
Information Assurance (IA) What Every Manager Should Know


1 Information Assurance (IA) What Every Manager Should Know
SecureIT conference, 5 March 2008. Presented by the IA Technical Authority, Mike Davis.
This lesson primarily focuses on the DITSCAP process (DoD Information Technology Security Certification and Accreditation Process).
Statement A: Approved for public release; distribution is unlimited (10 January 2008).

2 What’s Wrong With This Picture?
What level of security is provided here? I couldn’t get through the gate because it was completely locked. It was properly installed and configured. I could not get through it. But....

3 Summary (Preview)
"Gotchas":
- "Assuming" you don't need IA (standalone, have a firewall, etc.)
- Not adding in IA cost, schedule and performance
Major resources (covered in the following slides)
KEY success elements:
- Build IA in up front (Requirements, ISSE, SEP, ISP, IAS, TEMP, etc.)
- Start C&A early (C&A plan, CRR)
- Risk Management, Risk Management, Risk Management
- CAC cards needed
- You will be, or already are, penetrated – are you prepared?

4 What is Information Assurance (IA)?
"Measures that Protect and Defend Information and Information Systems by Ensuring Their Availability, Integrity, Authentication, Confidentiality, and Non-Repudiation. This Includes Providing for Restoration of Information Systems by Incorporating Protection, Detection, and Reaction Capabilities."
- Confidentiality: Assurance that information is not disclosed to unauthorized entities or processes
- Integrity: Quality of an information system reflecting the logical correctness and reliability of the operating system
- Availability: Timely, reliable access to data and information services for authorized users
- Authentication: Security measure designed to establish the validity of a transmission, message, or originator
- Non-Repudiation: Assurance that the sender of data is provided with proof of delivery and the recipient with proof of the sender's identity
Speaker notes (INFOSEC view: definition / exploit / vulnerability / countermeasure, with examples):
- Confidentiality: keep information secret / compromise of classified information / transmission of classified information in the clear / encryption (e.g. physical encryption, code, cipher, steganography)
- Integrity: no unauthorized modification of information / undetected modification of information / insertion of malicious code that modifies track information / watermark, wax seal, hashing, digital signature, physical protection
- Availability: information and systems are up when needed / cannot access information when needed / DoS network attacks / network defense capabilities (IDS, firewalls); related: covert channels, TRANSEC LPI/LPD, CND
- Authentication: three factors identify people, processes and systems / unauthorized access to a system / something you know, something you have, something you are
- Identification: access control / weak passwords / enabling biometric logon, strong passwords
- Non-repudiation: guarantee of sender and receiver
DATA is your most critical asset – is it adequately protected?
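As an added illustration (not from the presentation) of how the integrity, authentication and non-repudiation properties above differ in practice, the following Python uses only standard-library hashing: a bare SHA-256 for integrity, an HMAC under a shared key for authentication, and a Lamport one-time signature (a real hash-based signature scheme, chosen here because it needs nothing beyond SHA-256) for non-repudiation. The sample order text, the key sizes and the function names are assumptions.

```python
"""Integrity vs. authentication vs. non-repudiation with stdlib primitives.

Added example, not from the original presentation. It contrasts:
  - a plain hash (integrity only: anyone who changes the message can
    simply recompute the hash),
  - an HMAC under a shared key (integrity plus authentication of "someone
    holding the key"; because the receiver holds the same key, it could have
    produced the tag itself, so there is no non-repudiation), and
  - a Lamport one-time signature built only from SHA-256 (integrity,
    authentication and non-repudiation: only the private-key holder can
    sign, and anyone holding the public key can verify).
Key sizes and the sample messages are assumptions chosen for illustration.
"""
import hashlib
import hmac
import os

N_BITS = 256   # one key pair per bit of the SHA-256 message digest
CHUNK = 32     # bytes per secret value


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# ---- integrity only ----
def integrity_tag(message: bytes) -> bytes:
    return sha256(message)


# ---- integrity + authentication (shared key) ----
def mac_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, message), tag)


# ---- integrity + authentication + non-repudiation (Lamport OTS) ----
def lamport_keygen(rng=os.urandom):
    """Private key: 256 pairs of random 32-byte values.
    Public key: the SHA-256 hash of each of those values."""
    priv = [(rng(CHUNK), rng(CHUNK)) for _ in range(N_BITS)]
    pub = [(sha256(a), sha256(b)) for a, b in priv]
    return priv, pub


def _digest_bits(message: bytes):
    d = int.from_bytes(sha256(message), "big")
    return [(d >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]


def lamport_sign(priv, message: bytes) -> list:
    """For each digest bit reveal the private value matching that bit.
    A Lamport key must be used ONCE: a second signature leaks further
    secrets and lets an attacker forge signatures on other messages."""
    return [priv[i][bit] for i, bit in enumerate(_digest_bits(message))]


def lamport_verify(pub, message: bytes, sig: list) -> bool:
    if len(sig) != N_BITS:
        return False
    for i, bit in enumerate(_digest_bits(message)):
        if sha256(sig[i]) != pub[i][bit]:
            return False
    return True


def demo() -> dict:
    """Run the three mechanisms over a constructed message and a tampered copy."""
    msg = b"ORDER: reposition to grid 1234 at 0600"        # constructed sample
    tampered = b"ORDER: reposition to grid 4321 at 0600"   # constructed sample

    shared = os.urandom(32)
    tag = mac_tag(shared, msg)

    priv, pub = lamport_keygen()
    sig = lamport_sign(priv, msg)

    return {
        # the hash changes, but a forger can just publish the new hash
        "hash_changes": integrity_tag(msg) != integrity_tag(tampered),
        "mac_ok": mac_verify(shared, msg, tag),
        "mac_rejects_tamper": not mac_verify(shared, tampered, tag),
        # the receiver holds the same key, so it can forge a tag on any text
        "receiver_can_forge_mac": mac_verify(shared, tampered, mac_tag(shared, tampered)),
        "sig_ok": lamport_verify(pub, msg, sig),
        "sig_rejects_tamper": not lamport_verify(pub, tampered, sig),
    }
```

The `receiver_can_forge_mac` entry is the whole point of the non-repudiation row on the slide: a MAC proves the message came from a key holder, and the receiver is one, so a third party cannot tell which side produced it; the signature check only succeeds for the party that held the private key.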

5 IA is a Critical National Issue
Presidential Decision Directive 63 (May 1998) “… a national effort to ensure the security of the increasingly vulnerable and interconnected infrastructure of the United States, especially the cyber-based infrastructure.” Many companies are part of CIP in some manner – are you ready?

6 The Threat is Real, Pervasive, and Increasing
Why is IA so important? We all operate in a highly interactive environment: global networks, interconnected applications and services, powerful computing devices. Components routinely interact with other Services, governments, allied/coalition partners, agencies and commercial partners.
- Incident trend increasing: NCDOC reported 1,540 confirmed incidents between Jun 06 and Jun 07
- CND activities: Cyber Asset Reduction and Security (CARS), a response to recent DoD-wide incidents
- Effective training (8570.1M)
Speaker notes: SECRET section to cover the data from Dan and Dave: NMCI, NCDOC.
Just as we rely on information to provide quality of life for everyday activities, such as paying bills over the phone and Internet, using electronic devices to open and secure your car, and accessing databases for bank account information, the Navy operates in a highly interactive environment of global networks and interconnected applications and services. The Navy also routinely interacts with the other Services, government agencies, allied/coalition partners, commercial companies and universities. The threats are real, with a wide range of capabilities, from non-professionals to state-sponsored hackers, whether unintentional or malicious, and the threat is never static because the technology changes rapidly.
"COMPLEXITY OF TODAY'S SYSTEMS AND NETWORKS PRESENTS SIGNIFICANT SECURITY CHALLENGES FOR BOTH PRODUCERS AND CONSUMERS OF INFORMATION TECHNOLOGY." "THE WARFIGHTER MUST BE ABLE TO TRUST THE NETWORKS AND DATA."
In the next few slides I will be providing examples of headline news regarding Information Assurance/Information System threats.

7 Secure Enough? (UNCLASSIFIED)
Following what was presented about an adversary's innovation, let's revisit our scenario of providing access control to the Executive Parking Lot. When an organization does not put much thought into its security system, adversaries can easily get around what was thought to be a foolproof system. Not only should we provide a security gate, but we should have some means of checking and ensuring access control via a security guard. Provide and establish a security perimeter. Provide defense in depth in case the perimeter is breached. And lastly, obtain situational awareness of your surroundings to enhance the possibility of being proactive versus reactive.
There is NO single IA "Silver Bullet". Appearances of security can be deceiving and have hidden effects.

8 Defense-in-Depth (UNCLASSIFIED)
(Same speaker notes as slide 7.) There is NO single IA "Silver Bullet". But at what level, and which methods and capabilities MUST we have?

9 IA is an Enabler for all IT/IS
We count on Information Superiority to improve combat effectiveness: Full Spectrum Dominance, Network Centric Warfare. IA enables Information Superiority in a network-centric paradigm: a global secure, interoperable network with state-of-the-art protection for the information infrastructure.
Diagram labels from the slide: Information Assurance (Trusted Applications, Secure Networks, Dynamic Operations, Trained Workforce); Naval Transformation (Power Projection, Precision Engagement, Focused Logistics, Assured Access); Network Centric Warfare (Info Sharing, Virtual Collaboration, Streamlined Planning, Better Awareness); Information Superiority / Decision Superiority (Knowledge Management, Uninterrupted Info Flow, Integrated C4ISR).
Warfighters must trust the network and the information provided if they are to use it. If the network is not trusted we will not achieve information dominance. Designing and integrating IA capabilities into our applications and network infrastructure will result in a secure net-centric environment. Lack of IA can:
- Destroy confidence in the information provided to decision makers
- Cast doubt on the integrity of core systems
- Foster doubt and confusion leading to non-net-centric methods
- Increase the time needed for decision cycles and kill chain cycles
IA must protect, but not encumber, the user.

10 Who's Against Us?
- Malicious outsider attacks
- Insider attacks
- Hardware/software distribution attacks
- Espionage & sabotage
- Disasters & accidents
- Passive intercept attacks
EVERYONE – especially criminals, "for their profit / your loss".

11 Threat Vectors (review – note MOST are operational, not technical *)
Where do the threat agents come from?
- Intentional, insider: fired employee, disgruntled employee, subverted employee, service providers, contractors
- Intentional, outsider: foreign intelligence agents, terrorists, criminals, corporate raiders, crackers; DoS attacks; outsiders who become insiders
- Unintentional: poorly trained administrator, lazy or untrained employee, accidents
- Natural: forces of nature (fires, floods, power failures; e.g. the hurricanes (CH) and the wildfire (SD))
* Lack of adequate "CM" (configuration management, including usable, reportable audits) is THE main IA control most often not met.

12 Some Sources of Threat (we have met the enemy, and they are us…;-((
Threats resulting from crime or loss (source: Computer Security Institute):
- Unintentional: 55%
- Intentional: 25%
- Natural and physical: 20%
Example: IAVA 2006-A-0012 – MS Office vulnerability. Impact: someone can use it to create new accounts with the rights of the logged-in user.
Your Risk Management Plan should address ALL of this.

13 Attack Sophistication is on the Rise
- Increased speed and automation
- Increased sophistication
- Attacks are increasingly asymmetric
- Increased threats from infrastructure attacks

Automation and speed of attack tools. The level of automation in attack tools continues to increase. Automated attacks commonly involve four phases, each of which is changing.
A. Scanning for potential victims. Widespread scanning has long been common; today's scanning tools use more advanced scanning patterns to maximize impact and speed.
B. Compromising vulnerable systems. Previously, vulnerabilities were exploited after a widespread scan was complete. Now attack tools exploit vulnerabilities as part of the scanning activity, which increases the speed of propagation.
C. Propagating the attack. Before 2000, attack tools required a person to initiate additional attack cycles. Today attack tools can self-initiate new attack cycles; tools like Code Red and Nimda self-propagated to global saturation in less than 18 hours.
D. Coordinated management of attack tools. Since 1999, with the advent of distributed attack tools, attackers have been able to manage and coordinate large numbers of deployed attack tools across many Internet systems. Distributed attack tools now launch denial-of-service attacks, scan for potential victims and compromise vulnerable systems more efficiently, and their coordination functions use readily available public protocols such as Internet Relay Chat (IRC) and instant messaging (IM).

Increasing sophistication of attack tools. Attack tool developers use more advanced techniques than before. Attack tool signatures are harder to discover through analysis and harder to detect with signature-based systems such as antivirus software and intrusion detection systems. Three important characteristics are the anti-forensic nature, dynamic behavior, and modularity of the tools.
A. Anti-forensics. Attackers use techniques that obfuscate the nature of attack tools, making it more difficult and time-consuming for security experts to analyze new tools and understand new, rapidly developing threats. Analysis often includes laboratory testing and reverse engineering.
B. Dynamic behavior. Early attack tools performed attack steps in a single defined sequence. Today's automated tools can vary their patterns and behaviors through random selection, predefined decision paths, or direct intruder management.
C. Modularity. Unlike early tools that implemented one type of attack, tools can now be changed quickly by upgrading or replacing portions of the tool. This produces rapidly evolving attacks and, at the extreme, polymorphic tools that self-evolve to be different in each instance. Attack tools are also increasingly built to run on multiple operating system platforms.
As an example of the difficulty sophisticated tools pose, many common tools use protocols like IRC or HTTP to carry data or commands between the intruder and compromised hosts, so attack traffic is increasingly hard to distinguish from normal, legitimate network traffic.

Increasingly asymmetric threat. Security on the Internet is, by its nature, highly interdependent: each system's exposure to attack depends on the state of security of the rest of the systems attached to the global Internet. Because of advances in attack technology, a single attacker can relatively easily employ a large number of distributed systems to launch devastating attacks against a single victim. As automation of deployment and sophistication of tool management both increase, the asymmetric nature of the threat will continue to grow.

Increasing threat from infrastructure attacks. Infrastructure attacks broadly affect key components of the Internet. They are of increasing concern because of the number of organizations and users on the Internet and their growing dependence on it for day-to-day business. Four types:
- Attack 1: Distributed denial of service
- Attack 2: Worms
- Attack 3: Attacks on the Internet Domain Name System (DNS)
- Attack 4: Attacks against or using routers
Asymmetrical cyber warfare: we fix many holes, they find one.
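The point about IRC/HTTP command channels blending into normal traffic is why behavioral detection has to complement signatures. The Python below is an added example, not from the presentation: it runs a beacon detector over constructed proxy-log lines, flagging client/destination pairs that connect on a near-constant timer regardless of what the requests contain. The log format, the thresholds and the `.example` hostnames are assumptions.

```python
"""Beacon detection over proxy logs.

Added example, not from the original presentation. Command-and-control over
IRC or HTTP looks like ordinary traffic, so a payload signature may not
exist. This detector ignores payload entirely and looks for the one thing a
bot usually cannot hide: it checks in on a timer. For each (client,
destination) pair it measures the gaps between requests; many requests with
nearly constant gaps (low coefficient of variation) are flagged. Log format,
thresholds and the sample lines below are assumptions.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, client, method, URL, status.
# 10.1.2.3 browses normally; 10.1.2.7 checks in with cdn.example every ~5 min.
SAMPLE_LOG = """\
2008-03-05T10:00:00 10.1.2.3 GET http://news.example/index.html 200
2008-03-05T10:00:01 10.1.2.3 GET http://news.example/style.css 200
2008-03-05T10:00:04 10.1.2.3 GET http://news.example/story1.html 200
2008-03-05T10:00:05 10.1.2.3 GET http://img.example/a.gif 200
2008-03-05T10:00:00 10.1.2.7 GET http://cdn.example/ping.php 200
2008-03-05T10:05:01 10.1.2.7 GET http://cdn.example/ping.php 200
2008-03-05T10:09:59 10.1.2.7 GET http://cdn.example/ping.php 200
2008-03-05T10:15:00 10.1.2.7 GET http://cdn.example/ping.php 200
2008-03-05T10:20:02 10.1.2.7 GET http://cdn.example/ping.php 200
2008-03-05T10:24:58 10.1.2.7 GET http://cdn.example/ping.php 200
2008-03-05T10:30:00 10.1.2.7 GET http://cdn.example/ping.php 200
2008-03-05T10:00:30 10.1.2.3 GET http://cdn.example/ping.php 200
"""

MIN_REQUESTS = 6     # fewer than this and the interval statistics mean little
MAX_CV = 0.05        # std-dev / mean of the gaps; human browsing is far burstier
MIN_INTERVAL_S = 30  # ignore sub-page-load gaps (css/images fetched with a page)


def parse_log(text):
    """Yield (timestamp, client, host) per line; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts = datetime.fromisoformat(parts[0])
        host = parts[3].split("/")[2]      # "http://host/path" -> host
        yield ts, parts[1], host


def find_beacons(text, min_requests=MIN_REQUESTS, max_cv=MAX_CV):
    """Return {(client, host): (count, mean_gap_s, cv)} for periodic pairs."""
    times = defaultdict(list)
    for ts, client, host in parse_log(text):
        times[(client, host)].append(ts)

    hits = {}
    for pair, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        gaps = [g for g in gaps if g >= MIN_INTERVAL_S]
        if len(gaps) < min_requests - 1:
            continue
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            hits[pair] = (len(stamps), round(mean, 1), round(cv, 3))
    return hits


if __name__ == "__main__":
    for (client, host), stats in find_beacons(SAMPLE_LOG).items():
        print(f"beacon candidate: {client} -> {host} {stats}")
```

A real deployment would widen the window to hours or days (malware beacons are often slow) and add jitter tolerance, since tool authors who know this technique randomize the interval; the detector then has to look at the distribution of gaps rather than a single coefficient of variation, but the idea that timing, not payload, gives the tool away survives.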

14 Statutes
- Clinger-Cohen Act (CCA), 1996: Requires an Information Assurance strategy consistent with the Department's Global Information Grid.
- Government Information Security Reform Act (GISRA), 2000: Requires federal agencies to assess the security of their non-classified information systems, provide risk assessments and report the security needs of all systems.
- Federal Information Security Management Act (FISMA), 2002: Requires each agency to develop, document, and implement an agency-wide information security program. IT security policy recently incorporated into the FAR.
- OMB Circular A-130, 2000: Establishes a minimum set of controls to be included in Federal automated information security programs.
FISMA and the FAR: The Federal Acquisition Regulation (FAR) recently (Sept.) incorporated the IT security provisions of FISMA in order to focus "much-needed attention on the importance of system and data security by contracting officials and other members of the acquisition team." There is an increased need to focus on the role of contractors in security as more and more federal agencies outsource information technology functions. The rule requires contracting officers to seek advice from information security specialists when buying IT goods and services. It also mandates that buyers adhere to Federal Information Processing Standards and agency-specific security requirements when making technology purchases, and it establishes a formal definition of the term "information security".
There are mandates, laws, acts and regulations we MUST follow.

15 Directives and Instructions
- DoDD Information Assurance (IA), Oct 02: overarching DoD IA requirement (24 Oct 02); establishes IA policy and defines responsibilities.
- DoDI IA Implementation, Feb 03: implementation procedures; provides a set of baseline IA controls that must be applied.
- DoDI IA in the Defense Acquisition System, July 04: integration of IA into the Defense Acquisition System.
- DoDD The Defense Acquisition System, May 03
- DoDI Operation of the Defense Acquisition System, May 03
- DoDI DoD Information Assurance Certification and Accreditation Process (DIACAP)
- DoDI DITSCAP, Dec 97: certification and accreditation policy document. Applicable to systems processing TS GENSER and below; not applicable to systems processing SCI, for which a separate set of directives (e.g. DCID 6/3) applies (POC at ONI). Note: SCI has additional directives that take precedence.
Other references in backup. DIACAP is now the one!

16 Serious Recognition of CyberCrime
Federal criminal code related to computer crime:
- 18 U.S.C. § 1029. Fraud and Related Activity in Connection with Access Devices
- 18 U.S.C. § 1030. Fraud and Related Activity in Connection with Computers
- 18 U.S.C. § 1362. Communication Lines, Stations, or Systems
- 18 U.S.C. § 2511. Interception and Disclosure of Wire, Oral, or Electronic Communications Prohibited
- 18 U.S.C. § 2701. Unlawful Access to Stored Communications
- 18 U.S.C. § 2702. Disclosure of Contents
- 18 U.S.C. § 2703. Requirements for Governmental Access
Other related crimes:
- Copyright offenses: 17 U.S.C. 506, 18 U.S.C. 2319, 18 U.S.C. 2318
- Copyright management offenses: 17 U.S.C. 1201, 1202, 1203, 1204, 1205
- Bootlegging offenses: 18 U.S.C. 2319A
- Trademark offenses: 18 U.S.C. 2320
- Trade secret offenses: 18 U.S.C. 1831, 1832, 1833, 1834, 1835, 1836, 1837, 1838, 1839
- Offenses relating to the integrity of IP systems: 17 U.S.C. 506(c-d), 17 U.S.C. 506(e), 18 U.S.C. 497, 35 U.S.C. 292
- Offenses relating to the misuse of dissemination systems: 18 U.S.C. 1341, 18 U.S.C. 1343, 18 U.S.C. 2512, 47 U.S.C. 553, 47 U.S.C. 605
LOTS of laws, many more crimes!

17 IA covers more than Networks
- Land-mobile radio cryptographic and key management systems (high and medium assurance)
- SONAR buoy and other disposable sensor clandestine communications
- Aircraft wireless intercom systems
- Software cryptography (medium & basic assurance)
- Software anti-tamper systems
- RF identification device (RFID) security
- OPSEC/COMSEC monitoring systems (i.e., monitoring software)
- Spectrum management inclusion of TRANSEC
- Emanations security (TEMPEST and other vulnerability assessments)
- VoIP integration with E-911 services
- Security marking standards & software
- Open source software security (freeware and shareware)
- Secure chat (XMPP) systems
Complex needs, complex systems, complex security. WE need an enterprise "protections" risk management approach.

18 GIG IA Protection Strategy Evolution
Today – static "perimeter" protection model:
- Common level of information protection provided by the system-high environment
- Common user trust level (clearances) across the system-high environment
- Privilege gained by access to the environment and rudimentary roles
- The information "authority" determines the required level of protection (QoP) for the most sensitive information in the system-high environment; this high-water mark determines the IT/IA/"Comms" standards for all information
- Manual review to release information classified at less than system-high
- Manual analysis and procedures determine allowed interconnects
Future – transactional "enterprise IA" protection model:
- Required level of information protection "specified" for each transaction
- User trust level sufficient across the transaction/COI; varies across the enterprise
- Privilege assigned to user/device based on operational role, and can be changed
- The information "authority" determines the required level of end-to-end protection (QoP) to access the information; this translates to a set of IT/IA/"Comms" standards that must be met for the transaction to occur
- Automated mechanisms allow information to be shared ("released") when users/devices have the proper privilege and the transaction can meet the QoP requirements
We will be loosely connected, sharing information – and protected?
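To make the difference between the two models concrete, the following Python is an added example (not from the presentation or any GIG program) that encodes each as a policy function and evaluates the same transactions under both. The classification lattice, the QoP property names, the roles and the sample users, devices and information objects are all assumptions.

```python
"""Perimeter (high-water-mark) vs. transactional protection decisions.

Added example, not from the original presentation. It encodes the two
models on the slide as policy functions and runs both over the same
requests:
  - perimeter_model: the system-high enclave is marked at its most sensitive
    information; a user gets everything once cleared for that mark, and
    release below the mark or to a partner is a manual step (modelled as
    "deny" because it cannot be automated).
  - transactional_model: each object carries its own required protection
    (classification, releasability and a set of QoP properties the channel
    must provide); access is granted when the user's clearance, the device's
    role-based privilege and the transaction's QoP all satisfy it.
Level names, QoP property names, roles and the sample data are assumptions.
"""
from dataclasses import dataclass

LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}   # simple linear lattice


@dataclass(frozen=True)
class Info:
    name: str
    level: str
    qop: frozenset = frozenset()                 # required channel properties
    releasable_to: frozenset = frozenset({"US"})


@dataclass(frozen=True)
class Principal:
    name: str
    clearance: str
    nationality: str
    roles: frozenset


@dataclass(frozen=True)
class Transaction:
    who: Principal
    what: Info
    channel: frozenset        # QoP properties the path actually provides
    device_roles: frozenset   # roles the endpoint device is accredited for


def dominates(a: str, b: str) -> bool:
    return LEVELS[a] >= LEVELS[b]


def perimeter_model(enclave_mark: str, t: Transaction) -> bool:
    """System-high: one mark for everything. Clearance for the mark is the
    only automated test; the channel is assumed protected by the enclave,
    and foreign release needs manual review (so: deny)."""
    if t.who.nationality != "US":
        return False
    return dominates(t.who.clearance, enclave_mark)


def transactional_model(t: Transaction) -> bool:
    """Per-transaction: the object's own level, releasability and QoP set,
    plus role-based privilege on the device that is actually used."""
    obj = t.what
    if not dominates(t.who.clearance, obj.level):
        return False
    if t.who.nationality not in obj.releasable_to:
        return False
    if not obj.qop <= t.channel:                 # required QoP must be met
        return False
    return bool(t.who.roles & t.device_roles)    # device accredited for role


def demo() -> dict:
    """Evaluate constructed requests; returns {case: (perimeter, transactional)}."""
    weather = Info("weather", "U", frozenset({"integrity"}), frozenset({"US", "GBR"}))
    track = Info("track", "S", frozenset({"integrity", "confidentiality", "pki_auth"}))
    alice = Principal("alice", "S", "US", frozenset({"watch_officer"}))
    bob = Principal("bob", "C", "GBR", frozenset({"liaison"}))
    carol = Principal("carol", "C", "US", frozenset({"watch_officer"}))
    strong = frozenset({"integrity", "confidentiality", "pki_auth"})
    weak = frozenset({"integrity"})
    wo, li = frozenset({"watch_officer"}), frozenset({"liaison"})
    cases = {
        "alice_track_strong": Transaction(alice, track, strong, wo),
        "alice_track_weak": Transaction(alice, track, weak, wo),   # under-protected path
        "bob_weather": Transaction(bob, weather, weak, li),        # coalition, unclassified
        "bob_track": Transaction(bob, track, strong, li),          # not cleared, not releasable
        "carol_weather": Transaction(carol, weather, weak, wo),    # US, below the mark
    }
    return {k: (perimeter_model("S", t), transactional_model(t)) for k, t in cases.items()}
```

Two rows carry the lesson: `alice_track_weak` is allowed by the perimeter model because it never looks at the path, and denied by the transactional model because the channel lacks the QoP the object demands; `bob_weather` and `carol_weather` are refused by the high-water mark even though the information is unclassified, and released automatically once the decision is made per transaction.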

19 Local US Navy IA/Security entity: PEO C4I / PMW 160
PEO C4I provides most IA/Security for the fleet. Program Management Warfare (PMW) 160 is the Navy IA acquisition agent, organized as:
- PMW 160.1: Afloat Networks
- PMW 160.2: CRYPTO & Key Management
- PMW 160.3: Messaging
- PMW 160.4: Network Security
- PMW 160.5: Future Enterprise Networking
Programs and products shown on the slide: ISNS/PC SCN Implementation, SCI Networks, SubLAN, CENTRIXS, PPL/SSIL; CMPO Crypto Products, EKMS and KMI, KG-3X APM, KG-40AR & MLCS, PKI, Secure Voice; DMS, DEBS/NREMS, Legacy Systems, Tactical Messaging/NAVMACS; Network Security, CND, CDS, JCDX, Radiant Mercury CDS, Boundary; CANES, ADNS and VIXS, CANES Core Services, COMPOSE, Network Management (PLM Tool/EMIO), Interior Communications.
Buying IA/Security products is "easy" – "CM" (configuration management) is really, really hard.

20 Information Communities
While the Federal government has many levels of data classification needs and access control, so do you (public, admin, proprietary, business confidential, B2B, etc.).
Tiers from the slide:
- Special Capabilities Network (SpecCap Net): weapons picture/control (SAP); reliable & assured information exchange
- Intelligence Oriented Network (JWICS-like): INTEL picture / tactical INTEL awareness, order of battle / warfare profile, collaboration tools, coalition nets
- TOP SECRET Exchange Area: all GENSER TS collaboration/messaging; careful information exchange
- Tactical Classified Network (SIPRNET-like): common sensor picture, tactical awareness/exchange, warfare profile/collaboration tools, coalition nets
- Classified Network (SIPRNET-like): voice (PSTN – STE/STU gateway), audio/video/data streaming, data (as available), collaboration tools, coalition nets
- Unclassified Network (NIPRNET-like): voice (PSTN connection), audio/video/data streaming, data (as available), collaboration tools, coalition nets; careful information exchange
- SBU: community-of-interest isolation
What types and levels of data, hence security, do you NEED?

21 Systems Security Engineering Implementations
- Computer Security (COMPUSEC): Measures and controls that ensure confidentiality, integrity, and availability of IS assets including hardware, software, firmware, and information being processed, stored, and communicated.
- Communications Security (COMSEC): Measures and controls taken to deny unauthorized individuals information derived from telecommunications and to ensure the authenticity of such telecommunications. Communications security includes cryptosecurity, transmission security (TRANSEC), emission security (EMSEC or TEMPEST), and physical security of COMSEC material.
- Electronic Security (ELSEC): Protection resulting from measures designed to deny unauthorized individuals information derived from the interception and analysis of non-communications electromagnetic radiations.

22 IA Across the Stack
Diagram from the slide: the ISO/IEC Open Systems Interconnection Reference Model layers (Application, Presentation, Session, Transport, Network, Data Link, Physical) set against the security disciplines, with COMPUSEC toward the application end, COMSEC at the transport/network layers, and ELSEC & EMSEC at the physical layer. Cross-cutting operational functions: Information Operations, Information Assurance, Computer Network Defense, Network Operations Security, Electronic Warfare. Sensing and response across all layers: sensors (SIGSEC/COMSEC monitoring), event detection/correlation, event response.

23 IA: 10 Distinct Activities
- IA1: Defend the Network & Infrastructure
- IA2: Defend the Enclave Boundary
- IA3: Defend the Computing Environment
- IA4: Supporting Infrastructures
- IA5: System Security Methodology
- IA6: Security Management
- IA7: Defensive Information Operations
- IA8: Training and Awareness
- IA9: Management and Operations
- IA10: Tactical Environment

24 Defend the Network / Infrastructure
Security zones shown on the slide:
- Zone 4 security: interconnect global networks (Naval Communications & Networks, Network Operating Center)
- Zone 3 security: interconnect ship/shore/command networks (MAN, BAN, LAN)
- Zone 2 security: interconnect workstation or server; interconnect network infrastructure appliances

25 Network Defense Products/Services
- Crypto: high assurance Type 1, modular crypto system, embedded crypto, unclassified crypto (FIPS 140-2), Virtual Private Network
- High assurance guards / cross domain systems: Radiant Mercury
- Secure voice: telephone and tactical (STU, STE), secure voice gateways, Voice over IP (VoIP)
- Wireless LAN networks

26 Defend the Enclave Boundary
Diagram labels from the slide: DoD Global Information Grid; Navy Marine Corps Intranet; USN user enclaves; ship/shore enclave. Layered detection and filtering: DISA intrusion detection, N/MCI intrusion detection, fleet enclave intrusion detection; DISA firewall, N/MCI firewall, ship/shore gateway firewall, LAN local firewalls; router block filter. Connections: Group 1 (DoD Defense Information Network), Group 2 (Internet / NIPRNET), Group 3, … Group N.
Information Assurance boundaries extend throughout the enterprise – "Defense in Depth".

27 Computer Network Defense (CND) Shore and Afloat Infrastructure
Diagram labels from the slide: DISN; trusted Navy networks; computer network defense in depth; external attacks; malevolent insider; Fleet NOC (premise router, outer security screening router, firewalls, NIDS/IPS, NIF, VSCAN, load levelers, DNS, VPN, packet shaper, inner security screening router, host-based intrusion protection sensors); network intrusion detection sensor (force level only); IA security tools (SCCVI/SCRI); HIPS (HBSS); IASM; fleet router; ship router.
- Extending the security boundaries beyond the NOC
- Comprehensive IA suite at all Fleet NOCs
- Defense in depth strategy at the afloat unit level
- Protection, detection, reaction capabilities end-to-end

28 Electronic Key Management System (EKMS): Architecture Overview
EKMS provides: automated ordering, generation, distribution, and destruction of electronic KEY MATerial (KEYMAT); accounting for cryptographic items; and reduced risk of mishandling or compromising KEYMAT.
FY04 accomplishments:
- Completed 99% of Tier 2 account transition to Phase 4 EKMS
- Designated by CNO as the POC for all Tier 2 user application software to assure compatibility with CUAS and LCMS
- Completed evaluation of SDS and SKL first EDMs and software and provided test reports
- Developed EKMS Manager's Guide
- Developed COI for Phase 4 EKMS Manager course
- Completed CT3 Operator Manual and DMD Manual
- Completed draft COI for the CT3 and DMD course for FY05 training start
- Completed CT3 version 3.2 development for the DTD required to interface with SDS and SKL software
- Completed a pilot of KEYMAN! with five accounts
- Completed demonstration of NKM at IASWS and PACOM conferences; NSA became a partner on NKM, including providing development funds
- Reviewed the KMI ORD and KMI CI-2 tech package
FY05: start implementation of EKMS Phase 5: new fill devices, CUAS and DMD, new LMDs, new version of SCO (5.07), LCMS version 5.X, new architecture, net key management, IP-based Tier 0-2.

29 HIDS: Host Based Intrusion Detection
Operational strategy:
- Provide the ISSM an IDS afloat
- RealSecure Host Based Intrusion Detection System (HIDS) on all ISNS servers
- Address the insider threat
Implementation strategy:
- COTS with central management, hierarchical, and auditing
- Installed on all ISNS servers and high-value workstations
- Detects attempted attacks on the targeted platform
Accomplishments and efforts:
- IT-21 interoperability test and evaluation completed
- Request for addition to the Preferred Products List underway

30 Supporting Infrastructures
PKI

31 Common Intrusion Detection Framework / IA Common Operating Picture
Defensive Information Operations (IO): IO = CNE + CNA + EW + OPSEC
Diagram labels from the slide (GCCS IA COP): Intel components; CINCs; CYBERWATCH; ARFOR, NAVFOR, AFFOR, MARFOR; DISA-GOSC; EUCOM, SPACECOM, STRATCOM, TRANSCOM, SOCOM, SOUTHCOM, PACOM, ACOM, CENTCOM; INTELLINK; WATCHCON; NMCC; NSIRC; MID; DII; INFOCON; Red Team; Common Intrusion Detection Framework; Info Assurance Common Operating Picture.

32 Certification and Accreditation (C&A) Terminology
Certification: "Comprehensive evaluation of the technical and non-technical security features of an Automated Information System (AIS) and other safeguards, made in support of the accreditation process to establish the extent to which a particular design and implementation meets a set of specified security requirements." (DoDI , DoD Information Technology Security Certification and Accreditation Process (DITSCAP), 12/30/97)
Accreditation: "Formal declaration by a Designated Approving Authority (DAA) that an AIS is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk." (CNSS No. 4009, National Information Systems Security (INFOSEC) Glossary)
These terms often get interchanged and are not well understood.
- Certification: how well does a system meet its security requirements? Lab testing, operational testing, risk assessment.
- Accreditation: formal acceptance of the risk of operating the system; balances operational need with the risk assessment.

33 USN Compliance Roadmap
The path is well established, yet programs have a hard time following and complying:
- OMB Circular A-130, Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources
- DoDD Information Assurance, Oct 24, 2002
- DCID 6/3, Protecting Sensitive Compartmented Information Within Information Systems, June 5, 1999
- DoDI Information Assurance Implementation, Feb 6, 2003
- SECNAVINST A, Department of the Navy Information Systems Security (INFOSEC), Dec 20, 2004
- OPNAVINST B, Navy Information Assurance (IA) Program, Nov 9, 1999

34 DITSCAP / DIACAP Roles and Responsibilities
- Designated Approving Authority (DAA): formally assumes responsibility for operating a system at an acceptable level of risk (often said to have 51% of the vote)
- Program Manager (PM) (or System Manager, SM): responsible for the overall procurement, development, integration, modification, or operation and maintenance of the IT system
- Senior IA Official (SIAO): establishes and enforces the C&A process; acts as, or delegates, CA oversight
- Certification Authority (CA): responsible for making a technical judgment of the system's compliance with stated requirements, assessing the system's security risk, and coordinating certification activities
- DoD IS User Representative (UR): represents the user community in defining operational requirements
- IA Managers (IAMs): support the PM/SM, provide C&A status, give direction to the IAOs
DoDD , para. E.3.3.1: The key to the DITSCAP is the agreement between the IT system program manager, the DAA, the CA, and the user representative.

35 DIACAP Process
The DoD Information Assurance Certification and Accreditation Process (DIACAP) is a dynamic information assurance (IA) certification and accreditation (C&A) process that supports and complements the net-centric, Global Information Grid (GIG)-based environment. The DIACAP establishes a standard process for:
- Identifying, implementing, and validating standardized IA controls
- Authorizing the operation of DoD information systems
- Managing an IA posture across the DoD information system life cycle
The core activities of the DIACAP are consistent with DoDD , DoDI , DoDI , the acquisition life cycle requirements of DoDD and DoDI , FISMA security requirements, Appendix III of OMB A-130, industry best practices, and lessons learned. (DoDI supersedes the DoD Information Technology Security Certification and Accreditation Process (DITSCAP), defined in DoDI and DoD M.)

36 DIACAP Process “C&A” - Now more automated, IA controls based, but still a pain…

37 DoDD Information Assurance: key requirements
- IA requirements shall be included in all information system acquisitions or upgrades
- IA shall be "a visible element of all investment portfolios", including competitively-sourced IS
- All DoD IS shall be assigned an appropriate Mission Assurance Category
- Community risk shall be assessed and measures taken to mitigate that risk prior to interconnecting systems
- All DoD IS shall be certified and accredited IAW
- All IA or IA-enabled IT must be validated in compliance with NSTISSP 11
- Systems enabling coalition operations shall be approved by the responsible Combatant Commander and DAAs
Speaker notes, DoD /2 (Orange Book, mid 80s) versus this directive: from a trusted computing base with the focus on the technical controls of solutions, to network-centric systems operating in an open environment, with a defense in depth and breadth focus (layering, understanding interdependencies in system design), COTS and GOTS.
One of the government's major IA / C&A directives.

38 NSTISSP 11 IA Products IA Enabled Products
Mandates the use of Common Criteria evaluated products in national security systems for IA or IA-Enabled products/systems
IA Products: Firewall; Virtual Private Network (VPN); Intrusion Detection Systems (IDS); Anti-Virus
IA Enabled Products: Operating Systems (e.g., NT, XP, Linux); Database Management systems; Network Management systems; Web Browsers (e.g., Netscape or IE)
National Security Telecommunications Information Systems Security Policy
Common Criteria represent an international agreement. Basically, if a product is there, use it.
FIPS: Crypto modules for COI separation
Common Criteria: COTS software/appliance solutions
NSA: IA Encryption devices
Another major technical reference to understand

39 QDR Identified IA Gaps Trusting the Edge
Distributed Trust Model – nodes and users High assurance platforms Security Management Infrastructure Automated and adaptable dynamic policy applications Risk adaptive access control Secure mobility for future GIG warfighter networks Wireless security architectures Authenticated User/Devices Assured Information Sharing Cross Domain Solutions Situational Awareness and Response/Enterprise Health Node-based situational assessment Automated network reconfiguration, recovery, and reconstitution What our senior leadership thinks is lacking (circa 2006)

40 Acquisition perspective on IA issues
Lack of overall IA Compliance
Minimal C&A effectiveness (can’t inspect in security)
IA / CND Products need modernization / evolution
IA designed in better – SETR process
Need an Enterprise Risk Management approach
Lack of an IA Master Plan / Strategy
Poor IA/Security Configuration Management
Need more enterprise IA/Security Solutions
IA training at all levels… lacking
PEO / PMW IAM guidance
Install process cumbersome, non-user-friendly
Sound familiar - you have them, are resolutions in work?

41 IA/Security Axioms to consider / accommodate / educate
Security and complexity are often inversely proportional. Security and usability are often inversely proportional. Good security now is better than perfect security never. A false sense of security is worse than a true sense of insecurity. Your security is only as strong as your weakest link. It is best to concentrate on known, probable threats. Security is an investment, not an expense.

42 IA / Security “Best Practices”
Best practices are not a panacea, complete, or what YOU need to do
Do you even know your business protection needs? Do you have a current asset inventory?
Determine what is “good enough” or “minimally acceptable”
Quantify your environment’s threats and vulnerabilities - your list should have 10 – 50 or so threats assessed
Have a security policy that’s useful, complete, VIP endorsed - yes, that’s HAVE A POLICY, choose a model, then enforce it too!
Run self-assessment on security measures (use accepted tests, STIGs, etc) and compliance (HIPAA, PCI, CFR, SOX, etc)
Training and awareness programs – needed, but not a black hole
TEST your continuity, recovery plans, backup – can you restore?
Encrypt where you can (do you need it for: IM, Chat, , file transfer, online meetings, storage, backup, etc)
Be familiar with the “NIST” IA/Security series – they are great!
Always use capabilities off the preferred products lists (PPLs)
A risk management plan should roll all these into one effort
You can somewhat control what you plan, but get what you enforce…

43 Overall IA/Security Approach
ALL IA/security environments should include the below top-ten elements to ensure a well-integrated, effective, and “best value” data protection approach.
1 - Comprehensive security policy - must have, and strictly enforce, a rule set and execution process that accommodates dynamic priorities, compliance, auditing, leadership changes and enforcement methods, while detailing policy at the required levels with specific ownership.
2 - Distribute clear governance - technical, administrative and operational “chain of commands” must be delineated, including rules of engagement and communication paths between them and all stakeholders.
3 - Build in defense-in-depth - maintain multiple protection fronts - operations center, gateway, network access control (NAC), desktop, storage centers, remote access, etc.
4 - Develop, maintain and follow a strategy, master plan - use an enterprise architecture to capture and track all requirements and capabilities.
5 - Strict configuration management - automated, tracking and reporting to enable enforcement. You must have an inventory management knowledge that covers all elements: hardware, software and “settings” - where a mis-configured system causes a false sense of security.
6 - Develop an effective tool suite - stress automation where possible, and KISS, for SLAs, testing, metrics, etc.
IA/Security is more leadership, strategic direction, than technical!

44 Overall IA/Security Approach
7 - Guard against major hacker entry points - stealing passwords, trojan horses, software defaults, man-in-the-middle attacks, numerous wireless vulnerabilities, social engineering (general awareness and PII info), using vulnerability research against you (zero day, etc), phased attacks (slow, multi-level, methodical, engineered), lack of user education/awareness and apathy, un-enforced time-outs and failed access tries, and multiple insider threats (gain access as an employee), etc…
8 - Actively guard malware entry points / methods:
a - Monitor all web traffic - assess trends - on forums, file-sharing, blogs, corporate drives, portals, etc
b - Use content filters - assess / scan ALL file types - zip, word, etc - including uploaded files and instant messenger (and don’t trust file extensions, as “txt” can be renamed to “exe”) - prevent downloading executables, shareware, etc…
c - Block rogue URLs/inappropriate web sites dynamically and use URL filtering on both in and out bound traffic
9 - Test critical elements - continuity and recovery plans, training programs, compliance levels, key vulnerabilities, etc…
10 - Develop and periodically update an enterprise “protections” risk assessment. Always understand your current threats, vulnerabilities and impacts to business and warfighter effectiveness… Establish what is “good enough” or minimally acceptable… minimize what you don’t know you don’t know…
IA/Security is more leadership, strategic direction, than technical!

45 Online Services - INFOSEC Web Site
Anti-Virus IA Publications and Policies NCDOC “Ask The Expert” IA Bulletin Board Advisories Customer Service INFOSEC Chat IAVM Training Help with INFOSEC Products & Services (i.e., VPN, FORTEZZA, Firewalls, Intrusion Detection, Secure Voice, EKMS, TEMPEST) Fleet Internet Security Handbook

46 DISA IA Web Resources

47 IA/security resources
This site has almost everything you need other IA/Security sites (cont): Main sites other IA/Security sites: Great ISSE / SSE Site Great Sites too PPL sites in backup

48 Summary (Review) “Gotchas” Major resources KEY Success elements
“Assuming” you don’t need IA (Standalone, have a firewall, etc…) Not adding in IA cost, schedule and performance Major resources KEY Success elements Build IA in up front (Requirements, ISSE, TEMP, etc) Start C&A early (C&A plan, CRR) Risk Management, Risk Management, Risk Management CAC cards needed, BUT much is on the CD ROM provided “EASY” button

49 BACKUP

50 Why Should You Care About IA
In a net-centric world, a risk taken by one is a risk shared by all. Migration from stove-piped systems has enhanced the concept of the “weakest link” in security. Physical controls and link encryption are no longer sufficient. Without adequate IA/Security, our organizations will fail.

51 Program Protection Overview (one perspective (Anti-Tamper))
Building blocks (diagram labels): PPP, CPI, Threat, Vuln., Risk, OPSEC, SCG, INFOSEC, PERSEC, PHYSEC, COMSEC, INFO ASSURANCE, SECED, SSE/AT, FOREIGN DISCLOSURE, PUBLIC AFFAIRS, TA/CP
Program Protection Planning: The overarching security process for an acquisition program
Critical Program Information: What to Protect - “program unique”
Threat, Vulnerability & Risk Analysis
Countermeasures
Documents: SCG; OPSEC Plans (as needed); Policy (DoD, AF, NISPOM); Local Operating Instructions, Security Manuals, etc.
However you parse it, “IA” threads/interfaces are pervasive

52 Preferred Product Lists (PPL)
Generally programs should strive to use PPL devices / processes in building their systems. Other than the type-1 COMSEC devices, which require individual certification letters held by the companies, the list below is probably the 90% solution without getting industry groups such as ICSA labs. NIST FIPS 140 certifications: NIST algorithm certifications: NIAP/Common Criteria: DISA IASE: NSA IAD: NOTE - A PPL list can range from algorithms to specific equipment configurations. For example, one radio might have FIPS approval when ordered using model number 123 and an NSA type-1 certification when ordered using model number Same is true for a router, IPS, Yet even if a device has a CC EAL-4 certification, you still need to ensure that the protection profile used and the security target meets your specific application.

53 Information “Protections” Overview (or why “IA” is so complex / hard…)
Diagram labels: CNO (Defend, Attack, Exploit); CIO; FISMA; Operations; IAMs; CND; CMI/KMI; PKI/CAC; ID Mgmt; CA Support; C&A; IA; Policy; Training; IA Services (P = Hard IA Product, p = Soft IA Product)
IA includes much more than the ISSP. Hard IA products are the high-grade IA products that are expensive and require a long time to develop. Hard IA products are the “must-have” products of the ISSP and should have priority. Soft IA products are the commercial-grade IA products that are often COTS. Soft IA products can be (and often are) bought with non-ISSP funds. Without enough ISSP funding, Navy should fund the “must-have” Hard IA Products at the expense of Soft IA products and CA Support that can be funded by other Program Elements.
Multiple players; Multiple PEs/Lines; Multiple threats; Multiple PMW/S/As; Typical Acquisition part; Enterprise Risk Mgmt.; Requirements
IA/Security Strategy AND Governance critical to success

54 USN IA Issues/Challenges
Rapidly evolving Navy threats/vulnerabilities to critical assets
Crypto Modernization
Data exfiltration
Web based threats
Technology evolution challenges fielding efforts
Provide IA engineering to translate ForceNet capabilities into Computer Network Defense solutions
Installation processes - SHIPMAIN/FRCB
Integration and coordination between Programs
Remediation of system assets to meet standard baseline builds
Integration of IAVA/B
SSAA / C&A coordination
Verification of site security compliance
Certification & Accreditation (CA) of systems
Training (at all levels, especially maintenance)
You too will have these challenges at some level

55 Navy Specific IA Policy Guidance
SECNAVINST , DON Info. Sys. Security Program and SECNAV Manual M-5239 - Basic Policy/Guidelines for Security of National Security Systems
OPNAVINST B, Navy IA Program - Establish Policies and Procedures for Proper Management and Protection of Information and Information Systems
Navy IA Publications Series 5239: Introduction to Information Systems Security; Terms, Abbreviations, and Acronyms; Information Systems Security Manager; Information Systems Security Officers; Network Security Officers; Assessed Products List; Introduction to C&A

56 DITSCAP to DIACAP
The recent release of DOD interim guidance for the Defense Information Assurance Certification and Accreditation Program (DIACAP - DoDI ) supersedes:
DoDI : DITSCAP Instruction
DoDI M: DOD DITSCAP Application Manual
However, Service specific guidance has not been released.
Currently signed DITSCAP Phase I, II, or III > remains in DITSCAP
Navy programs remain in DITSCAP until DON CIO submits their guidance
Joint Programs are transitioning based on guidance from the lead Service
Navy specific guidance/transition point not finalized, yet everyone in DOD must develop DIACAP transition plans
More can be found on the DISA Web Site at
Navy specific guidance and updates at under the documentation tab

57 DoD IA Controls Subject Areas
Technical and Non-Technical
Security Design & Configuration
Identification & Authentication
Enclave & Computing Environment
Enclave Boundary Defense
Physical & Environmental
Personnel
Continuity
Vulnerability & Incident Management
Mobile Code/CCB/Testing/Ports & Protocols/Documentation
The DoD IA controls are organized into eight subject areas. The subject areas reflect a defense-in-depth approach, and are drawn from the Information Assurance Technical Framework and supporting IA infrastructures, system life cycle concepts, OMB A-130, and the DoD definition for information assurance.
Documentation/Policy Compliance/Configuration Management/Mobile Code Use
- Security Design and Configuration (31) - Controls directed towards ensuring security during the system’s development cycle. CCB/Testing/Design/Mobile Code Use/Ports and Protocols
- Identification and Authentication (9) – Password implementation/Key management.
- Enclave and Computing Environment (48) – Audit trails/Host based IDS/Access controls/Data integrity controls/Encryption/Virus protection.
- Enclave Boundary Defenses (8) – Firewalls/Network IDS/Remote access/VPNs.
- Physical and Environmental (27) – Emergency lighting/Fire protection/Physical access *screen locks.
- Personnel (7) – Rules of behavior/Training/Clearances *Need to know restrictions.
- Continuity (24) – Disaster recovery procedures/Alternate sites/Spares.
- Vulnerability and Incident Management (3) – Reporting incidents and conducting vulnerability assessments.

58 Mission Assurance Categories
Mission Assurance Categories
MAC I – vital to operational readiness or mission effectiveness of deployed or contingency forces. Loss of integrity or availability unacceptable. Requires most stringent protective measures.
MAC II – important to the support of deployed or contingency forces. Loss of integrity unacceptable, unavailability tolerable only for short time. Requires additional safeguards beyond best practices.
MAC III – necessary to conduct of day-to-day business. Protection commensurate with commercial best practices.
Confidentiality Levels
LEVEL     DEFINITION
High      Classified Information
Medium    Sensitive Information, Not Cleared for Public Release
Basic     Information Cleared for Public Release
Information assurance requirements have traditionally been identified through a process of answering four questions: (1) What is the operational value of the information? (2) What is the threat? (3) What statutory and policy requirements must the system satisfy? and (4) What operational, environmental, or technical factors may impact IA solutions? DoD Directive , Information Assurance, establishes how DoD will describe the operational value of information in terms of confidentiality, availability and integrity. It establishes three mission assurance categories that set availability and integrity levels, and three confidentiality levels relative to information classification, sensitivity and need-to-know. As early as possible in its life cycle, each DoD information system is assigned a MAC and confidentiality level.
MAC levels determine how robust your system needs to be (i.e. Availability & Integrity). For example, NMCI is MAC II. This is a cost concern. MAC is most expensive. MAC II and high level = 110 Controls

59 Statutory & Regulatory Compliance SSEE
Federal Information Security Management Act (FISMA)
Privacy Act
Health Insurance Portability and Accountability Act (HIPAA)
Family Educational Rights and Privacy Act (FERPA)
Government Paperwork Elimination Act (GPEA)
Information Technology Management Reform Act (Clinger-Cohen)
Public Company Accounting Reform and Investor Protection Act (Sarbanes-Oxley)
E-Government Act
Computer Security Act
National Information Infrastructure Protection Act
Electronic Signature in Global and National Commerce Act
Financial Modernization Act of 1999 (Gramm-Leach-Bliley)
National Institute of Standards and Technology Act (as applies to IA certifications and broad agency standards)
Presidential Directive 24, "Telecommunications Protection Policy"
National Security Directive 145, ...
Executive Orders 12958, 12333, ...
Federal Criminal Codes Related to Computer Crime
Federal information protection and ownership statutes
DOD 85xx series Information Assurance directives
DODD C , Communications Security (COMSEC)
CJCSI C - Information Assurance and Computer Network Defense
SECNAVINST A, Department of the Navy Information Assurance (IA) Policy
OPNAVINST B, Navy Information Assurance (IA) Program
Secure voice (STE/FNBDT) status notes: 13,564 STE/FNBDT units fielded to date; STE OMNI Afloat 4,048, Shore: 240, Shore 5,884; SECTERA Wireless (GSM) / SECTERA Wireline Afloat: 59, Shore: 2,110, Shore: 1,233; Afloat completed to date: 136 Ships (63%), 23 Submarines (33%). Fielded 13,564 STE/FNBDT Devices (to Date). Provided Over 500 Technical Assists. Provided a FNBDT Capable Conference Bridge to Support Operation Iraqi Freedom, Conference Bridge Still in Operation. Managed STU-III Screening/Repair Facility to Maintain Fleet Readiness. Developed Naval Advanced Secure Voice Architecture. Developed Variable Data Rate (VDR) Algorithm With Range of 2.4kbps (MELP Compatible Base Rate) up to 32kbps. Successfully Completed JUICE 04 Exercise. Complete Replacement of Mission Critical Shore and Afloat STU-IIIs With STE/FNBDT Terminals, Perform Shipboard FNBDT IWF TEMPALT to Provide FNBDT Capability to Underway Platforms, Enhance Strategic/Tactical Interoperability. Install Tactical Shore Gateways (TSG) FY05-FY07. Initiate Next Generation Tactical Secure Voice/Data Device Requirements Study.

60 PEO ACT Documents Program Protection Plan (PPP)
PPP is only required for programs that have Critical Program Information (CPI). Established to identify and protect classified and other sensitive information from foreign intelligence collection or unauthorized disclosure. Clinger-Cohen Act (CCA) CCA applies to programs containing Mission Critical (MC) or Mission Essential (ME) IT systems including NSS For additional information go to System Security Authorization Agreement (SSAA)

61 IA Roadmap Correlation to DoD 5000 Lifecycle
Establish an IA organization Identify IA requirements Develop an acquisition IA strategy Secure resources for IA If you don’t start the IA Engineering and C&A process early in the development cycle, you are adding risk to schedule and cost for the program. Initiate DITSCAP Incorporate IA solutions Test and evaluate IA solutions (IATO’s/ATO) Accredit the system Maintain the system’s security posture throughout its life-cycle Note: An IATO may be required to support demonstrations, test events, and/or initial fielding

62 IA Roadmap Steps Establish an IA organization Identify IA requirements
Develop an acquisition IA strategy Secure resources for IA Initiate DITSCAP Incorporate IA solutions Test and evaluate IA solutions Accredit the system Maintain the system’s security posture throughout its life-cycle

63 Navy DITSCAP Relationships
Approval Flow (diagram): Request from the PM to the DAA via the CA; Certification Authority to the DAA; DAA to NETWARCOM. Roles shown: DAA, NETWARCOM, CA (SPAWAR 05), Cert. Agents, PM, User Rep., Resource Sponsor. Other labels: Resourced by PM; Default for PORs
DoDD , para. E.3.3.1: The DAA, the CA, and the user representative resolve critical schedule, budget, security, functionality, and performance issues. This agreement is documented in the SSAA that is used to guide and document the results of the C&A. The objective is to use the SSAA to establish a binding agreement on the level of security required before the system development begins or changes to a system are made.
The System Security Authorization Agreement (SSAA) contains a formal and binding agreement between the IT system program managers, the DAA, the CA, and the user representative that establishes the level of security required before the system development begins or changes to a system are made. The SSAA is used to guide and document the results of the certification and accreditation (C&A) and the implementation of IT security requirements.
The SSAA resolves several issues, including the:
critical schedule for the C&A - the schedule for the planning and certification actions.
budget - the SSAA identifies all costs relevant to the C&A process. The program manager adds a C&A funding line item to the program budget to ensure the funds are available. Funding covers any travel or program contractor costs associated with certification, test development, testing and accreditation.
security requirements based on the group or class into which the system falls.
functionality of the system - the operational and security functionality of the system.
performance issues.

64 SSAA System Security Authorization Agreement (SSAA) Documents
All requirements for accreditation
All security criteria
DITSCAP plan
System architecture
C&A level of effort
Agreement among Government entities
Objectives of the SSAA: Document the formal agreement among the DAA(s), the CA, the user representative, and the program manager. Document all requirements necessary for accreditation. Document all security criteria for use throughout the IT system life-cycle. Minimize documentation requirements by consolidating applicable information into the SSAA (security policy, concept of operations (CONOPS), plans, architecture description, etc.). Document the DITSCAP plan.
The SSAA identifies:
the system mission - the requirements of the system and its intended capabilities.
the system architecture - the hardware and software design, security, and communications (the interfaces between this and other systems).
the security requirements of an AIS - it is used throughout the entire DITSCAP to guide actions, document decisions, specify Information Technology Security (ITSEC) requirements, document certification tailoring and level of effort, identify possible solutions, and maintain operational systems security.
the level of effort - the level of effort necessary to achieve accreditation.
the principals of the agreement - the SSAA is an agreement among government entities. To be binding on the government's contractors, the provisions must be included in separate contractual documents between the government and any contractors.
See SSAA format in DoDD , encl. 6.

65 DoDI E Information assurance shall be traced as a programmatic entity in the Planning, Programming, and Budgeting System (PPBS) and visibility extended into budget execution. Strategic IA goals and annual IA objectives shall be established according to the DoD Information Management Strategic Plan (reference (ai)), and funding and progress toward those objectives shall be tracked, reported, and validated. IA must be an integral part of programmatic processes.

66 DoDI 8500.2 Enclosure 4 Attachments
DoD IA Controls
Combination No.   MAC       Confidentiality   DoDI Enclosure 4 Attachments   IA Control Count
1                 MAC I     Classified        1 and 4                        110
2                 MAC I     Sensitive         1 and 5                        104
3                 MAC I     Public            1 and 6                        79
4                 MAC II    Classified        2 and 4
5                 MAC II    Sensitive         2 and 5
6                 MAC II    Public            2 and 6
7                 MAC III   Classified        3 and 4                        107
8                 MAC III   Sensitive         3 and 5                        98
9                 MAC III   Public            3 and 6                        73
Together, the MAC and Confidentiality Level identify the baseline set of DoD IA Controls that apply to a DoD information system. The baseline set contains IA Controls from each of the eight subject areas. Information found in
Control count – number of requirements the system must meet.

67 Common Criteria Version 2.1
International vs. U.S. standard - U.S., Canada, France, Germany, UK, Russia, et al
ISO Standard 15408, “Evaluation Criteria for Information Technology Security” (June 1999)
Benefits: Specification of security features and assurances based on an international standard; Provides common vocabulary for describing requirements and product features; Technical oversight provided by government experts; Reduced testing costs to sponsors of evaluations
15 Countries recognize: US, Canada, UK, Germany, France, Australia, NZ, Netherlands, Finland, Greece, Italy, Norway, Spain, Israel, Sweden, Austria. Being considered by Japan, S. Korea, Russia
Common Criteria also replaces the National Computer Security Center’s Trusted Computer System Evaluation Criteria (TCSEC) or “Orange Book” as of December 31, (NSTISSAM COMPUSEC/1-99). This also affects one of the books in the National Computer Security Center’s “Purple Books” as well.
ISO: The source of ISO 9000 and more than International Standards for business, government and society. A network of national standards institutes from 140 countries working in partnership with international organizations, governments, industry, business and consumer representatives. A bridge between public and private sectors.
Validated products listed:

68 DoD IM/IT Policy Framework
Realigns all DoD IM/IT related issuances to the 8000 Series
8000 – Capstone IM/IT Policy & Procedures
8100 – Information Resources Management
8200 – Mission & Functional Processes
8300 – Information Infrastructure Design & Engineering
8400 – Information Technology
8500 – Information Assurance

69 IA Policy Framework
Realigns all IA related DoD issuances to the 8500 Series
General
Certification and Accreditation
Security Management (SMI, PKI, KMI, EKMS)
Computer Network Defense / Vulnerability Mgt
Interconnectivity/Multi-Level Security (SABI)
Network/Web (Access, Content, Privileges)
Assessments (Red Team, TEMPEST Testing & Monitoring)
Education, Training, Awareness
Other (Mobile Code, IA OT&E, IA in Acquisition)

70 Baseline IA Levels - The Process
Step 1: Determine the System Mission Assurance Category:
Category I: Vital to Effectiveness/Readiness of Deployed Forces; Any Loss Unacceptable; Immediate/Sustained Loss of Mission Effectiveness; Most Stringent Protection Measures Required
Category II: Important to Support Deployed Forces; Loss of Integrity Unacceptable; Loss of Availability Difficult to Manage; Loss/Degradation only tolerable for short term = May Seriously Impact Mission Effectiveness/Operational Readiness; Additional Safeguards Beyond Best Practices Required
Category III: Needed for Day-to-Day business, Does Not Affect Support to Deployed or Contingency Forces in the short-term; Loss Tolerated or Overcome without Significant Impact on Mission Effectiveness or Operational Readiness; Protective Measures Commensurate with Commercial Best Practices

71 Baseline IA Levels - The Process
Step 2: Based on the Mission Category, Determine the Target Levels of Robustness for Integrity and Availability
Mission Category   Integrity Level   Availability Level
I                  High              High
II                 Medium            Medium
III                Basic             Basic

72 Baseline IA Levels - The Process
Step 3: Consult Enclosure 4 Appendix 1, 2 or 3 for Integrity and Availability Controls (Category I Examples Below)
IA Service: Integrity
Control Class: Security Architecture
Control Number: ARNR-1
Control Name: Non-repudiation
Implementation of specific non-repudiation capabilities such as digital signatures exists if mission accomplishment requires non-repudiation. NIST FIPS validated cryptography (e.g. DoD PKI Class 3 or 4 token) is used for encryption, key exchange, digital signature, and hash (AES, 3DES, SKIPJACK, SHA 1, New standards as available, DSA, KEA).
IA Service: Availability
Control Class: Personnel Security
Control Number: PSRB-1
Control Name: Security Rules of Behavior or Acceptable Use Policy
A set of rules that describe the IA operations of the enclave or DoD information system and clearly delineate IA responsibilities and expected behavior of all personnel is in place. The rules include the consequences of inconsistent behavior or non-compliance. Signed acknowledgement of the rules is a condition of access.

73 Baseline IA Levels - The Process
Step 4: Determine the Target Level of Robustness for Confidentiality
Confidentiality Level   Classification, Sensitivity, and Need-to-Know
Basic                   Public
Medium                  Sensitive and Unclassified Not Cleared for Public Release
High                    Classified

74 Baseline IA Levels - The Process
Step 5: Consult Enclosure 4, Appendix 4, 5, or 6 for Confidentiality Controls (Examples for Sensitive or Unclassified Information Not Cleared for Public Release Below)
IA Service: Confidentiality
Control Class: Audit
Control Number: AURR-2
Control Name: Audit Record Retention
Audit records are retained for at least one (1) year.
IA Service: Confidentiality
Control Class: Enclave Boundary
Control Number: EBBD-2
Control Name: Boundary Defense
Boundary defense mechanisms to include firewalls and network IDS are deployed at the enclave boundary to the WAN, and at layered or internal enclave boundaries as required. All Internet access is proxied through internet access points under the management and control of the enclave manager.
Control Number: EBPW-1
Control Name: Public WAN Connection
Connections between DoD enclaves and public WANs require a DMZ.

75 IA Control Taxonomy Each IA Control is Comprised of 4 Elements:
Control Class: Acquisition
Control Number: ACCS-2
Control Name: Configuration Specifications
Control Text: A Departmental reference document such as a Protection Profile or a Security Technical Implementation Guide (STIG) constitutes the primary source for security configuration or implementation guidance for the deployment of newly acquired IT assets.

76 Control Classes
CLASS CODE   CLASS NAME
AC           ACQUISITION
AR           SECURITY ARCHITECTURE
AU           AUDIT
CC           CHANGE CONTROL
CE           COMPUTING ENVIRONMENT
CM           CONFIGURATION MANAGEMENT
CO           CONTINUITY OF OPERATIONS
CU           CRITICAL UTILITIES AND SUPPLIES
EB           ENCLAVE BOUNDARY
EF           ENVIRONMENTAL AND FACILITIES
LA           LOGICAL ACCESS
PA           PHYSICAL ACCESS
PB           PROGRAM & BUDGET
PS           PERSONNEL SECURITY
SC           SESSION CONTROLS
SD           SECURITY DOCUMENTATION
ST           SECURITY TESTING
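As an added worked example (not from the slides or any DoD tool), the Python below carries the five-step baseline process through in code and also covers the Enclosure 4 attachment table and the control-number taxonomy from the preceding slides. It assumes that a control number splits as a two-letter class code, a two-letter name code and a trailing robustness level, and it uses a small constructed catalogue of the controls quoted on the slides, with any attachment membership the slides do not show marked as assumed.

```python
"""Assemble a baseline IA control set from a system's Mission Assurance
Category (MAC) and confidentiality level, following the five-step process on
the slides. Added example; not DoD tooling. Control numbers are assumed to
split as <class code><name code>-<level>; the catalogue is constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Control class codes from the "Control Classes" slide.
CONTROL_CLASSES = {
    "AC": "Acquisition", "AR": "Security Architecture", "AU": "Audit",
    "CC": "Change Control", "CE": "Computing Environment",
    "CM": "Configuration Management", "CO": "Continuity of Operations",
    "CU": "Critical Utilities and Supplies", "EB": "Enclave Boundary",
    "EF": "Environmental and Facilities", "LA": "Logical Access",
    "PA": "Physical Access", "PB": "Program & Budget",
    "PS": "Personnel Security", "SC": "Session Controls",
    "SD": "Security Documentation", "ST": "Security Testing",
}
# Step 2: MAC -> target robustness for integrity and availability.
MAC_ROBUSTNESS = {"I": "High", "II": "Medium", "III": "Basic"}
# Step 4: confidentiality level -> target robustness for confidentiality.
CL_ROBUSTNESS = {"Classified": "High", "Sensitive": "Medium", "Public": "Basic"}
# Steps 3 and 5: which Enclosure 4 attachment supplies each half of the baseline.
MAC_ATTACHMENT = {"I": 1, "II": 2, "III": 3}
CL_ATTACHMENT = {"Classified": 4, "Sensitive": 5, "Public": 6}
# Control counts as given on the "Enclosure 4 Attachments" slide (no MAC II rows).
BASELINE_COUNTS = {
    ("I", "Classified"): 110, ("I", "Sensitive"): 104, ("I", "Public"): 79,
    ("III", "Classified"): 107, ("III", "Sensitive"): 98, ("III", "Public"): 73,
}


def parse_control_number(number: str) -> Tuple[str, str, str, int]:
    """Split 'ACCS-2' into (class code, class name, name code, level).
    Assumption: two-letter class code, two-letter name code, numeric level."""
    body, _, level = number.partition("-")
    if len(body) != 4 or not body.isalpha() or not level.isdigit():
        raise ValueError(f"malformed control number: {number!r}")
    class_code, name_code = body[:2], body[2:]
    if class_code not in CONTROL_CLASSES:
        raise ValueError(f"unknown control class {class_code!r} in {number!r}")
    return class_code, CONTROL_CLASSES[class_code], name_code, int(level)


@dataclass(frozen=True)
class IAControl:
    number: str
    name: str
    attachments: FrozenSet[int]  # Enclosure 4 attachments listing this control


# Constructed mini-catalogue of the controls quoted on the slides. The attachment
# each is shown under on the slides is real; any further membership is assumed.
CATALOGUE: List[IAControl] = [
    IAControl("ARNR-1", "Non-repudiation", frozenset({1})),
    IAControl("PSRB-1", "Security Rules of Behavior or Acceptable Use Policy",
              frozenset({1, 2, 3})),                                # 2, 3 assumed
    IAControl("AURR-2", "Audit Record Retention", frozenset({5})),
    IAControl("EBBD-2", "Boundary Defense", frozenset({5})),
    IAControl("EBPW-1", "Public WAN Connection", frozenset({5, 6})),  # 6 assumed
    IAControl("ACCS-2", "Configuration Specifications", frozenset({1, 2})),  # assumed
]


def baseline(mac: str, cl: str, catalogue: List[IAControl] = CATALOGUE) -> Dict:
    """Steps 1-5: return target robustness levels, the attachment pair, the
    control count the slide gives (None where it gives none) and the catalogue
    controls that pair selects."""
    if mac not in MAC_ATTACHMENT or cl not in CL_ATTACHMENT:
        raise ValueError(f"unknown MAC {mac!r} or confidentiality level {cl!r}")
    pair = (MAC_ATTACHMENT[mac], CL_ATTACHMENT[cl])
    selected = sorted(c.number for c in catalogue if c.attachments & set(pair))
    for number in selected:            # reject anything with an unknown class
        parse_control_number(number)
    return {
        "robustness": {"integrity": MAC_ROBUSTNESS[mac],
                       "availability": MAC_ROBUSTNESS[mac],
                       "confidentiality": CL_ROBUSTNESS[cl]},
        "attachments": pair,
        "expected_count": BASELINE_COUNTS.get((mac, cl)),
        "controls": selected,
    }


def by_class(numbers: List[str]) -> Dict[str, List[str]]:
    """Group control numbers by class name, e.g. for assigning owners."""
    grouped: Dict[str, List[str]] = {}
    for n in numbers:
        _, class_name, _, _ = parse_control_number(n)
        grouped.setdefault(class_name, []).append(n)
    return grouped


if __name__ == "__main__":
    result = baseline("II", "Sensitive")   # the slides cite NMCI as MAC II
    print("attachments", result["attachments"], result["robustness"])
    for cls, ctrls in sorted(by_class(result["controls"]).items()):
        print(f"  {cls}: {', '.join(ctrls)}")
```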

77 Follow Best Commercial Standards
Internet Engineering Task Force (IETF) The IETF is the protocol engineering and development arm of the Internet. Though it existed informally for some time, the group was formally established by the IAB in 1986 with Phill Gross as the first Chair. Areas Area Working Groups

78 IA Engineering Information Assurance Core Capabilities
Information Operations Core Capabilities COMSEC Electronic Warfare ELSEC Computer Network Defense COMPUSEC Psychological Operations Military Deception Operations Security Computer Network Sensors SIGSEC/COMSEC Monitoring

