Subj: CHIEF OF NAVAL OPERATIONS CYBERSECURITY SAFETY PROGRAM

Transcription

1 DEPARTMENT OF THE NAVY OFFICE OF THE CHIEF OF NAVAL OPERATIONS 2000 NAVY PENTAGON WASHINGTON DC OPNAVINST N2N6 OPNAV INSTRUCTION From: Chief of Naval Operations Subj: CHIEF OF NAVAL OPERATIONS CYBERSECURITY SAFETY PROGRAM Ref: (a) SECNAVINST (b) DoD Instruction of 7 January 2015 (c) DoD Instruction of 5 November 2012 (d) IATA-STD-004-DFIA-V3.0, Defense-in-Depth Functional Implementation Architecture (DFIA) Standard (e) National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, 16 April 2018 (f) Committee on National Security Systems Instruction No. 4009, Committee on National Security Systems Glossary of 6 April 2015 (g) IATA-STD-CSGC-011R0 V1.0, Navy Cybersecurity Safety (CYBERSAFE) Grading Criteria Standard (h) IATA-STD-CSGR-012R0 V1.0, Navy Cybersecurity Safety (CYBERSAFE) Grade Requirements Standard (i) SECNAVINST C (j) OPNAVINST D (k) IATA-STD-017-CSC-V1.0, Navy Cybersecurity Safety (CYBERSAFE) Certification Standard (l) IATA-STD-018-CSAU-V1.0, Navy Cybersecurity Safety (CYBERSAFE) Audit Standard (m) IATA-STD-TSN-015-V1.0, Trusted Systems and Networks Standard (n) SECNAVINST E 1. Purpose. The purpose of cybersecurity safety (CYBERSAFE) is to best position the U.S. Navy to fight and win with speed and agility in the increasingly contested and connected cyberdominated battlespace by providing maximum reasonable assurance of resiliency for mission critical industrial control systems, platform information technology (PIT), and information technology (IT) systems. 2. Background. As directed by reference (a), this instruction establishes CYBERSAFE policy, governance, and implementation management for the Navy CYBERSAFE Program. In addition to the mitigations required by reference (b), enclosure (14), CYBERSAFE implements the Department of Defense (DoD) trusted systems and networks strategy by identifying and protecting mission critical items (i.e., safety critical) as described in references (c) and (d). The

2 CYBERSAFE program supports cyber resiliency by hardening the most critical subset of the Navy s technical architecture across the entire National Institute of Standards and Technology Cybersecurity Framework of Identify, Protect, Detect, Respond, and Recover as described in reference (e). Each warfighting domain and its associated acquisition element(s) are responsible for the integration of CYBERSAFE into their individual domain cybersecurity plans and policies. 3. Applicability. This instruction applies to components of the Chief of Naval Operations (CNO), fleet and echelon 2 commanders, Military Sealift Command (MSC), systems commands (SYSCOM), type commands (TYCOM), program executive offices (PEO), program managers, and other U.S. Navy acquisition and development activities that procure, design, construct, maintain, modernize, or test and evaluate Navy defense business systems, national security systems, Navy industrial control systems, and Navy PIT (hereafter referred to as PIT-control ) systems. Per reference (f), PIT-control systems include combat and weapons systems; navigation systems; propulsion systems; and hull, mechanical, and electrical systems to include systems, infrastructures, or software contractually operated on behalf of the U.S. Navy. This instruction does not apply to any organization or activity exempted by statute or policy. 4. Policy a. On behalf of the CNO, the Deputy Chief of Naval Operations for Information Warfare (CNO N2N6) is the executive agent responsible for the oversight, coordination, and execution of the Navy s CYBERSAFE Program. b. The Navy CYBERSAFE Program builds upon DoD trusted systems and networks policy by further minimizing risk to the Navy s mission and warfighting capability that are due to vulnerabilities in system design, sabotage, or subversion of its mission critical functions or critical components by foreign intelligence, terrorists, or other hostile elements. CYBERSAFE achieves risk reductions through the selection and hardening of a subset of a critical component as specified in Navywide CYBERSAFE standards issued by the Information Technology/ Cybersecurity (IT/CS) Technical Advisory Board (TAB). c. The Navy CYBERSAFE Program builds upon the risk management framework process by incorporating a series of enhanced CYBERSAFE controls that are applied to SYSCOMdefined enclave control points and other critical components, as defined by references (c) and (d), and applicable IT/CS TAB standards. CYBERSAFE costs must be minimized through critical component subset gradation, per references (g) and (h). d. Per references (i) and (j), IT technical authority and cybersecurity technical authority must be exercised under the direction of the domain-specific SYSCOM technical authority, whose warrant is dual-certified by both Space and Naval Warfare Systems Command (SPAWARSYSCOM) and the applicable SYSCOM. 2

