HIGH VALUE ASSET (HVA) ASSESSMENT INTRODUCTION

August 2021

CISA | CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

ASSESSMENT EVALUATION AND STANDARDIZATION (AES)


Notice

Copyright 2021 Carnegie Mellon University.

This material is based upon work funded and supported by the Department of Homeland Security under Contract No. FA8702-15-D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense.

The view, opinions, and/or findings contained in this material are those of the author(s) and should not be construed as an official Government position, policy, or decision, unless designated by other documentation.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

[DISTRIBUTION STATEMENT C] Distribution authorized to U.S. Government Agencies and their contractors (materials intended for administrative or operational use) (determination date: 2021-03-08). Other requests for this document shall be referred to 4500 Fifth Avenue, Pittsburgh, PA 15213.

Notice to DoD Subcontractors: This document may contain Covered Defense Information (CDI). Handling of this information is subject to the controls identified in DFARS 252.204-7012 – SAFEGUARDING COVERED DEFENSE INFORMATION AND CYBER INCIDENT REPORTING.

DM21-0236

Agenda

• AES Program
• Assessor Qualification Process
• AES-HVA Process

AES PROGRAM

Assessment Evaluation and Standardization (AES) Program

• Produce a workforce of prepared and qualified assessors
• Ensure that assessors have the knowledge and skills necessary to conduct assessments according to the CISA methodology and guidelines
• Standardize the way assessments are conducted throughout the federal; state, local, tribal, and territorial (SLTT); and critical infrastructure space
• Make reporting of assessment results consistent and repeatable so that this information can be used to analyze and inform cybersecurity practice

Current AES Courses

Cyber Resilience Review (CRR)
  Assessment purpose: Evaluate an organization’s operational resilience and cybersecurity practices through an interview-based assessment
  Course length: 5 days
  Maximum class size: 10-30 students
  Mode: Instructor Led Training (ILT) – Virtual, In-Person

External Dependency Management (EDM)
  Assessment purpose: Evaluate an organization’s management of external dependencies through an interview-based assessment
  Course length: 5 days
  Maximum class size: 10-30 students
  Mode: ILT – Virtual, In-Person

High Value Asset (HVA)*
  Assessment purpose: Assess the HVA security architecture to identify technical concerns that could expose the organization to risk
  Course length: 4 days
  Maximum class size: 3-10 teams; 3-6 students per team
  Mode: ILT – Virtual, In-Person

Risk and Vulnerability Assessment (RVA)
  Assessment purpose: Collect data through on-site assessments and combine with national threat and vulnerability information to provide an organization with actionable remediation recommendations prioritized by risk
  Course length: 4 days
  Maximum class size: 20-25 students
  Mode: ILT – Virtual, In-Person

*Currently focused on non-tier 1 high value assets (HVAs) only

For more information about these assessments, visit https://www.cisa.gov/cyber-resource-hub

Assessor Roles

Either an individual or a team conducts each assessment. Individual assessors are qualified for a particular role.

Assessment Lead (AL)
• Primary POC for the assessment
• Leads the assessment team
• Manages the overall assessment execution
• Debriefs and delivers the assessment report
• Individual (CRR, EDM) or team (HVA, RVA)

Technical Lead (TL)
• Leads the Technical Exchange Meeting
• Writes the majority of the assessment report
• Supports meetings throughout the assessment
• Team (HVA, RVA)

Operator (OP)
• Leads the Penetration Test
• Writes the test results appendix of the assessment report; contributes to other portions
• Supports meetings throughout the assessment
• Team (HVA, RVA)

Assessor Prerequisites

The minimum skills for an applicant are:
• Knowledge of cybersecurity, privacy principles, and their respective organizational requirements, including:
  − control systems, networks, risk management, incident management, situational awareness, information assurance, and access control
• Ability to express technical and non-technical information, both verbal and written, to leadership and staff to ensure proper IT operations
• Experience and skill presenting complex technical issues to a wide audience with varying levels of technical experience
• Experience using a variety of frameworks (e.g., NIST CSF/RMF, COBIT, NIST 800 Series, ISO 27001, CERT Resilience Management Model (RMM)) to assist organizations in evaluating their security programs

