This document provides policy for the U.S. Government to develop an initial capability for supply chain risk management (SCRM) for National Security Systems. It establishes minimum requirements for identifying and managing supply chain risks early in a system's lifecycle through threat-informed acquisition and engineering practices. Departments and agencies must develop SCRM strategies and capabilities to protect critical systems from supply chain threats.
(U//FOUO) Committee on National Security Systems Supply Chain Risk Management (SCRM) Directive
UNCLASSIFIED//FOR OFFICIAL USE ONLY
CNSSD No. 505
7 March 2012
(U) SUPPLY CHAIN RISK MANAGEMENT (SCRM)
THIS DOCUMENT PROVIDES MINIMUM REQUIREMENTS FOR NATIONAL SECURITY SYSTEMS. IT ALSO MAY OFFER GUIDELINES FOR THOSE PERFORMING THE SAME FUNCTIONS FOR UNCLASSIFIED SYSTEMS. YOUR DEPARTMENT OR AGENCY MAY IMPLEMENT MORE STRINGENT REQUIREMENTS IF APPROPRIATE.
Committee on National Security Systems
FOREWORD
1. (U) In order to achieve cost efficiencies and innovations, the U.S. Government relies on the commercial information and communications technology (ICT) sector for components and services that support mission-critical networks, systems, and weapons. This reliance forces the U.S. Government to depend on the trustworthiness of the commercial ICT supply chain. However, trustworthiness in commercial ICT has become uncertain due to increasing globalization and the participation of unfamiliar, unknown, and changing actors in the supply chain. The U.S. Government must address the reality that the global marketplace provides increased opportunities for adversaries to penetrate ICT supply chains to subvert the components bound for U.S. Government critical systems to gain unauthorized access to data, alter data, interrupt communications, or disrupt critical infrastructures. The marketplace threat analysis process is well known, but the practices to mitigate ICT supply chain risks are still evolving. This Directive provides policy for the U.S. Government to develop an initial capability for supply chain risk management (SCRM) for National Security Systems (NSS).
2. (U) The U.S. Government must utilize enhanced government practices and, where possible, drive improved commercial practices through market incentives and the competitive process to achieve security objectives in NSS, new technologies and products, and managed services to counter the dynamic threats our adversaries use against us.
3. (U//FOUO) National Security Presidential Directive-54, in conjunction with Homeland Security Presidential Directive-23 (NSPD-54/HSPD-23) (Reference b), established “United States policy, strategy, guidelines, and implementation actions to secure cyberspace.” It also directed a Comprehensive National Cybersecurity Initiative (CNCI) to better protect United States (U.S.) interests within cyberspace. CNCI initiative 11 requires the “development of a multi-pronged approach for global supply chain risk management.”
4. (U) This Directive requires supply chain risk management (SCRM) to protect the confidentiality, integrity, and availability of NSS, and to mitigate and manage the risks posed by the threats described above.
5. (U) Additional copies of this Directive may be obtained from the Secretariat or at the CNSS website: www.cnss.gov.
/s/
TERESA M. TAKAI
CHAIR
CNSS Secretariat (IE32), National Security Agency, 9800 Savage Road, STE 6716, Ft Meade, MD 20755-6716
Office: (410) 854-6805; Unclassified FAX: (410) 854-6814
CNSS@radium.ncsc.mil
(U) Supply Chain Risk Management (SCRM)
SECTION I – PURPOSE
SECTION II – AUTHORITY
SECTION III – SCOPE
SECTION IV – POLICY
SECTION V – RESPONSIBILITIES
SECTION VI – GUIDANCE
ANNEX A – DEFINITIONS
ANNEX B – REFERENCES
ANNEX C – BEST PRACTICES, TOOLS, AND RESOURCES
(U) SECTION I – PURPOSE
1. (U//FOUO) In accordance with CNSSP No. 22, “Information Assurance Risk Management Policy for National Security Systems,” and the strategy established by the Comprehensive National Cybersecurity Initiative (CNCI), this Directive assigns responsibilities and establishes the minimum criteria for the development and deployment of capabilities for the protection of National Security Systems (NSS), as defined in Reference d, from supply chain risk.
(U) SECTION II – AUTHORITY
2. (U) This Directive derives its authority from National Security Directive (NSD) 42
(Reference a), which outlines the roles and responsibilities for securing NSS, as affirmed by E.O.
12333 (Reference e).
3. (U) Nothing in this Directive shall alter or supersede the authorities of the Director
of National Intelligence.
(U) SECTION III – SCOPE
4. (U) This Directive applies to all departments, agencies, bureaus, and offices of the
U.S. Government; their employees; and supporting contractors and agents that own, operate, use,
maintain, procure, secure, develop, or manage NSS, as defined in Reference d.
