DHS Safeguarding and Securing Cyberspace

					                                                                                                                                              Safeguarding and Securing Cyberspace

Safeguarding and Securing Cyberspace
The Department has the lead for the federal government for securing civilian government computer systems, and works with industry and state, local, tribal and territorial
governments to secure critical infrastructure and information systems. The Department works to: analyze and reduces cyber threats and vulnerabilities; distribute threat warnings; and
coordinate the response to cyber incidents to ensure that our computers, networks, and cyber systems remain safe.

Cybersecurity Assessment                                       and Territorial governments. For more information
                                                               contact CSE@dhs.gov.
                                                                                                                               assessment addresses those operational or strategic
                                                                                                                               risks to the ESS infrastructure that are of national
Tools                                                                                                                          concern based upon the knowledge and subject matter
                                                               Cybersecurity Evaluation Tool (CSET) is a desktop               expertise of those participating in the sector‘s risk
Cyber Resiliency Review (CRR) is an assessment that            software tool that guides users through a step-by-step          assessment activities. The ESS-CRA describes an effort
the Cyber Security Evaluation Program offers to                process for assessing the cyber security posture of             that required resources and coordination from across
measure and enhance the implementation of key                  their industrial control system and enterprise                  all disciplines of ESS in order to assess cyber risks to
cybersecurity capacities and capabilities of critical          information technology networks. CSET is available              ESS critical infrastructure. This risk assessment
infrastructure and key resources (CIKR). The purpose           for download or in DVD format. To learn more or                 provides the basis for an ESS cyber risk management
of the CRR is to gather information regarding                  download a copy, visit http://www.us-                           plan or roadmap that will ensure that Federal
cybersecurity performance from specific CIKR in order          cert.gov/control_systems/satool.html. To obtain a               resources are applied where they offer the most
to gain an understanding of the relationships and              DVD copy, send an e-mail with your mailing address              benefit for mitigating risk by lowering vulnerabilities,
impacts of CIKR performance in protecting critical             to CSET@dhs.gov.                                                deterring threats, and minimizing the consequences of
infrastructure operations. The results can be used to                                                                          attacks and other incidents. The report also encourages
evaluate a provider independent of other assessments,          Cybersecurity Vulnerability Assessments through                 a similar risk-based allocation of resources within State
used with regional studies to build a common                   the Control Systems Security Program (CSSP)                     and local entities and the private sector. For more
perspective on resiliency, and used to examine                 provide on-site support to critical infrastructure asset        information, please contact essteam@hq.dhs.gov.
systems-of-systems (i.e., large and diverse operating          owners by assisting them to perform a security self-
and organizing models). The key goal of the CRR is             assessment of their enterprise and control system               Information Technology Sector Risk Assessment
to ensure that core process-based capabilities exist, are      networks against industry accepted standards, policies,         (ITSRA) provides an all-hazards risk profile that
measureable, and are meaningful as predictors for an           and procedures. To request on-site assistance, asset            public and private IT Sector partners can use to inform
organization‘s ability to manage cyber risk to national        owners may e-mail CSSP@dhs.gov.                                 resource allocation for research and development and
critical infrastructure. For more information about                                                                            other protective measures which enhance the security
the CRR, contact the CSEP program at CSE@dhs.gov.              Emergency Services Sector Cyber Risk Assessment                 and resiliency of the critical IT Sector functions. For
                                                               (ESS-CRA) is the first ESS-wide cyber risk assessment           more information, see
Cybersecurity Evaluation Program (CSEP) conducts               completed under the National Infrastructure                     http://www.dhs.gov/xlibrary/assets/nipp_it_baselin
voluntary cybersecurity assessments across all 18 CIKR         Protection Plan (NIPP) framework, and it will inform            e_risk_assessment.pdf or contact
sectors, within state governments and large urban              collaborative and synchronized management of cyber              ncsd_cipcs@hq.dhs.gov.
areas. CSEP affords critical infrastructure sector             risk across the sector. The ESS-CRA is intended to
participants a portfolio of assessment tools,                  provide a risk profile that ESS partners can use to
                                                               enhance the security and resilience of the ESS
                                                                                                                               Cybersecurity Incident
techniques, and analytics, ranging from those that can
be self-applied to those that require expert facilitation      disciplines. By increasing the awareness of risks across        Resources
or mentoring outreach. The CSEP works closely with             the public and private sector domains, the ESS-CRA
internal and external stakeholders to measure key              serves as a foundation for ongoing national-level               Current Cybersecurity Activity is a regularly updated
performances in cybersecurity management. The                  collaboration to enhance the security and resilience of         summary of the most frequent, high-impact types of
Cyber Resiliency Review is being deployed across all           the ESS disciplines. The ESS-CRA is an initial effort to        security incidents currently being reported to the
18 Critical Infrastructure sectors, state, local, tribal,      assess ESS cyber risks across the ESS disciplines and           US‑CERT. For more information, see http://www.us-
                                                               serves as a baseline of national-level risk. The

