Protecting the Nation’s Critical Assets · 2019-07-15
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Protecting the Nation’s Critical Assets When Cyber Hygiene Is Not Enough
Pushing computers to the edge.
242
Kinetic space. Cyberspace.
Cyber Risk. Function(threat, vulnerability, impact, likelihood)
Defense
Energy
Transportation
Manufacturing
The adversaries are relentless.
Cyber adversaries…
Nation states. Terrorist groups.
Criminal enterprises. Disgruntled individuals.
Hostile actions…
Exfiltrate information. Preposition malicious code.
Disrupt or bring down capability. Create deception.
Complexity.
Attack surface.
Defense Science Board Reports
§ Resilient Military Systems and the Advanced Cyber Threat
§ Cyber Supply Chain
§ Cyber Deterrence
Protecting critical systems and assets and making them cyber resilient — The highest priority for the national and economic security interests of the United States.
Defending cyberspace in 2020 and beyond.
Cyber Resiliency.
The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.
Modernization Strategy for Achieving Cyber Resiliency
§ Identify and develop shared services (enterprise-wide).
§ Transition to cloud services and solutions (public/private).
§ Isolate and strengthen protection for high value assets.
§ Reduce and manage the complexity.
§ Engineer trustworthy, secure, and resilient solutions.
§ Transition to a multidimensional protection strategy.
Achieving cyber resiliency requires a multidimensional protection strategy.
First Dimension: Harden the target (the system)
Second Dimension: Limit damage to the target
Third Dimension: Make the target cyber resilient
NEXT GENERATION STANDARDS AND GUIDELINES
CYBER RESILIENCY ENGINEERING
PROTECTION. DAMAGE LIMITATION. RESILIENCY.
§ Risk Management Framework
§ Systems Security Engineering
§ Enhanced Protection of CUI
§ Security and Privacy Controls
NIST Special Publication 800-171, Revision 2
Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
Initial Public Draft
Public Comment Period
June 19 through July 19, 2019
NIST Special Publication 800-171B
Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets
Initial Public Draft
Public Comment Period
June 19 through July 19, 2019
Risk Management Framework (RMF 2.0)
PREPARE
CATEGORIZE
SELECT
IMPLEMENT
ASSESS
AUTHORIZE
MONITOR
Cyber Resiliency Controls from NIST SP 800-53
RMF 2.0
A unified framework for managing security, privacy, and supply chain risks.
Security Risk Management
Privacy Risk Management
Supply Chain Risk Management
Communication between C-Suite and Implementers and Operators
Alignment with NIST Cybersecurity Framework
Alignment with Security Engineering Processes
NIST Special Publication 800-160, Volume 2
Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems
Cyber Resiliency Engineering Framework
Why: GOALS • Anticipate • Withstand • Recover • Adapt
What: OBJECTIVES • Understand • Prevent/Avoid • Prepare • Continue • Constrain • Reconstitute • Transform • Re-architect
How: TECHNIQUES • APPROACHES • STRUCTURAL DESIGN PRINCIPLES
STRATEGIC DESIGN PRINCIPLES
RISK MANAGEMENT STRATEGY
(Each layer of the figure informs selection and prioritization in the layer below it.)
Cyber Resiliency Constructs in System Life Cycle.
ISO/IEC/IEEE 15288:2015 Systems and software engineering — System life cycle processes
NIST SP 800-160
§ Business or mission analysis
§ Stakeholder needs and requirements definition
§ System requirements definition
§ Architecture definition
§ Design definition
§ System analysis
§ Implementation
§ Integration
§ Verification
§ Transition
§ Validation
§ Operation
§ Maintenance
§ Disposal
NIST Special Publication 800-53, Revision 5
Security and Privacy Controls for Information Systems and Organizations
Coming Soon
Some final thoughts.
Simplify. Innovate. Automate.
Security. Privacy. Freedom.
Contact Information: FISMA IMPLEMENTATION PROJECT
100 Bureau Drive, Mailstop 8930, Gaithersburg, MD USA 20899-8930
Email: [email protected]
Mobile: 301.651.5083
LinkedIn: www.linkedin.com/in/ronross-cybersecurity
Twitter: @ronrossecure
Web: csrc.nist.gov
Comments: [email protected]
SIMPLIFY. INNOVATE. AUTOMATE.