A comparison of Systems Engineering and Security Engineering practices and professionals
(Or maybe a commercial for the INCOSE working group!)
Bob Marchant, Sotera Defense Solutions
BIO
• 35 years engineering experience: 27 in Systems Engineering, 20+ in Security Engineering
• BSCS, MBA, ABD Ph.D. (IST)
• CDP, GSEC, CISSP, ISSEP, DTM
• SE trainer (adult ed certified)
• Process Champion (IPPD, CMMI)
Outline
• Issues
• Possible Causes
• Comparing the Cycles: SDLC/RMF, Lust to Dust (all dust, no lust)
• Comparing the Professionals
• Next Steps
So what's the issue?
• Security Engineering is struggling
• Consistent complaint of lack of involvement!
• Active INCOSE WG
• New standards evolving
• Extremely broad BOK (very little build focus)
 – CISSP: 10 categories, from physical to crypto
 – ISSEP: 4 categories
• Discipline struggles to maintain currency
Possible causes (and is systems engineering the cure?)
• Incomplete models?
• No V
• No gates
• Continuous-monitor mentality
• Technician/manager focus
• BOK is broke
Comparing the Cycles: The familiar one(s)
Comparing the Cycles: In a simpler form
Definition → Design → Development → Deployment → Operations → Retirement
Comparing the Cycles: The Security Engineering forms
• Viewed by many models/frameworks
 – IATF
 – RMF
 – ISO
 – Custom
• Let's look at NIST
Regardless, it is all about Risk Management
Comparing the Cycles: The RMF
Starting Point → CATEGORIZE Information System: Define criticality/sensitivity of the information system according to potential worst-case, adverse impact to mission/business.
SELECT Security Controls: Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
IMPLEMENT Security Controls: Implement security controls within the enterprise architecture using sound systems engineering practices; apply security configuration settings.
ASSESS Security Controls: Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for the information system).
AUTHORIZE Information System: Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
MONITOR Security Controls: Continuously track changes to the information system that may affect security controls and reassess control effectiveness. (Cycle returns to CATEGORIZE.)
Comparing the Cycles: Both
The RMF cycle (Starting Point → CATEGORIZE Information System → SELECT Security Controls → IMPLEMENT Security Controls → ASSESS Security Controls → AUTHORIZE Information System → MONITOR Security Controls, with the step descriptions as on the RMF slide) overlaid on the simpler SE lifecycle: Definition, Design, Development, Deployment, Operations, Retirement.
From Concept to Creation (WITH GATES AND REVIEWS!!!)
MISSION and Real World → captured in ICDs, CONOPS, Specs, Docs → used to create the SYSTEM, built as a conceptual model
Comparing the Cycles: Where's the gates? Where's the focus?
The RMF cycle annotated with SE review gates (step descriptions as on the RMF slide):
• Starting Point / Post SDR – CATEGORIZE Information System
• Post PDR – SELECT Security Controls
• Post CDR – IMPLEMENT Security Controls
• Before TRR – ASSESS Security Controls
• Before AT – AUTHORIZE Information System
• O&M – MONITOR Security Controls
Comparing the Cycles: Recap
• SSE has a cycle but no feedback
 – In theory yes, in practice mostly no
• SSE has a cycle but no real gates
 – In practice: triage, IATT, some form of AO
• SSE is driven by the CDLC
• The SSE cycle is stuck in Monitor most of the time
Comparing the Professionals: Some common ground
Scientist: A scientist is one engaging in a systematic activity to acquire knowledge. Scientists perform research toward increasing understanding of nature, including physical, mathematical and social realms. Scientists use empirical methods to study things.
Engineer: An engineer applies knowledge of applied science and applied mathematics to develop solutions for technical problems. Engineers design materials, structures, technology, inventions, machines and systems. Engineers use ingenuity to create things.
Technician: A technician is a worker in a field of technology who is proficient in the relevant skills and techniques of that technology. Technicians apply methods and skill to build, operate and maintain things.
Manager: One who handles, controls, or directs an activity or other enterprise, including allocation of resources and expenditures. A manager uses qualitative methods to control the build, operation, and maintenance of things.
Comparing the Professionals: A sampling of SE (notice the mix, notice the feedbacks)
• Chief Engineer/LSE
• Systems Architect/Designer
• Requirements Engineer
• Functional Analyst
• Systems Analyst
• IV&V Engineer
• O&M Support Engineers
• Specialty Engineers
Comparing the Professionals (The RMF/ICD 503)
The RMF cycle (CATEGORIZE, SELECT, IMPLEMENT, ASSESS, AUTHORIZE, MONITOR; step descriptions as on the RMF slide) with the ICD 503 roles:
• Information System Owner
• Information Owner/Steward
• Risk Executive (Function)
• Authorizing Official
 – AO Designated Representative
• Chief Information Officer
• Senior Information Security Officer
• Information System Security Officer
• Information Security Architect
• Common Control Provider
• Information System Security Engineer
• Security Control Assessor
ISSE per ICD 503 (RMF)
Information System Security Engineer (ISSE) (or Information Security Architect)
• Identify security controls that are provided by the organization as common controls for organizational information systems and document the controls in a Security Plan.
• Select security controls for the IS.
ISO per ICD 503 (RMF)
Information System Owner (or Program Manager)
• Categorize the IS and document the results in the Security Plan.
• Describe the IS in the Security Plan.
• Register the IS with the appropriate organizational program management offices.
• Select security controls for the IS and document the controls in the Security Plan.
• Develop a strategy for the continuous monitoring of security control effectiveness and any proposed or actual changes to the IS and its operational environment.
• Implement the security controls specified in the Security Plan.
• Document the security control implementation in the Security Plan. Provide a functional description of the control implementation.
• Conduct initial remedial actions on security controls based on the findings and recommendations of the SAR and reassess remediated controls as appropriate.
• Prepare the POA&M based on the findings and recommendations of the SAR, excluding any remedial actions taken.
• Assemble the Security Authorization artifacts and submit to the Authorizing Official for adjudication.
• Determine the security impact of proposed or actual changes to the IS and its operational environment.
• Conduct remedial actions based on the results of ongoing monitoring activities, risk assessment, and outstanding items in the POA&M.
• Update the Security Plan, security assessment report, and plan of action and milestones based on the results of the continuous monitoring process.
• Report the security status of the information system (including the effectiveness of security controls employed within and inherited by the system) to the AO and other appropriate organizational officials on an ongoing basis in accordance with the monitoring strategy.
• Implement an information system decommissioning strategy, when needed, which executes required actions when a system, or system component, is removed from service or transferred to another system.
Comparing the Professionals: RECAP
• Incomplete models? No V, no gates, continuous-monitor mentality, technician/manager focus, BOK is broke
• In systems engineering, there is active leadership from the engineers; in SSE, the ISSEs are primarily advisors
• SEs are pro-active; SSEs react
• SEs are builders; SSEs are advisors to passive risk managers
• Risk managers should be pro-active
Next steps?
• NIST SP 800 series evolving (leads the way)
• INCOSE WG is creating a handbook
• NICE
QUESTIONS?