are now equal to all illegal drug trade
From Homeland Security brief
Cyber = A National Security Issue
Ubiquitous Presence…
• 1.5 billion people on the Internet; much of Asia and Africa still to come (using wireless, which is cheaper to install)
• Upwards of 200B e-mails per day
• Critical to commerce, government, business processes, safety, etc.
• Exponential demand; 8 hours of YouTube uploaded every minute
• Increasing connections; global wireless and cellular usage
• Volumetric rise in data everywhere, with no enterprise data security and tracking approach (Internet = database)
Salient Danger…
• Cyberspace intrusions and attacks are a real and emerging threat
• U.S. faces a dangerous mixture of vulnerabilities and adversaries
• Cyberspace situational awareness is not mature (and not at all levels)
• PEOPLE, Information and the C4ISR infrastructure are targets
• Exploitation, disruption, exfiltration, misinformation or destruction are adversary goals (& bragging rights)
• Malicious cyberspace activity is increasing in regularity and severity
“Attacks on Critical Infrastructure could significantly disrupt the functioning of government and business alike and produce cascading effects far beyond the targeted sector and physical location of the incident.”
-- 2007 National Infrastructure Protection Plan
(Source: derived from JS Cyber 101 brief)
What is “Cyber”?
“A global domain within the information environment consisting of
the interdependent network of information technology
infrastructures, including the Internet, telecommunications
networks, computer systems, and embedded processors and
controllers.“
-- DoD Definition of Cyberspace
Cyber space operations = employment of cyber capabilities where
the primary purpose is to achieve military objectives or effects in
or through cyberspace. Such operations include computer network
operations and activities to operate and defend the GIG
“The military strategic goal is to ensure US military strategic
superiority in cyberspace.”
-- National Military Strategy for Cyberspace Operations
It could mean just about anything….
But mostly a balanced IO/CNO & IA/CND portfolio
DoD CND (and “Cyber”) Defense in Depth
The “smart” integration and collaboration between MANY needed IO & IA functions
[Figure: a tiered CND defense-in-depth map. TIER I = DoD GIG (JTF-GNO); TIER II = Navy GIG (NCDOC); TIER III = WAN (Enclave), LAN (POP/HUB), Enclave DMZ, Navy DMZ / Enterprise DMZ / Functional NIC, LOCAL ENCLAVE and HOST. Each capability is colour-coded Operational, Funded and Rolling Out, or Proposed or In Development; that coding is not recoverable from the transcript.]
CND SP functions: Incident Response / Management; Prometheus; Threat Analysis; Compliance Scans; IAVM Management
Capabilities shown on the map (deduplicated, status not recoverable): Alert Filtering; ACLs; Anti-virus; CAC/PKI; CARS; CDS; CENTRIXS Monitoring; CND Data Strategy; CND POR; CONOPS; Content Filtering; DAPE; DAR; Deep Packet Inspection; DITSCAP/DIACAP; DNS Blackholing; DRRS-N; Email AV; ENMS; Firewalls; GIAP; Global CND UDOP; HBSS; Honey Grid; IAP Monitoring; IASM; IAVM Compliance / Implementation; IDS; Incident Handling / Response; In-Line Filtering; In-Line Virus Scanning; Insider Threat; IP Sonar; IPS; IWCE; Metrics; Multi-Layer Protocol Defense; NET Cool Data / View and NET Cool / INMS View; NMCI NIPRNET and SIPRNET IDS Feeds; NUDOP; PKI; POR Management; RNOSC; SCCVI/SCRI; SIPR NAC; SIPRNET Firewall PPS Policy; Site Compliance Scans; SLIDR; Standard IP Block Lists; Standardized Configurations; System Patching; Threat Analysis / Assessment; Tier 3 SIM; TMAT; TRICKLER / CENTAUR; Tutelage; Vulnerability Remediation; Vulnerability Scanning; WAN SA; WIDS; Wireless Mapping
Cyber = “mostly” Life-cycle education and proactive, dynamic defense….
(From NCDOC briefs)
Integration of Cyber Security and Defense
[Figure: timeline from 2003 / 2004 to 2008 of threat vectors against NCDOC capabilities; capabilities accumulate year over year. Annotation: “Where, lack of ‘IA CM’ is pervasive and undermines it all”.]
Threat vectors, 2003 / 2004: Compromised Password Files; Known Trojans and Malware; Commonly Known Vulnerabilities; Indiscriminate Recon; Insider Threat
Threat vectors, 2008: New/Custom Trojans; Spear Phishing; Zero Day Exploits; Soft Cert Searches; Web Based Attacks; Social Engineering; Stolen Credentials
Capabilities (cumulative; each column’s year is inferred from the nesting of the lists):
2003 / 2004: Mobius Project; Trends Analysis; Online Surveys; IDS Monitoring; Incident Handling; IAVM
2005 adds: CCZ; NIOSC Construct; Tactical IDS placement; DNS Blackhole; IP Block Initiative; CAC/PKI; Network Forensics; Malware Analysis; Signature Development
2006 adds: CARS initiative; Mobius to Prometheus; Cyber Tactical Teams; Enhanced Compliance; LE/CI integration; Threat Analysis; Process Improvements
2007 adds: Tactical Sensor Pilot; HBSS Pilot; SCCVI/SCRI; Enhanced Collaboration; IDS to IPS Transition
2008 adds: HBSS Deployment; Content Filtering; Joint Data Strategy; NMIMC Integration; SLIDR Pilot; Insider Threat Tool Pilot; OCRS / IAVA Spiral
Synchronized “cyber” capabilities to narrow the Threat Vectors
(From NCDOC briefs)
President's Cyber Plan
1 - Ensure accountability in federal agencies, cyber security
will be designated as a key management priority.
2 - Work with ALL the key players, including state and local
governments and the private sector.
3 - Strengthen the public-private partnerships.
4 - Continue to invest in the cutting-edge research and
development necessary for the innovation and discovery.
5 - Begin a national campaign to promote cyber security
awareness and digital literacy.
Common themes – stresses education and proactive/dynamic defense
What makes Cyber different?
Given Cyber = “virtual” warfare, somewhat different from
the kinetic / physical environment we all know well
-- Includes ALL Offensive and Defensive IT/IO/IA
capabilities and DOTMLPF, ALL aggregated somehow
-- Essentially a select critical technical combination of
IO/CNO and IA/CND + more integration stuff
-- A different virtual ROE than Kinetic – sometimes
reversed, legally constrained (and what is “an act of War?”)
-- Shared vulnerabilities mandate a proactive, dynamic
defensive posture – a “mission kill” is one e-mail away
-- Thus a crisis of prioritization, where everything is
urgent, mandatory… and the many CoC lines are blurred
Many high-level cyber definitions and approaches abound
FEW “definitive” enterprise top down action plans, yet
Cyberspace Characteristics
• What’s different?
– Man-made domain… complex and insecure by design
– Global stakeholders — public, private and government
– Speed of both action and change – zero separation
– Transcends physical, organizational and geopolitical boundaries – highly sensitive to political/legal influence
– Anonymity – identity/intent of players not always clear
RoE / CONOPS: Kinetic = virtual; “NO” boundaries; Legal aspects rule; No clear Cyber IFF!
(Source: derived from JS Cyber 101 brief)
Cyberspace Characteristics
[Figure: all of the warfighting domains intersect in cyberspace (global reach & impact; sensors everywhere: ISR/METOC, SPACE, Networks, etc.), shown in relation to other mission areas such as C2 and IA.]
Cyberspace Domain is contained within and transcends the others
… cyberspace is a blend of exclusive and inclusive ties
The “Venn connections / COIs” are extensive
Numerous dynamic “COIs” dominate relationships
Adding complexity and causing “cross domain” data sharing effects
(Source: derived from JS Cyber 101 brief)
NSPD-54/HSPD-23: CNCI ‘12 Initiatives’
Many are still being finessed, and all need to be prioritized
Focus Area 1 (Establish a front line of defense):
• Trusted Internet Connections
• Deploy Passive Sensors Across Federal Systems
• Pursue Deployment of Intrusion Prevention Systems
• Coordinate and Redirect R&D Efforts
Focus Area 2 (Resolve to secure cyberspace / set conditions for long-term success):
• Connect Current Centers to Enhance Situational Awareness
• Develop Gov’t-wide Counterintelligence Plan for Cyberspace
• Increase Security of the Classified Networks
• Expand Education
Focus Area 3 (Shape future environment / secure U.S. advantage / address new threats):
• Define and Develop Enduring Leap-Ahead Technologies, Strategies & Programs
• Define and Develop Enduring Deterrence Strategies & Programs
• Manage Global Supply Chain Risk
• Define Federal Role for Cybersecurity in Critical Infrastructure Domains
“THESE” are the key long-term GIG business opportunity areas!
(Source: derived from JS Cyber 101 brief)
Cyber Prioritization Crisis
Our paper in socialization – highlights are:
-- Cyber is fundamentally enacting a prioritized and balanced
approach between existing IO/CNO (aka offense) and
IA/CND (aka defense) capabilities,
-- with diminishing resources, while also addressing dynamic
and emerging threats through targeted R&D/S&T initiatives
to fill gaps of the cyber vision.
-- The RoE, CONOPS, relationships required are NOT the
same as existing kinetic processes, and can be reversed!
-- Political / legal aspects of cyber will impede us all!
-- CoC needs an effective situational awareness (SA) capability
for "cyber" to enhance our decision superiority
Cyber Prioritization Crisis
Paper in socialization – intended for technical discussions
Cyber technical foundations (what matters):
1 - Enterprise risk management process
2 - Fix/update/simplify what we have (and IA CM too!)
3 - NO clear IA/security/cyber vision
4 - Supply chain security issues – intractable?
5 - No enterprise SOA / automated IA approach
6 - Enforce a common data strategy, security aspect
Leadership Summary / Recap / Results
(Cyber Security Collaboration Summit – SD – Nov 08)
•Common vision / end state / master plan
•Governance & more governance
•Specified requirements and then some
•Prescriptive implementation guidance required
•What’s “good enough” IA/Security?
•Pedigree approach – simplify V&V / C&A (build it in)
•What is the IA business basis / ROI?
•What is the future risk environment?
•Training at all levels, especially user and SW development
•Standard architectures / standards / profiles (and a Trust Model!!!)
• SOA security is vague - at best…
WE must collectively quantify & prioritize these for leadership actions
Representative Navy Operator IA issues
• IA Master Plan; Architecture vision; clear IA goals
• IA Governance Structure / Consistent Policies
• Workforce Quals / Certs / Training
• "Improve Speed to Capability” - Implementing newer technologies.. HBSS, DAR, etc….
• IA Approach, Strategy consistent with SYSCOMs and DoD
• IA Policy/Architecture “implementation” guidance
• Enterprise Access Control - "Trust Model"
• Certification & Accreditation - Aggregation of systems
• Supply Chain Security / Defense in Breadth
• Sustain current IA and CND posture to ensure readiness
Calling things “cyber” will not change the current IA and IO issues
These are still the activities that are needed for protecting the GIG
Recent IT/Cyber Leadership perspectives
A - Political / legal cyber approach
Cyber offense must be strictly monitored and controlled, due to potential escalation & State Department implications & countries suing each other
B - Navy IT FLAG/SES Feb 09 meeting results / paper:
-- Greater accountability, complete visibility, net-centric concepts need to be revisited, can't protect all networks - ensure the C2 / enterprise
-- Need better situational awareness, discipline in development and acquisition, TTPs... And training...
-- focus more resources on defensive posture and key critical actions (aka - have a risk management approach), closer collaboration…
-- Senior Cyber Advisor’s major conclusions: Stricter CM & SA / inspect traffic
Issues / suggestions are similar to others, but collectively act WE must!
Hard “IA/Cyber” Problems List (HPL)
• Original Version
– Composed in 1997-98 based on several government sponsored workshops; Published in 1999
• Topics
– 1. Intrusion and Misuse Detection
– 2. Intrusion and Misuse Response
– 3. Security of Foreign and Mobile Code
– 4. Controlled Sharing of Sensitive Information
– 5. Application Security
– 6. Denial of Service
– 7. Communications Security
– 8. Security Management Infrastructure
– 9. Information Security for Mobile Warfare
– A. Secure System Composition
– B. High Assurance Development
– C. Metrics for Security
From Homeland Security brief
Areas of opportunities in Cyber…
Areas of Potential “IA/Cyber” Research
• Global Scale Identity Management
• Scalable Trustworthy Systems
• Survivability of Time-Critical Systems
• Situational Understanding and Attack Attribution
• Combating Insider Threats
• Data Provenance
• Privacy-Aware Security
• Enterprise Level Metrics
• Coping with Malware and Botnets
From Homeland Security brief
Other areas of opportunities in Cyber…
• Usability and Security
• System Evaluation Lifecycle
• Network recovery and reconstitution
• Cyber Security economic modeling
• Finance Sector R&D Agenda
• Modeling of Internet Attacks on critical infrastructure
• Process Control System (PCS) security
• Software Quality Assurance
More areas of opportunities in Cyber…
Federal Plan for Cyber Security and Information Assurance (CSIA) R&D
• Overarching categories
– Functional Cyber Security Needs
– Needs for Securing the Infrastructure
– Cyber Security Assessment and Characterization
– Foundations for Cyber Security
– Domain-Specific Security Needs
– Enabling Technologies for Cyber Security and Information Assurance R&D
– Advanced and Next-Generation Systems and Architecture for Cyber Security
– Social Dimensions of Cyber Security
From Homeland Security brief
What can we expect to help us?
• NSA / GIAP with CNCI = better IA stuff
• Support for “data/content centric security – DCS”
• Leaders get it, but we need translate geek speak
• ESM / PvM helps automated systems, reporting
• COTS IA – commercial suite “B” encryption
• Going beyond boundary protection approach
– Effective trust binding between data, layers and domains
• Eventually an IA vision -> enterprise architecture
– Easier to build IA in through a top-down structure / standards
Where you can assist
• New technologies, methods, processes (CNCI!)
• Not so niche areas of general systems engineering,
integration, “rapid COTS / GOTS insertion,” etc
• Collaboration with other innovative companies
• Partner with other security groups, IA/cyber entities
• Cyber “packages” needed, not un-integrated SW
• Follow issues / concerns – they will not go away
• Think tank, study, and discovery support efforts
• Top down risk management, prioritization approach!
Summary
• There are MANY IA/cyber initiatives in the works
– Follow the CNCI trail, that should prevail…
• We still need cyber enterprise “R”equirements, just
as we do now for IA and IO and C&A and ….
– What is needed now, current issues, will exist in cyber
– W/o an enterprise risk management approach, any / all
paths will do… and we stay in the crisis of prioritization
• We ALL need better collaboration – DOD on down
– Users / platforms must drive cyber = KISS = commodity
– YOU - Vendors / integrators must coalesce, drive the train
Remember the “P6” principle…
That’s our story – what’s yours?
What is Information Assurance (IA)?
“Measures that Protect and Defend Information and Information Systems by Ensuring Their Availability, Integrity, Authentication, Confidentiality, and Non-Repudiation. This Includes Providing for Restoration of Information Systems by Incorporating Protection, Detection, and Reaction Capabilities.”
[Figure: the five pillars, with INFOSEC drawn inside the broader Information Assurance circle.]
• Confidentiality – Assurance that Information is Not Disclosed to Unauthorized Entities or Processes
• Integrity – Quality of Information System Reflecting Logical Correctness and Reliability of Operating System
• Availability – Timely, Reliable Access to Data and Information Services for Authorized Users
• Authentication – Security Measure Designed to Establish Validity of Transmission, Message, or Originator
• Non-Repudiation – Assurance Sender of Data is Provided with Proof of Delivery and Recipient with Proof of Sender’s Identity
WHAT parts belong where – wrt our collective enterprise cyber model?
Cyber “Protections” Overview
(or why “IA/IO/Cyber” is so complex / hard… because it is ALL of this and more!)
[Figure: the protection space drawn around Enterprise Risk Mgmt. Elements shown: “CIO”; FISMA; Operations; IAMs; “IO”; CA Support; CMI/KMI; Policy; CND; PKI/CAC; ID Mgmt; C&A; IA; IA Services; Typical IA Acquisition elements; CNO (Defend / Attack / Exploit); Training; NETOPS; Requirements; with multiple players, multiple PEs/Lines, multiple threats and multiple PMW/S/As.]
Strategy AND Governance critical to “implementation” success!
Cyber – Spans Warfare and Business Mission Areas
Net-centric operations as well as the emerging new joint capabilities and integration development process is where the DoD is headed in the “Business of Warfighting”
[Figure: Cyberspace spanning the Warfighter and Business Mission Areas.]
Cyber must effectively integrate Business and Warfighter Mission Areas
Where GOVERNANCE (or lack of it), still rules…
Source: Secretary of State Hillary Clinton Statement, January 21 2009
Source: SSC Atlantic Cyber Strategy
(Source: notional – partially derived from industry partner brief)
IA / Cyber must be E2E!
WE have a “natural” hierarchy in our enterprise IT/network environment, where complexities arise in the numerous interfaces and many to many communications paths typically involved in end-to-end (E2E) transactions
Hierarchy, innermost to outermost: Apps; System / services; HW/SW/FM “CCE”; Network; SoS; Enclave; Site; Enterprise. AND, People and processes TOO!
Each sub-aggregation is responsible for the IA controls within their boundaries and also inherits the controls of their environment – need to formalize reciprocity therein!
Thus, the IA/cyber controls and interfaces in each element / boundary must be quantified / agreed to upfront!
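The inheritance and reciprocity point above, as an added illustration that is not part of the briefing: each aggregation level provides some IA controls itself and inherits the rest from its environment, and the check that needs formalising is whether every control a level relies on is actually provided somewhere in its chain of environments. The level names follow the slide; the control names and which level provides or relies on which are constructed for the demo.

```python
"""Added illustration, not from the briefing: effective IA controls at each
level of the E2E hierarchy and the reciprocity gaps (controls a level assumes
from its environment that nobody above it provides). Control names and the
provides / relies_on assignments are constructed for the demo."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Boundary:
    name: str
    provides: set                     # IA controls implemented inside this boundary
    relies_on: set                    # controls it assumes its environment provides
    parent: Optional["Boundary"] = None


def effective_controls(b: Boundary) -> set:
    """Controls in force at b: its own plus everything inherited outward."""
    eff = set()
    node = b
    while node is not None:
        eff |= node.provides
        node = node.parent
    return eff


def reciprocity_gaps(b: Boundary) -> list:
    """Controls b assumes from its environment that no enclosing boundary
    actually provides; non-empty means the accreditation leans on nothing."""
    inherited = effective_controls(b.parent) if b.parent else set()
    return sorted(b.relies_on - inherited)


def build_example() -> dict:
    """Constructed chain: Enterprise > Site > Enclave > Network > CCE > App."""
    ent = Boundary("Enterprise", {"PKI", "IAVM"}, set())
    site = Boundary("Site", {"Physical-Access"}, {"PKI"}, ent)
    enclave = Boundary("Enclave", {"Boundary-FW", "IDS"}, {"IAVM"}, site)
    network = Boundary("Network", {"ACLs"}, {"Boundary-FW"}, enclave)
    # CCE assumes patch management from outside, but only IAVM tracking exists above it
    cce = Boundary("CCE", {"HBSS", "Std-Config"}, {"IDS", "Patch-Mgmt"}, network)
    # the app assumes the host audits for it; nobody in the chain provides audit logging
    app = Boundary("App", {"Input-Validation"}, {"HBSS", "Audit-Log"}, cce)
    return {b.name: b for b in (ent, site, enclave, network, cce, app)}


def report(boundaries: dict) -> dict:
    """name -> sorted reciprocity gaps, for every level in the hierarchy."""
    return {name: reciprocity_gaps(b) for name, b in boundaries.items()}


if __name__ == "__main__":
    for name, gaps in report(build_example()).items():
        print(f"{name:10s} gaps={gaps or 'none'}")
```

Running it shows the two gaps the comments plant (CCE's assumed patch management and the app's assumed audit logging); those are exactly the "agreed upfront" items the slide asks for, and in a real boundary they would come from the accreditation package rather than from literals.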
An “Overall” Enterprise Picture
(what are the minimal elements, who “owns” them, & how do they get integrated?)
“SOA Security” needs to account for more than “just” SOA!
[Figure: layered enterprise picture: Apps & COIs; SOA/ESB/Services; Business processes; ITIL/ITSM SLA execution; CCE; Data security strategy / ownership; Dynamic Access Control; Hardware / Software Assurance; Data privacy protection and Auditable anonymity.]
There is more to the enterprise IA/C&A picture than “just” CCE, SOA and Apps, which are hard enough to integrate
IA/Security strategy must consider the whole enterprise trust model!
What’s a “simple” IA/Cyber
end-state / vision look like?
What are the “Requirements”
An end-state stresses encapsulation through a virtualized fabric
So what really matters in IA/Cyber E2E?
A notional Quality of Protection (QoP) Hierarchy
(Wrt our defense in “breadth” position paper – but what REALLY matters?)
[Figure: a stack, with the most complex and dynamic settings at the top and the best known, most static capabilities at the bottom.]
• “DATA QoP” (C-I-A and N & A): Complex… Dynamic… Settings
• IA&A and CBE / DCS (distributed / transitive trust model … E2E data-centric security and protections)
• Core / Security Services / Standards (WS* and other security policy / protocols / standards (including versions & extensions therein))
• IA devices: network protection – CND – FW / IDS / VPN / etc (in general, mature capabilities – but multiple unclear “CM” processes are persistent and problematic)
• IO … and ... IA: CNO/E/A, “I&W”, OPSEC, etc; A&E / Policy; Crypto, KMI, TSM/HAP, policy, etc: Known… Static…
Mainly: IA standards, IA&A, CBE/DCS and digital policy!
GIG IA Protection Strategy Evolution
Static “Perimeter” Protection Model:
• Common level of Information Protection provided by System High Environment
• Common User Trust Level (Clearances) across sys-high environment
• Privilege gained by access to environment and rudimentary roles
• Information “authority” determines required level of protection (QoP) for the most sensitive information in the sys-high environment – high water mark determines IT/IA/“Comms” Standards for all information
• Manual Review to Release Information Classified at Less than Sys-high
• Manual Analysis and Procedures determine allowed interconnects
Transactional “Enterprise IA” Protection Model:
• Required level of Information Protection “Specified” for each Transaction
• User Trust Level sufficient across Transaction/COI – varies for enterprise
• Privilege assigned to user/device based on operational role and can be changed
• Information “authority” determines required level of end-to-end protection (QoP) required to access information – translates to a set of IT/IA/“Comms” Standards that must be met for the Transaction to occur
• Automated mechanisms allow information to be Shared (“Released”) when users/devices have proper privilege and Transaction can meet QoP requirements
We will be loosely connected, sharing information – and protected?
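The two models on this slide reduced to decision functions, as an added illustration that is not part of the briefing or of any GIG program's policy engine: the perimeter model grants by presence in the sys-high environment and sends every release across the boundary to manual review, while the transactional model lets the information authority state a required QoP (privilege plus a set of IT/IA/comms standards) and releases automatically when a transaction meets it. Clearance labels, standard names and the three sample transactions are constructed for the demo.

```python
"""Added illustration, not from the briefing: the static perimeter model and
the transactional enterprise IA model as decision functions. Clearance
ordering, standard names and sample transactions are constructed."""
from dataclasses import dataclass

CLEARANCE_RANK = {"U": 0, "S": 1, "TS": 2}   # constructed ordering, lowest to highest


@dataclass(frozen=True)
class Qop:
    """Required end-to-end protection for one information object, set by the
    information authority."""
    min_clearance: str
    roles: frozenset        # operational roles permitted to receive it
    standards: frozenset    # IT/IA/comms standards the transaction must meet


@dataclass(frozen=True)
class Transaction:
    user_clearance: str
    user_roles: frozenset
    offered_standards: frozenset   # what the requester's device and path actually provide
    inside_sys_high: bool          # requester sits inside the sys-high environment


def perimeter_decision(env_high_water: str, tx: Transaction) -> str:
    """Static model: one high-water mark for the whole environment. Privilege
    comes from being inside it; any release across the boundary is manual."""
    inside_and_cleared = tx.inside_sys_high and (
        CLEARANCE_RANK[tx.user_clearance] >= CLEARANCE_RANK[env_high_water])
    return "allow" if inside_and_cleared else "manual-review"


def transactional_decision(qop: Qop, tx: Transaction):
    """Enterprise IA model: automatic release iff privilege and QoP are met.
    Returns (decision, sorted unmet requirements) so a deny is explainable
    to the requester and auditable afterwards."""
    unmet = []
    if CLEARANCE_RANK[tx.user_clearance] < CLEARANCE_RANK[qop.min_clearance]:
        unmet.append("clearance<" + qop.min_clearance)
    if not (tx.user_roles & qop.roles):
        unmet.append("role")
    unmet.extend("standard:" + s for s in sorted(qop.standards - tx.offered_standards))
    return ("allow" if not unmet else "deny", unmet)


def demo() -> dict:
    """Three constructed transactions against one Secret-level object;
    returns name -> (perimeter decision, transactional decision)."""
    env_high_water = "S"
    obj_qop = Qop("S", frozenset({"logistics"}), frozenset({"PKI-auth", "TLS1.2"}))
    cases = {
        # COI partner outside the sys-high enclave, over a fully compliant path
        "coi_partner": Transaction("S", frozenset({"logistics"}),
                                   frozenset({"PKI-auth", "TLS1.2", "DAR-AES256"}), False),
        # same partner over a path that cannot meet the required standards
        "weak_path": Transaction("S", frozenset({"logistics"}),
                                 frozenset({"TLS1.0"}), False),
        # insider with a high clearance but no operational need (wrong role)
        "inside_sys_high": Transaction("TS", frozenset({"admin"}),
                                       frozenset({"PKI-auth", "TLS1.2"}), True),
    }
    return {name: (perimeter_decision(env_high_water, tx),
                   transactional_decision(obj_qop, tx))
            for name, tx in cases.items()}


if __name__ == "__main__":
    for name, (perimeter, transactional) in demo().items():
        print(f"{name:16s} perimeter={perimeter:13s} transactional={transactional}")
```

The three cases show the slide's contrast directly: the compliant COI partner is stuck in manual review under the perimeter model but released automatically under the transactional one; the weak path is denied with the exact standards it failed; and the highly cleared insider, who gets everything merely by being inside the sys-high environment, is refused under the role-based model because clearance alone is not privilege.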
The Big Picture: XML Family of Specifications
IA / C&A Building blocks
• …. The desired end-state is in general one of a transformed single C&A process that accommodates all C&A needs and activities (re: T&E / V&V)
• End-state needs to integrate and accommodate several major perspectives / initiatives:
– (1) aggregation into some number of larger systems of systems (SoS) and enclaves / platforms,
– (2) platform IT (PIT),
– (3) the federal C&A transformation effort (bringing together DOD, IC and federal agencies), and
– (4) the new NNWC C&A process (for the Navy aspect).
• Develop a "security container" of sorts emulating the "CC" process (see http://www.niapccevs.org/cc-scheme/ ) that IA devices go through – establishes the same format / needs
• Natural to have a limited and controlled set of IA building blocks for a FEW main classes:
– IA devices (crypto, EKMS, PKI/CAC, VPN, Firewall, IDS/IPS, HBSS, HAP/TPM devices, reference monitor, etc)
– IA enabled capabilities (OS, web browsers, messaging systems, screening routers, etc) (and we submit the IA/WSS standards need to go here too… prescribe a limited set of IA “profiles” with defined standards / protocols!)
– Services and Applications (we think we can define a standard "security container" for each, ideally a “class”; maybe a couple are needed for SOA/Services – we postulate the earlier three C&A types would work well)
– Critical IA capability devices (any key IT capabilities we may have missed and want to specifically consider)
– PIT Platform IT variants (there should be ONE general PIT super set, then each SYSCOM takes that and tailors it a little more for HM&E, WPNs/CBS, Avionics/Controls, SATCOM/LOS radios, etc)
– Remainder of NIST 95 descriptions: Intelligence activities; Cryptologic activities; command and control; weapons and their systems; systems for "direct military / intelligence" missions; and classified systems... Any “special cases” defined
– AND/OR consider the remainder of 8500.2 categories: AIS application; enclaves; outsourced IT; PIT interconnection (where Platform IT refers to computer resources, both hardware and software, that are physically part of, dedicated to, or essential in real time to the mission performance of special purpose systems, such as weapons, training simulators, diagnostic test and maintenance equipment, calibration equipment, equipment used in the R&D of weapons systems, medical technologies, transport vehicles, buildings, and utility distribution systems)
Just as “IT” must transition to a “commodity” approach, so must Cyber security!