Defense Industrial Base Outreach
Date: June 28, 2019 | 1:30 - 3pm
Location: DreamPort Facility in Columbia MD
This event is full. Registration is closed.
Call for Automated Cybersecurity Posture Determination
Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure and their systems, placing the Nation's security, economy, and public safety and health at risk. Similar to financial and reputational risks, cybersecurity risk affects a company's bottom line as well as our nations' security. Further, it can harm an organization's ability to innovate and to gain and maintain the United States' competitive advantage.
To better address these risks, the Cybersecurity Enhancement Act of 2014 (CEA) updated the role of the National Institute of Standards and Technology (NIST) to include identifying and developing a cybersecurity risk framework for voluntary use by critical infrastructure owners and operators. Through CEA, NIST must identify "a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls that may be voluntarily adopted by owners and operators of critical infrastructure to help them identify, assess, and manage cyber risks." This formalized NIST's previous work developing Framework Version 1.0 under Executive Order (EO) 13636, "Improving Critical Infrastructure Cybersecurity" (February 2013), and provided guidance for future Framework evolution. The Framework developed under EO 13636, uses a common language to address and manage cybersecurity risk in a cost-effective way based on business and organizational needs without placing additional regulatory requirements on businesses.
The Defense Federal Acquisition Regulation Supplement (DFARS), Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires contractors to provide "adequate security" for covered defense information that is processed, stored, or transmitted on the contractor's internal information system or network. The department must mark, or otherwise identify in the contract, any covered DoD information that is provided to the contractor, and must ensure that the contract includes the requirement for the contractor to mark covered defense information developed in performance of the contract. To provide adequate security, the contractor must, at a minimum, implement NIST SP 800.171r1 – Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.
The Framework offers a flexible way to address cybersecurity, including cybersecurity's effect on physical, cyber, and people dimensions. It is applicable to organizations relying on technology, whether their cybersecurity focus is primarily on information technology (IT), industrial control systems (ICS), cyber-physical systems (CPS), or connected devices more generally, including the Internet of Things (IoT). The Framework can assist organizations in addressing cybersecurity as it affects the privacy of customers, employees, and other parties.
DreamPort, USCYBERCOM's Mission Accelerator®, seeks to identify and evaluate companies that have automated collection and analysis methods that do not require human intervention for measuring the cybersecurity posture of at least 20 Defense Industrial Base companies against NIST SP 800.171r1, and to promote transparency and innovation by enabling the public, academics, experts, and industry to comment on how best this can be accomplished.
First, the USCYBERCOM and DreamPort will host an information session on 28 June 2019 at 1:30pm with all interested parties to discuss specific requirements as well as other topics raised by questions and comments received in advance. The information session will be at DreamPort (7000 Columbia Gateway Drive, Columbia, MD). Second, interested parties are encouraged to submit written responses to any or all of the following REQUIREMENTS listed below. All responses are limited to 20 pages inclusive of product descriptions, marketing materials, competitive analysis, etc. All security controls are outlined in the attached MS Excel spreadsheet. Each submission must complete the attached spreadsheet indicating their ability to automatically complete an assessment of each control. In addition, each company must include a presentation not to exceed 10 slides that address their approach to meeting the REQUIREMENTS presented below. Further details will be provided at the 28 June 2019 industry presentation.
Requirement 1
The product(s) should have the ability to continuously and quantitatively assess the level and confidence of security controls (refer to the security requirement family table listed below and the sample breakout that maps to NIST SP 800.53). The quantitative assessment should test against the relevant NIST SP 500.53 controls.
| Family | Family |
|---|---|
| Access Control | Media Protection |
| Awareness and Training | Personnel Security |
| Audit and Accountability | Physical Protection |
| Configuration Management | Risk Assessment |
| Identification and Authentication | Security Assessment |
| Incident Response | System and Communications Protection |
| Maintenance | System and Information Integrity |
What follows is an example.
| Security Requirements | NIST SP 800-53 Relevant Security Controls | |
|---|---|---|
| 3.1 Access Controls | ||
| Basic Security Requirements | ||
| 3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). 3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute. |
AC-2 | Account Management |
| AC-3 | Access Enforcement | |
| AC-17 | Remote Access | |
| Derived Security Requirements | ||
| 3.1.3 Control the flow of CUI in accordance with approved authorizations. | AC-4 | Information Flow Enforcement |
Requirement 2
Technical controls can be tested and/or verified by automated systems such as vulnerability scanners, application scanners, or configuration management systems to name a few. The product(s) should have the ability to measure and quantify not only Technical controls, but Policy controls where feasible.
Requirement 3
The product(s) should have the ability to aggregate measurements resulting from testing into a quantifiable score consistent with NIST defined maturity-levels and appropriately align results to the five core functions of the NIST Cybersecurity Framework.
Requirement 4
The product(s) should have the ability to evaluate the state of each control against different attack vectors e.g., target, attacker role, attack vector, and link.
Requirement 5
The product(s) should have the ability to map out the network environment and provide the ability to view the network at different levels of granularity (e.g., drill-downs) in an intuitive manner.
Requirement 6
The product(s) should have the ability to provide recommendations when vulnerabilities or attack susceptibilities are identified within the network environment and aggregate that information against common targets associated with the vulnerability or susceptibility.
Requirement 7
The product(s) should have the ability to measure and quantify vulnerabilities and present patterns and risk over time.
Requirement 8
The product(s) should have the ability to model supply chain vulnerabilities and dependencies across third- and fourth-party suppliers, and present patterns and risk over time.
Requirement 9
The product(s) should have the ability to aggregate data across multiple organizations e.g., geographically separated organizations and partners.
Requirement 10
The product(s) should have the ability to display data on a map and assert a cyber posture by company and industry. Each submission must include at least three industries on the map.
Each company will be given 21 days after the industry conference to provide their responses to USCYBERCOM and DreamPort. Each submission will be reviewed, and the top five submissions will be invited to DreamPort to demonstrate their tools and results at DreamPort. The DreamPort team will work with each company so they can run their product(s) on a live network to prove they can automatically assess a security control. The top presentation that meets, or exceeds, all the REQUIREMENTS will receive $25,000.
Register with the Defense Industrial Base Outreach.
Companies should also fill out the NIST-SP-800-171_800-53_Mapping v1 matrix and email it to contact at misi dot tech – This is a matrix that we recommend each potential vendor complete to demonstrate their capability maps to all policy and technical controls.
Register
Register with the Defense Industrial Base Outreach.
Information Session: June 28, 2019 | 1:30 - 3pm
Responses Due: July 19, 2019
Prize: $25,000
Send Questions to: contact at misi dot tech
Companies should also fill out the NIST-SP-800-171_800-53_Mapping v1 matrix and email it to contact at misi dot tech – This is a matrix that we recommend each potential vendor complete to demonstrate their capability maps to all policy and technical controls.
Register with the Defense Industrial Base Outreach
About USCYBERCOM
USCYBERCOM plans, coordinates, integrates, synchronizes, and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries. Visit http://www.cybercom.mil/ to learn more.
