2007 Issue 2 - Raytheon

More documents

Recommendations

Info

Feature Addressing the Challenge of Information Warfare feature overview It is no surprise that information assurance, or information security, is a top priority concern for Raytheon and our customers. Information assurance protects systems and networks from loss of availability, integrity, confidentiality, authenticity and control or ownership. It includes measures taken to detect and respond to cyber threats. It is what makes systems and networks secure. This is critical to delivering Mission Assurance in the age of information warfare. When members of the armed forces rely on our technology, they depend on us to do the job right — regardless of whether they are facing an enemy on the battlefield or in cyberspace. Our military customers need secure systems that also handle multiple levels of security. Modern security classification practices have been used since the mid-20th century to protect sensitive information at various levels, granting individuals access to information according to their “need to know.” In today’s world, many military systems must create, transmit, store and process dynamically changing information at multiple levels of security and deliver it to the right users at the right time. Information must not leak from one security domain to another, either by accident or by the malicious intent of a user, administrator or an external attacker. Several articles in this issue discuss how Raytheon is addressing 4 2007 ISSUE 2 RAYTHEON TECHNOLOGY TODAY different challenges in engineering multilevel secure information systems. Raytheon has established a dependable and repeatable process for engineering information assurance into its systems. Our process incorporates federal standards and guidelines with Raytheon best practices to ensure that the systems we develop can be trusted. It covers engineering activities from information assurance requirements development through system certification and accreditation (C&A). The process addresses many challenges, such as developing a secure system that contains COTS hardware and software components that were not designed with information assurance in mind. Network architectures, links, routers and protocols must be secure, reliable and robust, delivering a high quality of service under attack. Our dependence on networks will only grow as the military realizes its vision for the Global Information Grid (GIG) and its Net-centric Enterprise Services (NCES). This global network of systems will manage and deliver information on demand to warfighters, their leaders and support teams. Networks will need to be self-healing; they must know their attackers, learn their goals and adaptively respond. One of the steps Raytheon is taking toward that goal is highlighted in the article on a honeypot for wireless networks. A honey- Our nation needs secure computers and networks that deliver Mission Assurance even in hostile cyberspace. Information warfare is a valid strategy for attacking military forces as well as a nation’s critical infrastructures. A war could be won in cyberspace without firing a shot, by successfully compromising information systems and networks that are essential to banking, utilities, industry and our national defense. pot is an information system that is used to attract, confuse and observe attackers, and to identify the threats they pose so that these threats can be mitigated. Raytheon is conducting internally funded research to address anticipated and real customer needs that no currently available security technology can meet. An example discussed in this issue is intrusion tolerance — the ability of a system to tolerate malicious faults. This enables a system to operate under sustained cyber attacks, including new and unknown attacks. Coupled with self-regeneration, the ability to automatically and fully restore all services after an attack, intrusion tolerance will be a major step forward in delivering Mission Assurance in hostile cyberspace. Raytheon recently participated in DARPA’s Self- Regenerative Systems (SRS) program, and is now working to transition the results of SRS and other DARPA programs described in this issue to make such capabilities realizable in future systems. Raytheon is also teaming with universities and small businesses to develop and apply technologies that address security challenges on many fronts, such as improving the survivability of wide area networks, and mitigating the “insider” threat presented by malicious users. • Tom Bracewell bracewell@raytheon.com
