12
Overview of Information Assurance (U) Dr. Theodore Mueller Deputy Director, DOCV Missile Defense Agency September 1, 2009 Approved for Public Release 09-MDA-4860 (28 AUG 09) Material cleared for public release can be reused in its original form any time, any place. Any updating, changing or combining of previously cleared material will form a new document that requires the material be re-submitted for a new public release clearance. Please re-submit any new material with the past clearance documentation. A marked copy of the document indicating where new information is placed will help speed the review.

Overview of Information Assurance (U) · Overview of Information Assurance (U) Dr. Theodore Mueller Deputy Director, DOCV Missile Defense Agency. September 1, 2009. Approved for Public

  • Upload
    others

  • View
    2

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Overview of Information Assurance (U) · Overview of Information Assurance (U) Dr. Theodore Mueller Deputy Director, DOCV Missile Defense Agency. September 1, 2009. Approved for Public

Overview of Information Assurance (U)

Dr. Theodore Mueller Deputy Director, DOCV Missile Defense Agency

September 1, 2009Approved for Public Release 09-MDA-4860 (28 AUG 09) Material cleared for public release can be reused in its original form any time, any place. Any updating, changing or combining of previously cleared material will form a new document that requires the material be re-submitted for a new public release clearance. Please re-submit any new material with the past clearance documentation. A marked copy of the document indicating where new information is placed will help speed the review.

Page 2: Overview of Information Assurance (U) · Overview of Information Assurance (U) Dr. Theodore Mueller Deputy Director, DOCV Missile Defense Agency. September 1, 2009. Approved for Public

2

Information Assurance (U)

• Definition – Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities

Three MDA Networks:1. Mission – Network directly supporting the missile

defense operational mission, i.e., directly contributes to target identification and missile launch

2. Test – Network indirectly supporting the operational mission, i.e., test network, assists the Warfighter

3. GENSER – Network supporting administrative classified and unclassified users

Approved for Public Release 09-MDA-4860 (28 AUG 09)

Page 3: Overview of Information Assurance (U) · Overview of Information Assurance (U) Dr. Theodore Mueller Deputy Director, DOCV Missile Defense Agency. September 1, 2009. Approved for Public

3

TestNetwork

BMDS View

War FighterNORTHCOM

War FighterPACOM

SAFC

SAFC

SAFC

SAFC

SAFC

Labs Range Labs

BoostHome

Mid-CourseHomeAllies

Troops

TerminalSAFC

FCFC FC

LegendSA : Strategic AwarenessFC: Fire ControlPhase of BMDSGoal of Protection

Labs Range

War FighterSTRATCOM

Range

TestNetwork

TestNetwork

Approved for Public Release 09-MDA-4860 (28 AUG 09)

Page 4: Overview of Information Assurance (U) · Overview of Information Assurance (U) Dr. Theodore Mueller Deputy Director, DOCV Missile Defense Agency. September 1, 2009. Approved for Public

4

MDA Mission is Worldwide(GMD Example)

GMD CommunicationsNetwork ConnectsAll Components

Aegis BMD Radar / ESI

External SystemInterface (ESI)

Link 16

GBMC2

• USS Lake Erie, Shiloh,and Port Royal

Pacific Ocean

GMD Fire Control Node (At Schriever AFB)

Colorado Springs

Remoted Workstations(At Cheyenne Mtn Ops Ctr)

Beale AFB

Upgraded EarlyWarning Radar

Eareckson Air Station

Cobra DaneUpgrade

In-Flight Interceptor

Communication System Data

Terminal

DSP/STSS

Boulder

BuckleyAFB

InterceptorsIn-Flight InterceptorCommunicationSystem DataTerminal

GMD FireControl Node

Ft. Greely

In-Flight Interceptor Communication SystemData TerminalInterceptors

Vandenberg AFB

Fylingdales -U.K.

