Cyber risk assessment tools are key components of risk management systems, and as cybersecurity approaches complete integration, Mission-Based Cyber Risk Assessment will become more important than ever. Soon, the supply chain, system design, system hardening, operational readiness, and continuous monitoring will all be interdependent. Today, each of those items is somewhat stove-piped. The emerging management commitment to cyber, coupled with every aspect of system procurement, design, delivery, and operation is music to a cyber warrior’s ears. Cybersecurity is approaching complete integration into all aspects of system development and operational readiness. In order to stay current and protect your organization, read on to learn more about mission-based cyber risk assessment and other cyber risk assessment tools.
Introduction to MBCRA, One of the Best Cyber Risk Assessment Tools
Mission-Based Cyber Risk Assessment (MBCRA) is one of the most valuable cyber risk assessment tools. But what is MBCRA, and how can organizations implement it? MBCRA employs iterative design to facilitate cybersecurity integration throughout the whole acquisition life cycle. Cyber risk assessments are more effective the earlier in the lifecycle you conduct them, offering more insight into system requirements and initial design decisions. The risk assessment process offers valuable insight into everything from risk management to test strategy at the beginning of a program. These processes can then also shape risk management, system development, programmatic decisions, and testing over time.
How MBCRA Benefits the Military Sealift Command (MSC)
In order to effectively implement cyber risk assessment tools like MBCRA, upper management must commit to the program, bringing all aspects of cyber into view. Military Sealift Command (MSC) is one example of an organization with a strong cyber risk assessment framework. MSC controls 125 civilian-crewed ships that perform responsibilities including supplying U.S. Navy ships at sea and a variety of specialized missions. MSC not only applies the principles of DoD IT management and security, but also manages the risks of cybersecurity threats and vulnerabilities using an MBCRA framework. In our work with MSC, we have developed risk assessments and tested for vulnerabilities, determining the overall security of both deployed and prototypical IT systems. But what could an MBCRA risk management hierarchy look like for your organization?
Risk Management Hierarchy
MBCRAs can help entities like MSC stay abreast of cybersecurity risks. The earlier a risk assessment report is generated, the more influence it can have on MSC’s Tiers 1, 2, and 3 decision-makers to mitigate cyber vulnerabilities and inform other risk management activities that impact the program’s MSC Ashore and Afloat Mission Essential Functions (MEFs). MBCRAs can provide value to understanding the cybersecurity risks, cyber survivability, and operational resilience requirements within the Risk Management Hierarchy at Tier 1 (organization), Tier 2 (mission/business processes), and Tier 3 (information systems) levels.
Tier 1: Organization
Tier 1 encompasses the organization-wide information security programs, policies, procedures, guidance, and procurements. When MBCRAs are employed, entities like MSC can achieve desirable impacts such as heightened risk responses and easier conformance with DoD policy/governance. The MBCRA Process can also help with investment decisions for future IT initiatives.
Tier 2: Mission/Business Processes
Tier 2 encompasses Enterprise Architecture (EA) and Security Architecture (SA) Design as well as a selection of suppliers, services, and contractors. At this level, MBCRAs can aid in the selection of common controls, improving the organization’s mission, business functions, and processes.
Tier 3: Information Systems
Tier 3 is focused on design decisions, implementation decisions, and operational decisions. At this level, MBCRAs aid in the implementation of decisions, improving operational decisions and efficiency.
Acquisition Life Cycle
Moving from lower fidelity to higher fidelity, the acquisition lifestyle is based on the DoD’s iterative cyber risk assessment. The life cycle progresses as described below.
Material Solution Analysis
While risk assessments are conducted continuously throughout the life cycle, it all begins with the pre-system acquisition. In the material solution analysis phase, we assess the system’s capabilities and look for opportunities for improvement. This stage is the first chance we have to gauge systems supportability and affordability, balancing technology with operational requirements.
Technology Maturation & Risk Reduction
The purpose of this phase is to ensure the program is prepared to enter the engineering & manufacturing development stage, reducing risk, maturing requirements, and ensuring that programmatics are stable. Preliminary Design Review occurs at the tail-end of this stage. Capabilities Development, Document Validation, and the Request for Proposal Release Decision occur one after the other during this stage.
