Integrating cybersecurity into NAVAIR OTPS acquisition

Thomas Combass, A. Shilling
Published in: 2016 IEEE AUTOTESTCON (September 2016)
DOI: 10.1109/AUTEST.2016.7589632 (https://doi.org/10.1109/AUTEST.2016.7589632)

Abstract

Assessment of cybersecurity vulnerabilities and their associated risks is a prevalent and growing requirement for the Operational Test Program Set (OTPS) acquisition and development communities. In August 1992, the Defense Information Systems Agency (DISA) developed the Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP), an assessment process for all Department of Defense (DoD) information systems. Its accreditation and requirements process was service-specific and system-centric. In July 2006, the DoD Information Assurance Certification and Accreditation Process (DIACAP) was issued. DIACAP implemented enterprise-wide Information Assurance (IA) through a standardized set of IA controls, with continuous monitoring and annual reviews of each system's security posture. The current process, implemented in May 2014, is the Risk Management Framework (RMF). RMF is a more dynamic and integrated process than its predecessors: instead of DoD-defined security controls, it draws on Committee on National Security Systems Instructions (CNSSI) for its risk assessment guidance and on National Institute of Standards and Technology (NIST) publications for its security control references. Under RMF, all Information Technology (IT) is placed into four broad categories: Information Systems (IS), Platform IT (PIT), IT services, and IT products. Fundamentally, every DoD IT asset must be categorized, and security controls must be tailored to and implemented for that specific asset. Operational Test Program Sets mainly fall into the PIT category; however, there are circumstances in which an OTPS is an IS, or falls into any number of ambiguous areas.

Since only generic, high-level guidance is provided for evaluating PIT, guidelines for evaluating PIT OTPSs will be summarized. Also, because not all OTPSs are PIT and it may not be immediately clear which system category a given OTPS falls into, guidelines will be created to define these systems so that they can be evaluated properly. For the majority of OTPSs, risk categorization, control selection, and assessment will occur during the acquisition lifecycle. Case studies of OTPSs will be analyzed and discussed: an OTPS that is PIT, an OTPS that is an IS, and ambiguous examples. In each of these cases, the question of task dependence versus the definition of what makes a particular OTPS a PIT or an IS will be explored.