3 e. The SYSCOM commander is the sole CYBERSAFE certification authority for programs within their respective domain(s). Furthermore, SYSCOM commanders must document objective quality evidence per reference (k) with the advice and support of the PEO or program manager, the CYBERSAFE technical warrant holder, and the CYBERSAFE program director. Per reference (l), all CYBERSAFE certification packages are subject to echelon 1 audit and assessment. f. Navy CYBERSAFE technical and process standards will be adjudicated and issued by the IT/CS TAB. g. PEOs, program managers, and SYSCOM commanders must implement CYBERSAFE following references (a) through (c), this instruction, and all applicable IT/CS TAB standards. h. CYBERSAFE programs must closely coordinate with operational commanders to continually evaluate and improve the effectiveness of CYBERSAFE-related tactics, techniques, and procedures (TTP) for cyber hardening, as well as monitor fielding of incremental cybersecurity enhancements, and vulnerability mitigations as they relate to CYBERSAFE requirements. 5. Responsibilities a. CNO N2N6 (1) In coordination with Assistant Secretary of the Navy (Research, Development and Acquisition) (ASN(RD&A) and Department of the Navy (DON) Chief Information Officer (CIO), establish governance processes to implement the Navy CYBERSAFE Program at the SYSCOM level to: and (a) identify mission critical components of the Navy s IT and PIT-control systems; (b) develop operational strategies to implement the CYBERSAFE program. (2) Oversee the Navy s execution of CYBERSAFE activities, plans, and strategies. (3) Establish policy to incorporate CYBERSAFE into resourcing and requirements review boards and acquisition gate reviews in order to: (a) identify CYBERSAFE-related cybersecurity risks within the acquisition process and programs; (b) advocate for CYBERSAFE requirements via budget process; and 3

4 (c) advise the CNO regarding the cybersecurity risks throughout the Joint Capabilities Integration and Development System (JCIDS), acquisition gate and milestone reviews, and the Navy modernization process. (4) Ensure CYBERSAFE program training for U.S. Navy components and contractor personnel is commensurate with their assigned responsibilities. (5) Conduct CYBERSAFE program audits, assessments, and inspections as required to ensure implementation of references (k) through (m). b. Director for Navy Cybersecurity (OPNAV N2N6G) (1) Designate a Navy CYBERSAFE program director in writing. (2) Per reference (a), establish and update policy and governance as required to strengthen the cybersecurity authority, accountability, and rigor within the Navy s CYBERSAFE Program. (3) Report the results of all CYBERSAFE program audits, assessments, and inspections to the Chair, Navy Cyber Executive Committee via CNO N2N6. (4) Coordinate with appropriate Office of the Secretary of Defense elements, the DoD CIO, and the DON CIO and DON Chief Management Officer as required in support of the CYBERSAFE program, and ensure CYBERSAFE training of U.S. Navy components and contractor personnel. (5) Coordinate with the Office of the Chief of Naval Operations (OPNAV) resource sponsors, SYSCOMs, TYCOMs, warfare development centers, and fleet commanders on CYBERSAFE policy and technical requirements. (6) In coordination with the appropriate stakeholders, review Navy CYBERSAFE and related cybersecurity resourcing requirements and make prioritization recommendations to CNO N2N6 or DON CIO as required. (7) Coordinate the integration and inclusion of Navy-unique CYBERSAFE concepts into higher level policies and processes. c. OPNAV CYBERSAFE Program Director (1) Execute the Navy CYBERSAFE Program on behalf of the executive agent. (2) Function as the administrator and primary Navy point of contact for all matters relating to Navy CYBERSAFE Program policy. 4

