Author name: Bruce

I have been doing IT and Cybersecurity specifically GRC for 20 years. I want to help people get into this field.


Industrial Control Systems Security

What is critical infrastructure security?

Industrial Control Systems (ICS) are Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC). These are automated computer systems that run power plants, water treatment facilities, nuclear plants and other foundational resource-generating establishments that entire cities depend on, so protection of these places is very important.

How does risk management tie into critical infrastructure systems?

According to Michael Chipley, PhD, GICSP, PMP, LEED AP, President, the Industrial Control Systems (ICS) Platform IT (PIT) Risk Management Framework (RMF) Knowledge Service website is very close to being released. It will offer step-by-step guidance on how to load ICS PIT into the Enterprise Mission Assurance Support Service (eMASS). More information on ICS PIT is being put into NIST SP 800-82 R2, Guide to Industrial Control System Security. As of March 2015 it is in Final Public Draft (expected to be released by May).

More information:
- https://ics-cert.us-cert.gov/Industrial-Control-Systems-Joint-Working-Group-ICSJWG
- http://csrc.nist.gov/publications/drafts/800-82r2/sp800_82_r2_second_draft.pdf
- michael.t.chipley.ctr@mail.mil


federal cloud FedRAMP.gov

The Federal Risk and Authorization Management Program (FedRAMP) is launching a site to clear up the cloudy confusion of the federal cloud compliance world. The site is fedRAMP.gov and it is intended for federal agencies and vendors of cloud-based technologies and services. They will be getting away from the old site: http://cloud.cio.gov/fedramp

According to FedRAMP Director Matt Goodrich, “We’ll be focusing on reaching a broader audience and get into the agencies and vendors who haven’t quite grasped what FedRAMP is and how it benefits them. Using same message over and over again doesn’t work. At FedRAMP, we’ve been doing the same message for 2 1/2 years. We need to shake it up and say it again differently so we’re penetrating the different types of the market and agencies who haven’t quite gotten the message yet.” The site will feature a training program.

What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is a risk management program for assessing and monitoring the security of cloud products and services. FedRAMP focuses on three major areas of cloud security:
- Providing joint security assessments and authorizations based on a standardized baseline set of security controls
- Using approved Third Party Assessment Organizations to consistently evaluate a Cloud Service Provider’s ability to meet the security controls
- Coordinating continuous monitoring services

Why is FedRAMP needed?

The federal government is trying to get away from having each and every agency run its own homemade risk management process. They are trying to save cost and confusion by consolidating and streamlining FedRAMP and other risk management processes.

Who does FedRAMP apply to?
- FedRAMP PMO – Housed within GSA and responsible for operational management.
- NIST – Maintains FISMA standards, and establishes technical standards.
- Joint Authorization Board (JAB) – Performs rigorous technical reviews of CSP authorization packages for FedRAMP compliance and grants the provisional ATO; members are the CIOs from the Department of Homeland Security (DHS), the General Services Administration (GSA), and the Department of Defense CIO Council; coordinates cross-agency communications.
- DHS – Monitors and reports on security incidents and provides data for continuous monitoring.
- Agencies – Use the FedRAMP process when conducting risk assessments, security authorizations, and granting an ATO to a cloud service.
- Third Party Assessment Organizations – Perform initial and ongoing independent verification and validation of the security controls deployed within the Cloud Service Provider’s information system.
- Cloud Service Providers – Implement the security controls within their products and services needed to meet the security requirements outlined in FedRAMP.


DoD 8140 Interactive National Cybersecurity Workforce Framework

DoD 8140, Cyberspace Workforce Management Policy, will replace 8570. 8140 will be based on the National Cybersecurity Workforce Initiative. The National Initiative for Cybersecurity Education (NICE) has developed a National Cybersecurity Workforce Framework which breaks down the most common cybersecurity jobs into tasks and skill sets. This framework will explain requirements in cybersecurity roles just like other professions do. For example, in order for lawyers to practice law they must pass the Bar. They are trying to do something similar to this with system security analysis for the federal government, in that you will have to have X certification and/or X degree.

There is an interactive website that promotes this: http://niccs.us-cert.gov/training/tc/framework

Among working IT professionals in the field there is a little controversy about how 8570 focused too much on certifications and not at all on experience, or even on taking a degree into account. This is a problem, since you end up getting a lot of unqualified people working in sensitive jobs that they have no experience or mentorship in just because they have passed a test. I hope DoDD 8140 will remedy this.

