This presentation describes a model for cyber mission assurance (CMA) in a system of interest to aid in the engineering of adequate security to realize system resiliency. The model uses CAMEO in a UAF framework that links the attainment of CMA targets to security functions allocated in a system architecture and realized through security mechanisms.
The model leverages the NIST Cybersecurity Framework (CSF) Core as the basis for the activities necessary to allocate security within a system. The CSF Security Outcomes are set as targets (on a 5-level ordinal scale) based on the loss consequence of the system and the threat context of the operating environment. The CSF Security Outcomes (also known as subcategories) are used to elicit a set of system cybersecurity requirements (SCSRs) that will achieve the CMA targets, and the sufficiency of those requirements is then assessed based on strength of mechanism, security assurance, and process maturity of the security outcomes. The allocation of security in the system is measured through the verification of requirements that are chosen to meet measures of effectiveness (MOEs) and measures of performance (MOPs) for the required mission capability.
The security functions are used along with the MOEs to make architectural decisions for the security architecture allocated to the system. The requirements are verified as sufficient, and then used with the MOPs to select security mechanisms that satisfy Technical Performance Measures (TPMs) for security in the technical domain, physical environment, and processes.
At the end of system validation, a Cybersecurity Authorization Package is created that details the target CMAs and the objective evidence that the traceable SCSRs, security mechanisms, and all the associated assurance and maturity have been met across the SDLC and the development and implementation environment. This allows the System Owner to accept the risk of operating the system in the Mission Context.
Perry Dombowsky is a System Security Engineer with 40 years of experience in military systems, communications and networking, and designing security into information systems at all classification levels as well as into operational technology systems for maritime transportation and military platforms.
Drew Smeaton is a Systems Security Engineer with almost 40 years of experience in military systems, public key infrastructure, information system security, and securing operational technology systems in maritime transportation and military platforms.
Drew and Perry are founding partners of SSENG Group (pronounced "S, S, Eng"), short for "systems security engineering group", a company dedicated to furthering the education of system security engineering and advancing the "engineering" of security within systems. They are both members of INCOSE, AFCEA, and ISC2.