Upgraded EarlyWarning Radar

Sea-Based TestXBR (SBX)

In-Flight Interceptor CommunicationSystem Data Terminal

Adak, Alaska

Thule AFB

Upgraded EarlyWarning Radar

Approved for Public Release 09-MDA-4860 (28 AUG 09)

Page 5: Overview of Information Assurance (U) · Overview of Information Assurance (U) Dr. Theodore Mueller Deputy Director, DOCV Missile Defense Agency. September 1, 2009. Approved for Public

5

MDA C&A Process ConceptIA Capability Maturity Model Integrated (CMMI)

Defined, Disciplined, Repeatable, and Defendable Process

ThreatComplexity

Test Approach

Test Type Cost

$$

$$ - $$$

$$$$

$

Level 5

Level 3

Level 4

Level 2

Level 1

CMMI Levels

Ris

k R

educ

tion

Com

plia

nce

Test Analysis

Focus

PROCESS

Basic

Sophisticated

Multiple/ Complex

Medium

Low

HighMission

ApplicationSecurity Testing

VulnerabilityAssessment

Documentation

Expanded External Interface Boundary

ESG Based Assessments

External Interface Boundary

“Fuzzing” CodeProtocol Attack

Exploit Development

C&A

White Team

Penetration

Blue Team (overt)

Red Team (covert)

*MDA Information Assurance Risk Assessment process

IAR A*

Approved for Public Release 09-MDA-4860 (28 AUG 09)

Page 6: Overview of Information Assurance (U) · Overview of Information Assurance (U) Dr. Theodore Mueller Deputy Director, DOCV Missile Defense Agency. September 1, 2009. Approved for Public

6

Potential Business Opportunities

Current Contractor: Dynetics – value at approximately $6.5mKey requirement – perform functions better, cheaper, and more

efficiently:Testing (Defense Information Assurance Certification and

Accreditation Process (DIACAP)) –Better – more sophisticated test tools, scenario driven tests, tools

that identify malicious code Cheaper – remote testing tools instead of deploying test teamsEfficient – tools that combine results of other tools, automated

analysisTraining (DoD 8570.01) –

Better – combine classroom, hand’s-on, tailored, multi-levelsCheaper – distant learning, export via CD or WebEfficient – centralized management, decentralized execution

Approved for Public Release 09-MDA-4860 (28 AUG 09)

Page 7: Overview of Information Assurance (U) · Overview of Information Assurance (U) Dr. Theodore Mueller Deputy Director, DOCV Missile Defense Agency. September 1, 2009. Approved for Public

7

Summary

• Information Assurance is mandated, growing in importance and here to stay

• Business opportunities exist in identifying key IA activities or processes and offering a way to perform them better, cheaper, and more efficiently

• Key activities include:- Testing- Analysis- Develop IA certification & Accreditation packages- Training- Tools- Archiving artifacts, findings, etc.

Cost Benefit Analysis must justify Government action to contactApproved for Public Release 09-MDA-4860 (28 AUG 09)

Page 8: Overview of Information Assurance (U) · Overview of Information Assurance (U) Dr. Theodore Mueller Deputy Director, DOCV Missile Defense Agency. September 1, 2009. Approved for Public

8

Page 9: Overview of Information Assurance (U) · Overview of Information Assurance (U) Dr. Theodore Mueller Deputy Director, DOCV Missile Defense Agency. September 1, 2009. Approved for Public

9

BACKUP

Page 10: Overview of Information Assurance (U) · Overview of Information Assurance (U) Dr. Theodore Mueller Deputy Director, DOCV Missile Defense Agency. September 1, 2009. Approved for Public

10

Controls Validation Testing

• Mandatory legal requirement under Title 10, US Code, Section 2224, OMB Circular A-130, and DOD regulations and policies

• 110 Information Assurance (IA) Controls are tested resulting in:

- No finding – Tested IA Control is compliant- CAT I allows primary security protections to be

bypassed, allowing immediate access by unauthorized personnel. Any identified weaknesses must be mitigated within 30 days

- CAT II – has the potential to lead to unauthorized system access or activity

- CAT III – may impact IA posture but are not required to be mitigated in order to receive an Authority to Operate

