
Minimizing Compliance Resistance to Digital Transformation --- Design for regulatory approval as carefully as you design your automation


Page 1: Minimizing Compliance Resistance to Digital Transformation --- Design for regulatory approval as carefully as you design your automation

Copyright © 2017, Raytheon Company. All rights reserved.

DESIGN FOR REGULATORY APPROVAL AS CAREFULLY AS YOU DESIGN YOUR AUTOMATION

Global Business Services – IT

Keith Rodwell

Business Application Services Cloud Architect

Dec. 4, 2017

Approved for Public Release

This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.

Page 2

FIRST – A DISCLOSURE

The specifics of what we’re doing are sensitive, so that information cannot be shared.

Regulatory compliance is NOT a destination, but instead a complex and twisty road full of sheer drops and sudden stops – even if we had all of today’s answers, what you need to do will be different tomorrow.

There is no cookbook for regulatory compliance — your mileage will vary


Page 3

RAYTHEON COMPANY – A TECHNOLOGY AND INNOVATION LEADER SPECIALIZING IN DEFENSE, CIVIL GOVERNMENT AND CYBERSECURITY SOLUTIONS THROUGHOUT THE WORLD.

– 2016 net sales: $24 billion
– 63,000 employees worldwide
– Headquarters: Waltham, Massachusetts


Page 4

OUR BUSINESSES ARE ORGANIZED BY KEY MISSION AREAS

IDS – INTEGRATED DEFENSE SYSTEMS
Headquartered in Tewksbury, Massachusetts, Integrated Defense Systems specializes in air and missile defense, large land- and sea-based radars, and systems for managing command, control, communications, computers, cyber and intelligence. It also produces sonars, torpedoes and electronic systems for ships.

FORCEPOINT™ (POWERED BY RAYTHEON)
Headquartered in Austin, Texas, Forcepoint safeguards users, data and networks against accidental or malicious insider threats and advanced outside attacks across the entire threat life cycle, in the cloud, on the road and in the office. A joint venture of Raytheon and Vista Equity Partners, Forcepoint enables better decision-making, more efficient security and simplifies compliance as it protects and empowers more than 20,000 commercial and government organizations worldwide.

IIS – INTELLIGENCE, INFORMATION AND SERVICES
Headquartered in Dulles, Virginia, Intelligence, Information and Services designs and delivers solutions and services that leverage its deep expertise in cyber, analytics and automation. Software, systems integration, and the support and sustainment of Raytheon and other companies’ systems for intelligence, military and civil applications are delivered across five markets: space, digital battlespace, cyber, intelligent transportation and high-consequence training.

RMS – MISSILE SYSTEMS
Headquartered in Tucson, Arizona, Raytheon Missile Systems is the world’s premier missile maker, providing defensive and offensive weapons for air, land, sea, and space, including interceptors for U.S. ballistic missile defense. The business also builds net-enabled battlefield sensors and includes Raytheon UK.

SAS – SPACE AND AIRBORNE SYSTEMS
Headquartered in McKinney, Texas, Space and Airborne Systems builds radars and other sensors for aircraft, spacecraft and ships. The business also provides communications, electronic warfare and high-energy laser solutions, and performs research in areas ranging from linguistics to quantum computing.


Page 5

GLOBAL PRESENCE – ALWAYS THERE. DEDICATED TO OUR GLOBAL CUSTOMERS.

Raytheon Company is deeply committed to global partnerships, providing solutions and services to valued customers in more than 80 countries and building upon international relationships to best meet the national security and technology needs of nations around the world.


Page 6

USER AND COMPLIANCE PRESSURE – USERS AND DEVELOPERS WANT IT ALL; REGULATORY WANTS THE LEAST NEEDED

[Figure: two sets of speech-bubble callouts]
Users and developers: “Go! Go! Go!” – “Cloud – Yippee!” – “Faster, Better and Cheaper!”
Regulatory: “Enough Insight?” – “Audit?” – “Reputation?” – “Protect Us?” – “Controls?”


Page 7

SCOPE SERVICES TO WHAT IS NEEDED AND ALLOWED

[Figure: nested scopes, outermost to innermost – Public Cloud Capabilities, Government Cloud Capabilities, Regulatory Allowed, Services Definitions]

– Public Cloud – Highest diversity of services today
– Government Cloud – SRG-compliant subset of public cloud
– Regulatory Allowed – Governed subset
– Services Definitions – Supported services based on application needs and bounded by what is allowed


Page 8

ITAR, EAR, CUI and NIST 800-171

– International Traffic in Arms Regulations (ITAR) – U.S. government regulations on the export and import of defense-related articles and services
– Export Administration Regulations (EAR) – Commercial import and export regulations
– Controlled Unclassified Information (CUI) – Data that must be safeguarded and/or dissemination controlled by U.S. government regulation
– NIST 800-171 – Protecting CUI in nonfederal information systems and organizations

Be familiar with the regulations you’re designing to meet


Page 9

TWO CRITICAL REGULATORY GROUPS’ CONCERNS

Different questions leading to the same objective — protecting the business

Export/Import – HAVE WE DONE ENOUGH TO PROTECT AGAINST UNLICENSED AND UNAUTHORIZED EXPORTS?
– Will there be Foreign Person access?
– Will export-controlled data be accessed?
– Are required controls in place?
– If an unintentional export happens: can we detect it and act promptly? Do we meet reporting requirements?

IT Security – HAVE WE DONE ENOUGH TO ENSURE COMPLIANT CONFIDENTIALITY, INTEGRITY AND AVAILABILITY?
– Does it access sensitive data?
– Are appropriate/compliant controls in place?
– Does it provide sufficient insight for event correlation and intrusion prevention?
– Did it pass required testing and review?
– If there are any gaps, have they been disclosed and is a Plan of Actions and Milestones (POAM) in place?


Page 10

ISSUES YOU’LL LIKELY ENCOUNTER

Identity
– Automation identities aren’t granted the right to modify their own identity
– Issued tokens expire according to policy
– Stored identity is protected by enterprise encryption keys

Connectivity
– Most foundations won’t be internet facing
– Intrusion detection and prevention will be in your packet pathway
– Cloud-to-cloud communications aren’t direct

Security
– Not everything will be allowed (like ECR)
– Authenticate before access still applies
– Encryption technologies must be compliant and certified
– Encryption keys must be issued by existing key stores
– Application Security Groups are governed and controlled like firewalls
– Where an information system “lives” is complicated by microservices
– Cloud Foundry doesn’t natively support security roles

Free and open is not remotely equivalent to compliant and controlled


Page 11

APPROACHES

Place regulatory checks and validation in automation
– Detect, block and alert Foreign Person access to export-restricted services
– Enforce Application Security Group change approval prior to implementation
– Manage application APIs based on data classifications and acceptable uses
– Utilize pipelines to implement compliance
– Create microservices that enforce declared data controls in lieu of direct database access

Prioritize regulatory insight
– Establish log and event processing practices that highlight elevations in privilege, changes in configuration and unexpected behavior
– Create dashboards that show complete history of actions taken by people, pipelines, platforms and services
– Understand and implement audit trail retention periods with tools to navigate through context

Care and feeding of compliance approvers must be testable
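The two lists above describe checks that can run inside a deployment pipeline and the kind of event highlighting that gives approvers insight. The Python below is an added example written for this page, not code from the slides or from Raytheon: it gates a deployment request against a governed service catalogue, blocks and alerts on Foreign Person access to export-controlled data, refuses an Application Security Group change without an approval ticket, and then filters a batch of audit events down to privilege elevations and configuration changes. The service catalogue, classification labels, the `requester_is_us_person` attribute, the `asg_approval_ticket` field and the event records are all constructed assumptions.

```python
"""Pipeline compliance gate plus audit-event highlighter.

Added example, not code from the slides or from Raytheon. The service
catalogue, classification labels, request fields and event records are
all constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed "Services Definitions": the governed subset of services the
# platform offers, each with the highest data classification it is approved for.
ALLOWED_SERVICES: Dict[str, str] = {
    "object-storage-gov": "CUI",
    "managed-db-gov": "CUI",
    "message-queue-gov": "INTERNAL",
}

# Constructed classification ladder; ITAR-controlled data ranks above plain CUI.
CLASS_RANK = {"PUBLIC": 0, "INTERNAL": 1, "CUI": 2, "ITAR": 3}


@dataclass
class DeployRequest:
    app: str
    service: str                  # platform service the app wants to bind
    data_class: str               # classification the app declares it will hold
    requester: str                # identity driving the pipeline run
    requester_is_us_person: bool  # assumed attribute from the identity provider
    asg_change: bool              # does the change touch an Application Security Group?
    asg_approval_ticket: Optional[str] = None


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)


def evaluate(req: DeployRequest) -> Decision:
    """Apply three automated checks: governed catalogue and classification,
    Foreign Person access to export-controlled data, and ASG change approval."""
    d = Decision(allowed=True)

    # Scope: only catalogued services, and only up to their approved classification.
    if req.service not in ALLOWED_SERVICES:
        d.allowed = False
        d.reasons.append(f"{req.service} is not in the governed service catalogue")
    elif CLASS_RANK[req.data_class] > CLASS_RANK[ALLOWED_SERVICES[req.service]]:
        d.allowed = False
        d.reasons.append(f"{req.service} is approved up to "
                         f"{ALLOWED_SERVICES[req.service]}, request declares {req.data_class}")

    # Export control: detect, block and alert rather than fail silently.
    if req.data_class == "ITAR" and not req.requester_is_us_person:
        d.allowed = False
        d.reasons.append("Foreign Person access to export-controlled data")
        d.alerts.append(f"EXPORT-ALERT requester={req.requester} app={req.app}")

    # ASG changes are handled like firewall changes: approval before implementation.
    if req.asg_change and not req.asg_approval_ticket:
        d.allowed = False
        d.reasons.append("Application Security Group change without approval ticket")
    return d


# Constructed audit events in a made-up shape (not a real platform's log format).
SAMPLE_EVENTS = [
    {"ts": "2017-12-04T10:00:01Z", "actor": "pipeline/payroll", "action": "deploy", "target": "payroll-api"},
    {"ts": "2017-12-04T10:00:07Z", "actor": "user/jdoe", "action": "role.grant", "target": "user/jdoe"},
    {"ts": "2017-12-04T10:01:13Z", "actor": "user/jdoe", "action": "asg.update", "target": "asg-payroll"},
    {"ts": "2017-12-04T10:02:00Z", "actor": "service/payroll-api", "action": "read", "target": "managed-db-gov"},
]

PRIVILEGE_ACTIONS = {"role.grant", "role.assume", "token.issue"}
CONFIG_ACTIONS = {"asg.update", "env.set", "service.bind"}


def highlight(events: List[dict]) -> List[dict]:
    """Return only the events a compliance reviewer should see first: privilege
    elevations (marking self-granted ones) and configuration changes."""
    flagged = []
    for e in events:
        tags = []
        if e["action"] in PRIVILEGE_ACTIONS:
            tags.append("privilege-elevation")
            if e["actor"] == e["target"]:
                tags.append("self-granted")  # identities should not modify their own rights
        if e["action"] in CONFIG_ACTIONS:
            tags.append("config-change")
        if tags:
            flagged.append({**e, "tags": tags})
    return flagged


if __name__ == "__main__":
    req = DeployRequest("payroll", "managed-db-gov", "ITAR", "user/contractor", False, True)
    print(evaluate(req))
    for ev in highlight(SAMPLE_EVENTS):
        print(ev["ts"], ev["actor"], ev["action"], ev["tags"])
```

Every refusal carries a reason string and export-control refusals also raise an alert, so the same gate output can feed both the pipeline log and the approver dashboard the slide calls for; keeping `evaluate` and `highlight` as pure functions is what makes the care and feeding of approvers testable.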


Page 12

CONTROL AND ARTICULATE SCOPES

[Figure: the nested scopes from page 7 – Public Cloud Capabilities, Government Cloud Capabilities, Regulatory Allowed, Services Definitions]

Contain scope – what is used
– Only what you need now
– Avoid nice-to-have: limit creep

Contain scope – what is offered
– Implement high-value and compliant first
– Socialize road maps prior to publishing

Measured steps
– Incremental changes in lieu of monolithic
– Align with needs from both groups


Page 13

ADDITIONAL RESOURCES

– NIST 800-171 – http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
– ITAR – https://www.pmddtc.state.gov/regulations_laws/itar.html

Keith’s contact information: [email protected]