More on DoD 8140

8140 was expected to be published in January 2014. Similar to 8570, DoD 8140 will provide a comprehensive view of the cybersecurity workforce, but with levels I, II, and III changed to apprentice, journeyman, and master. It will be integrated into the job skills and functions you see in the National Initiative for Cybersecurity Education (NICE) framework, and mission area requirements from the U.S. Cyber Command (USCYBERCOM) workforce.

- DTIC Directive – mentioned in the DoD Issuance numbering system as “8140 Knowledge/Skills-Based Workforce”: http://www.dtic.mil/whs/directives/corres/writing/Issuance_Numbering.pdf
- DISA – Operationally focused cyber training framework pdf (DoD 8140 workforce requirements initiative)


6 Tips for Executive Summaries

I wrote a terrible executive summary for our security authorization package. My manager and our customer called me out on it. There were misspellings and grammatical errors. Needless to say, I was embarrassed. I essentially cranked out a draft and posted it live. Huge mistake. The immediate backlash I received was a humiliating reminder of the importance of executive summaries. As I rewrote the executive summary, I started to think that it's time to go back to school on my documentation skill set. I started to ask myself, what is an executive summary? Why do we need one? And what is important within executive summaries? I boiled it down to 6 tips.

6 Tips for Executive Summaries:

1. Write executive summaries to your audience – There are many documents that have executive summaries. Just to name a few: legal documents, business plans, proposals, investment proposals, policies, standards and of course system security plans all usually have executive summaries. Each of these executive summaries serves a different purpose. For business and investment proposals, executive summaries should have a quick impact to convince the reader to keep reading the rest of the document. For a system security plan or system authorization package, you are highlighting the main points of the package, realizing that the reader may not be able to read 100% of the documentation. The intent of the executive summary must be explained in the language of the audience you are speaking to.

2. Audience language – Remember who you are writing to. The majority of people reading your technical document will not be technical and they may not even be completely familiar with your field of expertise. The executive summary is especially for managers, decision makers, authorizing officials and CEO types who are normally busy paper pushing in their ivory towers. They are armchair warriors who probably used to know all about what you do but now have more money than time. If you are hoping to impress the reader by expressing your technical knowledge with words that only mean something to other eggheads, then you are wrong. The executive summary is not the area you want to do this in. If anything, you want to express highly technical data in layman's terms (where possible), which is the true mark of a great mind. Also, most very technical readers who are already in the weeds of your subject matter will probably skip the executive summary anyway, since they already know the 101 stuff. The executive summary is the lure to make them bite so you can reel them in. The rest of the document is going to be where you skin them and gut them with facts and stats. By the time they get to the conclusion, you can put a fork in them because they are done… their goose is cooked.. ok.. I am done.. because if they cannot take the heat they should get out of the kitchen.. ok.. NOW, I am done.

3. Summarize all the main points – One thing all executive summary types have in common is that they outline the document that they precede. So it is an overview of all of the main points of the remaining document, which is why the executive summary is sometimes the last thing you write.

4. Leave a good impression – Since the executive summary is the first thing your reader will see, it is important to grab their attention, highlight the main points and get it right the first time. For entrepreneurs presenting a business plan, a shoddy or even mediocre executive summary with no impact is a waste of time. In the same way, a bad executive summary in my security authorization package hurt the credibility of the rest of our system's security plan. Remember, the people reading this are usually manager types. They walk a tightrope in a world of words and political slippery slopes, and for them perception is reality. They assume that if the executive summary is bad, then you must be the anti-christ.

5. Get to the point – Being concise is important for security authorization packages, security plans and other technical executive summaries. Keep in mind that the types of reader that actually need an executive summary are very busy people. They do not have time for fluff. Get to the point as efficiently as possible.

6. Proofread it and peer review it – The last thing you need to do is to re-read what you wrote. Spell check it, double check each sentence and have someone else read it to make sure it is accurate and written well.

In my (recent) experience, the really terrible thing about writing a bad executive summary is that I have written a lot of these for business and technical packages. Once you have all of the material, they are pretty easy. Having a manager correct me on basic stuff was a real slap in the face. Don't let this happen to you. You are better than that. Your project and/or product deserves more.