Approved for Public Release 09-MDA-4860 (28 AUG 09)

Page 11: Overview of Information Assurance (U) · Overview of Information Assurance (U) Dr. Theodore Mueller Deputy Director, DOCV Missile Defense Agency. September 1, 2009. Approved for Public

11

Certification and Accreditation Decisions

•Interim Authorization to Test - IATT • Special case for authorizing testing in an operational informational environment (pre-deployment / test environment) • Specified period of time

•Authorization to Operate - ATO• Applies only to operationally ready information systems (operational environment)

•Interim Authorization to Operate - IATO• Issued by CIO when CAT I weaknesses exist • IATO must be accompanied by Plan of Actions and Milestones (POA&M) • Intended to manage IA security weaknesses

•Denial of Authorization to Operate – DATO• Remains in effect until all corrective actions identified in the POA&M are implemented

Approved for Public Release 09-MDA-4860 (28 AUG 09)

Page 12: Overview of Information Assurance (U) · Overview of Information Assurance (U) Dr. Theodore Mueller Deputy Director, DOCV Missile Defense Agency. September 1, 2009. Approved for Public

12

Risk Assessment MethodologyAggregating Individual Issue Risk to Type, Site, Element Risks

Consequence Weight Path To Resolution/Mitigation Weight

Only Low Issues Where Mitigation Plan Already Implemented 0Identified Issues Allow Slowdown in processing capability 4 Only Low Issues Where Migitation Plan planned 5Identified Issues Allow Denial of service 8 Only Low Issues Where There Is No Mitigation Plan 25Identified Issues Allow Full or partial control by exploit or exploiter 8 Only Low Issues Where There Is No Path to Resolution - Government

Action Required (assumes 12 months or more to mitigation)65

Timeline to mitigation is between 6 and 12 months 10Identified Issues Allow lowdown in processing capability 50 Timeline to mitigation is greater than 12 months 25Identified Issues Allow Denial of service 100Identified Issues Allow Full or partial control by exploit or exploiter 150 Low To Medium Issues Where Mitigation Plan Already Implemented 5

Low to Medium Issues Where Migitation Plan planned 25Identified Issues Allow Slowdown in processing capability 50 Low to Medium Issues Where There Is No Mitigation Plan 30Identified Issues Allow Denial of service 275 Low to Medium Issues Where There Is No Path to Resolution -

Government Action Required (assumes 12 months or more to mitigation)75

Identified Issues Allow Full or partial control by exploit or exploiter 275 Timeline to mitigation is between 6 and 12 months 50Timeline to mitigation is greater than 12 months 75

Identified Issues Allow Slowdown in processing capability 75 Action Plan Status by DeveloperIdentified Issues Allow Denial of service 300 Up to High Issues Where Mitigation Plan Already Implemented 5Identified Issues Allow Full or partial control by exploit or exploiter 300 Up to High Issues Where Migitation Plan planned 45

Up to High Issues Where There Is No Mitigation Plan 75Up to High Issues Where There Is No Path to Resolution - Government Action Required (assumes 12 months or more to mitigation)

80

Timeline to mitigation is between 6 and 12 months 50Timeline to mitigation is greater than 12 months 80

Non-Critical Multiple Component

Critical Single Component

Critical Multiple Components

Multiple Issues for Single Component Aggregate to Component Risk

Target Consequence Action Plan Status by DeveloperNon-Critical Single Component (i.e., UST)

Action Plan Status by Developer

400+ 300-399 200-299 100-199 1-9980+61-8041-6021-400-20LI

KELI

HOOD

CONSEQUENCE

Process is standardized across MDA Mission, Test, and GENSER networks

Type & Site Risks Aggregated to GMD Element Risk

Technical Interchange Meetings (TIMs)•C&A Team•Government•Developer•Warfighter

GMD Element SSAA and Risk Assessment

GMD Type & SiteTest Results and Risk Assessments

Consequence Weight Path To Resolution/Mitigation Weight

Only Low Issues Where Mitigation Plan Already Implemented 0Identified Issues Allow Slowdown in processing capability 4 Only Low Issues Where Migitation Plan planned 5Identified Issues Allow Denial of service 8 Only Low Issues Where There Is No Mitigation Plan 25Identified Issues Allow Full or partial control by exploit or exploiter 8 Only Low Issues Where There Is No Path to Resolution - Government