5 (3) Chair the CYBERSAFE working group. (a) The CYBERSAFE working group will: Program; 1. provide direct liaison regarding implementation of the Navy CYBERSAFE 2. convene at least quarterly and at other times as directed by the chair; and 3. identify and elevate CYBERSAFE program issues for adjudication. (b) The CYBERSAFE working group is comprised of the members listed below in subparagraphs 5c(3)(b)1 through 5c(3)(b) CYBERSAFE director 2. ASN(RD&A) 3. SYSCOM CYBERSAFE program directors 4. United States Fleet Forces Command (USFLTFORCOM) representative 5. United States Pacific Fleet (USPACFLT) representative 6. United States Fleet Cyber Command (USFLTCYBERCOM) representative 7. Authorizing official representative 8. Commander Navy Installations Command (CNIC) representative 9. MSC representative 10. Naval Information Forces (NAVIFOR) representative 11. OPNAV resource sponsors (as needed) representative 12. Cybersecurity (formerly information assurance (IA)) technical authority 13. Other activity representatives (as needed) (4) Oversee CYBERSAFE program audits, assessments and inspections. Review and analyze results to identify trends and inform strategic adjustments. 5

6 (5) Establish CYBERSAFE readiness reporting procedures. d. OPNAV Resource Sponsors (includes CNO N2N6, Deputy Chief of Naval Operations for Integration of Capabilities and Resources (CNO N8), Deputy Chief of Naval Operations for Fleet Readiness and Logistics (CNO N4), Deputy Chief of Naval Operations for Warfare Systems (CNO N9), and Deputy Chief of Naval Operations for Manpower, Personnel, Training, and Education (CNO N1)) (1) On a prioritized basis, ensure the incorporation of CYBERSAFE requirements into all relevant requirements development documents (i.e., JCIDS, cyber survivability endorsement, systems engineering plan, systems engineering technical review (SETR) artifacts) and acquisition processes (i.e., acquisition gate and milestone reviews) for U.S. Navy fleet and shore systems. (2) Ensure identification and tracking of CYBERSAFE additional costs in the Program Budget Information System (PBIS) through the use of a three-character high interest item code ECS (for enterprise cyber safe) in PBIS budget-level detail of applicable line items. (3) In conjunction with the PEOs and program managers, ensure CYBERSAFE program measures are integrated and implemented across the full lifecycle of certified systems and platforms and are reflected in system technical specifications, in-service maintenance, lifecycle support plans, program protection plans, and modernization programs and contracts. (4) In consultation with appropriate stakeholders, integrate, prioritize, and adjudicate CYBERSAFE resourcing issues in support of Navy, DoD, and National Command Authority guidance within the DoD JCIDS and the Defense Acquisition System processes. (5) Provide a representative to the CYBERSAFE working group. e. SYSCOMs, SYSCOM Equivalents, and MSC (1) Develop and implement a CYBERSAFE program led by a designated program director and executed following this instruction and all applicable DoD trusted systems and networks, acquisition, and CYBERSAFE IT/CS TAB standards. (2) Integrate CYBERSAFE hardening requirements into current program baselines, and acquisition gate and milestone reviews. Identify and submit CYBERSAFE-specific resource requirements to the appropriate resource sponsor(s) for inclusion into the appropriate PBIS program and resourcing budget submissions. (3) Designate a technical warrant holder to execute cybersecurity technical authority (formerly IA technical authority) under direction of a domain-specific SYSCOM technical 6