References and other places to get more info on executive summaries:
- http://www.fsb.miamioh.edu/fsb/content/programs/howe-writing-initiative/Writing%20an%20Executive%20Summary.pdf
- “Writing Guide: Executive Summaries”. Colorado State University. Retrieved 13 June 2011.
- “Executive Summary”. Howe Writing Initiative. Farmer School of Business, Miami University. Retrieved 13 June 2011.
- http://www.iea.org/textbase/npsum/weo2009sum.pdf
- http://en.wikipedia.org/wiki/Executive_summary


RMF Training Paths

I talked a little about IT RMF certifications in previous articles. One of my previous co-workers asked me more about Risk Management Framework training paths and I just wanted to add more on this subject. From my experience, the best common body of knowledge for training in the RMF space is the ISC2 CAP:

Risk Management Framework (RMF)
- Categorization of Information Systems
- Selection of Security Controls
- Security Control Implementation
- Security Control Assessment
- Information System Authorization
- Monitoring of Security Controls

Based on www.isc2.org, the ideal candidate will have the following:
- IT Security experience
- Information Assurance experience
- Information Risk Management experience
- Certification
- Systems Administration
- One to two years of general technical experience
- Two years of general systems experience
- One to two years of database/systems development/network experience
- Information Security Policy
- Technical or auditing experience within government, the U.S. Department of Defense, the financial or health care industries, and/or auditing firms
- Strong familiarity with NIST documentation

A higher level of NIST RMF study goes beyond the Certified Information Systems Security Professional (CISSP). This body of knowledge is a concentration of the CISSP called Information Systems Security Engineering Professional (ISSEP). There are four domains for the ISSEP:
- Systems Security Engineering
- Certification and Accreditation (C&A) / Risk Management Framework (RMF)
- Technical Management
- U.S. Government Information Assurance Related Policies and Issuances

The ISSEP includes everything from the CAP but also includes other policies, issuances and processes that you find within the government. The CAP and ISSEP together are the best path to understand and master the RMF.


RMF Lesson Learned

Speaking from my own experience, I would say the following are my biggest lessons learned from working on large RMF projects:
- Know the risks of the system
- What is the impact if the system goes down
- Fit the RMF controls to the system
- Keep all stakeholders in the loop

Know the risks of the system. As you go into an RMF project you should get to know the system and/or network environment well enough to understand not only the functions of the system and its assets, but where the known and potential vulnerabilities may be. You will also need to do research on the most likely threats (internal and external to the system). If you know the basic characteristics and functionality of the system, its vulnerabilities, and the likely threats to the vulnerabilities of the assets, you will be able to determine the qualitative or quantitative risks.

Lesson I learned: Risk assessment is a continuous process.

What is the impact if the system goes down. Once you have an idea of the risks to the asset, you will need to consider the impact to the organization and/or mission if the system does have its confidentiality, integrity or availability compromised. How long can the system lose connectivity? And what happens when availability is lost? Who is contacted if availability is lost? Who is the POC if secrets are leaked? What is the most important area of protection on the system? Is availability of the system more important than confidentiality and integrity? You need to focus on the value of the data to the customer and the data owner.

Lesson I learned: Knowing the value of the data is the key to understanding the system itself and what needs to be protected.

Fit the RMF controls to the system. Once you know the system's asset characteristics, vulnerabilities, most likely threats, and impact if the system goes down, you will have a better idea of what controls will be most useful. You will have a solid argument on WHY certain controls can be skipped while others must be met. AND you know the security posture and the security classification of the system. The classification of the system comes from the Information System Owner. Security professionals can make recommendations, but we are not the decision makers; we don't own the system so it's not our call. YES, we are sometimes called upon to help make a decision or even develop a recommendation, but the final decision is in the hands of the System Owner. Classification of the system will give a better idea of the importance of the confidentiality, integrity and availability of the data, making it easier to select NIST 800-53 controls. Once you know what controls need to be applied to mitigate known vulnerabilities, you have armed yourself with some facts to take to others involved in the project.

Lesson I learned: The goal is not to apply every security control, but to make the system secure.

Keep all stakeholders in the loop. Who are stakeholders? These are the individuals and organizations with a vested interest in the success of the project as a whole. The term stakeholders is not always used. Sometimes it's called the RMF Team and it used to be called the DIACAP Team. Whatever you call it, this group includes but is not limited to: the System Owner, Information System Officer, Information System Security Manager, Information System Security Officer, technical staff, and user representative.