                                                                                                                                      Safeguarding and Securing Cyberspace

cert.gov/current/ or contact info@us-cert.gov 888-        electronic crimes investigations. This program will          http://www.kb.cert.org/vuls or contact info@us-
282-0870.                                                 offer state and local law enforcement officers the           cert.gov 888-282-0870.
                                                          training necessary to conduct computer forensics
Cyber Investigation Section (CIS) CIS is designed to      examinations, respond to network intrusion incidents,        U.S. Computer Emergency Readiness Team (US-
target and proactively investigate major international    and conduct basic electronic crimes investigations.          CERT) Security Publications provide subscribers
criminals. This goal is accomplished through a            The NCFI will also train prosecutors, and judges on          with free, timely information on cybersecurity
combination of long-term undercover operations,           the importance of computer forensics to criminal             vulnerabilities, the potential impact of those
close partnerships with other US government               investigations. This training acts as a force multiplier     vulnerabilities, and actions required to mitigate the
agencies, and consistently refined strategic targeting.   for the Secret Service and other federal law                 vulnerability and secure their computer systems. For
In conjunction with this unique role, CIS has             enforcement agencies, thus reducing the volume of            more information, see http://www.us-
prototyped numerous advanced technical systems that       cyber crime cases impacting the federal judicial             cert.gov/security-publications/ or contact info@us-
allow for the integration and re-use of diverse forms     process. For more information, see                           cert.gov 888-282-0870.
of evidence from all US jurisdictions and foreign         www.ncfi.usss.gov.
partners. Also included under this unit are analysts
and Criminal Research Specialists who focus on            National Cyber Awareness System the US-CERT
                                                                                                                       Cybersecurity Technical
foreign language websites, money laundering               National Cyber Awareness System offers a variety of          Resources
activities, and digital/electronic currency. For more     up-to-date information on general cybersecurity
information, see                                          topics, threats and vulnerabilities via subscription lists   The Cross-Sector Cyber Security Working Group
http://www.secretservice.gov/ectf.shtml.                  and feeds for alerts, bulletins, and tips. For more          (CSCSWG) enhances cybersecurity protection efforts
                                                          information, visit http://www.us-cert.gov/cas/ or            by identifying opportunities to improve cross-sector
Cyber Forensics the products developed through this       contact info@us-cert.gov 888-282-0870.                       cybersecurity coordination; highlighting cyber
program are cyber forensic analysis devices used by                                                                    dependencies and interdependencies; and sharing
law enforcement in the daily investigation of criminal    U.S. Computer Emergency Readiness Team (US-                  cybersecurity products and findings. Each month,
and terrorist activity and the tools developed allow      CERT) Monthly Activity Summary provides monthly              more than 100 members attend the CSCSWG to
investigators to visualize, analyze, share, and present   updates made to the National Cyber Alert System. This        exchange cybersecurity information, ideas, concepts,
data derived from cell phones, GPS devices, computer      includes current activity updates, technical and non-        and activities. To review and resolve specific, critical
hard drives, networks, personal data assistants, and      technical alerts, bulletins, and tips, in addition to        cross-sector cybersecurity issues, member-driven, ad-
other digital media. For more information, contact        other newsworthy events or highlights. For more              hoc CSCSWG groups may be created that encourage
SandT-CyberLiaison@hq.dhs.gov.                            information, see http://www.us-cert.gov/security-            bi-directional collaboration, dialogue, and debate. In
                                                          publications/#reports; contact info@us-cert.gov 888-         the past, members have created subgroups to address
Industrial Control Systems Cyber Emergency                282-0870.                                                    information sharing, performance metrics, and
Response Team (ICS-CERT) The ICS-CERT focuses                                                                          incentivizing cybersecurity implementation. In 2011,
on control system security across all critical            U. S. Computer Emergency Readiness Team (US-                 a subgroup was created to review, discuss, and
infrastructure and key resource (CIKR) sectors. The       CERT) Operations Center Report cybersecurity                 provide recommendations to strengthen a healthy and
ICS-CERT supports asset owners with reducing the risk     incidents (including unexplained network failures),          resilient ―cyber ecosystem.‖ CSCSWG members have
of cyber attacks by providing alerts and advisories,      the discovery of malicious code, and vulnerability           also contributed to several national cybersecurity
conducting incident response activities, and              information at https://forms.us-cert.gov/report/.            policy documents since its inception, including
performing technical analysis of malware, artifacts,      Contact the US-CERT Operations Center at soc@us-             coordinating on aspects of the Comprehensive
and vulnerabilities. For more information, visit          cert.gov 888-282-0870.                                       National Cybersecurity Initiative, reviewing and
http://www.us-cert.gov/control_systems/ics-cert or                                                                     commenting on the Obama Administration‘s 60 Day
contact ICS-CERT at ics-cert@dhs.gov.                     U.S. Computer Emergency Readiness Team (US-                  Policy Review, and the resulting Cyberspace Policy
                                                          CERT) Vulnerability Notes Database includes                  Review. For more information, email
National Computer Forensics Institute (NCFI) Is the       technical descriptions of each vulnerability, as well as     ncsd_cipcs@hq.dhs.gov.
result of a partnership between the Secret Service and    the impact, solutions and workarounds, and lists of
the State of Alabama. The goal of this facility is to     affected vendors. For more information, see                  Cybersecurity Advisors (CSAs) act as principal field
provide a national standard of training on a variety of                                                                liaisons in cybersecurity and provide a federal resource
                                                                                                                                     Safeguarding and Securing Cyberspace