7 authority whose warrant is dual-certified by SPAWARSYSCOM and the applicable SYSCOM to execute the responsibilities listed in the below subparagraph 5e(4) and the following subparagraphs 5e(3)(a) through 5e(3)(c). (a) Verify the selection, prioritization, and gradation of CYBERSAFE critical components per reference (g) considering both technical and mission needs. (b) Ensure the adequate selection, implementation, and documentation of CYBERSAFE requirements under reference (h). (c) Ensure all CYBERSAFE certifications are supported by sufficient objective quality evidence under IT/CS TAB standards and per reference (k). (4) In coordination with PEOs, program managers, and resource sponsors, identify and grade CYBERSAFE control point(s) and critical component(s) following references (c) and (d), and all applicable IT/CS TAB standards. At a minimum, references (b) and (c) require the incorporation of cybersecurity and supply chain risk management requirements during the engineering, design, component selection, and test and evaluation phases. Reference (n) and the SETR process further requires documentation in the following SETR artifacts: system engineering plan, capability development document, platform protection plan, test and evaluation master plan, and the operational testing readiness review. (a) Programs using the JCIDS and Defense Acquisition Process must ensure any request for proposal or similar contracting document include references (g) and (h) CYBERSAFE requirements and objective quality evidence documentation sufficient to support CYBERSAFE certification, per reference (k). The identification and gradation of CYBERSAFE components must be complete within 90 days following source selection (milestone B) and full CYBERSAFE certification prior to the initial production decision (low rate initial production or other). (b) For all other (non-jcids) Navy modernization and shore infrastructure projects, ensure CYBERSAFE component identification and gradation is incorporated into the SETR process per reference (n). As a consideration in source selection, ensure any request for proposal or similar contracting document include references (g) and (h) CYBERSAFE requirements and objective quality evidence documentation sufficient to support CYBERSAFE certification per reference (k). (c) Mission critical CYBERSAFE items require additional supply chain risk management controls and analysis which must be completed prior to exit from acquisition gate 6 review. Similarly, for Navy modernization projects involving mission critical CYBERSAFE items, complete supply chain risk management controls and analysis prior to developmental test readiness reviews, operational test readiness reviews, and system deployment. 7

8 (5) Ensure all CYBERSAFE certifications comply with references (k) and (l). OPNAVINST (6) Pursuant to certification, technical warrant holders may locally develop and maintain domain-specific CYBERSAFE security controls (i.e., technical, procedural, operational, or management safeguards) in addition to prescribed information assurance technical authority (IATA) standard CYBERSAFE security controls. All such domain-specific security controls must be consistent with or complementary to the IT/CS TAB standards. When a locally developed control is used to support a certification decision, the technical warrant holders will submit the control to the TAB for potential inclusion into the broader Navy wide IT/CS TAB standards. (7) In collaboration with the operational fleet commander, warfare development center, and TYCOMs, establish appropriate CYBERSAFE doctrine, organization, training, materiel, leadership and education, personnel, facilities, and policy required to sustain end-to-end lifecycle management and maintenance of CYBERSAFE components. (8) As practicable, establish and maintain a National Security Agency certified red team to conduct developmental, operational, and penetration test and evaluation as required by reference (b). (9) In support of fleet commander incident response and emergent operational requirements, establish and maintain a short-notice cyber defense response capability composed of domain-specific technical experts. (10) Coordinate with PEOs and program managers to provide the Naval Intelligence Activity (NIA) and Office of Naval Intelligence (ONI) with CYBERSAFE intelligence requirements to include updated source supplier listings for CYBERSAFE critical components. (11) Provide technical support to USFLTCYBERCOM and NAVIFOR in the development of TTPs for the operational maneuver and hardening of mission critical IT and PITcontrol systems. (12) Provide a representative to the CYBERSAFE working group. f. Navy PEOs and Program Managers or Equivalents (1) In coordination with the cognizant SYSCOM commander, identify and submit CYBERSAFE resource requirements to appropriate resource sponsor for inclusion into program and budget submissions. (2) Ensure CYBERSAFE program measures are integrated and implemented across the full lifecycle of certified systems, enclaves, and platforms as directed by references (a) and (c) and funded by the resource sponsor. 8