5. (U) Organizations may implement more stringent requirements than those included
in this Directive as necessary to support their mission(s).
(U//FOUO) SECTION IV – POLICY
6. (U//FOUO) U.S. Government departments and agencies shall establish an
organizational supply chain risk management (SCRM) capability to identify and manage supply
chain risk to NSS early and throughout their entire system lifecycle through the use of
acquisition and engineering mitigations informed by all-source supply chain threat information.
7. (U//FOUO) Elements acquired for use within NSS shall be commensurately assured
based on:
a. (U//FOUO) The criticality of the system to the mission, and
b. (U//FOUO) The role of the element in achieving, protecting, or impacting the
mission critical functions of the system.
(U//FOUO) SECTION V – RESPONSIBILITIES
8. (U//FOUO) Heads of U.S. Government departments and agencies shall develop and
document a strategy for the planned evolution of the department or agency-specific SCRM
capability that shall include:
a. (U//FOUO) Integrating SCRM practices and risk mitigations, including threat
support to acquisition, into department or agency-specific system and acquisition life cycle
processes, security capabilities, and an enterprise-wide risk management policy consistent with
National Institute of Standards and Technology (NIST) Special Publication 800-39 and the CNCI
11 SCRM Strategy and Implementation Plan.
b. (U//FOUO) Initiating an SCRM capability within one year of this Directive’s issue
date to begin incremental implementation and to gain the experience necessary to identify and
develop the plans, tools, and skills needed to achieve a full-scale SCRM capability. Initial
SCRM capabilities shall include:
1) (U//FOUO) Establishing processes and policy for using all-source threat
information, in coordination with the Office of the Director of National Intelligence (ODNI),
Office of the National Counterintelligence Executive (ONCIX).
2) (U//FOUO) Developing and implementing minimum standards for threat
assessments to inform risk management decisions for mission-critical elements of NSS.
3) (U//FOUO) Identifying and prioritizing NSS for initial implementation of
SCRM best practices (See ANNEX C).
c. (U//FOUO) Resourcing plans, including major milestones, to implement a full-scale
SCRM capability to protect NSS within six years of the date of issue of this Directive.
d. (U//FOUO) Processes which prioritize mission-critical elements of NSS for
SCRM and which apply SCRM across the lifecycle of NSS, including systems acquisitions and
commodity purchases.
e. (U//FOUO) Identifying the appropriate lead organization for the governance and
support of the full-scale SCRM capability. The lead organization shall:
1) (U//FOUO) Establish agency-specific policies and procedures for SCRM.
2) (U//FOUO) Coordinate with internal and external organizational stakeholders
for the implementation and governance of the enterprise SCRM capability.
3) (U//FOUO) Establish a mechanism and procedures for addressing threats that
current engineering and acquisition mitigations and countermeasures cannot address.
4) (U//FOUO) Develop awareness, education, and training for personnel on
supply chain risks and mitigations.
5) (U//FOUO) Establish a process for documenting how supply chain risks have
been addressed and using this information for future risk mitigation and SCRM activities.
6) (U//FOUO) Provide regular reporting, as directed by the National Security
Staff, on implementation progress and effectiveness of SCRM capabilities as part of the CNCI,
through the appropriate CNCI leadership, including the SCRM Senior Steering Group.
9. (U//FOUO) The Office of the Director of National Intelligence (ODNI), Office of
the National Counterintelligence Executive (ONCIX), shall develop standards, methodologies,
and tools to assist departments and agencies in implementing threat assessments to inform risk
management decisions for mission-critical elements of NSS.
(U) SECTION VI – GUIDANCE
10. (U//FOUO) SCRM Capability
a. (U//FOUO) Threat support to acquisition - Organizations shall use all-source
intelligence assessments on potential suppliers (e.g., re-sellers, component manufacturers,
product manufacturers, system integrators) to inform acquisition and risk management decisions
for critical elements, subsystems, and systems used within NSS, in accordance with applicable
laws, regulations, Executive Orders, and policies. Departments and agencies shall work with
ONCIX to develop and implement all-source intelligence threat assessments in acquisition
decision making, in accordance with the CNCI 11 SCRM Strategy and Implementation Plan. The
ONCIX provides the minimum standards, along with methodologies, tools, and best practices to
conduct counterintelligence analysis on supply chain threats. Agencies will follow ONCIX’s
guidelines when developing threat assessments. ONCIX supports the U.S. Government by
serving as the national clearinghouse for threat information affecting the supply chain, enabling
these organizations to develop and implement effective mitigation strategies.
b. (U//FOUO) SCRM processes, tools, and techniques - ANNEX C identifies
numerous SCRM processes, tools, and techniques to facilitate the implementation of SCRM
USG-wide. Departments and agencies shall adopt and tailor these recommended SCRM
processes, tools, and techniques, and apply them to the procurement and operation of mission-
critical elements within NSS, to include those which:
1) (U//FOUO) Control the quality, configuration, and security of software,
hardware, and systems throughout their lifecycles, including commercial elements or sub-elements.
