
Blue Teams Sharmila B. Vaswani-Bowles - Cyber Acquisition Blue Team - PowerPoint PPT Presentation



  1. Certification and Standards for Army Blue Teams
     Sharmila B. Vaswani-Bowles - Cyber Acquisition Blue Team (CABT) Management Office Lead
     Rolando Lopez - Lead Computer Engineer
     Ensuring Cyber Resiliency In All Phases of Acquisition

  2. The Cybersecurity Challenge in Acquisitions
     How a Typical Weapon System Program Lifecycle Looks Today
     [Figure: program lifecycle timeline showing the Risk Management Framework (RMF), Cyber Blue Team Events, and Cyber Red Team Events]

  3. The Cybersecurity Gaps
     Policy / Process / Execution Gaps
     • Compliance with RMF has not ensured cyber-secure systems
     • Cyber Red Teams have been effective, but identifying vulnerabilities late in the acquisition lifecycle is problematic
     • No strict certification and standardization requirements for Blue Teams (like there are for Red Teams) - PMs turn to whomever they can get to provide cooperative cybersecurity support
     • No mature or easily accessible central source for identified vulnerabilities and lessons learned
     • No centralized mechanism for reporting or communicating cybersecurity team activities

  4. Current Army Acquisition Cyber Team Comparison
     Blue Team                        Red Team (NSA Certified)
     • Insider                        • Outsider
     • Cooperative                    • Adversarial
     • Broad Focus                    • Threat Representative
     • As Early/Often as Possible     • Late in the Acquisition Cycle

  5. Cyber Acquisition Blue Team (CABT) Guiding Definition
     The definition at the core of CABT Management Office’s certified Blue Team is as follows: A group of individuals that conduct operational network vulnerability evaluations and provide mitigation techniques to customers who have a need for an independent technical review of their network security posture.
     The mission of Cyber Acquisition Blue Teams is to:
     • Identify security threats and risks in the operating environment.
     • Analyze network environments and their current state of security readiness.
     • Provide recommendations that integrate into an overall community security solution, increasing the customer's cybersecurity readiness posture.
     Source: CNSSI 4009, “Committee on National Security Systems (CNSS) Glossary,” APR 2015

  6. CABT - Concept of Support
     General Cybersecurity Assistance in Acquisition Lifecycle
     • Cyber SMEs habitually aligned, always on call
     • Incorporate cybersecurity in program plans and documents
     • Advise and assist throughout the entire lifecycle
     • Assist with contract language
     • Cyber Tabletop facilitation and participation
     • Advise on supply chain risks
     Early Cyber Blue Team Events
     • Vulnerability assessments
     • Formal and informal testing
     • Present PM with mitigation options
     • Provide PM with solid information to assess risk
     Central Vulnerability Aggregation & Analysis
     • Vulnerabilities centrally collected and analyzed
     • Identify trends and lessons learned
     • Pulled from programs across the Army in addition to public and Intel sources
     Information Sharing & Trends Reporting
     • Trends and lessons learned reporting
     • Information on Blue Team capabilities
     • Sharing of tools, TTPs, SOPs, etc.
     Cyber Information to PMs
     • Readily and easily available to PMs/PEOs
     • Can apply lessons learned from entire Blue Team community
     SME: Subject Matter Expert; TTP: Tactics, Techniques and Procedures; SOP: Standing Operating Procedures

  7. CABT Management Office - Lines of Effort
     POLICY & DOCTRINE
     • Certification Standards
     • CABT Manual
     • Guidebooks, Handbooks, and SOPs
     CERTIFY
     • Certification Evaluation Teams
     • Evaluator Scoring Metrics
     • Certification Events
     • Re-Certifications, Spot Checks & Revocations
     INFORM
     • Gather Data, Synthesize Lessons Learned, Educate and Connect PMs, CABTs
     • Quarterly Trends Reporting to ASA(ALT)
     ENABLE
     • Facilitate Sharing of Information, Tools, TTPs, SOPs, Best Practices, etc.
     • CABT Portal, Lessons Learned Repository, C3D, etc.

