1 Acquisition and Technology Overview: System Assurance and Cyber Security Kristen Baldwin Deputy Director, Strategic Initiatives Office of the Deputy.


1 Acquisition and Technology Overview: System Assurance and Cyber Security
Kristen Baldwin, Deputy Director, Strategic Initiatives, Office of the Deputy Under Secretary of Defense (Acquisition and Technology)
March 2009

2 Agenda
(DELIBERATIVE DOCUMENT: For discussion purposes only. Draft working papers. Do not release under FOIA)
• Increased priority for program protection
• Threats
• Vision of Success
• A plan for improving DoD Program Protection
• Policy
• Designing for Security
• Program Protection Plans
• Tools
• Outcomes
• Defense Industrial Base Cyber Security
• Call to attention
• Acquisition and contracting actions

3 Increased Priority for Program Protection
• Threats: Nation-state, terrorist, criminal, rogue developer who:
  o Gain control of IT/NSS/Weapons through supply chain opportunities
  o Exploit vulnerabilities remotely
• Vulnerabilities: All IT/NSS/Weapons (incl. systems, networks, applications)
  o Intentionally implanted logic (e.g., back doors, logic bombs, spyware)
  o Unintentional vulnerabilities maliciously exploited (e.g., poor quality or fragile code)
• Consequences: Stolen critical data & technology; corruption, denial of critical warfighting functionality
System Assurance is the confidence that the system functions as intended and is free of exploitable vulnerabilities, either intentionally or unintentionally designed or inserted during the lifecycle

4 Vision of Success
• The requirement for assurance is allocated among the right systems and their critical components
• DoD understands its supply chain risks
• DoD systems are designed and sustained at a known level of assurance
• Commercial sector shares ownership and builds assured products
• Technology investment transforms the ability to detect and mitigate system vulnerabilities
Diagram labels: Prioritization; Supplier Assurance; Engineering-In-Depth; Industry Outreach; Technology Investment; Assured Systems

5 Improving DoD Program Protection
Diagram labels:
• Reduce Cost of Implementing Protection
• Reduce Program Level of Effort
• Reduce Program Documentation
• Increase Efficiency of Program Personnel
• Streamlining the PPP
• Program Protection Tools
• Early ID, Designed-In Protection
• Coordinating Security Disciplines
• Improved Protection of DoD Weapon Systems

6 Program Protection Policy
• DoD Policy: DODI 5200.39 “Critical Program Information Protection Within the DoD”
• Provide uncompromised and secure military systems to the warfighter by performing comprehensive protection of CPI
• CPI. Elements or components of an RDA program that, if compromised, could cause significant degradation in mission effectiveness;
  o Includes information about applications, capabilities, processes, and end-items.
  o Includes elements or components critical to a military system or network mission effectiveness.
  o Includes technology that would reduce the US technological advantage if it came under foreign control
• To minimize the chance that the Department’s warfighting capability will be impaired due to the compromise of elements or components being integrated into DoD systems by foreign intelligence, foreign terrorist, or other hostile elements through the supply chain or system design.
• DoD 5000.02
• CPI shall be identified at MS A in the Technology Development Strategy
• Program Protection Plan shall be developed and approved by MS B; updated and approved at MS C

7 DoD 5000.02: Early, Designed-In Program Protection
Diagram text:
• Identify draft CPI, estimated protection duration and S&T Lab countermeasures
• Acquisition Strategy, TDS, RFP, SEP, and TEMP revised to include PPP relevant information
• Milestone Decision Authority approves Program Protection Plan (PPP)
• Assess supplier risks
• Develop design strategy for CPI protection
• Enhance countermeasure information PPP
• Evaluate that CPI Protection RFP requirements have been met
• Update PPP with lifecycle sustainment planning
Lifecycle labels: Full Rate Prod DR; MS C; MS B; MS A; TechDev; CDD; Engineering & Manufacturing Development & Demonstration; CPD; Production & Deployment; O&S; MDD; Materiel Solution Analysis
Streamlined Program Protection Plan
• One-stop shopping for documentation of acquisition program security (ISP, IAS, AT appendices)
• Living document, easy to update, maintain
• Improve over time based on feedback
• Update PPP, with contractor additions
• Preliminary verification and validation that design meets assurance plans

8 Systems Security Engineering: Integration of Security Resources

9 Engineering for System Assurance
• “Engineering for System Assurance” V1.0 Guidebook signed out at NDIA October 1, 2008
• Posted on SSE Web site at: http://www.acq.osd.mil/sse/ssa/guidance.html
• Provides guidance on how to address System Assurance through Systems Engineering processes
• Aligns to DoD acquisition lifecycle processes with actionable criteria
• Adds emphasis to ISO/IEC 15288 SE processes
• Enhanced IA focus and alignment with current processes
• Focus on hardware, software and operational environment
• Dovetails with Program Protection Planning (PPP) processes
• Supports identification of trusted foundry resources
• Informs Anti-tamper considerations

10 Approval Letter

11 New PPP: Data Driven Format
Critical Program Information (CPI)

| Critical Program Information | Impact of Loss (Low, Med, Hi) | Reason (for each change in status) | List Locations (Lab(s), PMO, Contractor Name(s), Test Site(s)) | Status Dates (watch, new, removed) |
| GPS | | New: Critical warfighting component | PMO, Contractor X | New 6/2006 |
| Radar FPGA | | New: target for hackers | PMO, Prime, Subcontractor Z | Watch 6/2007 |
| Communication Card | | Watch: US lead in technology. Removed: No longer leading edge technology | N/A | New 4/1998; Removed 4/2007 |

Diagram labels:
• Verbose, Static, Essay
• Pithy, Dynamic, Modular
• Example Format

12 Program Protection Tools

13 PPP Process Desired Outcome
Program Benefit
• Coherent direction and integrated policy framework to respond to security requirements
• Risk-based approach to implementing security
• Provision of expert engineering and intelligence support to our programs
• Streamline process to remove redundancy; focus on protection countermeasures
DoD Benefit
• Reduced risk exposure to gaps/seams in policy and protection activity
• Improved oversight and focus on system assurance throughout the lifecycle
• Ability to capitalize on common methods, instruction and technology transition opportunities
• Cost effective approach to “building security in” where most appropriate

14 Defense Industrial Base Cyber Security

15 Defense Industrial Base Cyber Security
• DEPSECDEF Call to action: “Stop the Bleeding”
• July 10, 2007: DSD, DNI, VCJCS meeting with CEOs of 16 DIB partners
• DIB Cyber Security Task Force formed:
  o Developing strategies for information sharing;
  o Incident reporting;
  o Benchmarking information security practices;
  o Acquisition and contracting procedures
  o Damage assessment
• SSE/Strategic Initiatives leads the Acquisition and Contracting efforts for DIB CS Task Force

16 DIB CS – Activities for Acquisition and Contracting
• AT&L Policy Memo –
• Directs Acquisition Executives to engage their Program Executive Offices and Program Managers to take immediate steps to:
  o Ensure that CUI is identified and appropriately protected in DoD acquisition programs.
  o Report incidences and exfiltrations
• Evaluating information security standards
• Developing DFAR Language
• Piloting with Services to learn and refine policy and guidance
• Working with industry partners to “raise the bar”
• NDIA System Assurance Committee
• AIA, ITAA, other interactions
• Developing Education and Training materials
• Program Managers
• Contracting Officers
• Small Business Mentors

17 Questions

