Building Trustworthy Secure Systems for the United States Critical Infrastructure An Urgent National Imperative The Current Landscape Its a dangerous world in cyberspace Cyber Risk Function ID: 766562
Download Presentation The PPT/PDF document "Building Trustworthy, Secure Systems for..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Building Trustworthy, Secure Systems for the United States Critical InfrastructureAn Urgent National Imperative
The Current Landscape.It’s a dangerous world in cyberspace…
Cyber Risk.Function (threat, vulnerability, impact, likelihood)Defense Energy Transportation Manufacturing
Resilient Military Systems and the Advanced Cyber Threat Cyber Supply Chain Cyber Deterrence Defense Science Board Reports
Complexity.
Our appetite for advanced technology is rapidly exceeding our ability to protect it.
Data. Data. Everywhere.
Houston, we have a problem.
Protecting critical systems and assets—The highest priority for the national and economic security interests of the United States.
Defending cyberspace in 2018 and beyond.
Simplify. Innovate. Automate.
Identify and develop federal shared services. Move to FedRAMP-approved cloud services. Isolate and strengthen protection for high value assets. Reduce and manage the complexity of systems and networks… Engineer more trustworthy, secure, and resilient solutions. Federal Government’s Modernization Strategy
Reducing susceptibility to cyber threats requires a multidimensional strategy.System Harden the target First Dimension Limit damage to the target Second Dimension Make the target resilient Third Dimension
Cyber Resiliency. The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.
Cyber resiliency relationships with other specialty engineering disciplines.Reliability Fault Tolerance Privacy Security Safety Resilience and Survivability
CREFCYBER RESILIENCY ENGINEERING FRAMEWORKprotection. Damage limitation. Resiliency. Goals Objectives Techniques Approaches Strategic Design Principles Structural Design Principles Risk Management Strategy Constructs
Relationship among cyber resiliency constructs. TECHNIQUES Approaches Structural Design Principles Strategic Design Principles Why OBJECTIVES Understand Prevent/Avoid Prepare Continue Constrain Reconstitute Transform Re-architect What GOALS Anticipate Withstand Recover Adapt Risk Management Strategy How Inform selection and prioritization Inform selection and prioritization Inform selection and prioritization Inform selection and prioritization Inform selection and prioritization Inform selection prioritization Inform selection
CREFCYBER RESILIENCY ENGINEERING FRAMEWORKprotection. Damage limitation. Resiliency. Adaptive Response Analytic Monitoring Coordinated Protection Substantiated Integrity Privilege Restriction Dynamic Positioning Dynamic Representation Techniques Non-Persistence Diversity Realignment Redundancy Segmentation Deception Unpredictability
Business or mission analysisStakeholder needs and requirements definitionSystem requirements definitionArchitecture definitionDesign definition System analysis Implementation Integration Verification Transition Validation Operation Maintenance Disposal ISO/IEC/IEEE 15288:2015 Systems and software engineering — System life cycle processes NIST SP 800-160 Cyber Resiliency Constructs in System Life Cycle.
NIST SP 800-37, Revision 2 Risk Management Framework for Information Systems and Organizations A System Life Cycle Approach for Security and Privacy
CATEGORIZE ASSESS AUTHORIZE MONITOR PREPARE IMPLEMENT SELECT Just released for public review and comment. Risk Management Framework (RMF) 2.0
A unified framework for managing security, privacy, and supply chain risks.RMF2.0 Security Risk Management Privacy Risk Management Supply Chain Risk Management Communication between C-Suite and Implementers and Operators Alignment with NIST Cybersecurity Framework Alignment with Security Engineering Processes
Transparency.Trust. Traceability.
On the Horizon…NIST Special Publication 800-37, Revision 2 Risk Management Framework for Information Systems and OrganizationsFinal Publication: October 2018 NIST Special Publication 800-53, Revision 5 Security and Privacy Controls for Information Systems and Organizations Final Publication: December 2018 NIST Special Publication 800-53A, Revision 5 Assessing Security and Privacy Controls in Information Systems and Organizations Final Publication: September 2019
On the Horizon… NIST Special Publication 800-160, Volume 2 Systems Security Engineering Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems Final Publication: October 2018 NIST Special Publication 800-160, Volume 3 Systems Security Engineering Software Assurance Considerations for the Engineering of Trustworthy Secure Systems Final Publication: December 2019 NIST Special Publication 800-160, Volume 4 Systems Security Engineering Hardware Assurance Considerations for the Engineering of Trustworthy Secure Systems Final Publication: December 2020
Some final thoughts.
Work smarter, not harder.
Institutionalize.The ultimate objective for security and privacy. Operationalize.
The essential partnership.IndustryGovernment Academia
Security. Privacy. Freedom.
100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA 20899-8930 Email Mobile ron.ross@nist.gov 301.651.5083 LinkedIn Twitter www.linkedin.com/in/ronross-cybersecurity @ronrossecure Web Comments csrc.nist.gov sec-cert@nist.gov RMF RISK MANAGEMENT FRAMEWORK Simplify. Innovate. Automate.