The Information System Owner is the person(s) controlling the budget of the project. They are usually too busy to attend every meeting but without them there might not be the political will to continue. They are sometimes represented by the user representative, who is mostly concerned with maintaining functionality of the system as security controls are applied. The Information System Security Manager's (ISSM) involvement is managing the work of the Information System Security Officer (ISSO) and making recommendations to the system owner and/or the upper management who controls the budget. Sometimes the ISSO and the ISSM are the same person. The ISSO works directly with the technical staff to apply security controls or produce/find security artifacts to support evidence of security controls. The technical staff might consist of a system administrator, a system security engineer, a network/firewall engineer or whoever is going to be applying security controls on the system.

Lesson I learned: The more the stakeholders know about what is going on, the better.

How do you tell the RMF stakeholders what they need to know? Meetings, webcasts, one on one, emails or some combination of all. You need to be straightforward and realistic with all parties involved. For example, if there is a need for an approved enterprise firewall that will cost no less than 10,000 USD, don't try to sugar coat this fact by telling them they can get a cheap firewall from Best Buy. Be honest about how much time the RMF process will take. It's a lot of work, and a lot of the time it depends on others getting you the right documentation, so you have to factor that into the total time. If you don't know, find out. Do all your homework so that you can let the team know the details of the project, what is driving the need for the RMF, and the impact if it is not completed.

Lastly (and this is important), make sure the team knows that you are on their side. They need to know that you are part of the team and want to enable the functionality in a secure way. For some reason, some security professionals don't care about customer service and want to bite the hand that feeds them. You can give good service and good security. In other words, you can be a security pro without being a DICK!


cism certification

I have known a few people with the Certified Information Security Manager (CISM) certification. I don't think it holds as much weight as the CISSP, but then again I am biased. The industries that I have worked in (federal) give the CISSP a pretty high level of trust for general security management type work. But I have heard that the financial world (banks, investment firms) gives more weight to the CISA and CISM.

The CISA (Certified Information Systems Auditor) and CISM are closely related and kind of cut from the same cloth. They are both from ISACA. Since both the CISM certification and the CISA are on the DoD's approved list of certifications, it's a pretty valuable certification. I noticed that those with security manager aspirations go for the CISM. It's a well-respected certification and is often put on the same level as the CISSP for high-level security positions.


DIACAP transition to RMF for DoD IT slides

Intro:
- DoDI 8510.01, DoD Information Assurance Certification & Accreditation (DIACAP), is being replaced/modified by DoD 8510, Risk Management Framework for DoD IT (the RMF)
- NEW 8500 based on the NIST SP 800 series

DIACAP to the RMF Authority:
- Teri M. Takai, Defense CIO (former ASD(NII)), is the authority behind the transition from DIACAP to the RMF

“The DON will continue to use the DoDI 8500.2 as the authoritative source for security controls until otherwise specified. However, understanding the changes represented in NIST SP 800-53r3 will be essential as DoD and the DON begin transitioning to this new set of security controls. To support the transition, the DON CIO developed this security control mapping document to demonstrate how existing DoD and IC security controls map to the security controls recommended by the NIST SP 800-53r3 publication.” —DON CIO

Future of DIACAP:
- DIACAP KS “C&A Transformation” pages introduce some of the coming changes
- DIACAP has a “Risk Management Framework Transformation Initiative” underway
- Provides information on use of NIST SP 800-53, NIST SP 800-37, and CNSS Instruction 1253
- Introduces changes being made to DoDD 8500.01, DoDI 8500.2, and DoDI 8510.01

http://youtu.be/7BC7tgCBtyo


dod cert

I have been trying to sort out which organization within the DoD is the actual “DoD CERT”. Since the DoD changes its organizational structure so frequently in an attempt to satiate new heads of agencies and keep up with rapidly changing threats and socio-economic structures, it's hard to follow the nuances even if you are IN the DoD. Here is what I came up with; it's no globalsecurity.org, but here is my take on it from an IT security/risk management perspective.

According to Air University (au.af.mil), the DoD Joint Task Force – Global Network Operations (JTF-GNO) used to be called the DoD Computer Emergency Response Team (DOD CERT). Actually, back when JTF-GNO was still called JTF Computer Network Operations (JTF-CNO), it had a division that was DoD CERT. JTF-GNO has been absorbed into United States Cyber Command (USCYBERCOM). So Cyber Command now assumes all the “DoD CERT” responsibilities. Each unit within each branch of the DoD has slight variations on how incident reporting is handled, but many of the major security incidents find their way to USCYBERCOM.