Ensuring That Our Systems Can Be Trusted The systems we build must be trustworthy. That is because the information they provide is used to make decisions on matters of national defense, national security and public safety. Often, these decisions directly concern the safety of the military personnel and public officials of the United States and our allies. Therefore, the end users of our systems — our customers — demand trustworthy information. All information technology (IT) systems must be certified and accredited in accordance with national policies, federal standards and agency guidelines — regardless of the sensitivity of the information processed on those systems. These standards and guidelines define the certification and accreditation (C&A) processes 1 and information assurance (IA) requirements 2 used to ensure that IT systems can be trusted to protect the confidentiality, availability, integrity and non-repudiation 3 of the information they process. Proving that our systems are trustworthy is the focus of our customers’ C&A processes. The end goal of C&A is to achieve the approval to operate a system by verifying that it provides protection at an acceptable level of residual risk. The customers’ C&A processes do not tell us how to successfully turn a system concept into a secure, certifiable system, and they do not provide a common, unified process for achieving C&A. A common process was first developed by the Information Assurance Technical Framework Forum (IATFF) and termed the Information System Security Engineering (ISSE) process. It provides a standard, dependable way to engineer certifiable 5 Decommission System • Disposition of the DIACAP registration information and system-related data 4 Decommission Maintain authority to operate and conduct reviews • Maintain situational awareness (revalidation of IA controls must occur at least annually) • Impact IA posture Figure 1. DIACAP Activities Summary systems and to implement C&A processes. In 2005, Raytheon integrated the ISSE process into its common engineering and product development process. The C&A processes and Raytheon’s ISSE process are integrated into system development from the program startup through deployment. They affect requirements analysis, system design, development, testing and deployment. Certification and Accreditation Our customers’ C&A processes are all variations on DoD IA C&A Process Guidance (DIACAP). DIACAP is derived from the DoD Information Technology Security Certification and Accreditation Process (DITSCAP), an earlier standard that it recently superceded. Different customers have tailored versions of the C&A process, but they all work largely as DIACAP does today. The DIACAP process (see Figure 1) consists of five phases or activities: 1. Initiate and Plan IA C&A (Definition) – Define and agree on the system requirement and mission security levels 2. Implement and Validate Assigned IA Controls (Verification) – Verify that the DoD Information Systems • AIS Applications • Enclaves • Platform IT Interconnections • Outsourced IT-Based Processes • Issue certification determination • Make accreditation decision Feature • Register system with DoD component IA program • Assign IA controls • Assemble DIACAP team • Review DIACAP intent • Initiate DIACAP implementation plan • Execute and update DIACAP implementation plan • Conduct validation activities • Compile validation resuls in DIACAP scorecard design works and provides the right security 3. Make Certification Determination and Accreditation Decision (Validation) – Test the system to ensure it meets all relevant security requirements and can operate at an acceptable level of risk 4. Maintain Authority to Operate and Conduct Reviews (Post Accreditation) – Ensure that the system maintains its security configuration and all changes are properly documented 5. Decommission System The C&A process and system development begin with analyzing program objectives, identifying the specific standards and guidelines applicable to the program, and translating these into system level requirements. At this stage, it is important to forge an agreement with the key stakeholders involved in the system development and C&A process. A continuing partnership must be established at the beginning of the program between the customer program office and Continued on page 6 1 C&A processes are defined by DITSCAP, DIACAP, DoDIIS C&A Guideline, NIACAP, NISCAP and NIST SP 800-37. 2 Principal IA requirements documents are DCID 6/3, DoD 8500.2 IA controls and NIST SP 800-53A. 3 Non-repudiation is a property achieved through cryptographic methods which prevents an individual or entity from denying having performed a particular action related to data (such as mechanisms for non-rejection or authority (origin); for proof of obligation, intent, or commitment; or for proof of ownership). 3 1 Initiate and plan IA C&A 2 Make certification determination and accreditation decisions Implement and validate assigned IA contracts RAYTHEON TECHNOLOGY TODAY 2007 ISSUE 2 5
Page 1 and 2: Technology Today HIGHLIGHTING RAYTH
Page 3: Technology Today is published quart
Page 7 and 8: ISSE Process DIACAP DoDIIS NIST Dis
Page 9 and 10: al information systems (MNIS). MNIS
Page 11 and 12: Data Validation Data Feed 1 Large F
Page 13 and 14: diagnose attacks/bugs/errors; gener
Page 15 and 16: ated a functional prototype wireles
Page 17 and 18: Feature Information Assurance and S
Page 19 and 20: Figure 1. User CONOPS/E-mail Figure
Page 21 and 22: L E A D E R S C O R N E R Heidi Shy
Page 23 and 24: onTechnology Warfighter Challenges
Page 25 and 26: Short-term Benefits Faster Code Dev
Page 27 and 28: onTechnology The Benefits of Galliu
Page 29 and 30: µ, ε Space k = ω εµ M A T E R
Page 31 and 32: 2007 SEPG Conference Continuing its
Page 33 and 34: Getting to Know Your Raytheon Certi
Page 35 and 36: Vision/Direction Architecture/Style
Page 37 and 38: When you help a student master the
Page 39 and 40: International Patents Issued to Ray

2007 Issue 2 - Raytheon

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?