  8. CABT Certification Process
     Phases: PREPARATION, APPLICATION, VERIFICATION, VALIDATION, (CERTIFIED), POST-CERTIFICATION
     Blue Team Candidate Organization
     • Preparation: Secure funding, personnel, facilities and admin support; Create policies, procedures; Establish training program; Prepare application package
     • Application: Register to CABT Portal; Submit application package; Adjust and resubmit as necessary; Coordinate for on-site evaluation
     • Verification: Fund and host on-site evaluation; Provide documentation and access to facilities; Provide personnel for interviews and demonstrations
     • Validation: Execute deficiency POA&M; Receive certification memo signed by the Certifying Official; Create POA&M for all uncorrected deficiencies
     • Post-Certification: Conduct self-assessment; Support re-evaluation as needed
     CABT Management Office
     • Preparation: Manage certification processes, standards, and systems; Provide standards, checklists, examples; Provide information access, clarification; Facilitate training opportunities
     • Application: Form evaluation team and review application package; Provide constructive feedback on any non-concurrence issues; Coordinate on-site evaluation with team and candidate
     • Verification: Conduct on-site evaluation: In-brief, interviews, analysis, completion of scoring matrix, spot corrections, and out-brief; Provide deficiency report, review POA&M
     • Validation: Prepare and route certification memorandum to Certifying Authority; Provide signed certification memo to candidate, keep copies
     • Post-Certification: Track Blue Team activities; Conduct spot checks for adherence to standards; Review annual self-assessment; Conduct recertification every 3 years; Re-evaluate as needed
     NSA-Certified Red Teams
     • Preparation: Assist providing training, lessons learned, ride-alongs, documents, etc.
     • Verification: Provide personnel to support Certification Evaluation Team as needed
     • Validation: Provide personnel to support Certification Evaluation Team as needed
     • Post-Certification: Advise, assist & support regarding open network activities
     Certified CABTs
     • Preparation: Assist providing training, lessons learned, ride-alongs, documents, etc.
     • Verification: Provide personnel to support Certification Evaluation Team as needed
     • Validation: Provide personnel to support Certification Evaluation Team as needed
     • Post-Certification: Adhere to standards; Support CABT-MO Lessons Learned process; Actively share information & tools w/community; Annual self-assessment; Full recertification every 3 years

  9. Evaluation Scoring Metrics
     • The ESM is the scoring document used by the Certification Evaluation Team (CET) during the execution of a CABT certification assessment.
       − The ESM serves to inform the decision to certify a Candidate CABT and accompanies the CABT Management Office’s recommendation for/against certification to the Certifying Authority.
     • The ESM contains:
       − High-level rules/guidance that the CET members should follow during an assessment;
       − 118 prioritized (I, II, III) evaluation items in Question-Answer format; and
       − Minimum Requirement statements that further define the expected “answers” to each ESM item that the CET members are seeking.

  10. Lessons Learned Initiative
     • Aggregating vulnerabilities can cause issues
     • Repository of system vulnerabilities can increase classification
     • Analyze data from Blue Team events to derive and share trends & lessons learned
       − Meets the intent without all the issues of a vulnerabilities repository
       − “Sanitize” data to safeguard system anonymity
       − Utilize other means (e.g., CABT Portal, C3D, etc.) for the sharing of tools, CABT info, and other subjects of interest
       − Soliciting feedback from PMs and prospective blue teams

  11. Organizational and Personnel Blue Team Standards
     Bridging from Blue Team Organizational Standards Assessment to Blue Team Personnel Standards Assessment
     • Currently, a Blue Team is assessed at the organizational level by the Evaluator Scoring Metrics (ESM) when undergoing the certification process.
     • As the certified Blue Team community matures in capability, we would like to assess the effectiveness of the Blue Teams’ personnel training programs to ensure competence of individual Blue Team members.
     • This approach requires striking a delicate balance between the need to standardize a baseline level of individual competence and the need to provide Blue Team organizations the agility to maintain their respective mission-centric training programs.

  12. Future Efforts
     Assess Blue Team Personnel Standards Using a Cybersecurity Capture-the-Flag (CTF) Event
     • Map the ESM items to well-vetted Knowledge, Skills, and Abilities (KSAs).
       − Sources include: NIST NICE Framework
       − Conduct a gap analysis and create additional KSAs as required to ensure 100% coverage of the ESM items
     • Create a Cybersecurity CTF event which assesses the skills and abilities of participating Blue Team members.
       − Individual objectives for capturing flags can be tailored to personnel skill levels (e.g., Apprentice, Journeyman, Master/Lead)
       − Pilot the CTF on the DoD National Cyber Range and host it on the U.S. Army’s Persistent Cyber Training Environment (PCTE) platform
