1 Acquisition and Technology Overview: System Assurance and Cyber Security Kristen Baldwin Deputy Director, Strategic Initiatives Office of the Deputy.

Slides:

Advertisements

Similar presentations

Program Management Office (PMO) Design

Advertisements

Copyright © 2014 American Water Works Association Water Sector Approach to Process Control System Security.

ERS Overview 5/15/12 | Page-1 Distribution Statement A – Cleared for public release by OSR, SR Case #s 12-S-0258, 0817, 1003, and 1854 apply. Affordable,

NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-1 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984.

Continuous Process Improvement (CPI) Program Update Colonel Ric Sherman, United States Army Office of the Assistant Deputy Under Secretary of Defense for.

National Infrastructure Protection Plan

4/29/2009Michael J. Cohen1 Practical DIACAP Implementation CS526 Research Project by Michael J. Cohen 4/29/2009.

1 May 2009 ver. 5.5 Materiel Development Decision (MDD) MDA: Approves AoA Study Guidance Determines acquisition phase of entry Identifies initial review.

Defense Critical Infrastructure Program (DCIP)

Systems Engineering in a System of Systems Context

DoD Systems and Software Engineering A Strategy for Enhanced Systems Engineering Kristen Baldwin Acting Director, Systems and Software Engineering Office.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

1 Perform Assess Policy and Guidance Acquisition Program Improvement Model Acquisition Programs Acquisition Workforce Human Capital Strategic Planning.

Recent Trends in DoD Systems and Software Engineering Processes Bruce Amato Acting Deputy Director, Software Engineering and Systems Assurance Office of.

Chemical Biological Defense Acquisition Initiatives Forum (CBDAIF)

What are MRLs ? Alfred W. Clark Dawnbreaker, Inc.

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Executive summary prepared by some members of the ICH Q9 EWG for example only; not an official policy/guidance July 2006, slide 1 ICH Q9 QUALITY RISK MANAGEMENT.

Resiliency Rules: 7 Steps for Critical Infrastructure Protection.

 Jonathan Trull, Deputy State Auditor, Colorado Office of the State Auditor  Travis Schack, Colorado’s Information Security Officer  Chris Ingram,

The U. S. National Strategy for Global Supply Chain Security Neema Khatri Office of International Affairs U.S. Department of Homeland Security.

DoD Acquisition Domain (Sourcing) (DADS) Analysis of Alternatives (AoA) E-Business/SPS Joint Users’ Conference November 15-19, 2004 Houston, TX.

1 Pipeline Measurement Process Review Committee Kickoff Session Paul Blackwell Office of the Deputy Assistant Secretary of Defense for Supply Chain Integration.

NIST Special Publication Revision 1

Why is BCL Needed? BCL addresses long-standing challenges that have impacted the delivery of business capabilities The DepSecDef directed increasing the.

Service Transition & Planning Service Validation & Testing

Certification and Accreditation CS Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Integrated Enterprise-wide Risk Management Protecting Critical Information Assets and Records FIRM Forum.

Homeland Security Grant Program 2015 Process Michelle Hanneken Illinois Emergency Management Agency.

The Architecture Lecture September 2006 Cem Kaner CSE 1001.

Radar Open Systems Architectures

Joint Program Executive Office for Chemical and Biological Defense _APBI_JPEO 1 INTRODUCTIONS Preparing Proposals and Responses to Solicitations.

The Defense Acquisition Management System 2009 Implementing DoDI 5000

2 William P. McNally Assistant Administrator for Procurement NASA Procurement Tenets August 4, 2008 NCMA Conference.

Shift Left Feb 2013 Page-1 DISTRIBUTION STATEMENT A – Cleared for Open Publication by OSR on January 17 th, 2013 – SR case number 13-S-0851 Dr. Steven.

Verification and Validation — An OSD Perspective — Fred Myers Deputy Director, Test Infrastructure Test Resource Management Center November 4, 2009.

DOD SOFTWARE ASSURANCE INITIATIVE: Mitigating Risks Attributable to Software through Enhanced Risk Management Joe Jarzombek, PMP Deputy Director for Software.

Earned Value Management Update Nancy L. Spruill Director, Acquisition Resources and Analysis Office of the Under Secretary of Defense (Acquisition, Technology.

1 1 Defense Acquisition Guidebook Progress Update March 27, 2012.

0 2 Nov 2010, V1.4 Steve Skotte, DAU Space Acquisition Performance Learning Director New Space Systems Acquisition Policy.

Latest Strategies for IT Security Margaret Myers Principal Director, Deputy CIO United States Department of Defense North American Day 2006.

| 1 Weapon System Acquisition Reform- Product Support Assessment DAU SYMPOSIUM 13 April 2010 Presented by: Basil Gray Where Innovation.

Materiel Development Decision (MDD) Information Requirements

Condition Based Maintenance Plus (CBM+) Overview

Small Business Programs Tatia Evelyn-Bellamy Director Small Business Division Small Business Center February 2016.

Distribution Statement A – Approved for public release by DOPSR. Distribution is unlimited PSM Workshop April 6, 2016 | Page-1 Melinda Reed Office.