to regions, communities, and businesses. Their             communicate and obtain buy-in for the effort among         managing employees to mitigate insider threats,
primary goal is to assist in the protection of cyber       stakeholders and leadership. A cybersecurity strategy      communicating with gaming machine vendors about
components essential within the nation‘s critical          provides sectors and State governments with an             vulnerabilities, securing newly digital IP surveillance
infrastructure and key resources (CIKR). Equally           actionable plan to manage both strategic and               systems, and conducting cybersecurity assessments.
important is their role in supporting cybersecurity risk   operational cyber risks to their core business             For more information, email ncsd_cipcs@hq.dhs.gov.
management efforts at the state and local homeland         capabilities and products and services. By outlining
security initiatives. CSAs will work with established      specific goals, objectives, and milestones, a sector or    Cybersecurity in the Retail Subsector Webinar
programs in state and local areas, such as Protective      State can continuously enhance their overall               provides retail employees and managers with an
Security Advisors, FEMA emergency management               cybersecurity posture and adapt to the hanging cyber       overview of the cyber threats and vulnerabilities
personnel, and fusion center personnel. For more           risk landscape. For more information, email                facing the industry. The webinar also reviews the
information, contact the program at CSE@dhs.gov.           ncsd_cipcs@hq.dhs.gov.                                     types of cyber systems and infrastructure used by the
                                                                                                                      retail industry and steps that retail personnel can take
Cyber Exercise Program (CEP) was established in            Department of Homeland Security Science and                to address the unique vulnerabilities to those cyber
2004 to strengthen the reliability and resiliency of the   Technology Directorate Cyber Security Division             resources. The webinar is available on HSIN-CS at
Nation‘s critical cyber infrastructure through the         (DHS S&T CSD) DHS S&T CSD‘s mission is to                  https://connect.hsin.gov/p78334832/. For more
development, design, and conduct of scenario-based         develop and transition new technologies, tools, and        information contact CFSTeam@hq.dhs.gov.
cyber exercises. The CEP can build a Cyber Tabletop        techniques to protect and secure systems, networks,
Exercise Package (CTEP) for most any critical              infrastructure, and users, improving the foundational      Control Systems Security Program (CSSP)
infrastructure/key resource sector and has already co-     elements of our nation‘s critical infrastructure and the   Cybersecurity Training is provided through an
produced CTEPs for the Chemical, Critical                  world‘s information infrastructure; and, to provide        instructor-led introductory course for control system
Manufacturing, and the Healthcare and Public Health        coordination and research and development leadership       and IT professionals or a five-day advanced course
Sectors. The CTEP provides organizations all the           across federal, state, and municipal government;           which includes hands-on instruction in an actual
materials needed to plan and conduct a discussion-         international partners; the private sector; and            control system environment. On-line introductory