USCYBERCOM is under United States Strategic Command (USSTRATCOM). According to CJCSI 6510.01F, Information Assurance (IA) and Support to Computer Network Defense (CND), the USSTRATCOM commander is to “Coordinate with and support as directed the National Cyber-Response Coordination Group (NCRCG) and U.S.-Computer Emergency Response Team (US-CERT)”. Combatant commanders are to “Conduct network defense crisis action and contingency planning in coordination with United States Cyber Command (USCYBERCOM)”. So USCYBERCOM has pretty much taken the role of DoD CERT.

All of the other units and branches of the DoD report to USCYBERCOM via their own “cyber command”:

Army Cyber Command (ARCYBER) controls Army Network Enterprise Technology Command / 9th Army Signal, and the Army Intelligence and Security Command, which controls Army CERT Computer Network Operations.

ACERT – CNO – The Army website for free virus software is the site for the U.S. Army Computer Emergency Response Team – Computer Network Operations, which can be found at: https://www.acert.1stiocmd.army.mil You will need your Army Knowledge Online user name and password or your Common Access Card to log on to the site and download fully licensed versions of professional-grade antivirus software at no cost. The site also offers other computer protection software such as anti-spyware programs.

Fleet Cyber Command – With command of land, sea and air, the US Navy Fleet Cyber is probably the most powerful communications military force in the history of mankind! Their mission: “Fleet Cyber Command is to serve as central operational authority for networks, cryptologic/signals intelligence, information operations, cyber, electronic warfare, and space capabilities in support of forces afloat and ashore” –navy.mil. Beneath Fleet Cyber are the following organizations:
- Navy Cyber Defense Operations Command – NCDOC probably has the closest thing to a “DoD CERT” type organization.
- Naval Information Operation Commands
- Combined Task Force

AFNOSC NSD (formerly AFCERT)??? I am not sure about the Air Force. Maybe 24th Air Force (AFCYBER), but I cannot pin it down. USCYBERCOM.. I am not sure what they are doing..
- 67th Network Warfare Wing
- 688th Information Operations Wing
- 689th Combat Communications Wing

Reference:
- http://www.dtic.mil/cjcs_directives/cdata/unlimit/6510_01.pdf
- http://www.us-cert.gov/


Information security officer

Information security officer (aka information system security officer, ISSO) is an important role in the risk management process. In fact, they are often the foot soldiers “charging the hill” during the entire risk management framework process.. (or sometimes, “ice skating uphill”). The information system security role begins at the initiation phase of the System Development Lifecycle (SDLC). According to NIST SP 800-37, “The information system security officer is an individual responsible for ensuring that the appropriate operational security posture is maintained for an information system and as such, works in close collaboration with the information system owner”. In the legacy DIACAP days this role was called Information Assurance Officer (IAO). The ISSO role is created and managed by the Information System Security Manager (ISSM).

The information security officer is often expected to cover multiple security disciplines, not limited to technical, administrative or even physical security.

From a technical perspective, the ISSO can be tasked with doing continuous monitoring of threats, data loss prevention, and detecting and resolving vulnerabilities using tools like security information and event management (SIEM) systems, vulnerability scanners, and anti-virus servers. They may assist the system administrators in implementing required security patches. They may have to review code for security flaws, help with initial security architectures, conduct incident handling or any number of technical security tasks.

The administrative “to do list” of an information security officer might include creating, editing or reviewing security policies. They may write standards, guidelines and best practices related to the security features of systems. Paperwork and policy in security require a LOT of meetings and coordination with other parts of an organization. The ISSO must be very good at dealing with technical subject matter experts and managers at every level, since they are often the one in the middle of everything.

Information security officers are sometimes in charge of making sure the physical security surrounding the information system is commensurate with the level of the information that needs to be protected. That means that if the information on the asset is classified, it may have to have MORE physical security than a system that processes data on a web server for the public. To do this, the ISSO will have to work with facility managers, security guard services and even building developers (in some cases). They may also have to do crypto security.

The overall job of the ISSO is to maintain the security posture and security baseline of the system. For this reason they often wear many hats.