2) (U//FOUO) Detect the occurrence, reduce the likelihood of occurrence, and
mitigate the consequences of products containing counterfeit elements or malicious functions.
3) (U//FOUO) Develop requirements or capabilities to detect the occurrence of
vulnerabilities within custom and commodity hardware and software through enhanced test and
evaluation.
4) (U//FOUO) Enhance security through the implementation of system security
engineering throughout the system life cycle.
5) (U//FOUO) Optimize acquisition and contracting to define requirements and
source selection criteria that reduce supply chain risk, give preference to vendors that minimize
supply chain risk in verifiable ways, and evaluate security with other desirable factors, such as
low cost, rapid deployment, or new features.
6) (U//FOUO) Implement acquisition processes to document and monitor risk
mitigation methods and requirements and provide for the update of documentation throughout
the system lifecycle.
11. (U//FOUO) Supply Chain for Application-Specific Integrated Circuits (ASICs)
(U//FOUO) The Department of Defense instituted the Microelectronics Trusted
Integrated Circuit Supplier Accreditation Program, assigning authority for the program to the
Trusted Access Program Office (TAPO) in the National Security Agency. TAPO developed and
implemented the program and assigned responsibility for daily operation and accreditation
authority to the Defense Microelectronic Activity (DMEA). DMEA accredits integrated circuit
service providers for Design, Aggregator/Broker, Mask and Wafer Fabrication, Packaging, and
Test services across a broad technology range for specialized governmental applications, both
classified and unclassified. When a need for trusted microelectronics services exists, an
accredited supplier shall be used.
Enclosures:
ANNEX A – Definitions
ANNEX B – References
ANNEX C – Best Practices, Tools, and Resources
(U) ANNEX A – DEFINITIONS
(U) Definitions in CNSS Instruction No. 4009, “National Information Assurance
Glossary,” apply to this Directive. Additional terms specific to this Directive that are not defined
in CNSSI No. 4009 are given below. These definitions provide the clarification required for
purposes of supply chain risk management and are not included in CNSSI No. 4009. They
are to be used exclusively in the context of this Directive.
a. (U) All-source intelligence - Intelligence products and/or organizations and
activities that incorporate all sources of information, most frequently human resources
intelligence, imagery intelligence, measurement and signature intelligence, signals intelligence,
and open source data in the production of finished intelligence.
b. (U) Application-Specific Integrated Circuits (ASICs) - Custom-designed and/or
custom-manufactured integrated circuits.
c. (U) Mission-critical element - A system component or subsystem that delivers
mission critical functionality to a system or that may, by virtue of system design, introduce
vulnerability to mission critical functions.
d. (U) Mission-critical functionality - Any system function, the compromise of
which would degrade the effectiveness of that system in achieving the core mission for which it
was designed.
e. (U) Supply chain risk - The risk that an adversary may sabotage, maliciously
introduce unwanted function, or otherwise subvert the design, integrity, manufacturing,
production, distribution, installation, operation, or maintenance of an item of supply or a system
so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of a system
(Ref: The Ike Skelton National Defense Authorization Act for Fiscal Year 2011, Section 806).
f. (U) Supply Chain Risk Management (SCRM) - A systematic process for
managing supply chain risk by identifying susceptibilities, vulnerabilities, and threats throughout
the supply chain and developing mitigation strategies to combat those threats whether presented
by the supplier, the supplied product and its subcomponents, or the supply chain (e.g., initial
production, packaging, handling, storage, transport, mission operation, and disposal).
(U) ANNEX B – REFERENCES
(U) The following references provide amplifying or supplementary information. Future
updates to referenced documents shall be considered applicable to this policy.
a. (U) National Security Directive No. 42, National Policy for the Security of
National Security Telecommunications and Information Systems, July 5, 1990.
b. (U) National Security Presidential Directive 54/Homeland Security Presidential
Directive 23, Cybersecurity Policy, January 8, 2009.
c. (U) Public Law 107-347 [H.R. 2458], codified at 44 U.S.C. § et seq., The E-Government
Act of 2002, Title III, the Federal Information Security Management Act of 2002,
December 17, 2002.
d. (U) Committee for National Security Systems Instruction Number 4009, National
Information Assurance (IA) Glossary, 26 April 2010.
e. (U) Executive Order 12333, United States Intelligence Activities, December 4,
1981, as amended.
f. (U) Executive Order 13526, Classified National Security Information, December
29, 2009, as amended.
g. (U) Executive Order 12968, Access to Classified Information, August 2, 1995, as
amended.