based cyber exercise. The CTEP includes two scenarios      academia to improve cybersecurity research                 cybersecurity courses are also available. For more
designed to help assess security policies and              infrastructure. DHS S&T CSD frequently works with          information, see http://www.us-
procedures for both the ―business‖ and ―operational‖       the private sector to develop requirements and engage      cert.gov/control_systems/cstraining.html or contact
aspects of an organization. Highly customizable, it        transition partners for the tools, technologies and        CSSP@dhs.gov.
gives the planner the flexibility to use organizational    techniques that result from CSD‘s work. For more
goals and objectives, or choose goals and objectives       information about CSD and its specific projects,           Control Systems Security Program (CSSP) reduces
included in the package. Also included in the package      workshop information and presentations,                    industrial control system risks within and across all
are planning guides, templates, checklists to guide and    cybersecurity news, events and outreach information,       critical infrastructure and key resource sectors. CSSP
track the planning process, Situation Manuals, and         see http://www.cyber.st.dhs.gov/ or contact SandT-         coordinates cybersecurity efforts among federal, state,
post-exercise instructions. For more information,          Cyber-Liaison@hq.dhs.gov.                                  local, and tribal governments, as well as industrial
please contact CEP@DHS.GOV.                                                                                           control system owners, operators, and vendors. CSSP
                                                           Cybersecurity in the Gaming Subsector Webinar              provides many products and services that assist the
Cybersecurity Strategy Development, led by the             focused on cybersecurity threats, vulnerabilities, and     industrial control system stakeholder community to
National Cyber Security Division‘s (NCSD) Critical         best practices specific to the gaming and casino           improve their cybersecurity posture and implement
Infrastructure Protection Cyber Security (CIP-CS)          industry. More than 100 gaming industry                    risk mitigation strategies. To learn more about the
program helps sectors and States outline and develop       representatives participated in the Webinar, which         CSSP, visit http://www.us-cert.gov/control_systems/
robust cybersecurity strategies by providing the basic     was designed to raise awareness of cybersecurity           or e-mail CSSP@dhs.gov.
framework that can be tailored to needs of the             within the Gaming Subsector. The Critical
individual sector or State. The detailed guidance          Infrastructure Protection Cybersecurity (CIP CS)           The Cybersecurity Assessment and Risk
outlines key sections of a cybersecurity strategy and      program and Office of Intelligence and Analysis (I&A)      Management Approach (CARMA), created by the
provides tips for developing each section. It also         discussed some of the latest cyber threats specific to     National Cyber Security Division‘s (NCSD) Critical
provides general information on the purpose and            the Gaming Subsector and steps industry can take to        Infrastructure Protection Cyber Security (CIP CS)
benefits of developing a strategy that can be used to      improve their cyber resilience. These steps include        program, developed a flexible, repeatable, and
                                                                                                                                     Safeguarding and Securing Cyberspace

