Presentation is loading. Please wait.

Presentation is loading. Please wait.

KDP-1: Integrate supply chain knowledge into secure solutions concepts Evaluate supply chain threats with respect to the set of possible solutions under.

Published byMorgan Marsh Modified over 9 years ago

Similar presentations

Presentation on theme: "KDP-1: Integrate supply chain knowledge into secure solutions concepts Evaluate supply chain threats with respect to the set of possible solutions under."— Presentation transcript:

1 KDP-1: Integrate supply chain knowledge into secure solutions concepts Evaluate supply chain threats with respect to the set of possible solutions under consideration. Make decisions about the level of acceptable supply chain risks and acceptable costs of security. Align the acquisition roadmap with the key decision points and require SCRM assessments. Example Laws, Regulations, and/or Standards: FISMA (§3544(b)(2)(C)) makes system owners accountable for information security throughout the lifecycle; FIPS 200 (3) requires minimum security standards for acquisitions; SP 800-37 (3.2) designates security selected based on the system risk; KDP-1 maps to the SDLC Initiation phase as outlined in Section 3.1 of NIST SP 800-64. KDP-2: Incorporate SCRM into Acquisition Requirements Determine the costs of supply chain security; maximize the requirements for low-cost, high-risk-reduction security measures. Comply with decisions from KDP-1. Make decisions about specific SCRM requirements (in context of KDP-1 decisions). Incorporate adequate SCRM into requirements to assure that responses address SCRM. Example Laws, Regulations, and/or Standards: SP 800-70 (4.1): designates a requirements analysis (including security requirements) before selecting an information systems product; IR 7622 (4) designates supply chain controls; KDP-2 maps to the SDLC Development/Acquisition phase, as outlined in Section 3.2 of NIST SP 800-64. KDP-3: Evaluate Proposals for SCRM Capabilities Evaluate proposals against supply chain security requirements from KDP-2. Determine the extent to which proposals satisfy SCRM-related acquisition requirements. Example Laws, Regulations, and/or Standards: SP 800-53 (SA 12): The organization conducts a due diligence review of suppliers prior to entering into contractual agreements to acquire ICT components; KDP-3 maps to the SDLC Development/Acquisition phase, as outlined in Section 3.2 of NIST SP 800-64. KDP-4: Incorporate Threat Assessments and Evaluate Capability to Mitigate Residual Risks Specify requirements for and incorporate threat assessments that provide the acquiring organization with information that guides the selection, with mitigations, or the elimination of proposals. Make decisions to reduce the risk that an offeror will expose the organization to ICT supply chain threats (based on KDP-3 results and threat assessments), by putting contracts, controls, and security in place that will monitor and add adequate resilience in spite of residual supply chain risk. Example Laws, Regulations, and/or Standards: SP 800-53 (SA 5): Incorporate SCRM assessments into all requirements and processes to protect acquirer mission/business practices against compromise; KDP-4 maps to the SDLC Development/Acquisition and Implementation/Assessment phases, as outlined in Sections 3.2 and 3.3 of NIST SP 800-64. KDP-5: Incorporate SCRM Measures into Overall ICT Security Ensure that metrics and information sharing protocols can identify threats with supply chain nexus. Perform acceptance testing and develop continuous certification and testing processes for maintenance, upgrades, and system augmentations. Ensure that systems acquisition and designs can be available to incident response or forensic teams investigating supply chain risks. Ensure proper disposal so that disposed items do not intentionally or inadvertently make their way back into the supply chain. Example Laws, Regulations, and/or Standards: SP 800-39 (2.1) As risks of advanced persistent threats become more pronounced, organizations establish practices for sharing information related to the system development; KDP 5 maps to the SDLC Operations and Maintenance, and Disposal phases as outlined in Sections 3.4 and 3.5 of NIST SP 800-64. … But The Risks Can Be Mitigated at Key Decision Points (KDPs) Supply Chain Risk Management (SCRM) is a decision making process that can reduce risks associated with ICT throughout the acquisition process. A lifecycle-based approach to SCRM requires risk decisions at key decision points in the acquirers’ system development and acquisition process. These KDPs are plotted on the ICT lifecycle in Figure 5 and summarized below. Each KDP addresses specific governance and operations across the lifecycle to cost-effectively manage supply chain risks. To be effective, acquirers, suppliers, service providers, and other stakeholders must share information about KDP outcomes to manage risk. Tools are created to implement these methods, reduce total lifecycle costs, and share information. Figure 5. KDPs extend consideration of SCRM concepts to earlier stages of the lifecycle to more effectively integrate systems risk and security operations RETURN ON SCRM INVESTMENT Early-in-lifecycle investments in SCRM decrease cyber risks that result from poorly/maliciously designed hardware and software, and will ultimately result in decreased expected costs of response, retrofit, and network reconstitution. Conversely, avoidance of SCRM costs in early system development stages will require more sophisticated monitoring and cyber intelligence capabilities to avoid loss of essential functions. To achieve best return on investment, SCRM activities must be embedded and aligned with overall network security strategy and operations. Software & Supply Chain Assurance 1 2345 As of Jan 2013 For more information see DHS NPPD CS&C SECIR Software & Supply Chain Assurance resources at https://buildsecurityin.us-cert.gov/swa

