Cyber risk assessment tools are key components of risk management systems, and as cybersecurity approaches complete integration, Mission-Based Cyber Risk Assessment will become more important than ever. Soon, the supply chain, system design, system hardening, operational readiness, and continuous monitoring will all be interdependent. Today, each of those items is somewhat stove-piped. The emerging management commitment to cyber, coupled with every aspect of system procurement, design, delivery, and operation is music to a cyber warrior’s ears. Cybersecurity is approaching complete integration into all aspects of system development and operational readiness. In order to stay current and protect your organization, read on to learn more about mission-based cyber risk assessment and other cyber risk assessment tools.

Introduction to MBCRA, One of the Best Cyber Risk Assessment Tools

Mission-Based Cyber Risk Assessment (MBCRA) is one of the most valuable cyber risk assessment tools. But what is MBCRA, and how can organizations implement it? MBCRA employs iterative design to facilitate cybersecurity integration throughout the whole acquisition life cycle. Cyber risk assessments are more effective the earlier in the lifecycle you conduct them, offering more insight into system requirements and initial design decisions. The risk assessment process offers valuable insight into everything from risk management to test strategy at the beginning of a program. These processes can then also shape risk management, system development,  programmatic decisions, and testing over time. 

How MBCRA Benefits the Military Sealift Command (MSC)

In order to effectively implement cyber risk assessment tools like MBCRA, upper management must commit to the program, bringing all aspects of cyber into view. Military Sealift Command (MSC) is one example of an organization with a strong cyber risk assessment framework. MSC controls 125 civilian-crewed ships that perform responsibilities including supplying U.S. Navy ships at sea and a variety of specialized missions. MSC not only applies the principles of DoD IT management and security, but also manages the risks of cybersecurity threats and vulnerabilities using an MBCRA framework. In our work with MSC, we have developed risk assessments and tested for vulnerabilities, determining the overall security of both deployed and prototypical IT systems. But what could an MBCRA risk management hierarchy look like for your organization?

Risk Management Hierarchy

MBCRAs can help entities like MSC stay abreast of cybersecurity risks. The earlier a risk assessment report is generated, the more influence it can have on MSC’s Tiers 1, 2, and 3 decision-makers to mitigate cyber vulnerabilities and inform other risk management activities that impact the program’s MSC Ashore and Afloat Mission Essential Functions (MEFs). MBCRAs can provide value to understanding the cybersecurity risks, cyber survivability, and operational resilience requirements within the Risk Management Hierarchy at Tier 1 (organization), Tier 2 (mission/business processes), and Tier 3 (information systems) levels. 

Tier 1: Organization

Tier 1 encompasses the organization-wide information security programs, policies, procedures, guidance, and procurements. When MBCRAs are employed, entities like MSC can achieve desirable impacts such as heightened risk responses and easier conformance with DoD policy/governance. The MBCRA Process can also help with investment decisions for future IT initiatives.

Tier 2: Mission/Business Processes

Tier 2 encompasses Enterprise Architecture (EA) and Security Architecture (SA) Design as well as a selection of suppliers, services, and contractors. At this level, MBCRAs can aid in the selection of common controls, improving the organization’s mission, business functions, and processes.

Tier 3: Information Systems

Tier 3 is focused on design decisions, implementation decisions, and operational decisions. At this level, MBCRAs aid in the implementation of decisions, improving operational decisions and efficiency.

Acquisition Life Cycle

Moving from lower fidelity to higher fidelity, the acquisition lifestyle is based on the DoD’s iterative cyber risk assessment. The life cycle progresses as described below.

Material Solution Analysis

While risk assessments are conducted continuously throughout the life cycle, it all begins with the pre-system acquisition. In the material solution analysis phase,  we assess the system’s capabilities and look for opportunities for improvement. This stage is the first chance we have to gauge systems supportability and affordability, balancing technology with operational requirements. 

Technology Maturation & Risk  Reduction

The purpose of this phase is to ensure the program is prepared to enter the engineering & manufacturing development stage, reducing risk, maturing requirements, and ensuring that programmatics are stable. Preliminary Design Review occurs at the tail-end of this stage. Capabilities Development, Document Validation, and the Request for Proposal Release Decision occur one after the other during this stage.

Engineering & Manufacturing Development

During this phase, we design and develop the system before production, finalizing a system or increment of capability and aiming for full system integration. We also streamline  manufacturing processes, completing system fabrication before we test and evaluate the system. Once it is evaluated, we move on to the production and deployment phase. Critical Design Review and Test Readiness Review occur during this stage. Interim Authority to Test and Authority to Operate are granted during this stage.

Production & Deployment

If a system satisfies the operational capacity during the production and deployment phase, we produce and deploy the system to the client. Oftentimes, this phase reveals issues or oversights that must be addressed, prompting redesigns. Operational Test Readiness Review and Initial Operational Test & Evaluation occur during this stage. Full Rate Production Decision Review occurs at the end of this stage.

Operations & Support

During this phase, our clients begin to utilize the systems we produce. The primary goal of this phase is to execute a support system that can sustain the system effectively.

Cybersecurity Test & Evaluation Phases

The Cybersecurity Test and Evaluation Methodology (CTE) provides a clear process for testing and evaluating an organization’s cyber protections. It creates a structured approach to reviewing an organization’s security controls, processes, and systems. CTE Methodology tests for vulnerabilities in a variety of ways, which can include security audits, vulnerability scans, penetration tests, and more. Through this process, we can gain an understanding of how successful the organization’s current cybersecurity is and uncover any potential vulnerabilities or risks.

