Product Support Cybersecurity Considerations
DAU GLOSSARY DEFINITION
Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.
Per DoDI 5000.90, PMs are responsible for cybersecurity from the earliest exploratory phase and throughout all stages of the acquisition to include the following activities:
(a) System concept trades
(b) Design
(c) Development
(d) Test and evaluation (T&E)
(e) Production
(f) Fielding
(g) Sustainment, and
(h) Disposal
PSMs and life cycle logisticians are key players in each of these activities and assist the PM in ensuring that cybersecurity is sufficiently considered for each one.
Further, per DoDI 5000.02, PMs will “recognize that cybersecurity is a critical aspect of program planning. It must be addressed early and continuously during the program life cycle to ensure cybersecurity operational and technical risks are identified and reduced and that fielded systems are capable, effective, and resilient.”
Too often the DoD acquisition workforce considers cybersecurity to be solely the responsibility of “cybersecurity experts.” The reality is that all functional areas within the defense acquisition workforce have a role to play. All DoD networks and weapon systems must sustain a sufficiently high level of cyber resilience throughout their lifecycle so the warfighter and end users can accomplish their mission.
PSM Role in Cybersecurity
Policy for cybersecurity risk management, to include risk management for logistics support of fielded equipment and the need to maintain the integrity of supply sources, is included in DoD Instruction (DoDI) 8500.01, Cybersecurity. Cybersecurity requirements map into and align with all 12 Integrated Product Support (IPS) Elements. For example, it is essential that the PSM address cybersecurity considerations in Life Cycle Sustainment Plans (LCSP), Counterfeit Parts Prevention Plans, Obsolescence Plans, Training Plans, sustainment budgets, Continuity of Operations Planning (COOP), and other documentation. These plans and strategies delineate how the PSM has accounted for cybersecurity in their programmatic and business decision processes. Specifically, the PSM must be part of the solution to protecting DoD networks, infrastructure and weapon systems from three (3) threat sources: Insider, Outsider and Nearsider.
- Insider – Someone with both physical and logical access to a system. The level of threat depends upon the level of access the insider has, their motivation, vulnerabilities in the system and other factors.
- Outsider – Someone with neither physical nor logical access to a system. The level of threat depends primarily on vulnerabilities in the system and the adversary threat tier. Adversary threat tier ranges from a high of 4 for Nation State adversaries to a low of 1 for nascent level adversaries.
- Nearsider – Someone with physical access but not necessarily logical access to a system. An example could be a cleaning or plant maintenance team that works in a facility. The level of threat depends upon the level of access the person has (escorted/unescorted), their motivation, vulnerabilities in the system and other factors.
The PSM also has a unique role in protecting systems from these threat sources because of their involvement in system activities beginning with vendors and ending in disposal. Key activities with cybersecurity implications that the PSM must be involved in include:
- Vendor Threat Mitigation
- Supply Chain Risk Management
- Hardware and Software Assurance
- Hardware and Software Provenance
- Supply Chain Integrity
- Trusted Systems and Networks
- Preferred Parts/Suitable Substitutes
- System maintenance
- Support equipment
- Vulnerability assessments
- System software patching
- System updates
- Maintenance of system Authority to Operate (ATO)
- Disposal
Deeper Dive: A deeper dive into some of these areas follows.
- Disposal: Disposition of items which have reached the end of their life or have failed during their normal life span needs to consider cybersecurity implications. For example, classified information may be recoverable from hard drives even if it's been erased. Disposition of IT equipment must comply with NSA/CSS Policy Manual 9-12, NSA/CSS STORAGE DEVICE SANITIZATION.
