Cybersecurity Requirements for AM Systems: New Enforcement in DoD Environments, and Resources for Implementation

Mark J. Cotteleer, Simon S. Goldenberg, I. Wing, Oyindamola Alliyu, Stephen Kania, Veda Mujumdar, B. Sniderman
Citations: 0

Abstract

Cybersecurity Requirements for AM Systems: New Enforcement in DoD Environments, and Resources for Implementation
The Office of the Inspector General (OIG) for the US Department of Defense (DoD) released Audit of the Cybersecurity of Department of Defense Additive Manufacturing Systems (DODIG-2021-098) [1] in July 2021, to determine "whether DoD [sites] secured additive manufacturing (AM) systems to prevent unauthorized changes and ensure the integrity of the design data." The audit report recommends requiring "all AM systems to obtain an authority to operate in accordance with DoD policy before their use" [1], and requiring "AM system owners to immediately identify and implement security controls to minimize risk until obtaining an authority to operate." [1] The DoD Chief Information Officer (CIO) responded that existing DoD regulations require both of these for "all IT systems, including AM systems" [1]. Such cyber security rules can help guard against vulnerabilities such as design file theft or digital thread hacking, as well as unauthorized prints on AM systems that can impact the safety and integrity of parts used in defense systems, expose critical intellectual property to bad actors and even cause manufacturing facilities to shut down. To improve AM system vendors' understanding of these cybersecurity requirements for DoD and the US Government (USG), we discuss in this paper the process for obtaining an Authority To Operate (ATO) certification for an IT system per DoD and USG cybersecurity regulations, i.e., the Risk Management Framework (RMF) process from the US National Institute of Standards and Technology (NIST) [2]. We also describe resources for AM system vendors to understand and implement the RMF process for obtaining an ATO certification, particularly in the DoD environment.

[1] Department of Defense Office of Inspector General. 2021. Audit of the Cybersecurity of Department of Defense Additive Manufacturing Systems (DODIG-2021-098). https://www.dodig.mil/reports.html/article/2683843/audit-of-the-cybersecurity-of-department-of-defense-additive-manufacturing-syst/ Full report at: https://media.defense.gov/2021/Jul/07/2002757308/-1/-1/1/DODIG-2021-098.PDF

[2] NIST Information Technology Laboratory Computer Security Resource Center. 2021. About the Risk Management Framework (RMF): A Comprehensive, Flexible, Risk-Based Approach. https://csrc.nist.gov/projects/risk-management/about-rmf