HIGH VALUE ASSET (HVA) ASSESSMENT INTRODUCTION
TRANSCRIPT
August 2021
CISA | Cybersecurity and Infrastructure Security Agency
ASSESSMENT EVALUATION AND STANDARDIZATION (AES)
Notice
Copyright 2021 Carnegie Mellon University.
This material is based upon work funded and supported by the Department of Homeland Security under Contract No. FA8702-15-D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense.
The views, opinions, and/or findings contained in this material are those of the author(s) and should not be construed as an official Government position, policy, or decision, unless designated by other documentation.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
[DISTRIBUTION STATEMENT C] Distribution authorized to U.S. Government Agencies and their contractors (materials intended for administrative or operational use) (determination date: 2021-03-08). Other requests for this document shall be referred to 4500 Fifth Avenue, Pittsburgh, PA 15213.
Notice to DoD Subcontractors: This document may contain Covered Defense Information (CDI). Handling of this information is subject to the controls identified in DFARS 252.204-7012 – SAFEGUARDING COVERED DEFENSE INFORMATION AND CYBER INCIDENT REPORTING
DM21-0236
Agenda
• AES Program
• Assessor Qualification Process
• AES-HVA Process

AES PROGRAM
Assessment Evaluation and Standardization (AES) Program
• Produce a workforce of prepared and qualified assessors
• Ensure that assessors have the knowledge and skills necessary to conduct assessments according to the CISA methodology and guidelines
• Standardize the way assessments are conducted throughout the federal; state, local, tribal, and territorial (SLTT); and critical infrastructure space
• Make reporting of assessment results consistent and repeatable so that this information can be used to analyze and inform cybersecurity practice
Current AES Courses

Cyber Resilience Review (CRR)
  Purpose: Evaluate an organization’s operational resilience and cybersecurity practices through an interview-based assessment
  Course length: 5 days
  Maximum class size: 10-30 students
  Mode: Instructor Led Training (ILT) – Virtual, In-Person

External Dependency Management (EDM)
  Purpose: Evaluate an organization’s management of external dependencies through an interview-based assessment
  Course length: 5 days
  Maximum class size: 10-30 students
  Mode: ILT – Virtual, In-Person

High Value Asset (HVA)*
  Purpose: Assess the HVA security architecture to identify technical concerns that could expose the organization to risk
  Course length: 4 days
  Maximum class size: 3-10 teams; 3-6 students per team
  Mode: ILT – Virtual, In-Person

Risk and Vulnerability Assessment (RVA)
  Purpose: Collect data through on-site assessments and combine it with national threat and vulnerability information to provide an organization with actionable remediation recommendations prioritized by risk
  Course length: 4 days
  Maximum class size: 20-25 students
  Mode: ILT – Virtual, In-Person

*Currently focused on non-tier 1 high value assets (HVAs) only
For more information about these assessments, visit https://www.cisa.gov/cyber-resource-hub
Assessor Roles
Either an individual or a team conducts each assessment. Individual assessors are qualified for a particular role.

Assessment Lead (AL)
  • Primary POC for the assessment
  • Leads the assessment team
  • Manages the overall assessment execution
  • Debriefs and delivers the assessment report
  Assessment type: Individual (CRR, EDM) or team (HVA, RVA)

Technical Lead (TL)
  • Leads the Technical Exchange Meeting
  • Writes the majority of the assessment report
  • Supports meetings throughout the assessment
  Assessment type: Team (HVA, RVA)

Operator (OP)
  • Leads the penetration test
  • Writes the test results appendix of the assessment report; contributes to other portions
  • Supports meetings throughout the assessment
  Assessment type: Team (HVA, RVA)
Assessor Prerequisites
The minimum skills for an applicant are:
• Knowledge of cybersecurity, privacy principles, and their respective organizational requirements, including control systems, networks, risk management, incident management, situational awareness, information assurance, and access control
• Ability to express technical and non-technical information, both verbally and in writing, to leadership and staff to ensure proper IT operations
• Experience and skill presenting complex technical issues to a wide audience with varying levels of technical experience
• Experience using a variety of frameworks (e.g., NIST CSF/RMF, COBIT, NIST 800 Series, ISO 27001, CERT Resilience Management Model (RMM)) to assist organizations in evaluating their security programs
Additional Assessor Prerequisites: Certifications
It is recommended that applicants hold one or more nationally recognized information systems or cybersecurity certifications, for example:
• Certified Information Systems Auditor (CISA)
• Certified Information Security Manager (CISM)
• Certified in Risk and Information Systems Control (CRISC)
• Certified Information Systems Security Professional (CISSP)
• CISSP Information Systems Security Architecture Professional (CISSP-ISSAP)
• GIAC Defensible Security Architecture (GDSA)
• Offensive Security Certified Professional (OSCP)
• Offensive Security Certified Expert (OSCE)
• GIAC Certified Penetration Tester (GPEN)