reusable cyber risk management approach to help            with an overview of the cyber threats and
CIKR sectors, state and local governments, and other       vulnerabilities facing the industry. Viewers of the        Domain Name System Security Extensions
public and private sector organizations manage cyber       Webinar will gain a heightened sense of the                (DNSSEC) Deployment Coordinating Initiative
critical infrastructure risk. CARMA incorporates           importance of strengthening cybersecurity in the retail    provides cryptographic support for domain name
lessons from a wide variety of cyber risk management       workplace. The Webinar also will review the types of       system (DNS) data integrity and authenticity. DHS
activities. CARMA accounts for the virtual and             cyber systems and infrastructure used by the retail        sponsors a community-based, international effort to
distributed nature of cyber critical infrastructure and    industry and steps that retail personnel can take to       transition the current state of DNSSEC to large-scale
the complexity of the missions and services it             address the unique vulnerabilities to those cyber          global deployment, including sponsorship of the
supports; considers strategic security goals and can       resources. Also includes One-pager/invitation. The         DNSSEC Deployment Working Group, a group of
guide all levels of cyber risk efforts; and allows         Webinar is available on HSIN-CS at                         experts active in the development or deployment of
infrastructure owners and operators to integrate their     https://connect.hsin.gov/p78334832/. For more              DNSSEC. It is open for anyone interested in
established cyber risk frameworks into the approach        information, please contact the Commercial Facilities      participation. The DNSSEC website contains articles,
or use the approach as a foundation for broader            SSA at CFSTeam@dhs.gov.                                    published research papers, DNSSEC tools, case studies,
enterprise risk management efforts. CARMA is a                                                                        workshop information, and presentation materials.
comprehensive, functions-based risk management             Cybersecurity Information Products and                     See http://www.dnssec-deployment.org/.
strategy that focuses on cyber critical infrastructure     Recommended Practices provide current
and effectively identifies, assesses, and manages shared   cybersecurity information resources and recommend          Industrial Control System Cybersecurity Standards
risks. For more information, email                         security practices to help industry understand             and References provide an extensive collection of
ncsd_cipcs@hq.dhs.gov.                                     emerging control systems cyber security issues and         cybersecurity standards and reference materials as a
                                                           mitigate vulnerabilities. This information will help       ready resource for the industrial control system
Cybersecurity Education and Workforce                      users reduce their exposure and susceptibility to cyber    stakeholder community. To view the collection, visit
Development Program (CEWD) fosters effective               attacks and exploits. For a complete list and access to    http://www.us-
cybersecurity education and workforce development          cybersecurity information products, visit                  cert.gov/control_systems/csstandards.html. For
programs by facilitating the availability of               http://www.us-                                             more information, contact CSSP@dhs.gov.
professionals qualified to support the nation‘s            cert.gov/control_systems/csdocuments.html. For
cybersecurity needs. To support national                   more information, contact CSSP@dhs.gov.                    Information Technology Sector Specific Plan (IT
cybersecurity workforce development, CEWD                                                                             SSP) outlines the IT Sector security partners‘ joint
developed the IT Security Essential Body of Knowledge      Cybersecurity Webinars, as an information sharing          implementation of the NIPP risk management
(EBK), an umbrella framework that links                    mechanism, can increase the level of participation and     framework. It describes an approach for identifying,
competencies and functional perspectives to IT             activity among public and private sector stakeholders      assessing, prioritizing, and protecting critical IT Sector
security roles to accurately reflect a national            by engaging them in a cybersecurity discussion. The        functions, establishing shared IT Sector goals and
perspective. For more information, see                     National Cyber Security Division‘s (NCSD) Critical         objectives, and aligning initiatives to meet them. To
http://www.us-cert.gov/ITSecurityEBK/.                     Infrastructure Protection Cyber Security (CIP-CS)          view the IT SSP, visit http://www.dhs.gov/sector-
                                                           Program can help plan, coordinate, and execute a           specific-plans. For more information, contact
Cybersecurity in the Emergency Services Sector             cybersecurity webinar in partnership with sector           ncsd_cipcs@hq.dhs.gov.
Webinar is a one-hour overview of the types of cyber       stakeholders by identifying webinar topics to address
systems and infrastructure that the Emergency Services     goals and objectives; assisting the host organization      The National Cyber Security Division‟s (NCSD)
Sector utilizes. The webinar also addresses the threats    with determining participants, timeframe, and              Critical Infrastructure Protection Cyber Security
and vulnerabilities to those cyber resources and is        speakers; developing a webinar outline; inviting other     (CIP-CS) program developed a flexible, repeatable,
available on the Homeland Security Information             Department of Homeland Security (DHS) components           and reusable cyber risk management approach to help
Network – Critical Sectors (HSIN-CS) Emergency             to participate and coordinate on topics of interest; and   CIKR sectors, state and local governments, and other
Services Sector Portal. For access and more                working with the sponsoring sector or organization to      public and private sector organizations manage cyber
information, contact ESSTeam@hq.dhs.gov.                   provide follow-up materials. CIP-CS has partnered          critical infrastructure risk. This approach—the
                                                           with the Commercial Facilities and Emergency               Cybersecurity Assessment and Risk Management
Cybersecurity in the Retail Sector Webinar This            Services Sectors to produce webinars. For more             Approach (CARMA)—incorporates lessons from a
webinar will provide retail employees and managers         information, email ncsd_cipcs@hq.dhs.gov.                  wide variety of cyber risk management activities.
                                                                                                                                      Safeguarding and Securing Cyberspace

