Cybersecurity Risk Management Framework Strategy Workshop

1. 1© Life Cycle Institute© Life Cycle Institute Cybersecurity Risk Management Framework Strategy for Defense Platform Systems Workshop

2. 2© Life Cycle Institute Cybersecurity ensures information technology systems are available, reliable and secure Cybersecurity is… Software and hardware based Technical and non-technical Based on information from NSA, DoD, DISA and DoN

3. 3© Life Cycle Institute Participants will learn how to: Explain the context of cybersecurity in Defense Platform IT (PIT) systems  Summarize how to apply the NIST Risk Management Framework to Defense Platform IT (PIT) systems  Estimate requirements and resources to address cybersecurity compliance in their organization/infrastructure 

4. 4© Life Cycle Institute Cybersecurity Risk Management Framework Strategy for Defense Platform Systems Workshop 1-day workshop .7 Continuing education units (CEUs) Private Workshops may be tailored to your specific needs and delivered at your site.

5. 5© Life Cycle Institute Who Should Attend Individuals and teams responsible for the application of Risk Management Framework People with funding authority for security. For example: – DoD Program Managers – Technical Managers – Technical Directors – Requirements Officers – IT Managers

6. 6© Life Cycle Institute Review the Five Functions of Cybersecurity Identify Protect Detect Respond Recover

7. 7© Life Cycle Institute Platform Information Technology (PIT) PIT process is a modified form of the DIACAP process. Differences include: • Signature approval cycle - the Certification Authority (CA- SPAWAR 05) is not involved in the PIT signature chain • Information Assurance Controls (IACs) is less restrictive than in DIACAP PIT Training • Because the PIT process is so similar to DIACAP, there is no separate training available. – DON-CIO PIT Policy of Feb 2010 applies until RMF transition. • Upon transition to RMF, PIT will be treated the same as any other IT system. Aboard or on a platform Standalone Interconnection to other platform IT Interconnection to other non- platform IT PIT Structures Computer resources that are physically part of, dedicated to, or essential in real time to the mission performance of special-purpose systems

8. 8© Life Cycle Institute Risk Management Framework (RMF) • Replaces DIACAP • 6-step process – aligns to DIACAP phases Categorize Select Implement Assess Authorize Monitor

9. 9© Life Cycle Institute RMF vs. DIACAP Security requirements and standards uniquely determined by each system. More granular than DIACAP. PIT is included. All systems inherit enterprise standards and requirements PIT systems have a separate process. Validator is a qualified, resourced, and permanent member of the CIO staff Validator is a qualified, resourced, and permanent member of the CIO staff 6 Steps (analogous to phases) 5 pre-defined phases. Each system works to a plan that aligns to the system life-cycle Accreditation status communicated via letter and status code (IATO, ATO) in EMASS Accreditation status communicated by assigned IA controls’ compliance ratings and letter and status code (ATO, IATO, ATT) in DIACAP Scorecard Automated tools, enterprise managed KS, requirements tied to architecture Automated tools, enterprise managed KS, requirements tied to architecture ATO means security risk is at an acceptable level to support mission and live data ATO means security risk is at an acceptable level to support mission and live data Continuous asynchronous monitoring; reaccreditation TBD; reviewed annually, FISMA reporting Continuous asynchronous monitoring; reaccreditation every 3-4 years; reviewed annually, FISMA reporting

10. 10© Life Cycle Institute Learn to apply RMF Identify cyber threats Assign control strategies Analyze the cost and benefits of secure designs

11. 11© Life Cycle Institute Reasons to Choose the Life Cycle Institute Extensive cybersecurity experience within DoD and commercial sector We provide vulnerability scanning, penetration testing, risk analysis and remediation services Our engineers are qualified mentors for industry-leading security trainers An active learning experience Learning by doing vs. lecture Group activities, assessments, case studies Network with peers Develop action plans to drive results post-training   

12. 12© Life Cycle Institute Education@LCE.com www.LCE.com 800-556-9589 The Life Cycle Institute is the learning, leadership and change management practice at Life Cycle Engineering.