Engineering & Manufacturing Development
During this phase, we design and develop the system before production, finalizing a system or increment of capability and aiming for full system integration. We also streamline manufacturing processes, completing system fabrication before we test and evaluate the system. Once it is evaluated, we move on to the production and deployment phase. Critical Design Review and Test Readiness Review occur during this stage. Interim Authority to Test and Authority to Operate are granted during this stage.
Production & Deployment
If a system satisfies the operational capacity during the production and deployment phase, we produce and deploy the system to the client. Oftentimes, this phase reveals issues or oversights that must be addressed, prompting redesigns. Operational Test Readiness Review and Initial Operational Test & Evaluation occur during this stage. Full Rate Production Decision Review occurs at the end of this stage.
Operations & Support
During this phase, our clients begin to utilize the systems we produce. The primary goal of this phase is to execute a support system that can sustain the system effectively.
Cybersecurity Test & Evaluation Phases
The Cybersecurity Test & Evaluation Phases are:
- Phase 1: Understand Cybersecurity Requirements
- Phase 2: Characterize Cyber Attack Surface
- Phase 3: Cooperative Vulnerability identification
- Phase 4: Adversarial Cybersecurity DT&E
- Phase 5: Cooperative Vulnerability & Penetration Assessment
- Phase 6: Adversarial Assessment
Applying the Framework
A logical Tier 3 (IT) integration point for MSC is to incorporate the SDi MBCRA process within the steps of the RMF process. In this way, MBCRA supports the system development lifecycle and the program by ensuring that the ISSM and the RMF team are informed of engineering, test, operations, and maintenance activities, and potential cyber vulnerability risks when performing Risk Assessment (RA) activities.
The MBCRA team provides further rigor to cybersecurity testing activities by ensuring the proper system categorization, identification of comprehensive security controls, thorough control implementation, assessment procedures, authorizing decisions, and monitoring and evaluation of decisions made throughout the process.
Sentient Digital’s MBCRA Process
Sentient Digital also integrates best practice frameworks, offering a combined top-down and bottom-up approach to cyber risk assessment that is best executed by an integrated team. Our approach is to implement a mission-based cyber risk assessment plan to focus on Tiers 1 through 3. When an MBCRA is employed within the acquisition lifecycle determines the level of impact on each of the risk tiers.
There are four major objectives of this process:
- Cyber Posture
- Design Maturation
- Vulnerability Verification
Sentient Digital employs an incremental analysis approach to review the entire system to identify potential cyber vulnerabilities, their associated mission impacts, potential cyber risks, and priority levels through the execution of our process. This process consists of three major assessment phases:
During this phase, we gather and review critical system documentation. We also define MBCRA’s scope.
During this phase, we perform a mission thread analysis. This multifaceted and integrated process begins with document EPA (Entry Point Access) and FCSC (First Cyber Susceptible Component) combos. During this phase, we also characterize info flows, identify and map vulnerabilities, perform mission impact analysis, perform likelihood analysis, perform intel analysis, identify system risks and priorities, develop attack path scenarios, update CTE methodology, and, finally, identify recommendations.
This stage is fully realized through the MBCRA final report and the creation of a risk management framework.
Talk to Sentient Digital about Cyber Risk Assessment Tools and Risk Management
Mission-Based Cyber Risk Assessment is a key component of any comprehensive cybersecurity plan. Whether you’re a government organization like MSC or a small business owner, implementing an iterative and solutions-oriented approach to cybersecurity can help keep your sensitive information secure.
To safeguard your data, look to Sentient Digital’s MBCRA framework as illustrated by the application to MSC. Our assessment phases make it easy to define scope, assess vulnerabilities, and recommend a risk management framework in three easy steps, breaking down how to optimize through incremental advancements. By creating a framework to aid in the transition to cyber risk assessment, we can move towards total cyber integration, which is the ultimate goal. However, complete cyber integration will only occur with total commitment from the top decision makers.
You can read more on CISA’s Risk Assessment page. It provides steps to help agencies implement mission-based cyber risk assessment protocols.
Once you’re ready to implement your own mission-based cyber risk assessment program, contact the experts at Sentient Digital for advice. With our extensive industry knowledge and decades of experience, we can provide the assistance you need to implement a risk assessment plan. Although cyber risk assessment tools may be complex, with our skilled guidance, your organization can safeguard its data in no time. Reach out to us today to learn more about how your agency can implement an MBCRA plan.