CARMA is a comprehensive, functions-based risk management strategy that focuses on cyber critical infrastructure and effectively identifies, assesses, and manages shared risks. For more information, email ncsd_cipcs@hq.dhs.gov.

Network Security Information Exchange (NSIE)
The National Security Telecommunications Advisory Committee (NSTAC) recommended the establishment of an industry-government partnership to reduce the vulnerability of the Nation's telecommunications systems to electronic intrusion. The NSTAC formed separate government and industry Network Security Information Exchanges to share ideas on technologies and techniques for addressing and mitigating the risks to the public network and its supporting infrastructures. For more information, visit http://www.ncs.gov/nstac/reports/fact_sheet/NSTAC_08.pdf.

National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics. For more information, visit http://nvd.nist.gov/ or contact nvd@nist.gov.

Open Source Infrastructure Cyber Read File compiles important cybersecurity and cyber infrastructure news articles across CIKR sectors and provides a repository of cybersecurity open source information. The Read Files are intended to increase awareness of cybersecurity issues, thus aiding sectors during strategic cybersecurity risk management planning. Modeled on the Department of Homeland Security's Daily Open Source Infrastructure Report, the monthly Open Source Infrastructure Cyber Read File focuses on cybersecurity and cyber infrastructure. Articles are drawn from open source news resources and are organized by date and the sector(s) they affect. In the Open Source Infrastructure Cyber Read File, CIP CS applies knowledge of how issues could inform sectors' strategic planning efforts by including contextual information in addition to the news article. The additional context helps increase understanding of how cybersecurity impacts critical infrastructure protection efforts. Sector-Specific Agencies (SSAs) and other organizations, including State and Federal government agencies, may share the Read File with their stakeholders, many of whom may not be aware of cybersecurity issues relevant to their activities. For more information, email ncsd_cipcs@hq.dhs.gov.

The Research Data Repository Project is the only freely available, legally collected repository of large-scale datasets containing real network and system traffic. A primary impetus of this project is also to provide a streamlined legal framework to centralize controlled distribution of datasets while protecting researchers, data providers, and data hosts. The intent is to accelerate the design, production, and evaluation of next-generation cyber security solutions, including commercial products. Data providers legally provide the data to be shared through the repository, data hosts provide the infrastructure to store the repository data and transfer it to authorized recipients, and the coordinating center provides a centralized mechanism for cataloging available data and manages the submission and review of data requests. The goal of the distributed structure is to provide secure, centralized access to multiple sources of data and to promote data sharing while protecting the privacy of the data producers and the security of their networks and data. PREDICT continually adds new data containing the latest cybersecurity attacks so that the research community will have the most recent information to help improve the quality of research results. For more information, visit https://www.predict.org or contact PREDICT-contact@rti.org.

