N-Wave Shareholders Meeting, May 23, 2012: N-Wave Security Update, Lisa Love (Lisa.K.Love@noaa.gov)


Page 1

N-Wave Shareholders Meeting, May 23, 2012
N-Wave Security Update
Lisa Love, Lisa.K.Love@noaa.gov

Page 2

For Official Use Only

• System is categorized as Low for Confidentiality, Integrity, and Availability
• Full ATO received December 7, 2010
• (Charts: 2011 Results; 2010 Results)

Page 3

Risk management life cycle (diagram). Center: continually communicate with stakeholders across the enterprise and continually assess risk.

• Monitor: continually monitor adversaries, threats, vulnerabilities, countermeasures, mission changes, POA&M status
• Categorize: identify mission, business, and information sharing needs; conduct initial risk assessment
• Select: select minimum required risk mitigation controls based on impact levels; refine controls based on updated risk assessment
• Document: ensure risk assessment and countermeasures are documented for required essential information
• Implement: implement countermeasures in developed systems (technical) or environment (admin, physical, operational)
• Assess: conduct assessment to determine effectiveness of countermeasures; determine residual risk
• Supplement: add/remove countermeasures based on risk assessment; confirm all countermeasures are selected
• Decide: review residual risk; determine acceptability of residual risk; accept risk or require POA&M, or deny

Page 4

• Committed to providing excellent service
• Security = boring

Page 5

Proactive versus reactive, based on strategic, tactical and operational goals

• Strategic – considered long term (2-3 yrs)
• Tactical – mid term (6 months-2 years)
• Operational – short term (0-6 months)

• Operational: O&M; Change Management; Continuous Monitoring
• Tactical: New connections; Extension of Backbone; Limited Pen Testing
• Strategic: IPv6; Full C&A – 2014; Complete Multicast

Page 6

Four overlapping life cycles (diagram):

• Acquisition life cycle: Mission and Business Plan; Budget; Acquisition Plan; Management and Measurement; Procurement
• System development life cycle: Concept; Requirements; Design; Development; Test and Evaluation; Operations and Maintenance; Disposal
• A&A life cycle: Initiation; Certification; Accreditation; Monitoring
• Risk management life cycle: Categorize; Select; Implement; Assess; Decide; Document; Supplement; Monitor

Page 7

• Operational Controls: Physical; Configuration Management; Contingency Planning; Personnel Security; System & Information Integrity
• Management Controls: Risk Management; Policies and Procedures; Planning; System & Services Acquisitions
• Technical Controls: Boundary Protections; Access Controls; I&A; Auditing

Page 8

Managing risks is key: balancing risks against cost

• Risk responses: Accept; Mitigate; Transfer; Avoid
• (Chart: Risk versus Cost)

Page 9

Governance table (columns: Body, Decision Domain, Members, Sub Committee)

• Bodies: User Group; ERB; CCB; NNC; CIO Council
• Decision domains: IT Principles; Investment & Prioritization; IT Infrastructure Strategy; IT Architecture; Service Management
• Decision areas: Funding, Oversight, Strategic Planning, Financial Mgmt; Requirements, CONOPS, System Architecture, System Design, Change Mgmt; Configuration Mgmt, Requirement Fulfillment, System Monitoring, Problem Mgmt
• Members: Executive Level (CIO's, CFO's, etc); NWave PM, NNC Rep, NWave User Rep; System IT Managers, Technical Staff (ISSO, SA's, Network Admins, etc); System Owners, LO Project Management, IT Managers; LO Representatives, CIO Reps, LO NOC Rep, NN System Owner

Page 10

Consists of inputs from the Engineer, COTR, and ISSO. Other participants are NNC LO's representatives.

• 4 types of changes which require NNC review:
◦ Budget, operations costs
◦ Security
◦ Peering to other organizations
◦ ERB changes where consensus is not reached


Page 12

Changes within CCB scope are:
◦ Server configuration changes
◦ Network device changes
◦ Patching
◦ User access
◦ Other administrative changes required to maintain the network

Page 13

• Performance - tests and demonstrates performance requirements such as bandwidth, latency, etc.
• Functional - tests and demonstrates usability of system applications and tools
• Security - verifies specific NIST 800-53 security controls are implemented satisfactorily