Design and Develop a Methodology, Framework and Tool to Assess, Simplify and Automate Cybersecurity Controls and Reporting

Description:

TECHNOLOGY AREA(S): Air Platform 

OBJECTIVE: Design and develop a methodology, framework and tool to assess, simplify and automate cybersecurity controls and reporting 

DESCRIPTION: The DoD has moved to the Risk Management Framework (RMF) to manage the cyber posture of aircraft platforms. As a part of the RMF process, each platform must complete an analysis of cyber controls to be documented in the Security Controls Traceability Matrix (SCTM). The basis for the controls is in the National Institute of Standards and Technology (NIST) Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. AFLCMC has documented a subset of the NIST controls applicable to an aircraft platform, referred to as the aircraft overlay, as well as a set of controls that provide cyber resilience, referred to as the cyber resiliency controls. Many of the controls are organizationally based and may be governed by DoD and/or Air Force (AF) Instructions, guidance, handbooks, and operating instructions. Evidence of implementation of NIST controls should then be documented by unit self-inspection results contained in the Management Internal Control Toolset (MICT) and/or inspection data contained in the Inspector General Evaluation Management System (IGEMS). MICT is a web-based, real-time automated self-assessment (SA) program for accessing SA checklists from the repository within MICT. IGEMS is a web-based software program that serves as an inspection tool covering planning, executing, reporting, and corrective action management. In addition, the NIST controls are based on an enterprise information technology system and are not readily understood by aircraft operators and maintainers. The goal of this STTR Topic is to create a tool to simplify and automate security controls analysis and reporting.
The tool and framework must mine the data from different DoD and AF Instructions, Guidance, and Operating Instructions to establish a mapping between NIST controls and governing instructions, which can then support verification of implementation, compliance, and effectiveness of the controls by searching through MICT, IGEMS, and other identified sources. The tool will analyze and determine which portions of the identified sources are related to, and match, the appropriate NIST controls. The language-analysis portion of the tool would allow verification of implementation and compliance via MICT or IGEMS. The tool would guide the users with platform-applicable questions to determine a control's applicability to implement for the aircraft overlay and cyber resiliency controls. Based upon the user's responses, the tool would tailor the applicable cybersecurity controls. The tool will maintain access to repositories of controls, correlated data, and questions. The tool would allow changes, updates and import of new data, controls, and questions. The tool would populate the results into a SCTM template. A sample of pre-determined documents will be identified by the Government that meet the criteria and would normally be selected if going through the process manually. The tool's ability to also select this sample of documents will be the gauge of accuracy. Furthermore, a sample of the controls selected by the tool will be manually checked for accuracy. The metric for evaluating the proposed framework and tool is 80% accuracy of selecting the set of sample documents and security controls for aircraft.

PHASE I: Design a methodology, framework and tool to mine data from different DoD and AF Instructions, Guidance, Operating Instructions and MICT, to determine their applicability to aircraft overlay and cyber resiliency, maintain the database for cybersecurity controls and questions and populate the results to SCTM template. Provide a proof-of-concept design and methodology to demonstrate the feasibility of the proposed tool and framework. 

PHASE II: Based on the result from Phase I, refine and extend the prototype system design to a toolset that could assess, simplify, and automate cybersecurity controls and reporting by mining different Air Force or DoD instructions, and operating instructions and guidance. Demonstrate the capability, effectiveness and usability of the framework and tool. 

PHASE III: The proposed methodology, framework and tool should be enhanced to automate and simplify cybersecurity controls and reporting for both military and commercial applications. The tool can be used to track rapidly changing Risk Management Framework guidance. The tool can be used to track rapidly changing commercial guidance and policies. 

REFERENCES: 

1. NIST Publication 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft
2. Management Internal Control Toolset (MICT) https://www.dau.mil/cop/bes/Pages/Topics/Unit%20Self-Assessment%20Program%20USAP.aspx
3. Inspector General Evaluation Management System (IGEMS) https://static.e-publishing.af.mil/production/1/saf_ig/publication/afi90-201/afi90-201.pdf
4. NIST SP 800-37 Rev. 2 - A System Life Cycle Approach for Security and Privacy https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final

KEYWORDS: Security, Cyber, Risk Management Framework, Tool 
