27-07-2012, 11:21 AM
Trusted Defense Systems
[attachment=29183]
Increased Priority for Program Protection
Threats: Nation-state, terrorist, criminal, rogue developer who:
Gain control of systems through supply chain opportunities
Exploit vulnerabilities remotely
Vulnerabilities: All systems, networks, applications
Intentionally implanted logic (e.g., back doors, logic bombs, spyware)
Unintentional vulnerabilities maliciously exploited (e.g., poor quality or fragile code)
Consequences: Stolen critical data & technology; corruption, denial of critical warfighting functionality
Challenges Being Addressed
Policy and guidance for security is not streamlined
There is a lack of useful methods, processes and tools for acquirers and developers
Criticality is usually identified too late to budget and implement protection
Horizontal protection process is insufficiently defined
Lack of consistent method for measuring cost and success of “protection”
Intelligence data is not available to programs for risk awareness
Security not typically identified as an operational requirement, and is therefore lower priority
Systems Security Engineering
Systems Security Engineering Definition:
An element of system engineering that applies scientific and engineering principles to identify security vulnerabilities and minimize or contain risks associated with these vulnerabilities
(MIL-HDBK-1785: Systems Security Engineering Program Management Requirements)
Codify guidance and best practice
To identify software, hardware vulnerabilities
To support program protection planning
To support secure systems design
Work is needed to fully expand this discipline
Foundational science and engineering, competencies (as compared to other SE Specialties: reliability, safety, etc)
Methods and tools: V&V, architecting for security
Community and design team recognition of SSE as a key design consideration.
Standardization Efforts
Buying with Confidence
Open Group engagement to develop secure commercial product standards
Technology supply chain security standard through ISO
Supply Chain Risk Mitigation
Countering Counterfeits Tiger Team
DFAR for safeguarding unclassified DoD information on DIB networks
Object Management Group software assurance frameworks
Building with Integrity
NDIA System Assurance Guidebook, adopted by NATO Standardization Agency
ISO 15026: Standard for Systems and Software Assurance
Criticality Analysis Working Group
Systems Security Engineering research roadmap
DHS Software Assurance
Horizontal Protection
DoD-wide Critical Program Information identification process
Acquisition Security Database adoption and implementation
Vision of Success
The requirement for assurance is allocated among the right systems and their critical components
DoD understands its supply chain risks
DoD systems are designed and sustained at a known level of assurance
Commercial sector shares ownership and builds assured products
Technology investment transforms the ability to detect and mitigate system vulnerabilities.
[attachment=29183]
Increased Priority for Program Protection
Threats: Nation-state, terrorist, criminal, rogue developer who:
Gain control of systems through supply chain opportunities
Exploit vulnerabilities remotely
Vulnerabilities: All systems, networks, applications
Intentionally implanted logic (e.g., back doors, logic bombs, spyware)
Unintentional vulnerabilities maliciously exploited (e.g., poor quality or fragile code)
Consequences: Stolen critical data & technology; corruption, denial of critical warfighting functionality
Challenges Being Addressed
Policy and guidance for security is not streamlined
There is a lack of useful methods, processes and tools for acquirers and developers
Criticality is usually identified too late to budget and implement protection
Horizontal protection process is insufficiently defined
Lack of consistent method for measuring cost and success of “protection”
Intelligence data is not available to programs for risk awareness
Security not typically identified as an operational requirement, and is therefore lower priority
Systems Security Engineering
Systems Security Engineering Definition:
An element of system engineering that applies scientific and engineering principles to identify security vulnerabilities and minimize or contain risks associated with these vulnerabilities
(MIL-HDBK-1785: Systems Security Engineering Program Management Requirements)
Codify guidance and best practice
To identify software, hardware vulnerabilities
To support program protection planning
To support secure systems design
Work is needed to fully expand this discipline
Foundational science and engineering, competencies (as compared to other SE Specialties: reliability, safety, etc)
Methods and tools: V&V, architecting for security
Community and design team recognition of SSE as a key design consideration.
Standardization Efforts
Buying with Confidence
Open Group engagement to develop secure commercial product standards
Technology supply chain security standard through ISO
Supply Chain Risk Mitigation
Countering Counterfeits Tiger Team
DFAR for safeguarding unclassified DoD information on DIB networks
Object Management Group software assurance frameworks
Building with Integrity
NDIA System Assurance Guidebook, adopted by NATO Standardization Agency
ISO 15026: Standard for Systems and Software Assurance
Criticality Analysis Working Group
Systems Security Engineering research roadmap
DHS Software Assurance
Horizontal Protection
DoD-wide Critical Program Information identification process
Acquisition Security Database adoption and implementation
Vision of Success
The requirement for assurance is allocated among the right systems and their critical components
DoD understands its supply chain risks
DoD systems are designed and sustained at a known level of assurance
Commercial sector shares ownership and builds assured products
Technology investment transforms the ability to detect and mitigate system vulnerabilities.