ASSESSOR QUALIFICATION PROCESS
Assessor Qualification Process
1. Orientation
2. Registration
3. Candidate Evaluation
3a. Operator Skills Test*
4. Course
5. Capstone
6. Initial Assessment
7. CISA Qualifies Assessor
8. Maintain Qualification
*HVA & RVA; operator role
Step 1: Orientation
• Ensures mutual understanding of the process
• CISA presents an overview of:
  − AES program
  − AES process
  − Roles
  − Requirements for qualification
Step 2: Registration
• Currently performed via email request to CISA
• In the future, an automated system using ServiceNow (expected in FY22)
Step 3: Candidate Evaluation (CE)
• Confirmation that all applicants have a baseline cybersecurity knowledge to be successful in the course
• Individual administration, on-line
• Machine-scoreable questions
• Preparatory materials sent prior to the exam
• Passing score: 70%
• Passing score required to take the course
• Limited to 3 attempts
Step 3a: Operator Skill Test (OST)
• Additional prerequisite evaluation required for all assessors who will be Operators
• Individual, timed evaluation
• Limited to 3 attempts within a 24-hour period
• Lab and quiz that evaluate penetration testing skills
Step 4: Course
• Course durations vary depending on the assessment
• Exercises allow students to practice assessment activities
• Instructor-led and delivered via a collaboration platform (e.g., Zoom for Government) and a Learning Management System (LMS) (e.g., Moodle)
• On-line, on-demand courses expected in FY22
Step 5: Capstone
• Comprehensive exam that covers all phases of the assessment, administered at the end of the course
• Format may vary depending on the assessment
  − All candidates will take a machine-scorable exam
  − Candidates may be required to work through scenarios, collaborate in teams, or lead presentations as part of demonstrating assessment skills
• Passing score: 70%
Step 6: Initial Assessment
• After successfully completing the Capstone exam, candidates will be required to perform an initial assessment
• Some assessments need to be completed as part of a team, depending on assessment type
• The candidate must submit an accurate and comprehensive report that meets CISA standards and methodologies
Step 7: CISA Qualifies Assessor
• CISA performs a quality check of the assessment report
• If the report is approved: the candidate will be qualified as an assessor after successful submission and acceptance of a report
• If unsuccessful: the candidate will be required to perform remedial activities for qualification
  − These activities will vary depending on the nature and weight of report issues
  − Then the candidate will be required to complete another assessment and submit a successful report
Step 8: Maintain Qualification
• Assessors will be qualified for 3 years.
• If the methodology and guidance significantly change during the 3-year period:
  − CISA will inform Qualified Assessors of these changes
  − Assessor ‘refresher’ activities may be required
• Assessors are required to perform 3 assessments in the 3-year qualification cycle and are expected to perform one assessment per year. In small organizations where it is not possible to conduct 3 assessments, a waiver must be granted by CISA 3 months prior to the end of the qualification period.
AES-HVA COURSE PROCESS
CYBER QUALIFICATION INITIATIVE (AES)
AES PROCESS
HVA Assessment Overview
• Part of a CISA initiative intended to help government departments and agencies understand their operational resilience and ability to manage cyber risk
• Purpose: assess the HVA security environment and organizational processes through interviews, artifact examination, and technical testing
• Designed to understand the HVA security architecture, evaluate its resilience, and provide recommendations for improvement
• Most activities typically occur over a consecutive three-day period; elapsed time may be 5-6 weeks, depending on report review turnaround
• Key deliverable is a Final HVA Assessment Report
AES-HVA Course Overview
• 4-day course
  − Day 1 – background, HVA roles, methodology (planning)
  − Day 2 – methodology (execution), discussion topics
  − Day 3 – methodology (post-execution), final report
  − Day 4 – assessment process review, capstone
• Audience
  − Primary Stakeholders (.gov and .mil): Departments and Agencies; National Guard
  − Indirect Stakeholders (primary stakeholder sponsorship required): Contractors
AES-HVA Course Schedule
• Schedule expected to be released October 1, 2021
• HVA Revision 2 planned for Q1 2022

Contact us soon to get started!
CISA AES Program Lead Tara Brewer at
For more information about CISA, visit https://www.cisa.gov/about-cisa/