© Life Cycle Institute

Slide 1
Cybersecurity Risk Management Framework Strategy for Defense Platform Systems Workshop
Slide 2
Cybersecurity ensures information technology systems are available, reliable and secure.

Cybersecurity is…
• Software and hardware based
• Technical and non-technical
• Based on information from NSA, DoD, DISA and DoN
Slide 3
Participants will learn how to:
• Explain the context of cybersecurity in Defense Platform IT (PIT) systems
• Summarize how to apply the NIST Risk Management Framework to Defense Platform IT (PIT) systems
• Estimate requirements and resources to address cybersecurity compliance in their organization/infrastructure
Slide 4
Cybersecurity Risk Management Framework Strategy for Defense Platform Systems Workshop
• 1-day workshop
• 0.7 Continuing Education Units (CEUs)
• Private: workshops may be tailored to your specific needs and delivered at your site.
Slide 5
Who Should Attend
• Individuals and teams responsible for the application of the Risk Management Framework
• People with funding authority for security. For example:
  – DoD Program Managers
  – Technical Managers
  – Technical Directors
  – Requirements Officers
  – IT Managers
Slide 6
Review the Five Functions of Cybersecurity
• Identify
• Protect
• Detect
• Respond
• Recover
Slide 7
Platform Information Technology (PIT)

PIT: computer resources that are physically part of, dedicated to, or essential in real time to the mission performance of special-purpose systems.

The PIT process is a modified form of the DIACAP process. Differences include:
• Signature approval cycle - the Certification Authority (CA - SPAWAR 05) is not involved in the PIT signature chain
• Information Assurance Controls (IACs) are less restrictive than in DIACAP

PIT Training
• Because the PIT process is so similar to DIACAP, there is no separate training available.
  – The DON-CIO PIT Policy of Feb 2010 applies until the RMF transition.
• Upon transition to RMF, PIT will be treated the same as any other IT system.

PIT Structures
• Aboard or on a platform
• Standalone
• Interconnection to other platform IT
• Interconnection to other non-platform IT
Slide 8
Risk Management Framework (RMF)
• Replaces DIACAP
• 6-step process
  – aligns to DIACAP phases

The six steps:
1. Categorize
2. Select
3. Implement
4. Assess
5. Authorize
6. Monitor
Slide 9
RMF vs. DIACAP

RMF | DIACAP
Security requirements and standards uniquely determined by each system. More granular than DIACAP. PIT is included. | All systems inherit enterprise standards and requirements. PIT systems have a separate process.
Validator is a qualified, resourced, and permanent member of the CIO staff | Validator is a qualified, resourced, and permanent member of the CIO staff
6 steps (analogous to phases) | 5 pre-defined phases. Each system works to a plan that aligns to the system life cycle
Accreditation status communicated via letter and status code (IATO, ATO) in eMASS | Accreditation status communicated by assigned IA controls' compliance ratings and letter and status code (ATO, IATO, ATT) in the DIACAP Scorecard
Automated tools, enterprise-managed KS, requirements tied to architecture | Automated tools, enterprise-managed KS, requirements tied to architecture
ATO means security risk is at an acceptable level to support mission and live data | ATO means security risk is at an acceptable level to support mission and live data
Continuous asynchronous monitoring; reaccreditation TBD; reviewed annually; FISMA reporting | Continuous asynchronous monitoring; reaccreditation every 3-4 years; reviewed annually; FISMA reporting
Slide 10
Learn to apply RMF
• Identify cyber threats
• Assign control strategies
• Analyze the costs and benefits of secure designs
Slide 11
Reasons to Choose the Life Cycle Institute
• Extensive cybersecurity experience within the DoD and commercial sector
• We provide vulnerability scanning, penetration testing, risk analysis and remediation services
• Our engineers are qualified mentors for industry-leading security trainers
• An active learning experience
  – Learning by doing vs. lecture
  – Group activities, assessments, case studies
  – Network with peers
  – Develop action plans to drive results post-training
Slide 12
Education@LCE.com
www.LCE.com
800-556-9589

The Life Cycle Institute is the learning, leadership and change management practice at Life Cycle Engineering.