9 (3) Ensure CYBERSAFE requirements and associated standards are reflected in system technical specifications, in-service maintenance and modernization programs, and contracts. (4) Coordinate with SYSCOMs to document IT and PIT-control system CYBERSAFE components in acquisition artifacts per the above subparagraph 5e(4). (5) Ensure appropriate selection of CYBERSAFE control points and critical components following all applicable DoD trusted systems and networks and IT/CS TAB standards. (6) Incorporate CYBERSAFE strategies into requirements, acquisition, modernization, sustainment, and engineering documents as discussed in subparagraph 5e(4). (7) Identify a CYBERSAFE program liaison to: (a) serve as the CYBERSAFE point of contact within the PEO or program office; (b) function as liaison for internal and external CYBERSAFE matters, to include acquisition, upgrade, or maintenance issues; (c) disseminate guidance for implementing CYBERSAFE requirements and provide coordination, consultation, and assistance on CYBERSAFE matters for acquisition, upgrade, or maintenance; and (d) coordinate with the individual program managers to ensure audit readiness of CYBERSAFE certifications. (8) Ensure the integration of cybersecurity and CYBERSAFE technical standards into acquisition and modernization programs and their associated acquisition gate and milestone reviews, and SETR artifacts. (9) Coordinate with SYSCOMs and USFLTCYBERCOM in support of NAVIFOR development of TTPs for operations conducted across mission critical IT and PIT-control systems. (10) As part of supply chain risk management, coordinate with SYSCOMs to provide NIA and ONI with CYBERSAFE intelligence requirements to include updated source supplier listings for CYBERSAFE critical components. (11) Support USFLTCYBERCOM operations across mission critical IT and PIT-control systems to detect unapproved alterations to certified systems. (12) Provide a representative to the CYBERSAFE working group. 9

10 g. USFLTFORCOM, USPACFLT, and CNIC (1) Implement CYBERSAFE policies and governance through the operation and maintenance of assigned platforms (e.g., ships, aircraft, submarines, shore infrastructure). (2) Incorporate CYBERSAFE operational, casualty, and maintenance procedures into existing fleet and shore certifications and exercises. (3) In coordination with SYSCOMs and PEOs, develop and assess the technical requirements necessary for fleet and shore execution of TTPs that enable cyber maneuvering to mitigate adversary actions and maintain operational mission capability in a denied or degraded cyber environment. (4) Provide a representative to the CYBERSAFE working group. h. NAVIFOR (1) In close coordination with the warfare development centers, SYSCOMs, PEOs and USFLTCYBERCOM, develop fleet and shore TTPs to enhance the mission assurance and cyber resiliency of mission critical IT and PIT-control systems. (2) Ensure fleet and shore personnel are trained in execution of CYBERSAFE TTPs, in order to enhance secure operation and cyber maneuver of all mission critical IT and PIT-control systems. (3) Ensure pre-deployment work up cycles assess organic ability to maneuver mission critical IT and PIT-control systems in a representative threat environment. (4) Provide a representative to the CYBERSAFE working group. i. NIA and ONI (1) In support of the Navy s CYBERSAFE program managers, acquisition professionals, resource sponsors, and operational commanders, conduct intelligence analysis and provide informational briefings and products on the threat environment and adversary cyber warfare capabilities in support of U.S. Navy and Joint network security. (2) Support PEOs and SYSCOM commanders by conducting threat analysis of critical component suppliers. (3) Provide a representative to the CYBERSAFE working group. 10

