Building Trustworthy Secure Systems for the United States
Building Trustworthy, Secure Systems for the United States Critical Infrastructure: An Urgent National Imperative. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
The Current Landscape. It’s a dangerous world in cyberspace…
Cyber Risk. Function (threat, vulnerability, impact, likelihood). Energy, Transportation, Manufacturing, Defense.
Defense Science Board Reports: § Resilient Military Systems and the Advanced Cyber Threat § Cyber Supply Chain § Cyber Deterrence
Complexity.
Our appetite for advanced technology is rapidly exceeding our ability to protect it.
Data. Everywhere.
Houston, we have a problem.
Protecting critical systems and assets— The highest priority for the national and economic security interests of the United States.
Defending cyberspace in 2018 and beyond.
Simplify. Innovate. Automate.
§ Federal Government’s Modernization Strategy
§ Identify and develop federal shared services.
§ Move to FedRAMP-approved cloud services.
§ Isolate and strengthen protection for high value assets.
Reduce and manage the complexity of systems and networks… Engineer more trustworthy, secure, and resilient solutions.
Reducing susceptibility to cyber threats requires a multidimensional strategy. [Diagram: System]
§ First Dimension: Harden the target
§ Second Dimension: Limit damage to the target
§ Third Dimension: Make the target resilient
Cyber Resiliency. The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.
Cyber resiliency relationships with other specialty engineering disciplines. Privacy, Fault Tolerance, Reliability, Safety, Security, Resilience and Survivability.
CREF: CYBER RESILIENCY ENGINEERING FRAMEWORK. PROTECTION. DAMAGE LIMITATION. RESILIENCY.
Constructs:
§ Goals
§ Objectives
§ Techniques
§ Approaches
§ Strategic Design Principles
§ Structural Design Principles
§ Risk Management Strategy
Relationship among cyber resiliency constructs. [Diagram: the constructs are arranged under the labels Why, What, and How, and connected by arrows labeled "Inform selection and prioritization".]
§ GOALS: Anticipate, Withstand, Recover, Adapt
§ OBJECTIVES: Understand, Prevent/Avoid, Prepare, Continue, Constrain, Reconstitute, Transform, Re-architect
§ RISK MANAGEMENT STRATEGY
§ STRATEGIC DESIGN PRINCIPLES
§ STRUCTURAL DESIGN PRINCIPLES
§ TECHNIQUES
§ APPROACHES
CREF: CYBER RESILIENCY ENGINEERING FRAMEWORK. PROTECTION. DAMAGE LIMITATION. RESILIENCY.
Techniques:
§ Adaptive Response
§ Non-Persistence
§ Analytic Monitoring
§ Diversity
§ Coordinated Protection
§ Realignment
§ Substantiated Integrity
§ Redundancy
§ Privilege Restriction
§ Segmentation
§ Dynamic Positioning
§ Deception
§ Dynamic Representation
§ Unpredictability
Cyber Resiliency Constructs in System Life Cycle. NIST SP 800-160.
ISO/IEC/IEEE 15288:2015, Systems and software engineering — System life cycle processes:
§ Business or mission analysis
§ Stakeholder needs and requirements definition
§ System requirements definition
§ Architecture definition
§ Design definition
§ System analysis
§ Implementation
§ Integration
§ Verification
§ Transition
§ Validation
§ Operation
§ Maintenance
§ Disposal
§ NIST SP 800-37, Revision 2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
Risk Management Framework (RMF) 2.0. Just released for public review and comment. Steps: PREPARE, CATEGORIZE, SELECT, IMPLEMENT, ASSESS, AUTHORIZE, MONITOR.
A unified framework for managing security, privacy, and supply chain risks. RMF 2.0:
§ Communication between C-Suite and Implementers and Operators
§ Security Risk Management
§ Alignment with NIST Cybersecurity Framework
§ Privacy Risk Management
§ Alignment with Security Engineering Processes
§ Supply Chain Risk Management
Transparency. Traceability. Trust.
On the Horizon…
§ NIST Special Publication 800-37, Revision 2: Risk Management Framework for Information Systems and Organizations. Final Publication: October 2018
§ NIST Special Publication 800-53, Revision 5: Security and Privacy Controls for Information Systems and Organizations. Final Publication: December 2018
§ NIST Special Publication 800-53A, Revision 5: Assessing Security and Privacy Controls in Information Systems and Organizations. Final Publication: September 2019
On the Horizon…
§ NIST Special Publication 800-160, Volume 2: Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems. Final Publication: October 2018
§ NIST Special Publication 800-160, Volume 3: Systems Security Engineering: Software Assurance Considerations for the Engineering of Trustworthy Secure Systems. Final Publication: December 2019
§ NIST Special Publication 800-160, Volume 4: Systems Security Engineering: Hardware Assurance Considerations for the Engineering of Trustworthy Secure Systems. Final Publication: December 2020
Some final thoughts.
Work smarter, not harder.
Institutionalize. Operationalize. The ultimate objective for security and privacy.
The essential partnership. Government, Academia, Industry.
Security. Privacy. Freedom.
RMF: RISK MANAGEMENT FRAMEWORK. SIMPLIFY. INNOVATE. AUTOMATE.
100 Bureau Drive, Mailstop 8930, Gaithersburg, MD USA 20899-8930
§ Email: ron.ross@nist.gov
§ Mobile: 301.651.5083
§ LinkedIn: www.linkedin.com/in/ronross-cybersecurity
§ Twitter: @ronrossecure
§ Web: csrc.nist.gov
§ Comments: sec-cert@nist.gov
- Slides: 32