h. (U) Committee on National Security Systems Instruction Number 1253, Security
Categorization and Control Selection for National Security Systems, October 2009.
i. (U) Director of Central Intelligence Directive 7/6, Community Acquisition Risk
Center, March 02, 2005.
j. (U) Supply Chain Risk Management (SCRM) Program Management Office,
Globalization Task Force (GTF), Key Practices and Implementation Guide for the DoD
Comprehensive National Cybersecurity Initiative 11 Supply Chain Risk Management Program,
February 25, 2010.
k. (U) Committee for National Security Systems Policy Number 22, Information
Assurance Risk Management Policy for National Security Systems, February 2009.
l. (U) Comprehensive National Cybersecurity Initiative (CNCI) 11 Supply Chain
Risk Management Strategy and Implementation Plan, October 2008. Classified: SECRET NOFORN.
m. (U) National Institute of Standards and Technology (NIST) Special Publication
(SP) 800-39, Managing Information Security Risk: Organization, Mission, and Information
System View, March 2011.
n. (U) OMB Policy Letter 91-3, Reporting Nonconforming Products, April 9, 1991.
o. (U) NIST Special Publication 800-37 Revision 1, Guide for Applying the Risk
Management Framework to Federal Information Systems: A Security Life Cycle Approach,
February 2010.
p. (U) Executive Order 13587, Structural Reforms to Improve the Security of
Classified Networks and the Responsible Sharing and Safeguarding of Classified Information,
October 7, 2011.
(U) ANNEX C – BEST PRACTICES, TOOLS, AND RESOURCES
1. (U) The following resources provide SCRM, systems security engineering, and
detailed risk management guidance and best practices for use in government systems.
a. (U) Draft NISTIR 7622, Piloting Supply Chain Risk Management for Federal
Information Systems, June 2010. This document provides a set of practices that can be used for
those information systems categorized at the FIPS (Federal Information Processing Standards) 199
high-impact level. These practices are intended to promote the acquisition, development, and
operation of information systems or system-of-systems to meet cost, schedule, and performance
requirements in today’s environment with globalized suppliers and active adversaries. Integrated
within the information systems development life cycle (SDLC), these practices provide risk
mitigating strategies for the acquiring federal agency to implement.
b. (U) National Defense Industrial Association (NDIA) System Assurance
Committee, 2008. Engineering for System Assurance, Arlington, VA. This document provides
guidance on how to build assurance into a system throughout its life cycle. It identifies and
discusses systems engineering activities, processes, tools, and considerations that address system
assurance. Assurance guidance used by the DoD and its contractors is also included in the
document.
c. (U) US-CERT maintains the Software Assurance (SwA) Pocket Guide
Series on software assurance in acquisition and outsourcing, system development, system life
cycle, and measurement. SwA Pocket Guides are developed collaboratively by the SwA Forum
and Working Groups, which function as a stakeholder community that welcomes additional
participation in advancing and refining software security. The SwA Pocket Guide Series can be
found at https://buildsecurityin.us-cert.gov/swa/pocket_guide_series.html.
2. (U) The DoD SCRM best practices for NSS provide guidance on
the successful implementation of SCRM pilots that incorporate all-source threat information,
summarize the DoD pilot experience, and identify trusted suppliers of integrated circuits as
accredited by the Defense Microelectronic Activity (DMEA). They include:
a. (U) Key Practices and Implementation Guide for the DoD Comprehensive
National Cybersecurity Initiative 11: Supply Chain Risk Management Pilot Program. February
25, 2010. (https://diacap.iaportal.navy.mil/ks/pages/scrm.aspx)
b. (U) Concept of Operations for the DoD Comprehensive National
Cybersecurity Initiative 11: Supply Chain Risk Management Pilot Program. August 25, 2009.
c. (U) Comprehensive National Cybersecurity Initiative (CNCI) DoD Supply
Chain Risk Management (SCRM) Pilot Program Report, April 26, 2011.
3. (U) SCRM assistance and references from the Department of Homeland Security,
Global Cyber Security Office can be found by contacting DHS_SCRM@dhs.gov. Agencies may
contact Software.Assurance@dhs.gov for assistance in the development of a software assurance
capability.
4. (U) Selected SCRM industry standards listed below pertain to quality assurance for
electronic components.
a. (U) EIA-4899 – Standard for Preparing an Electronic Component Management
Plan
b. (U) IDEA-STD-1010 – Diminishing Manufacturing Sources and Material
Shortages (DMSMS) Guidebook
c. (U) SAE-AS9120 – Quality Management Systems for Aerospace Product
Distributors
d. (U) SAE-AS5553 – Counterfeit Electronic Parts; Avoidance, Detection,
Mitigation and Disposition