Action Required (assumes 12 months or more to mitigation)65

Timeline to mitigation is between 6 and 12 months 10Identified Issues Allow lowdown in processing capability 50 Timeline to mitigation is greater than 12 months 25Identified Issues Allow Denial of service 100Identified Issues Allow Full or partial control by exploit or exploiter 150 Low To Medium Issues Where Mitigation Plan Already Implemented 5

Low to Medium Issues Where Migitation Plan planned 25Identified Issues Allow Slowdown in processing capability 50 Low to Medium Issues Where There Is No Mitigation Plan 30Identified Issues Allow Denial of service 275 Low to Medium Issues Where There Is No Path to Resolution -

Government Action Required (assumes 12 months or more to mitigation)75

Identified Issues Allow Full or partial control by exploit or exploiter 275 Timeline to mitigation is between 6 and 12 months 50Timeline to mitigation is greater than 12 months 75

Identified Issues Allow Slowdown in processing capability 75 Action Plan Status by DeveloperIdentified Issues Allow Denial of service 300 Up to High Issues Where Mitigation Plan Already Implemented 5Identified Issues Allow Full or partial control by exploit or exploiter 300 Up to High Issues Where Migitation Plan planned 45

Up to High Issues Where There Is No Mitigation Plan 75Up to High Issues Where There Is No Path to Resolution - Government Action Required (assumes 12 months or more to mitigation)

80

Timeline to mitigation is between 6 and 12 months 50Timeline to mitigation is greater than 12 months 80

Non-Critical Multiple Component

Critical Single Component

Critical Multiple Components

Multiple Issues for Single Component Aggregate to Component Risk

Target Consequence Action Plan Status by DeveloperNon-Critical Single Component (i.e., UST)

Action Plan Status by Developer

400+ 300-399 200-299 100-199 1-9980+61-8041-6021-400-20LI

KELI

HOOD

CONSEQUENCE

Consequence Weight Path To Resolution/Mitigation Weight

Only Low Issues Where Mitigation Plan Already Implemented 0Identified Issues Allow Slowdown in processing capability 4 Only Low Issues Where Migitation Plan planned 5Identified Issues Allow Denial of service 8 Only Low Issues Where There Is No Mitigation Plan 25Identified Issues Allow Full or partial control by exploit or exploiter 8 Only Low Issues Where There Is No Path to Resolution - Government

Action Required (assumes 12 months or more to mitigation)65

Timeline to mitigation is between 6 and 12 months 10Identified Issues Allow lowdown in processing capability 50 Timeline to mitigation is greater than 12 months 25Identified Issues Allow Denial of service 100Identified Issues Allow Full or partial control by exploit or exploiter 150 Low To Medium Issues Where Mitigation Plan Already Implemented 5

Low to Medium Issues Where Migitation Plan planned 25Identified Issues Allow Slowdown in processing capability 50 Low to Medium Issues Where There Is No Mitigation Plan 30Identified Issues Allow Denial of service 275 Low to Medium Issues Where There Is No Path to Resolution -

Government Action Required (assumes 12 months or more to mitigation)75

Identified Issues Allow Full or partial control by exploit or exploiter 275 Timeline to mitigation is between 6 and 12 months 50Timeline to mitigation is greater than 12 months 75

Identified Issues Allow Slowdown in processing capability 75 Action Plan Status by DeveloperIdentified Issues Allow Denial of service 300 Up to High Issues Where Mitigation Plan Already Implemented 5Identified Issues Allow Full or partial control by exploit or exploiter 300 Up to High Issues Where Migitation Plan planned 45

Up to High Issues Where There Is No Mitigation Plan 75Up to High Issues Where There Is No Path to Resolution - Government Action Required (assumes 12 months or more to mitigation)