INFORMATION ASSURANCE POLICY. Information Assurance Information operations that protect and defend information and information systems by ensuring their.

Environment, Safety, and Occupational Health Opportunities in DoD Business Transformation May 4, 2006.

2.1 ACQUISITION STRATEGYSlide 1 Space System Segments.

UNCLASSIFIED The Open Group 01/07/10 Page-1 Kick-off Meeting for The Open Group Acquisition Cyber Security Initiative Ms. Kristen Baldwin Director, Systems.

ICOTE Meeting October, Chief Developmental Tester Project Status for ICOTE October 2014 Brendan Rhatigan – Lockheed Martin.

Business, Cost Estimating & Financial Management Considerations

CLE Introduction to Agile Software Acquisition

System Engineering Considerations (See Chapters 3 and 9)

Life Cycle Logistics.

MDD to Milestone A Requirements Management Activities

ISA 201 Intermediate Information Systems Acquisition

Production Considerations

Milestone A to Milestone B Requirements Management Activities

Introduction to the Federal Defense Acquisition Regulation

Purpose Provide an update on recent major changes to law, policy, and guidance that affect the way we conduct IA&E activities National Defense Authorization.

MDD to Milestone A Requirements Management Activities

Information Required for Milestone and Decision Reviews

MRL 6 Artifacts (at End of TMRR) Page 1 of 6

Online Aerospace Supplier Information System (OASIS) Pilot Program Update Craig Bennett DCMA HQ May2018.

By Jeff Burklo, Director

Cybersecurity ATD technical

The Department of Defense Acquisition Process

Purpose Provide an update on recent major changes to law, policy, and guidance that affect the way we conduct IA&E activities National Defense Authorization.

Presentation transcript:

1 Acquisition and Technology Overview: System Assurance and Cyber Security Kristen Baldwin Deputy Director, Strategic Initiatives Office of the Deputy Under Secretary of Defense (Acquisition and Technology) March 2009

(DELIBERATIVE DOCUMENT: For discussion purposes only. Draft working papers. Do not release under FOIA) 2 Agenda  Increased priority for program protection  Threats  Vision of Success  A plan for improving DoD Program Protection  Policy  Designing for Security  Program Protection Plans  Tools  Outcomes  Defense Industrial Base Cyber Security  Call to attention  Acquisition and contracting actions

(DELIBERATIVE DOCUMENT: For discussion purposes only. Draft working papers. Do not release under FOIA) 3 3 Increased Priority for Program Protection  Threats: Nation-state, terrorist, criminal, rogue developer who:  Gain control of IT/NSS/Weapons through supply chain opportunities  Exploit vulnerabilities remotely  Vulnerabilities: All IT/NSS/Weapons (incl. systems, networks, applications)  Intentionally implanted logic (e.g., back doors, logic bombs, spyware)  Unintentional vulnerabilities maliciously exploited (e.g., poor quality or fragile code)  Consequences: Stolen critical data & technology; corruption, denial of critical warfighting functionality System Assurance is the confidence that the system functions as intended and is free of exploitable vulnerabilities, either intentionally or unintentionally designed or inserted during the lifecycle

(DELIBERATIVE DOCUMENT: For discussion purposes only. Draft working papers. Do not release under FOIA) 4 4 Vision of Success  The requirement for assurance is allocated among the right systems and their critical components  DoD understands its supply chain risks  DoD systems are designed and sustained at a known level of assurance  Commercial sector shares ownership and builds assured products  Technology investment transforms the ability to detect and mitigate system vulnerabilities Prioritization Supplier Assurance Engineering- In-Depth Industry Outreach Technology Investment Assured Systems

(DELIBERATIVE DOCUMENT: For discussion purposes only. Draft working papers. Do not release under FOIA) 5 Reduce Cost of Implementing Protection Reduce Program Level of Effort Reduce Program Documenta- tion Increase Efficiency of Program Personnel Improving DoD Program Protection 5 Streamlining The PPP Program Protection Tools Early ID, Designed-In Protection Coordinating Security Disciplines Improved Protection of DoD Weapon Systems

(DELIBERATIVE DOCUMENT: For discussion purposes only. Draft working papers. Do not release under FOIA) 6 Program Protection Policy  DoD Policy: DODI “Critical Program Information Protection Within the DoD”  Provide uncompromised and secure military systems to the warfighter by performing comprehensive protection of CPI  CPI. Elements or components of an RDA program that, if compromised, could cause significant degradation in mission effectiveness; oIncludes information about applications, capabilities, processes, and end-items. oIncludes elements or components critical to a military system or network mission effectiveness. oIncludes technology that would reduce the US technological advantage if it came under foreign control  To minimize the chance that the Department’s warfighting capability will be impaired due to the compromise of elements or components being integrated into DoD systems by foreign intelligence, foreign terrorist, or other hostile elements through the supply chain or system design.  DoD  CPI shall be identified at MS A in the Technology Development Strategy  Program Protection Plan shall be developed and approved by MS B; updated and approved at MS C

