CYBERSAFE Overview
AFCEA C4ISR Symposium, 28 April 2015
Presented by: Mr. Brian Marsh, Assistant Chief Engineer (Certification & Mission Assurance), SPAWAR 5.0
Statement A: Approved for public release, distribution is unlimited (27 APRIL 2015)

CYBERSAFE BLUF
▼ The CYBERSAFE Program is focused on ensuring effective cybersecurity design, procurement, and operation of the Navy’s most critical warfighting systems
▼ SPAWAR will play multiple key roles from both a Navy Enterprise and a SYSCOM perspective
▼ CYBERSAFE will bring heightened consideration to the cybersecurity elements of many SPAWAR Programs
But first, let’s discuss CYBERSAFE in the context of Navy cybersecurity

Current Cyber Environment
Source: Symantec 2015 Internet Security Threat Report
Extreme challenge to keep pace with exponential increase in cybersecurity requirements

SPAWAR’s Role in Navy Cybersecurity
▼ Information Technology / Information Assurance Technical Authority Board (IT/IA TAB)
▼ Joint Regional Security Stack (JRSS)
▼ Task Force Cyber Awakening
▼ Technical Specs/Standards Developer
▼ Authority to Operate (ATO) – Security Control Assessor (SCA)
As Navy’s IA Technical Authority, SPAWAR will assume additional roles in CYBERSAFE

CYBERSAFE Overview
Objective: Establish a CYBERSAFE Program to provide maximum reasonable assurance of a hardened subset of critical warfighting components
Scope:
▼ Focused on limited subset of select network components that enable Mission Critical capabilities
▼ CYBERSAFE components may require additional controls beyond RMF
▼ CYBERSAFE Office to become an element within the overall Navy cybersecurity construct
Construct (diagram labels): Navy Cybersecurity; CYBERSAFE; Platform PMs; PEOs; CYBERSAFE Certification Authority; CYBERSAFE PMO; Technical Authority; IT/IA TA; Security & QA Authority; SYSCOMs
CYBERSAFE Program will focus on Mission Assurance of critical warfighting capabilities

CYBERSAFE Facets
▼ Cyber System Level: Hierarchy of system to end-to-end mission
§ CSL 1: Platform Safety
§ CSL 2: Platform Combat
§ CSL 3: Networked Combat
§ CSL 4: Sustained Functionality Combat
▼ CYBERSAFE Grade: Level of cyber protection incorporated into system design
§ Grade A: Mission Critical
§ Grade B: Mission Essential
§ Grade C: Non-Mission Essential
▼ Cyber Condition: Operating mode of platform based on likelihood of cyber attack
§ X FULL NET
§ Y SEMI NET
§ Z NO NET
Diagram labels: Material; Technical Capabilities; Design; Procure & Build; Operate
IT/IA TAB to develop criteria for leveraging facets to identify CYBERSAFE critical items

SPAWAR’s Role in CYBERSAFE
Enterprise Role: SPAWAR is Technical Authority for CYBERSAFE – Cross-Enterprise Role
– Define criteria to identify CYBERSAFE Critical Items
– Develop specs & standards for CYBERSAFE Critical Items
– Interface with SYSCOM TAs to resolve CYBERSAFE issues
SYSCOM Role: SPAWAR to establish a CYBERSAFE Entity – Cross-SPAWAR Role (Led by SPAWAR 5.0)
– Identify SPAWAR’s CYBERSAFE Critical Items
– Ensure specs & standards are incorporated into acquisition and implemented into capabilities
– Perform certification of SPAWAR CYBERSAFE Critical Items
COMSPAWAR assigned CHENG as SPAWAR’s Lead for CYBERSAFE

SPAWAR IA Standards Plan
IA Standards Work Plan approved by the IT/IA TAB

SPAWAR IA Standards Plan Plus…
New task to develop initial CYBERSAFE Standards
▼ CYBERSAFE Certification Criteria
▼ CYBERSAFE Grade A/B/C Criteria
▼ Requirements for CYBERSAFE Grades A/B/C Systems
▼ Inspection and Audit Criteria for CYBERSAFE
SPAWAR will play a lead role in developing the technical underpinnings for CYBERSAFE

SPAWAR Equities
▼ SPAWAR 5.0 work with PEOs to identify SPAWAR CYBERSAFE Items
▼ Baseline Configuration Pilot will assist in identifying Control Points
▼ Potential Programs with CYBERSAFE components:
§ CANES
§ BFTN
§ JALN
§ ADNS
§ DCGS-N
§ GCCS-M/J
§ NMT
§ MUOS
CANES aligns with CYBERSAFE Grade A criteria as it provides networking, compute, and storage for mission critical applications and data
Due to its role as entryway to the ship, ADNS is a critical Control Point that enables connectivity for mission critical systems and components
NMT’s vital SATCOM capabilities provide assured C2 to Naval Commanders in support of Ballistic Missile Defense
SPAWAR will not identify CYBERSAFE Critical Items until TAB issues selection criteria

CYBERSAFE Way Ahead
▼ CYBERSAFE Implementation Plan approved by CNO on 21 April
▼ CYBERSAFE Office to release CYBERSAFE Instruction and 100-Day Plan
§ IT/IA TAB begin work on CYBERSAFE criteria development
▼ Establish SPAWAR Tiger Team
§ Led by SPAWAR 5.0
§ Cross-SYSCOM representation
§ Leverage TAB criteria and Baseline Pilot to identify CYBERSAFE Items
§ Develop POA&M for developing, implementing, and maintaining CYBERSAFE Entity at SPAWAR
2015 Timeline
Apr: CNO Approval
Apr: CYBERSAFE Instruction and 100-Day Plan
Apr - FOC: IT/IA TAB develop criticality criteria. SPAWAR Tiger Team develops implementation approach.
Aug: Submit CYBERSAFE POA&M
Oct: CYBERSAFE FOC

Summary
▼ Building upon the foundation provided by IA TA, CYBERSAFE is a key component of a common Navy plan for Cyber that:
§ Promotes a holistic approach to securing critical warfighting capabilities
§ Mandates use of common specifications and standards in acquisition and implementation
§ Ensures compliance with common specifications and standards through certification process
▼ CYBERSAFE will increase awareness of cybersecurity requirements for many SPAWAR Programs
§ IT/IA TAB will set criteria for identifying CYBERSAFE Critical Items