Shift Left
Feb 2013
DISTRIBUTION STATEMENT A – Cleared for Open Publication by OSR on January 17th, 2013 – SR case number 13-S-0851
Dr. Steven J. Hutchison
Acting DASD(DT&E)/D, TRMC
March, 2013
Working with stakeholders to develop a persistent, rapidly composable, secure representation of the operational environment
Test & Evaluation
Operations
Performance Reliability
DT&E for Complex Systems
System Integration Labs
Training
Experimentation
Modeling & Simulation
JIOR
JMETC
Interoperability Cybersecurity
Cyber Range
DoD Acquisition Model
Test, Evaluation, Certification
Late to Need!
DIACAP
Security T&E
20-20 Hindsight
What did we know?
What did we test?
To reduce discovery late in the acquisition lifecycle,
• test in mission context,
• against realistic threat,
and…
Shift Left!
DOT&E COCOM/Service
Interop & IA Assessments
Fielded systems:
• Interoperability issues
• IA vulnerabilities
Compliance with IA Controls and Interoperability Standards and Profiles: necessary but not sufficient
in an environment suited for that purpose
Interoperability
New CJCSI 6212 Language
• DOD Components will:
  – Ensure the Component Developmental Test and Evaluation (DT&E), Operational Test and Evaluation (OT&E) processes include mission-oriented NR KPP assessments
• DISA will
  – ensure JITC leverages previous, planned and executed DT&E and OT&E tests and results to support joint interoperability test certification and eliminate test duplication.
  – DASD(DT&E) shall approve Developmental Test and Evaluation plans in support of Joint Interoperability Test Certification as documented in the TEMP.
  – JITC shall advise DASD (DT&E) regarding the adequacy of test planning in support of Joint Interoperability Test Certification.
Increase emphasis on interoperability testing during DT&E and visibility at Defense Acquisition Boards
Information Assurance Policy
Information Assurance
Pending Revisions to DoD 8500
• Adopt the term: “cybersecurity”
• Implement Risk Management Framework (RMF) instead of Mission Assurance Category/Confidentiality Level (MAC/CL)
  – new guidance from the National Institute of Standards and Technology (NIST) and Committee on National Security Systems Instruction (CNSSI) documents on cybersecurity
• Lexicon Changes
  – Certification and Accreditation becomes Assessment and Authorization
  – Designated Approving Authority (DAA) becomes Authorizing Official (AO)
  – Certifying Authority becomes Security Control Assessor
  – Threat: any event with potential to cause harm to the network
  – Vulnerability: absence/weakness of safeguards to protect the network
  – Risk: likelihood that a threat will realize or exploit a vulnerability
Seeking to implement oversight of test planning in support of cybersecurity C&A (A&A)
Cybersecurity DT&E Process
Step 1: Understand Cybersecurity Requirements
Step 2: Characterize Attack Surface
Step 3: Understand Cybersecurity Kill Chain
Step 4: Cybersecurity DT&E
At Milestone A or B, with update at Milestone C: Understand system security requirements and develop an approach for cybersecurity DT&E.
Beginning at MS B: Characterize the attack surface: assess cybersecurity in component and system integration testing.
Post CDR: Assess cybersecurity of the system under test in a realistic mission environment; Blue Team testing to identify and mitigate known vulnerabilities; Red Team to identify potential exploits.
Prior to MS C: Full-up cybersecurity DT&E in a realistic mission environment, with use of cyber range, CNDSP, and cyber threat representation
Conclusion
To ensure timely fielding of proven capabilities to the Warfighter …
Shift Left!
• Improve production readiness
• Reduce discovery in IOT&E
• Improve acquisition outcomes
Mission context
Interoperability
Cybersecurity
Questions?