Roadmap to Enhance Cyber Systems Security in the Nuclear Sector
The Roadmap to Enhance Cyber Systems Security in the Nuclear Sector describes coordinated activities to improve cyber systems security in the Nuclear Sector. It provides nuclear control and cyber systems vendors, asset owners and operators, and relevant government agencies with a common vision, goals, and objectives for cyber systems security in the sector. It also provides milestones to focus specific efforts and activities for achieving the vision, goals, and objectives over the next 10 to 15 years, addressing the Nuclear Sector's most urgent challenges as well as its longer-term needs to reduce the cyber security risk to nuclear industrial cyber systems. For more information, please contact the NPPD/IP Nuclear SSA at NuclearSSA@hq.dhs.gov.

Roadmap to Secure Control Systems in the Chemical Sector
The Roadmap to Secure Control Systems in the Chemical Sector describes a plan for voluntarily improving cybersecurity in the Chemical Sector. It brings together Chemical Sector stakeholders, government agencies, and asset owners and operators with a common set of goals and objectives. For more information, please contact the NPPD/IP Chemical SSA at ChemicalSector@hq.dhs.gov.

Software Assurance (SwA)

Software Assurance Program (SwA)
Software Assurance is the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted, and that software applications function in the intended manner. Grounded in the National Strategy to Secure Cyberspace, the SwA Program develops practical guidance and tools and promotes research and development of secure software engineering. Resources including articles, webinars, podcasts, and tools for software security automation and process improvement are constantly updated at the SwA Community Resources and Information Clearinghouse located at https://buildsecurityin.us-cert.gov/swa/. For more information, contact software.assurance@dhs.gov.

Automating Software Assurance
Under SwA sponsorship, MITRE, in collaboration with government, industry, and academic stakeholders, is improving the measurability of security through
enumerating baseline security data, providing standardized languages as a means for accurately communicating the information, and encouraging sharing of this information with users by developing repositories (see Security Automation & Measurement: http://buildsecurityin.us-cert.gov/swa/measurable.html). Sponsored by the Software Assurance Program, MITRE issues electronic newsletters and information on the following technologies employed in automating SwA: Common Vulnerabilities and Exposures (CVE); Common Weakness Enumeration (CWE); Common Attack Pattern Enumeration and Classification (CAPEC); Open Vulnerability and Assessment Language (OVAL); and Malware Attribute Enumeration and Characterization (MAEC). Structured Threat Information eXpression (STIX) is a quickly evolving, collaborative, community-driven effort to define and develop a language to represent structured threat information. The STIX language is meant to convey the full range of cyber threat information and strives to be fully expressive, flexible, extensible, automatable, and as human-readable as possible. It is actively being adopted or considered for adoption by a wide range of cyber threat-related organizations and communities around the world. All interested parties are welcome to participate in evolving STIX as part of its open, collaborative community and to leverage the upcoming STIX web site and collaborative forums. For more information, see http://www.mitre.org/work/tech_papers/2010/10_1420/10_1420.pdf.

Resilient Software
Software Assurance promotes the security and resilience of software across the development, acquisition, and operational lifecycle; as such, SwA is scoped to address Trustworthiness, Dependability (correct and predictable execution), Conformance, and Survivability. The focus on Resilience and Survivability enables stakeholders to understand and proactively take action to design, build, acquire, and operate software and software-enabled services with the knowledge that software must be able to operate in non-benign environments. Moreover, if compromised, damage to the software will be minimized and it will recover quickly to an acceptable level of operating capacity; it is "rugged." Several initiatives have focused on developing rugged software that is attack-aware and self-defending. See https://buildsecurityin.us-cert.gov/swa/resilient.html for details.

