AuthS / Compliance
Authoritative Sources (AuthS) & Frameworks (Common and Standards)
Training & Courses (Guidelines, OV-1s, etc)
AuthS -- FCEB -- NSM -- ONCD
NSM (National Security Memorandum) / NSM-10 (to PQC).
BLUF: This memorandum outlines the White House's policies and initiatives related to quantum computing. It identifies key steps needed to maintain the nation’s competitive advantage in quantum information science (QIS) while mitigating the risks of quantum computers to the Nation’s cyber, economic, and national security. It directs specific actions for agencies to take as the United States begins the multi-year process of migrating vulnerable computer systems to quantum-resistant cryptography.
NIST PQC Standardization and NSM-10. (13 Slides).
ONCD (Office of the National Cyber Director).
BLUF/Summary:
Advises the President on Cybersecurity Policy and Strategy [The White House: ONCD]. ONCD is a U.S. government agency established in 2021.
Leads the implementation of the National Cybersecurity Strategy [The White House: ONCD]
Works to improve the overall cybersecurity posture of the United States [Wikipedia: ONCD]
Websites -- Roadmap -- Fact Sheet:
ONCD via the White House website: https://www.whitehouse.gov/oncd/
National Cybersecurity Strategy: https://www.whitehouse.gov/oncd/national-cybersecurity-strategy/
Roadmap:
National Cybersecurity Strategy Implementation Plan (NCSIP), May 2024, v2.0: https://www.whitehouse.gov/wp-content/uploads/2024/05/NCSIP-Version-2-FINAL-May-2024.pdf
Fact Sheet: https://www.whitehouse.gov/oncd/briefing-room/2024/05/07/fact-sheet-NCSIP-version-2/
AuthS -- DOD & DISA.
CMMC.
CIO DOD.
CIO DOD: https://dodcio.defense.gov/
ZT Framework (OV-1, 2-Slides): https://dodcio.defense.gov/Portals/0/Documents/Library/ZT-StrategyPlacemats.pdf
ZT Overlays (ZTO): (as of Jun 2024, v1.1)
PDF: https://dodcio.defense.gov/Portals/0/Documents/Library/ZeroTrustOverlays.pdf
Intro: EO 14028 requires federal agencies to implement zero trust, a cybersecurity model designed to protect an enterprise’s infrastructure and assets. National Security Memorandum (NSM)-8 extends the requirements of EO 14028 to National Security Systems (NSS) and all other Department of Defense (DoD) and Intelligence Community (IC) systems.
ZT-RA (Reference Architecture): (as of July 2022, v2.0) https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v2.0(U)_Sep22.pdf
ZT Roadmap Course of Action (COA): (1) Brownfield approach (build upon, upgrade, add on to, mature, or renovate an existing system) to (2) Greenfield approach (build/develop a new system).
DoD Zero Trust Reference Architecture (ZT-RA): This document outlines the principles and key components of a ZTA for the DoD using DODAF. It serves as a roadmap for individual agencies within the DoD, including DISA, to implement their own ZT Strategies. -- STUDY THE FOLLOWING --
ZT-RA (Reference Architecture): (PDF, July 2022, v2): https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v2.0(U)_Sep22.pdf
High-Level Goals (5): [Pg 14-15 in ZT-RA]
Present-State & Future/Target-State (2): (1) Present-State [Pg 16, Figure 3, OV-1] -- (2) Future/Target-State [Pg 18, Figure 4, OV-1].
ZT Cybersecurity Architecture: [Pg 18, Para: 1]
• Data-Centric Security Architecture (3): [Pg 18, Para: 2] -- (1) Identifying sensitive data and critical applications for introducing ZT. (2) Identification of users and process flows for the development of the security policies. (3) Automation and orchestration capabilities will be an insertion point for new conditional access policies. The integration between these technologies will be achieved via APIs. The evolution of artificial intelligence (AI) and robotic process automation (RPA) will modernize and enrich the policy deployed.
• ZT Security Policy: [Pg 18-19, Para: 3-4] -- The first steps in a process flow from "User to Data" are authenticating and authorizing (A&A) a user, which requires integration with an enterprise ICAM (Identity, Credential, and Access Management) solution, global device management, and continuous vetting of identity and attributes. -- Azure offers IAM via (3): (1) Azure AD (authenticates users and apps; MFA, SSO); (2) Azure Key Vault (stores and manages secure data); (3) Azure RBAC (Role-Based Access Control; defines who can access resources and data, including data in Key Vault).
• 5 Major Tenets / Foundational Elements: [Pg. 21] -- (1) Assume a Hostile Environment. There are malicious personas both inside and outside the environment. All users, devices, applications, environments, and all other NPEs are treated as untrusted. (2) Presume Breach. There are hundreds of thousands of attempted cybersecurity attacks against DoD environments every day. Consciously operate and defend resources with the assumption that an adversary has a presence within your environment. Apply enhanced scrutiny to access and authorization decisions to improve response outcomes. (3) Never Trust, Always Verify. Deny access by default. Every device, user, application/workload, and data flow is authenticated and explicitly authorized using least privilege, multiple attributes, and dynamic cybersecurity policies. (4) Scrutinize Explicitly. All resources are consistently accessed in a secure manner using multiple attributes (dynamic and static) to derive confidence levels for contextual access to resources. Access to resources is conditional, and access can change dynamically based on actions and the confidence levels resulting from those actions. (5) Apply Unified Analytics. Apply unified analytics for Data, Applications, Assets, and Services (DAAS), including behavioristics, and log each transaction.
• 7 Pillars in the DOD ZTA: -- BLUF: A pillar is a key focus area for the implementation of ZT controls.
ZT Framework = 7 Pillars in the DOD ZTA: [Pg. 21 ff.; Figures 5-6]
7 Pillars & Goals/Capabilities: See "ZT Roadmap COA", slides 10 and 16 (which link to each Pillar's Goals/Capabilities).
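A small policy decision point that exercises the tenets above (deny by default, least privilege, a confidence level derived from static and dynamic attributes, conditional access that changes as those attributes change, and a log entry for every transaction). This is an added example, not code from the ZT-RA or any DoD system; the attribute names, weights, thresholds, roles, and sample requests are constructed assumptions.

```python
from dataclasses import dataclass, asdict


@dataclass
class AccessRequest:
    user_id: str
    mfa_passed: bool        # static attribute: credential strength (ICAM authentication)
    device_managed: bool    # static attribute: device enrolled in enterprise device management
    device_compliant: bool  # dynamic attribute: latest posture check passed
    geo_anomaly: bool       # dynamic attribute: location deviates from recent baseline
    behavior_risk: float    # dynamic attribute from analytics, 0.0 (normal) to 1.0 (anomalous)
    resource: str
    action: str             # "read", "write" or "admin"


# Constructed least-privilege grants: role -> resource -> permitted actions.
ROLE_GRANTS = {
    "analyst": {"public-docs": {"read"}, "hr-records": {"read"}},
    "admin": {"public-docs": {"read", "write"}, "hr-records": {"read", "write"},
              "key-vault": {"read", "write", "admin"}},
}
USER_ROLES = {"alice": "analyst", "bob": "admin"}  # constructed identity data
# Constructed thresholds: confidence (0-100) required per action, plus a sensitivity
# surcharge per resource, so more privileged actions on more sensitive data need more confidence.
REQUIRED_CONFIDENCE = {"read": 50, "write": 70, "admin": 90}
RESOURCE_SURCHARGE = {"public-docs": 0, "hr-records": 10, "key-vault": 10}


def confidence_score(req: AccessRequest) -> int:
    """Tenet 4 (Scrutinize Explicitly): combine static and dynamic attributes into one level."""
    score = 0
    score += 40 if req.mfa_passed else 0
    score += 20 if req.device_managed else 0
    score += 20 if req.device_compliant else 0
    score -= 20 if req.geo_anomaly else 0
    score += int(20 * (1.0 - req.behavior_risk))
    return max(0, min(100, score))


def decide(req: AccessRequest, audit_log: list) -> tuple:
    """Return ("ALLOW" | "DENY", reason). Tenet 3: deny by default, verify every request."""
    decision, reason = "DENY", "default deny"
    role = USER_ROLES.get(req.user_id)
    if role is None:
        reason = "unknown identity"
    elif not req.mfa_passed:
        reason = "authentication incomplete"
    elif req.action not in ROLE_GRANTS[role].get(req.resource, set()):
        reason = "action not granted to role (least privilege)"
    else:
        conf = confidence_score(req)
        needed = REQUIRED_CONFIDENCE[req.action] + RESOURCE_SURCHARGE[req.resource]
        if conf >= needed:
            decision, reason = "ALLOW", f"confidence {conf} >= required {needed}"
        else:
            reason = f"confidence {conf} < required {needed}"
    # Tenet 5 (Apply Unified Analytics): every transaction is logged, allowed or denied.
    audit_log.append({**asdict(req), "decision": decision, "reason": reason})
    return decision, reason


if __name__ == "__main__":
    log = []
    print(decide(AccessRequest("bob", True, True, True, False, 0.0, "key-vault", "admin"), log))
    # Same identity and role, but a geo anomaly lowers confidence and the decision changes.
    print(decide(AccessRequest("bob", True, True, True, True, 0.0, "key-vault", "admin"), log))
    print(len(log), "transactions logged")
```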
DoDAF.
DoDAF v2.02 (PDF): https://dodcio.defense.gov/Portals/0/Documents/DODAF/DoDAF_v2-02_web.pdf
BLUF: A "Fit-for-Purpose" guide to the development, use, and maintenance of architectures within the US DoD and its contractors.
What is DoDAF: DoDAF is a framework that builds reference architecture(s). These reference architectures would then provide concrete design guidance based on the DoDAF principles and viewpoints.
Function: Provides a structured approach for defining and documenting architectures.
Focus: Establishes a common language, viewpoints, and artifacts for describing architectures within the DoD and its contractors.
Benefits: Ensures consistency, clarity, and communication across different architecture projects.
Analogy: Think of DoDAF as a blueprint template that specifies the sections, views, and details needed for a complete architectural blueprint, but it doesn't provide the specific design or layout of a particular building.
Architectural Development (6-Steps). (PDF)
Step 1: Determine Intended Use of the Architecture -- Defines the purpose and intended use of the architecture ("Fit-for-Purpose"); how the Architectural Description effort will be conducted; the methods to be used in architecture development; the data categories needed; the potential impact on others; and the process by which success of the effort will be measured in terms of performance and customer satisfaction.
Step 2: Determine Scope of the Architecture -- The scope defines the boundaries that establish the depth and breadth (distance from side-to-side) of the Architectural Description and establishes the architecture's problem set, helps define its context, and defines the level of detail required for the architectural content.
Step 3: Determine Data Required to Support Architecture Development --
Step 4: Collect, Organize, Correlate, and Store Architectural Data --
Step 5: Conduct Analyses in Support of Architecture Objectives --
Step 6: Document Results by Decision-Maker Needs -- The creation of architectural views/artifacts based on queries of the underlying data.
Principles: (10)
Integration: Integrate all aspects of a system (processes, data, IT infrastructure) so they work together seamlessly.
Stakeholder Needs: Address the requirements of all relevant parties (warfighters, commanders, support personnel).
Iterative Development: (Continuous process) Continuously refine and improve as new information and technologies emerge.
Modularity: Design with reusable, self-contained components for easier integration with other systems.
Standards Compliance: Adhere to established technical standards to ensure interoperability and communication across the DoD.
Data-Driven Approach: Data from various sources (operational data, system performance metrics, user feedback) informs architecture decisions.
Visualization: (the Artifacts) A variety of visualizations (diagrams, matrices) communicate architecture information to a diverse audience.
Utility: (Useful) Design artifacts to be useful, informative, easy to understand, maintain, and update for a broad range of stakeholders.
Cost Effectiveness: Deliver required capabilities within budget constraints.
Security: Protect sensitive information and systems.
AuthS -- Federal Agencies -- CMS -- FedRAMP -- FIPS -- NQCO -- NSA -- NSF IUCRC (CQT) -- NSTAC.
CMS.Gov Website -- https://www.cms.gov/
Guides & Documentation.
CMS Forms List:
BLUF: A list of documents like NIST.
URL: https://www.cms.gov/medicare/forms-notices/cms-forms-list
FedRAMP (Federal Risk and Authorization Management Program).
Authorization Process: See website OV-1.
Benefits & Value (3): (1) Provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by government agencies by establishing a set of security standards and processes. (2) Helps agencies ensure that the cloud solutions they adopt meet minimum security requirements and are better protected from cyber threats. (3) Reduces the cost and time required for each agency to conduct its own security assessments, ultimately saving resources and improving the overall security of federal IT systems.
FIPS Publications:
FIPS 140-2: Security Requirements for Cryptographic Modules.
FIPS 140-3: Security Requirements for Cryptographic Modules. https://csrc.nist.gov/pubs/fips/140-3/final
National Quantum Coordination Office (NQCO).
BLUF: The Federal Source and Gateway To Quantum R&D Across The U.S. Government.
NSA's ZT Maturity across 7 Pillars --
NSA Cybersecurity Information Sheet (CSI): Advancing ZT Throughout the 7 Pillars. [Pg.4]
NSF IUCRC -- Center for Quantum Technologies (CQT).
BLUF: The Industry-University Cooperative Research Centers (IUCRC) program generates breakthrough research by enabling close and sustained engagement between industry innovators, world-class academic teams, and government agencies.
Links:
NSF (U.S. National Science Foundation): https://new.nsf.gov/
NSF IUCRC: https://iucrc.nsf.gov/
Center for Quantum Technologies (CQT). The CQT is an NSF-funded Industry/University Cooperative Research Center (IUCRC) and a partnership between Purdue University, Indiana University, and the University of Notre Dame, as well as several industry and government members. The mission of the CQT is to collaborate with industry and government stakeholders to identify compelling needs and challenges in quantum technologies, and then develop novel solutions to address these opportunities.
NSTAC Report to the President:
PDF: NSTAC REPORT TO THE PRESIDENT: Zero Trust and Trusted Identity Management (Feb 23, 2022).
BLUF: ZT Comparisons [Pg.3]; 5 Steps to ZT Implementation with Activities/Objectives [Pg.7-12];
AuthS -- 508 Compliance (IS/IT Accessible to People with Disabilities)
508 Compliance.
BLUF (2): (1) Section 508 Compliance refers to the accessibility standards established by the US federal government for electronic and information technology (EIT). (2) By following these guidelines, organizations can ensure equal access to information and technology for all individuals, regardless of abilities.
GOAL: To ensure that individuals with disabilities have equal access to information and technology.
Benefits & Value for: -- BLUF: The standards require that all EIT developed, procured, maintained, or used by federal agencies must be accessible to people with disabilities, including the following (4):
Blindness or low vision
Deafness or hearing loss
Mobility or dexterity impairments
Cognitive or learning disabilities
Key Requirements: (5)
Accessible website design
Closed captions for audio and video content
Keyboard navigation for individuals who cannot use a mouse
Clear and consistent navigation and content organization
Compatibility with assistive technologies like screen readers and text enlargers
AuthS -- Private Sector
Gartner:
BLUF: Gartner is a research and advisory company that provides insights and guidance to businesses worldwide. Services include: (1) Research: Provides advice on mission-critical priorities for leaders. (2) Consulting: Offers customized solutions to client needs, including on-site support and tools to measure IT performance. (3) Conferences: Involves business professionals across the organization.
PROGRAMS.
Cybersecurity:
QUOTES.
ZTA; PQC -- “By 2029, advances in quantum computing will make conventional asymmetric cryptography unsafe to use.” — Gartner Report
KeyFactor:
BLUF: Keyfactor.com, a participant in NIST’s Post-Quantum Cryptography Project, has been tapped by the EOP to advise on PQC threats and is already helping agencies like the Navy and FAA secure their cryptographic future, assisting in developing PQC strategy and ensuring all digital identities are secure and future-proof.
MITRE ATT&CK Website:
BLUF: The MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and the cybersecurity product and service community.
What is SAFe (Scaled Agile Framework)?
A set of practices and guidelines that help organizations adopt Agile methodologies at scale for software development.
SAFe combines Agile software development, Lean product development, and systems thinking to create a framework for large-scale Agile adoption.
VALUE: It focuses on aligning teams around a common goal, facilitating collaboration across departments, and delivering value to customers faster.
SAFe offers different configurations depending on the organization's size and needs.
It's important to remember that SAFe implementation is an iterative process. Organizations should be prepared to adapt and adjust their approach as they learn and gain experience.
Steps to Implement SAFe: (12)
SAFe recommends a structured roadmap for implementation.
Reaching the Tipping Point: Building a strong internal case for adopting SAFe and establishing leadership buy-in.
Train Lean-Agile Change Agents: Identifying and training individuals who will champion the SAFe transformation within the organization.
Train Executives, Managers, and Leaders: Equipping leaders at all levels with the necessary knowledge and understanding of SAFe principles.
Create a Lean-Agile Center of Excellence (LACE): Establishing a dedicated team to guide the SAFe implementation and support ongoing adoption.
Identify Value Streams and ARTs (Agile Release Trains): Mapping your value delivery process and creating cross-functional teams (ARTs) responsible for delivering specific functionalities.
Create the Implementation Plan: Developing a detailed roadmap outlining the implementation timeline, resources, and success metrics.
Prepare for ART Launch: Setting up the environment, tools, and processes for the ARTs to function effectively.
Train Teams and Launch the ART: Training team members on SAFe practices and officially launching the first ART.
Coach the ART Execution: Providing ongoing coaching and support to ensure the ARTs function smoothly and deliver value.
Launch More ARTs and Value Streams: Gradually expanding the use of SAFe by launching additional ARTs and value streams.
Extend to the Portfolio: Connecting the ARTs and value streams to the overall organizational portfolio management strategy.
Sustain and Improve: Continuously monitoring, evaluating, and refining the SAFe implementation to ensure ongoing effectiveness.
What is SCRUM:
Focus: Iterative (repetition of a process) and incremental software development methodology.
Goal: Deliver working software in short cycles (Sprints) with continuous improvement.
Key Elements:
Roles: Product Owner, Scrum Master, Development Team.
Artifacts: (3)
Product Backlog:
BLUF: Like a restaurant menu, listing all available dishes (potential product features).
Imagine it as: A prioritized list of features, user stories, and fixes for your product.
What it includes: Everything that could potentially be added to the product, from essential features to future enhancements.
Who owns it? The Product Owner is responsible for managing the Product Backlog, and prioritizing items based on business value and user needs.
How it's used: During Sprint Planning, the Scrum Team selects items from the top of the Product Backlog to be included in the upcoming Sprint. The Product Backlog is constantly evolving as new ideas emerge, priorities change, or feedback is received.
Sprint Backlog:
BLUF: Like a chef's order for a specific meal (Sprint), detailing the ingredients and steps needed to prepare the chosen dishes (Product Backlog items).
Imagine it as: A more detailed breakdown of work for a specific Sprint (a short development cycle in Scrum).
What it includes: A list of tasks that the Development Team needs to complete the Product Backlog items selected for the Sprint. This might include user story breakdowns, bug fixes, design tasks, and testing activities.
Who creates it? The Scrum Team collaboratively creates the Sprint Backlog during Sprint Planning.
How it's used: The Sprint Backlog serves as the Development Team's roadmap for the Sprint. They track progress against the list throughout the Sprint and adjust it if needed based on daily stand-up meetings or unforeseen challenges.
Increment:
BLUF: The completed meal served to the customer (stakeholder), representing the progress made during that meal period (Sprint).
Imagine it as: The usable product functionality delivered at the end of a Sprint.
What it includes: All the completed Product Backlog items from the Sprint, integrated and tested to work together as a potentially shippable unit.
Who creates it? The Development Team is responsible for developing and delivering the Increment.
How it's used: The Increment is showcased and reviewed during the Sprint Review meeting. It demonstrates the team's progress and allows stakeholders to provide feedback. Each Sprint builds upon the previous Increment, resulting in a progressively more feature-rich product.
Events: (4)
Sprint Planning:
What it is: A collaborative meeting held at the beginning of a Sprint (a short development cycle in Scrum, typically 1-4 weeks).
Goal: Define the goals and workload for the upcoming Sprint.
Who participates: The Scrum Team, including the Product Owner (represents stakeholders), Development Team (engineers, designers), and Scrum Master (facilitates the process).
Activities:
Review the Product Backlog (prioritized list of features) and select items to be completed in the Sprint.
Estimate the effort required for each selected item.
Create the Sprint Backlog (a list of tasks needed to complete the selected Product Backlog items).
Define the Sprint Goal (a high-level objective for the Sprint).
Daily Scrum:
What it is: A brief (15-minute) daily stand-up meeting held throughout the Sprint.
Goal: Keep everyone informed about progress, identify roadblocks, and adjust plans as needed.
Who participates: The Scrum Team.
Activities:
Each team member answers three questions:
What did I do yesterday?
What will I do today?
Are there any impediments in my way?
The team discusses and finds solutions for any roadblocks.
Sprint Review:
What it is: A meeting held at the end of a Sprint to showcase the completed work.
Goal: Get feedback from stakeholders, review progress towards the Sprint Goal, and ensure the product remains valuable.
Who participates: The Scrum Team and stakeholders (customers, product managers).
Activities:
The Development Team demonstrates the completed work increment.
Stakeholders provide feedback and suggestions.
The Product Owner discusses how the feedback might influence future product development.
The Sprint Backlog may be adjusted based on learnings and feedback.
Sprint Retrospective:
What it is: A meeting held after the Sprint Review to reflect on the past Sprint.
Goal: Identify areas for improvement in the Scrum process itself, not the product.
Who participates: The Scrum Team.
Activities:
Discuss what went well during the Sprint.
Discuss what challenges were faced.
Identify areas for improvement in the team's processes, tools, or communication.
Define actionable items to implement changes for the next Sprint.
Strengths: Fast feedback loops, adaptability, increased stakeholder engagement.
-- ME --: Focus on CSF; able to Pivot quickly; deliver 2-3 projects successfully; get feedback quickly;
Weaknesses: May not be suitable for large, complex projects. Requires strong team communication and self-organization.
Training / Courses / Guidance / Information Sharing
Certificate of Competence in Zero Trust (CCZT) -- CCZT Training.
CSA's ZT Guiding Principles (11) -- PDF // Presentation.
CSA's ZT Training Curriculum -- Overview / Plan.
CSA's ZT Training Mind Map -- Mind Map (OV-1).
NSA's ZT Maturity across 7 Pillars -- NSA Cybersecurity Info Sheet (CSI): Advancing ZT Throughout the 7 Pillars. [Pg.4]
Overview of ZTA (Video: 45:41) -- 8 Principles (10:10)