(DELIBERATIVE DOCUMENT: For discussion purposes only. Draft working papers. Do not release under FOIA) 7 7 DoD : Early, Designed-In Program Protection Identify draft CPI, estimated protection duration and S&T Lab countermeasures Acquisition Strategy, TDS, RFP, SEP, and TEMP revised to include PPP relevant information Milestone Decision Authority approves Program Protection Plan (PPP) Assess supplier risks Develop design strategy for CPI protection Enhance countermeasure information PPP Evaluate that CPI Protection RFP requirements have been met Update PPP with lifecycle sustainment planning Full Rate Prod DR MS CMS B MS A TechDev CDD Engineering & Manufacturing Development & Demonstration CPD Production & Deployment O&S MDD Materiel Solution Analysis Streamlined Program Protection Plan One-stop shopping for documentation of acquisition program security (ISP, IAS, AT appendices) Living document, easy to update, maintain Improve over time based on feedback Update PPP, with contractor additions Preliminary verification and validation that design meets assurance plans

(DELIBERATIVE DOCUMENT: For discussion purposes only. Draft working papers. Do not release under FOIA) 8 Systems Security Engineering: Integration of Security Resources 8

(DELIBERATIVE DOCUMENT: For discussion purposes only. Draft working papers. Do not release under FOIA) 9 Engineering for System Assurance  “Engineering for System Assurance” V1.0 Guidebook signed out at NDIA October 1, 2008  Posted on SSE Web site at:   Provides guidance on how to address System Assurance through Systems Engineering processes  Aligns to DoD acquisition lifecycle processes with actionable criteria  Adds emphasis to ISO/IEC SE processes  Enhanced IA focus and alignment with current processes  Focus on hardware, software and operational environment  Dovetails with Program Protection Planning (PPP) processes  Supports identification of trusted foundry resources  Informs Anti-tamper considerations

(DELIBERATIVE DOCUMENT: For discussion purposes only. Draft working papers. Do not release under FOIA) 10 Approval Letter

(DELIBERATIVE DOCUMENT: For discussion purposes only. Draft working papers. Do not release under FOIA) 11 New PPP: Data Driven Format Critical Program Information (CPI) Critical Program Information Impact of Loss (Low, Med, Hi) Reason (for each change in status)List Locations (Lab(s), PMO, Contractor Name(s), Test Site(s)) Status Dates (watch, new, removed) GPSNew: Critical warfighting componentPMO, Contractor XNew 6/2006 Radar FPGANew: target for hackersPMO, Prime, Subcontractor Z Watch 6/2007 Communication Card Watch: US lead in technology Removed: No longer leading edge technology N/ANew 4/1998 Removed 4/ Verbose, Static, Essay Pithy, Dynamic, Modular Example Format

(DELIBERATIVE DOCUMENT: For discussion purposes only. Draft working papers. Do not release under FOIA) 12 Program Protection Tools 12

(DELIBERATIVE DOCUMENT: For discussion purposes only. Draft working papers. Do not release under FOIA) 13 PPP Process Desired Outcome Program Benefit  Coherent direction and integrated policy framework to respond to security requirements  Risk-based approach to implementing security  Provision of expert engineering and intelligence support to our programs  Streamline process to remove redundancy; focus on protection countermeasures DoD Benefit  Reduced risk exposure to gaps/seams in policy and protection activity  Improved oversight and focus on system assurance throughout the lifecycle  Ability to capitalize on common methods, instruction and technology transition opportunities  Cost effective approach to “building security in” where most appropriate

(DELIBERATIVE DOCUMENT: For discussion purposes only. Draft working papers. Do not release under FOIA) 14 Defense Industrial Base Cyber Security

(DELIBERATIVE DOCUMENT: For discussion purposes only. Draft working papers. Do not release under FOIA) 15 Defense Industrial Base Cyber Security  DEPSECDEF Call to action: “Stop the Bleeding”  July 10, 2007: DSD, DNI, VCJCS meeting with CEOs of 16 DIB partners  DIB Cyber Security Task Force formed: oDeveloping strategies for information sharing; oIncident reporting; oBenchmarking information security practices; oAcquisition and contracting procedures oDamage assessment  SSE/Strategic Initiatives leads the Acquisition and Contracting efforts for DIB CS Task Force

(DELIBERATIVE DOCUMENT: For discussion purposes only. Draft working papers. Do not release under FOIA) 16 DIB CS – Activities for Acquisition and Contracting  AT&L Policy Memo –  Directs Acquisition Executives to engage their Program Executive Offices and Program Managers to take immediate steps to: oEnsure that CUI is identified and appropriately protected in DoD acquisition programs. oReport incidences and exfiltrations  Evaluating information security standards  Developing DFAR Language  Piloting with Services to learn and refine policy and guidance  Working with industry partners to “raise the bar”  NDIA System Assurance Committee  AIA, ITAA, other interactions  Developing Education and Training materials  Program Managers  Contracting Officers  Small Business Mentors

(DELIBERATIVE DOCUMENT: For discussion purposes only. Draft working papers. Do not release under FOIA) 17 Questions