The Cybersecurity Test & Evaluation Phases are: 

• Phase 1: Understand Cybersecurity Requirements
• Phase 2: Characterize Cyber Attack Surface
• Phase 3: Cooperative Vulnerability identification
• Phase 4: Adversarial Cybersecurity DT&E
• Phase 5: Cooperative Vulnerability & Penetration Assessment
• Phase 6: Adversarial Assessment

Take, for instance, a bank that wants to test and evaluate its ability to secure information online from potential hackers. With the Cybersecurity Test and Evaluation Methodology, we would start by outlining every aspect of the bank’s online systems and processes. This would include everything from how users are authenticated online to how they access information online, how transactions are fulfilled online, and how information is stored online. Next, the bank’s cybersecurity would be tested for vulnerabilities at every stage in the process and with a variety of different approaches. For example, cyber professionals would test whether they could outmaneuver the authentication process, insert malicious code into transaction requests, or identify sensitive data that is unencrypted. Once all vulnerabilities are accounted for, they can be prioritized and the bank can take action to mitigate them.

Applying the Framework

A logical Tier 3 (IT) integration point for MSC is to incorporate the SDi MBCRA process within the steps of the RMF process. In this way, MBCRA supports the system development lifecycle and the program by ensuring that the ISSM and the RMF team are informed of engineering, test, operations, and maintenance activities, and potential cyber vulnerability risks when performing Risk Assessment (RA) activities.

The MBCRA team provides further rigor to cybersecurity testing activities by ensuring the proper system categorization, identification of comprehensive security controls, thorough control implementation, assessment procedures, authorizing decisions, and monitoring and evaluation of decisions made throughout the process.

Sentient Digital’s MBCRA Process

Sentient Digital also integrates best practice frameworks, offering a combined top-down and bottom-up approach to cyber risk assessment that is best executed by an integrated team. Our approach is to implement a mission-based cyber risk assessment plan to focus on Tiers 1 through 3. When an MBCRA is employed within the acquisition lifecycle determines the level of impact on each of the risk tiers. 

There are four major objectives of this process: 

1. Cyber Posture
2. Design Maturation
3. Vulnerability Verification
4. Sustainment

Assessment Phases

Sentient Digital employs an incremental analysis approach to review the entire system to identify potential cyber vulnerabilities, their associated mission impacts, potential cyber risks, and priority levels through the execution of our process. This process consists of three major assessment phases:

Planning

During this phase, we gather and review critical system documentation. We also define MBCRA’s scope.

Assessment

During this phase, we perform a mission thread analysis. Mission thread analysis strategically outlines how we can review an organization’s processes that support its objectives. From a cybersecurity perspective, we’re searching for the ways information is involved in these processes, including how it is shared and at which points it may be at risk of a breach. With mission thread analysis, we can better prioritize the cybersecurity solutions an organization needs most by understanding which parts of the process are most critical and where a cyberattack could cause the most destruction.

Take, for instance, a military organization that requires secure communication between its command center, where orders and intel are communicated, and its forces on the ground carrying out a mission. To complete mission thread analysis, we would outline their communication processes from start to finish. That would include how a message is initially created, how it is shared over any networks, how it is received, and how it is acknowledged or replied to in turn. Next, we would look for possible vulnerabilities in this process, which could range from relying on only one channel for communication to leaving messages and data unencrypted. Finally, we would determine which vulnerabilities pose the highest risk to the mission so these can be prioritized for mitigation.

This multifaceted and integrated process begins with document EPA (Entry Point Access) and FCSC (First Cyber Susceptible Component) combos. During this phase, we also characterize info flows, identify and map vulnerabilities, perform mission impact analysis, perform likelihood analysis, perform intel analysis, identify system risks and priorities, develop attack path scenarios, update CTE methodology, and, finally, identify recommendations.

Recommendation

This stage is fully realized through the MBCRA final report and the creation of a risk management framework.

Talk to Sentient Digital about Cyber Risk Assessment Tools and Risk Management

Mission-Based Cyber Risk Assessment is a key component of any comprehensive cybersecurity plan. Whether you’re a government organization like MSC or a small business owner, implementing an iterative and solutions-oriented approach to cybersecurity can help keep your sensitive information secure. 

To safeguard your data, look to Sentient Digital’s MBCRA framework as illustrated by the application to MSC. Our assessment phases make it easy to define scope, assess vulnerabilities, and recommend a risk management framework in three easy steps, breaking down how to optimize through incremental advancements. By creating a framework to aid in the transition to cyber risk assessment, we can move towards total cyber integration, which is the ultimate goal. However, complete cyber integration will only occur with total commitment from the top decision makers.

You can read more on CISA’s Risk Assessment page. It provides steps to help agencies implement mission-based cyber risk assessment protocols. 

Once you’re ready to implement your own mission-based cyber risk assessment program, contact the experts at Sentient Digital for advice. With our extensive industry knowledge and decades of experience, we can provide the assistance you need to implement a risk assessment plan. Although cyber risk assessment tools may be complex, with our skilled guidance, your organization can safeguard its data in no time. Reach out to us today to learn more about how your agency can implement an MBCRA plan.