Software Assurance (SwA) Forum and Working Group Sessions
Four times per year, under the co-sponsorship of organizations in DHS, the Department of Defense (DoD), and the National Institute of Standards and Technology (NIST), the SwA Forum and Working Group Sessions provide a venue for participants to share their knowledge and expertise in software security while interacting and networking with key leaders in industry, government, and academia. The gatherings are unique in focus, bringing together private sector stakeholders to protect key information technologies, most of which are enabled and controlled by software. During the Forums, the SwA Program offers free tutorials. Several of these tutorials are available online from the Software Engineering Institute's Virtual Training Environment (VTE) at https://www.vte.cert.org/vteweb/go/3719.aspx.

Software Assurance (SwA) Resources
To support SwA in higher education, SwA and the Software Engineering Institute (SEI) have developed Software Assurance Curriculum Materials (https://buildsecurityin.us-cert.gov/swa/mswa.html), which are freely available for download. This curriculum is formally recognized by the Institute of Electrical and Electronics Engineers (IEEE) and the Association for Computing Machinery (ACM). At the Forum and Working Group Sessions, SwA distributes CDs of SwA resources. Included on the CDs are guides, reports, and brochures on numerous topics, such as: SwA Capability Benchmarking Documents (https://buildsecurityin.us-cert.gov/swa/proself_assm.html); SwA Ecosystem Page (https://buildsecurityin.us-cert.gov/swa/ecosystem.html); FAQs and Fact Sheets on SwA Forums and Working Groups (https://buildsecurityin.us-cert.gov/swa/faq.html); Whitepapers from the Software Assurance Community (https://buildsecurityin.us-cert.gov/swa/ttpe_research.html); Evaluating and Mitigating Software Supply Chain Security Risk, May 2010 (https://buildsecurityin.us-cert.gov/swa/downloads/MitigatingSWsupplyChainRisks10tn016.pdf); and the SwA Pocket Guide Series, free, downloadable documents on critical software assurance topics (https://buildsecurityin.us-cert.gov/swa/pocket_guide_series.html).

Software Assurance (SwA) Email Newsletter provides excellent updates and new information related to the SwA program. To subscribe to the newsletter, email listproc@nist.gov and put 'subscribe' in the subject line and 'subscribe sw.assurance' in the body of the email.

Software Assurance (SwA) Checklist for Software Supply Chain Risk Management
SwA developed and deployed the "SwA Checklist for Software Supply Chain Risk Management," which identifies common elements of publicly available software assurance models. The SwA Checklist provides a consolidated view of current software assurance goals and best practices in the context of an organized SwA initiative. The checklist includes mappings between the SwA Checklist practices and practices identified in existing SwA maturity models and related capability maturity models. This mapping provides a valuable reference for those wishing to improve their software assurance capabilities. For more information, see https://buildsecurityin.us-cert.gov/swa/proself_assm.html#checklist.

Software Assurance (SwA) Outreach
As part of an extensive outreach effort, SwA participates in conferences and webinars with the International Information Systems Security Certification Consortium (ISC)2, the Information Systems Security Association, the Open Web Application Security Project (OWASP), and other organizations interested in application security. More about SwA-relevant webinars is available on the BSI and CRIC websites. Please visit https://buildsecurityin.us-cert.gov/swa/webinars.html for more information. Moreover, SwA supports online communities of interest, such as the Software Assurance Education
Discussion Group on LinkedIn d=3430456) and the Software Assurance Mega-

The Top 25 Common Weakness Enumerations (CWE)
In cooperation with the System Administration, Audit, Network Security (SANS) Institute, SwA and MITRE issued the report "Improve Security and Software Assurance: Tackle the CWE Top 25 – The Most Dangerous Programming Errors." The Top 25 CWEs represent the most significant exploitable software constructs that have made software so vulnerable. Communicating and addressing these problematic issues will serve to improve software security, both during development and while in operation. Read more and see the list of "Top 25 CWE Programming Errors" at