80

Timeline to mitigation is between 6 and 12 months 50Timeline to mitigation is greater than 12 months 80

Non-Critical Multiple Component

Critical Single Component

Critical Multiple Components

Multiple Issues for Single Component Aggregate to Component Risk

Target Consequence Action Plan Status by DeveloperNon-Critical Single Component (i.e., UST)

Action Plan Status by Developer

400+ 300-399 200-299 100-199 1-9980+61-8041-6021-400-20LI

KELI

HOOD

CONSEQUENCE

Single Type or Site Issue Risks

Consequence Weight Likelihood WeightHuman Intentional

X threat valueIdentified Issues Allow Slowdown in processing capability 4 X Espionage valueIdentified Issues Allow Denial of service 8 Sabotage valueIdentified Issues Allow Full or partial control by exploit or exploiter 8 Vandalism value

Theft of Asset valueIdentified Issues Allow lowdown in processing capability 50 Unauthorized Disclosure valueIdentified Issues Allow Denial of service 100 Unauthorized Facility access valueIdentified Issues Allow Full or partial control by exploit or exploiter 150 Denial of Service value

Human unintentionalIdentified Issues Allow Slowdown in processing capability 50 Inadvertent Disclosure valueIdentified Issues Allow Denial of service 200 Modification of Data valueIdentified Issues Allow Full or partial control by exploit or exploiter 200 Administrative Error value

DOS by authorized user valueIdentified Issues Allow Slowdown in processing capability 50 Environmental NaturalIdentified Issues Allow Denial of service 200 Floods valueIdentified Issues Allow Full or partial control by exploit or exploiter 200 Earthquake value

lighting valueIdentified Issues Allow Slowdown in processing capability 50 tornado valueIdentified Issues Allow Denial of service 200 ice storms valueIdentified Issues Allow Full or partial control by exploit or exploiter 200 Environmental Fabricated

power disturbance/outage valueIdentified Issues Allow Slowdown in processing capability 50 electrical valueIdentified Issues Allow Denial of service 200 fire - major valueIdentified Issues Allow Full or partial control by exploit or exploiter 200 fire - minor value

hardware failure value

software failure value

communications failure/Loss value

Site to Element RAP Sheet

Critical Multiple Type Affected/Redundancy Available

Critical Muliple Type Affected/Redundancy Not Available

Target Consequence

Critical Single Type Affected/Redundancy Available

Critical Single Type Affected/Redundancy Not Available

Site Fails Non-Critical Single Type Effected

Site Fails Non-Critical Multiple Types

400+ 300-399 200-299 100-199 1-9980+61-8041-6021-400-20LI

KELI

HOOD

CONSEQUENCE

Multiple Issue Risks Aggregated toType or Site Risk

Consequence Weight Likelihood Weight

Type Carries a Low Risk Rating 15Low With Redundancy 100 Type Carries a Medium Risk Rating 25Low Without Redundancy 150 Type Carries a High Risk Rating 45

Medium With Redundancy 150Medium Without Redundancy 200 No Known Information suggesting a targeted exploit 0

Known Information suggests potential of a targeted exploit 25High With Redundancy 200High Without Redundancy 250

No known Information at Site Hosting Type X impacts Risk 0Role is contained within the Element 5 Known Information Exists at Site Hosting Type X: Import Site RAP Value 25Role is critical to BMDS Interconnectivity / Communication

250

Boost 199Midcourse 299Terminal 99Element Role is critical to BMDS Interconnectivity 299

Element Y Weighting Within BMDS

Site Factors

Type X to Element Y to BMDS RAP Sheet

High

Functionality of Type X

Type X Criticality vis-à-vis Element Y Imported Risk Rating from Type XLow

MediumIntelligence Factors

400+ 300-399 200-299 100-199 1-9980+61-8041-6021-400-20LI

KEL

IHO

OD

CONSEQUENCE

P

Approved for Public Release 09-MDA-4860 (28 AUG 09)