Download ppt "KDP-1: Integrate supply chain knowledge into secure solutions concepts Evaluate supply chain threats with respect to the set of possible solutions under."

Similar presentations

Achieve Benefit from IT Projects. Aim This presentation is prepared to support and give a general overview of the ‘How to Achieve Benefits from IT Projects’

Achieve Benefit from IT Projects. Aim This presentation is prepared to support and give a general overview of the ‘How to Achieve Benefits from IT Projects’
Microsoft Operations Framework (MOF) 4.0

Microsoft Operations Framework (MOF) 4.0
Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 4: Effective Integration.

Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 4: Effective Integration.
Course: e-Governance Project Lifecycle Day 1

Course: e-Governance Project Lifecycle Day 1
<<Date>><<SDLC Phase>>

<<Date>><<SDLC Phase>>
UNRESTRICTED Infrastructure Assessment as Viewed by Technology Holders IAEA Technical Meeting December 10-12, 2008 R. Godden.

UNRESTRICTED Infrastructure Assessment as Viewed by Technology Holders IAEA Technical Meeting December 10-12, 2008 R. Godden.
U.S. General Services Administration Presentation to: Software and Supply Chain Assurance Forum Improving Cybersecurity through Acquisition December 17,

U.S. General Services Administration Presentation to: Software and Supply Chain Assurance Forum Improving Cybersecurity through Acquisition December 17,
U.S. General Services Administration Presentation to: ACT-IAC Cybersecurity SIG Improving Cybersecurity through Acquisition Emile Monette Senior Advisor.

U.S. General Services Administration Presentation to: ACT-IAC Cybersecurity SIG Improving Cybersecurity through Acquisition Emile Monette Senior Advisor.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Oncor’s EIM Program.

Oncor’s EIM Program.
Security Controls – What Works

Security Controls – What Works
Overarching Roles of Critical Partners In A Project 9:30 – 10:00 Rob Curlee, FMO Joseph Dominque, OCISO Mike Perry, EA.

Overarching Roles of Critical Partners In A Project 9:30 – 10:00 Rob Curlee, FMO Joseph Dominque, OCISO Mike Perry, EA.
CHAPTER 10 & 13 IS within the Organization & Acquiring IS and Applications.

CHAPTER 10 & 13 IS within the Organization & Acquiring IS and Applications.
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
Systems Engineering Approach to MPS Risk Management Kelly Mahoney Presented at the Workshop for Machine Protection in Linear Accelerators.

Systems Engineering Approach to MPS Risk Management Kelly Mahoney Presented at the Workshop for Machine Protection in Linear Accelerators.
Opportunities & Implications for Turkish Organisations & Projects

Opportunities & Implications for Turkish Organisations & Projects
Enterprise Architecture

Enterprise Architecture
Software Assurance Software Acquisition Working Group Chairs: Stan Wisseman Booz Allen Hamilton Mary L. Polydys National Defense University Information.

Software Assurance Software Acquisition Working Group Chairs: Stan Wisseman Booz Allen Hamilton Mary L. Polydys National Defense University Information.
Complying With The Federal Information Security Act (FISMA)

Complying With The Federal Information Security Act (FISMA)
Internal Auditing and Outsourcing

Internal Auditing and Outsourcing

Similar presentations

Ads by Google