11 j. USFLTCYBERCOM/Commander, 10th Fleet (1) Identify a CYBERSAFE program liaison to: (a) serve as the lead CYBERSAFE operational requirements point of contact for CYBERSAFE hardening maneuvers in support of fleet and shore operators; and (b) in coordination with NAVIFOR, coordinate fleet and shore exercises to develop, test, train, and maintain TTPs to harden Navy IT and PIT-control systems in response to conditions in the operational environment. (2) Ensure technical and scientific cyber warfare development advances are communicated to SYSCOM chief engineers, for internal need to know assessment, to assure expansive understanding of the threat environment will enable vulnerability assessments to keep pace with advances in technology. (3) Coordinate with SYSCOMs, PEOs, and program managers in execution of NAVIFOR developed TTPs for operations conducted across CYBERSAFE control points and critical components. (4) Compile and disseminate global or regional cyber risk assessments based on threat intelligence and vulnerability assessments to U.S. Navy operational commands, SYSCOMs, TYCOMs, and warfare development centers. Identify the impact of any assessed risks and recommend mitigations per cybersecurity and CYBERSAFE standards. (5) Provide a representative to the CYBERSAFE working group. k. IT/CS TAB (1) As jointly directed by CNO and ASN(RD&A) and per reference (j) the IT/CS TAB has superseded the IT/Information Assurance (ITIA) TAB. The existing ITIA TAB charter and all IATA standards will remain in force until issuance of a new charter reflecting the change. The purpose of the IT/CS TAB is to ensure a consistent approach and implementation across the Navy enterprise through promulgation of standards and requirements. (2) The IT/CS TAB will be chaired by the SPAWARSYSCOM chief engineer and composed of the chief engineers from each SYSCOM. (3) The IT/CS TAB is the definitive body for validation of all CYBERSAFE standards and will serve as the preferred adjudicative forum for issue and conflict resolution. (4) The IT/CS TAB chair will facilitate TAB deliberations on current or draft CYBERSAFE technical standards. 11

12 (5) Ensure the qualification and training of SYSCOM cybersecurity (formerly IA) technical warrant holders who execute CYBERSAFE. The cybersecurity technical authority must provide IA training in support of the dual technical warrant holder process following the Navy s risk management framework and reference (i). (6) Provide a representative to the CYBERSAFE working group. l. All Other Organizational Entities within the Navy. Comply with respective SYSCOM and PEO CYBERSAFE approved operating and casualty procedures and the requirements of this instruction. 6. Records Management a. Records created as a result of this instruction, regardless of format or media, must be maintained and dispositioned for the standard subject identification codes 1000 through series per the records disposition schedules located on the Department of the Navy/Assistant for Administration (DON/AA), Directives and Records Management Division (DRMD) portal page at Management/Approved%20Record%20Schedules/Forms/AllItems.aspx. b. For questions concerning the management of records related to this instruction or the records disposition schedules, please contact your local records manager or the DON/AA DRMD program office. 7. Review and Effective Date. Per OPNAVINST A, CNO N2N6 will review this instruction annually around the anniversary of its issuance date to ensure applicability, currency, and consistency with Federal, DoD, Secretary of the Navy, and Navy policy and statutory authority using OPNAV 5215/40 Review of Instruction. This instruction will be in effect for 5 years, unless revised or cancelled in the interim, and will be reissued by the 5-year anniversary date if it is still required, unless it meets one of the exceptions in OPNAVINST A, paragraph 9. Otherwise, if the instruction is no longer required, it will be processed for cancellation as soon as the need for cancellation is known following the guidance in OPNAV Manual of May MATTHEW J. KOHLER Deputy Chief of Naval Operations for Information Warfare Releasability and distribution: This instruction is cleared for public release and is available electronically only via Department of the Navy Issuances Web site, 12