- RMF lifecycle planning, ATO, Continuous ATO: All IT systems must have an authorization to operate (ATO) issued by the responsible Authorizing Official (AO). ATOs are required for both networks and weapon systems. An ATO is issued prior to operational testing of the system based upon a support package provided to the AO including cybersecurity design, analysis and test information gathered during the development of a system. The ATO is normally issued with a three-year validity period, at which point it must be reissued. During the three-year authorization period, the system is continuously monitored to ensure that the security controls implemented when the ATO was granted are still affording a sufficient level of protection. As threats evolve and increases in capability accrue over time, the security posture of the system can degrade. Continuous ATO is a new concept by which systems that are using an agile or DevSecOps approach to development can maintain their ATO as the design progresses. In Continuous ATO, the security processes in the development activity are the focus. The AO will assess the development process to ensure that cybersecurity is being baked into the design and tested with each product build.
- Acquisition Documentation: Of particular interest to the logistics community are the requirements to include cybersecurity in acquisition documentation such as the LCSP and counterfeit parts prevention plan. The LCSP must address cybersecurity and system security engineering considerations in sustainment, training, obsolescence, disposal and maintenance. The counterfeit parts prevention plan should align with the supply chain risk management plan and ensure the provenance of every hardware and software component in the system.
- SCRM: Provenance of any software or hardware configuration item is of extreme importance to the DoD. Provenance covers origination and chain of custody of items down to and including the piece part level. In a 2012 Senate Armed Services Committee report on counterfeit electronic parts, approximately 1,800 cases of suspect counterfeit parts in the defense supply chain were identified. Those parts were supplied by more than 650 companies, each of which relied on its own network of suppliers. DoD and defense contractors were frequently unaware of the ultimate source of electronic parts used in defense systems. Counterfeit parts, which may include malware, can lead to complete loss of mission capability, making a detailed and well-maintained supply chain risk management plan a wise investment of resources. Critical component and critical function (CC/CF) assessments are required by DoDI 5200.44, and the results of the CC/CF assessment are included in the Program Protection Plan.
- CMMC: The Defense Industrial Base (DIB) is the target of more frequent and complex cyberattacks. To protect American ingenuity and national security information, the DoD developed the Cybersecurity Maturity Model Certification (CMMC) 2.0 program to reinforce the importance of DIB cybersecurity for safeguarding the information that supports and enables our warfighters. Please refer to the CMMC page for the latest developments.
- Sustainment - Patches/SW updates: In terms of cyber sustainment, it’s imperative that the latest SW patches are implemented throughout the lifecycle of the system, in a similar fashion to updating your cell phone with the latest available SW version. In certain instances, SW providers discontinue support for a variety of reasons, causing obsolescence issues. These instances should be managed and mitigated in a similar fashion to other DMSMS issues in each program.
- Logistics in Cloud Cyber: Cloud solutions can be considered in both Development and Operations stages in a program’s lifecycle. The Product Support and Cyber teams are critical to determining the best cloud solution for a program. Factors to consider include:
  - Technical Effectivity
  - Lifecycle cost
  - Security
  - Long-term operations and maintenance
  - Continuity of Operations (COOP)

  The Lifecycle Sustainment Plan should speak to these considerations, and an Analysis of Alternatives or Business Case Analysis is often a prudent means by which programs can reach a decision on the most appropriate cloud solution.
- Agile/DevSecOps: It’s important that the program strategically plans for Product Support integration to ensure that the “Ops” phase does not become a bottleneck inhibiting Agile SW releases. Product Support team members should attain access to the Dev environment, and focus on key Integrated Product Support elements such as Design Interface, Manpower and Personnel, and Maintenance Planning and Management. The Development phase should include user-required fixes, which are often maintained by the Product Support team. User manuals and training are required for use, and should be developed in parallel with the development team.
- Funding types: Any and all program funding codes may be used to fund cybersecurity efforts from early R&D through O&M. It’s imperative that PMs include sustainment funding for cybersecurity, training, SW and HW updates for meeting evolving cyber threats, ATO maintenance, disposal, obsolescence and continuous monitoring/testing.
- Contracts: There are mandatory DFARS clauses that must be included in all contracts. For example, DFARS 252.204-7012 is a mandatory clause requiring all contractors to monitor their development and business networks for cyber intrusions and to report any discovered intrusions through official US Government channels.