Acquisition and Technology Overview: System Assurance and Cyber Security
Kristen Baldwin
Deputy Director, Strategic Initiatives
Office of the Deputy Under Secretary of Defense (Acquisition and Technology)
March 2009

(DELIBERATIVE DOCUMENT: For discussion purposes only. Draft working papers. Do not release under FOIA)

Agenda
• Increased priority for program protection
  o Threats
  o Vision of Success
• A plan for improving DoD Program Protection
  o Policy
  o Designing for Security
  o Program Protection Plans
  o Tools
  o Outcomes
• Defense Industrial Base Cyber Security
  o Call to attention
  o Acquisition and contracting actions

Increased Priority for Program Protection
• Threats: Nation-state, terrorist, criminal, rogue developer who:
  o Gain control of IT/NSS/Weapons through supply chain opportunities
  o Exploit vulnerabilities remotely
• Vulnerabilities:
  o All IT/NSS/Weapons (incl. systems, networks, applications)
  o Intentionally implanted logic (e.g., back doors, logic bombs, spyware)
  o Unintentional vulnerabilities maliciously exploited (e.g., poor quality or fragile code)
• Consequences: Stolen critical data & technology; corruption, denial of critical warfighting functionality

System Assurance is the confidence that the system functions as intended and is free of exploitable vulnerabilities, either intentionally or unintentionally designed or inserted during the lifecycle

Vision of Success
• Prioritization: The requirement for assurance is allocated among the right systems and their critical components
• Supplier Assurance: DoD understands its supply chain risks
• Engineering In-Depth: DoD systems are designed and sustained at a known level of assurance
• Industry Outreach: Commercial sector shares ownership and builds assured products
• Technology Investment: Technology investment transforms the ability to detect and mitigate system vulnerabilities
Assured Systems

Improving DoD Program Protection
Figure: Improved Protection of DoD Weapon Systems, with four paired elements:
• Coordinating Security Disciplines: Increase Efficiency of Program Personnel
• Streamlining The PPP: Reduce Program Documentation
• Early ID, Designed-In Protection: Reduce Cost of Implementing Protection
• Program Protection Tools: Reduce Program Level of Effort

Program Protection Policy
• DoD Policy: DODI 5200.39 “Critical Program Information Protection Within the DoD”
  o Provide uncompromised and secure military systems to the warfighter by performing comprehensive protection of CPI
• CPI. Elements or components of an RDA program that, if compromised, could cause significant degradation in mission effectiveness;
  o Includes information about applications, capabilities, processes, and end-items.
  o Includes elements or components critical to a military system or network mission effectiveness.
  o Includes technology that would reduce the US technological advantage if it came under foreign control
• To minimize the chance that the Department’s warfighting capability will be impaired due to the compromise of elements or components being integrated into DoD systems by foreign intelligence, foreign terrorist, or other hostile elements through the supply chain or system design.
• DoD 5000.02
  o CPI shall be identified at MS A in the Technology Development Strategy
  o Program Protection Plan shall be developed and approved by MS B; updated and approved at MS C

DoD 5000.02: Early, Designed-In Program Protection
Figure: acquisition lifecycle timeline. Labels: MS A, Materiel Solution Analysis, MDD, TechDev, MS B, CDD, MS C, Engineering & Manufacturing Development & Demonstration, CPD, Full Rate Prod DR, Production & Deployment, O&S
• Acquisition Strategy, TDS, RFP, SEP, and TEMP revised to include PPP relevant information
• Milestone Decision Authority approves Program Protection Plan (PPP)
• Identify draft CPI, estimated protection duration and S&T Lab countermeasures
• Assess supplier risks
• Develop design strategy for CPI protection
• Update PPP, with contractor additions
• Preliminary verification and validation that design meets assurance plans
• Enhance countermeasure information PPP
• Evaluate that CPI Protection RFP requirements have been met
• Update PPP with lifecycle sustainment planning
Streamlined Program Protection Plan
• One-stop shopping for documentation of acquisition program security (ISP, IAS, AT appendices)
• Living document, easy to update, maintain
• Improve over time based on feedback

Systems Security Engineering: Integration of Security Resources

Engineering for System Assurance
• “Engineering for System Assurance” V1.0 Guidebook signed out at NDIA October 1, 2008
• Posted on SSE Web site at: http://www.acq.osd.mil/sse/ssa/guidance.html
• Provides guidance on how to address System Assurance through Systems Engineering processes
• Aligns to DoD acquisition lifecycle processes with actionable criteria
• Adds emphasis to ISO/IEC 15288 SE processes
• Enhanced IA focus and alignment with current processes
• Focus on hardware, software and operational environment
• Dovetails with Program Protection Planning (PPP) processes
• Supports identification of trusted foundry resources
• Informs Anti-tamper considerations

Approval Letter

New PPP: Data Driven Format
Pithy, Dynamic, Modular
Verbose, Static, Essay
Table: Critical Program Information. Columns and the entries shown under each (row alignment is not recoverable from the transcript):
• Critical Program Information (CPI): GPS Radar FPGA; Communication Card
• Impact of Loss (Low, Med, Hi)
• Reason (for each change in status): New: Critical warfighting component; New: target for hackers; Watch: US lead in technology; Removed: No longer leading edge technology
• List Locations (Lab(s), PMO, Contractor Name(s), Test Site(s)): PMO, Contractor X; PMO, Prime, Subcontractor Z; N/A
• Status Dates (watch, new, removed): New 6/2006; Watch 6/2007; New 4/1998; Removed 4/2007

Program Protection Tools

PPP Process Desired Outcome
Program Benefit
• Coherent direction and integrated policy framework to respond to security requirements
• Risk-based approach to implementing security
• Provision of expert engineering and intelligence support to our programs
• Streamline process to remove redundancy; focus on protection countermeasures
DoD Benefit
• Reduced risk exposure to gaps/seams in policy and protection activity
• Improved oversight and focus on system assurance throughout the lifecycle
• Ability to capitalize on common methods, instruction and technology transition opportunities
• Cost effective approach to “building security in” where most appropriate

Defense Industrial Base Cyber Security
• DEPSECDEF Call to action: “Stop the Bleeding”
• July 10, 2007: DSD, DNI, VCJCS meeting with CEOs of 16 DIB partners
• DIB Cyber Security Task Force formed:
  o Developing strategies for information sharing;
  o Incident reporting;
  o Benchmarking information security practices;
  o Acquisition and contracting procedures
  o Damage assessment
• SSE/Strategic Initiatives leads the Acquisition and Contracting efforts for DIB CS Task Force

DIB CS – Activities for Acquisition and Contracting
• AT&L Policy Memo – Directs Acquisition Executives to engage their Program Executive Offices and Program Managers to take immediate steps to:
  o Ensure that CUI is identified and appropriately protected in DoD acquisition programs.
  o Report incidences and exfiltrations
• Evaluating information security standards
• Developing DFAR Language
• Piloting with Services to learn and refine policy and guidance
• Working with industry partners to “raise the bar”
  o NDIA System Assurance Committee
  o AIA, ITAA, other interactions
• Developing Education and Training materials
  o Program Managers
  o Contracting Officers
  o Small Business Mentors

Questions