Abstract

Mission systems have become increasingly integrated with and dependent on the Information Technology (IT) and digital communications systems of cyberspace, resulting in increased susceptibility of those systems, and the missions they support, to cybersecurity attacks. Consequently, the integration of Cyberspace Operations with Terrestrial, Afloat, Air and Space Operations has become essential to the success of those missions, and the development, fielding, and operation of those mission systems in a secure manner have become vitally important. In general, approaches to cybersecurity for mission systems and for the development infrastructure that supports the production of those systems have focused on the implementation of technology as reactive mechanisms in the operational environment. Although those technical mechanisms are evolving and becoming increasingly sophisticated, they are not sufficient to provide the strength of protection and resiliency that is needed in today's complex and highly interconnected cyberspace domain. A more proactive approach is needed that builds in protective and resiliency mechanisms during acquisition and development, providing increased assurance that the security features, practices, procedures, and architecture of an information system are strong enough to mitigate all known operational risks, and accurately enforce Department of Defense (DoD) security policies. This paper presents a methodology for cybersecurity risk management (CSRM) for DoD mission systems that incorporates both qualitative and quasi-quantitative analyses for improved decision-making regarding effectiveness and return on investment (ROI). This methodology is designed to be used iteratively throughout the entire system lifecycle, during both system acquisition and operations. 
The methodology is in alignment with the Department of Homeland Security (DHS) National Infrastructure Protection Plan (NIPP), DoD's Defense Industrial Base (DIB) Critical Infrastructure and Key Resources Sector-Specific Plan, National Institute of Standards and Technology (NIST) risk management standards, International Organization for Standardization (ISO) risk management standards, DoD risk management standards, DoD policies and directives for the Global Information Grid (GIG), and other emerging national cybersecurity initiatives.