Additional Assessor Prerequisites: Certifications

It is recommended that applicants hold one or more nationally-recognized information systems or cybersecurity certifications, for example:
• Certified Information Systems Auditor (CISA)
• Certified Information Security Manager (CISM)
• Certified in Risk and Information Systems Control (CRISC)
• Certified Information Systems Security Professional (CISSP)
• CISSP Information Systems Security Architecture Professional (CISSP-ISSAP)
• GIAC Defensible Security Architecture (GDSA)
• Offensive Security Certified Professional (OSCP)
• Offensive Security Certified Expert (OSCE)
• GIAC Certified Penetration Tester (GPEN)

ASSESSOR QUALIFICATION PROCESS

Assessor Qualification Process

1. Orientation
2. Registration
3. Candidate Evaluation
3a. Operator Skills Test*
4. Course
5. Capstone
6. Initial Assessment
7. CISA Qualifies Assessor
8. Maintain Qualification

*HVA & RVA; operator role

Step 1: Orientation

• Ensures mutual understanding of the process
• CISA presents an overview of:
  − AES program
  − AES process
  − Roles
  − Requirements for qualification

Step 2: Registration

• Currently performed via email request to CISA
• In the future, an automated system using Service Now (expected in FY22)

Step 3: Candidate Evaluation (CE)

• Confirmation that all applicants have the baseline cybersecurity knowledge to be successful in the course
• Individual administration, on-line
• Machine-scoreable questions
• Preparatory materials sent prior to the exam
• Passing score: 70%
• Passing score required to take the course
• Limited to 3 attempts

Step 3a: Operator Skill Test (OST)

• Additional prerequisite evaluation required for all assessors that will be Operators
• Individual, timed evaluation
• Limited to 3 attempts within a 24-hour period
• Lab and quiz that evaluates penetration testing skills

Step 4: Course

• Course durations vary depending on the assessment
• Exercises allow students to practice assessment activities
• Instructor-led and delivered via a collaboration platform (e.g., Zoom for Government) and a Learning Management System (LMS) (e.g., Moodle)
• On-line, on-demand courses expected in FY22

Step 5: Capstone

• Comprehensive exam that covers all phases of the assessment, administered at the end of the course
• Format may vary depending on the assessment
  − All candidates will take a machine-scorable exam
  − Candidates may be required to work through scenarios, collaborate in teams, or lead presentations as part of demonstrating assessment skills
• Passing score: 70%

Step 6: Initial Assessment

• After successfully completing the Capstone Exam, candidates will be required to perform an initial assessment
• Some assessments need to be completed as part of a team, depending on assessment type
• The candidate must submit an accurate and comprehensive report that meets CISA standards and methodologies

Step 7: CISA Qualifies Assessor

• CISA performs a quality check of the assessment report
• If the report is approved: the candidate will be qualified as an assessor after successful submission and acceptance of a report
• If unsuccessful: the candidate will be required to perform remedial activities for qualification
  − These activities will vary depending on the nature and weight of report issues
  − Then the candidate will be required to complete another assessment and submit a successful report

Step 8: Maintain Qualification

• Assessors will be qualified for 3 years.
• If the methodology and guidance significantly change during the 3-year period:
  − CISA will inform Qualified Assessors of these changes
  − Assessor ‘refresher’ activities may be required
• Required to perform 3 assessments in the 3-year qualification cycle and expected to perform one assessment per year. In small organizations where it is not possible to conduct 3 assessments, a waiver must be granted by CISA 3 months prior to the end of the qualification period.

AES-HVA COURSE PROCESS

HVA Assessment Overview

• Part of a CISA initiative intended to help government departments and agencies understand their operational resilience and ability to manage cyber risk
• Purpose: assess the HVA security environment and organizational processes through interviews, artifact examination, and technical testing
• Designed to understand the HVA security architecture, understand its resilience, and provide recommendations for improvement
• Most activities typically occur over a consecutive three-day period; elapsed time may be 5-6 weeks, depending on report review turnaround
• Key deliverable is a Final HVA Assessment Report

AES-HVA Course Overview

• 4-day course
  − Day 1 – background, HVA roles, methodology (planning)
  − Day 2 – methodology (execution), discussion topics
  − Day 3 – methodology (post-execution), final report
  − Day 4 – assessment process review, capstone
• Audience
  − Primary Stakeholders (.gov and .mil): Departments and Agencies; National Guard
  − Indirect Stakeholders (primary stakeholder sponsorship required): Contractors

AES-HVA Course Schedule

• Schedule expected to be released October 1, 2021
• HVA Revision 2 planned for Q1 2022

Contact us soon to get started!

Email CISA AES Program Lead Tara Brewer at [email protected]

For more information about CISA, visit https://www.cisa.gov/about-cisa/