Showing posts with label FISMA. Show all posts

January 16, 2008

Enterprise Architecture Terms and Taxonomy

A key foundation for developing an enterprise architecture is getting the EA terms and taxonomy right for the organization, so that business and technical subject matter experts share a common language and understanding of what EA-related terms mean.

Here are some fundamental terms and a high-level taxonomy for them (before these were established, I found considerable confusion in the enterprise as to what many of these terms meant; they were used incorrectly and interchangeably by various users):

1) C4&IT—Any equipment or interconnected system or subsystem of equipment, or techniques used in the automatic acquisition, storage, manipulation, management, transmission, or reception of digital, voice, or video data or information to the appropriate levels of command. This includes command and control, networks, common operational picture systems, information assurance services, communication products and standards, computers, ancillary equipment, software, firmware, procedures, services (including support services) and related resources. (short definition─Command, Control, Communications, Computers, and Information Technology)

2) FISMA Systems—An application or general support system that meets the requirements of the Federal Information Security Management Act (FISMA) of 2002, including completion of certification and accreditation, risk assessments, policies and procedures, security plans, security awareness training, annual security testing, remediation procedures, incident response procedures, and contingency plans. (short definition—systems as defined by FISMA).

a. Application Systems—A discrete set of information resources [i.e. applications] organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. (short definition—one or more applications).

i. Applications—the use of information resources (information and information technology) [i.e. hardware, software, and database] to satisfy a specific set of user requirements. (short definition—combination of hardware, software, and database).

b. General Support Systems—An interconnected set of information resources under the same direct management control that share common functionality. It normally includes hardware, software, information, data, applications, communications, and people [i.e. infrastructure]. (short definition—IT infrastructure).

3) Products and Standards

a. Products—Includes hardware, the physical parts of a computer system, and software, the programs or other “instructions” that a computer needs to perform specific tasks.

b. Standards—Guidelines that reflect agreement on products, practices, or operations by nationally or internationally recognized industrial, professional, or trade associations, or by government bodies.

The way to read the taxonomy is that C4&IT at the top is the CIO world of work and it is composed of Command, Control, Communication, Computers, and IT. C4&IT decomposes to FISMA Systems (since all systems must be FISMA compliant). FISMA Systems decompose to Application Systems (and their applications) and General Support Systems (infrastructure). And these systems (applications systems and general support systems) decompose into hardware and software products and standards.

The short working definitions are fairly straightforward, and the longer definitions are based on public definitions from the National Institute of Standards and Technology (NIST), the Office of Management and Budget (OMB), the Department of Homeland Security (DHS), and the Department of Defense (DOD).

These terms and taxonomy should help enterprise architects and their users differentiate C4&IT, Systems, Application Systems, General Support Systems, Products, and Standards, and maybe even widgets by inference. :-)



January 13, 2008

Fire Sale Attack and Enterprise Architecture

Fire Sale─“Matt Farrell (Justin Long), a character in the movie Live Free or Die Hard, used this term to describe the plot by Thomas Gabriel (Timothy Olyphant) to systematically shut down the United States computer infrastructure. The plan crashes the stock market, communications and utilities infrastructure, crippling America's economy and causing nation-wide chaos. The term was coined because of the phrase "everything must go" meaning all of the world's technology based off of a computer system, virtually everything.” (Wikipedia)
The New York Times, 4 June 2007, in an article titled “When Computers Attack,” describes how governments are preparing for the worst in terms of cyber attacks:
“Anyone who follows technology or military affairs has heard the predictions for more than a decade. Cyberwar is coming. Although the long-announced, long-awaited computer-based conflict has yet to occur, the forecast grows more ominous with every telling: an onslaught is brought by a warring nation, backed by its brains and computing resources; banks and other businesses in the enemy states are destroyed; governments grind to a halt; telephones disconnect.”
What systems are at risk?
At risk are all computers that connect “to the Internet through the industrial remote-control technologies known as Scada systems, for Supervisory Control and Data Acquisition. The technology allows remote monitoring and control of operations like manufacturing production lines and civil works projects like dams. So security experts envision terrorists at a keyboard remotely shutting down factory floors or opening a dam’s floodgates to devastate cities downstream.
But how bad would a cyberwar really be — especially when compared with the blood-and-guts genuine article? And is there really a chance it would happen at all? Whatever the answer, governments are readying themselves for the Big One.”
For example, “China, security experts believe, has long probed United States networks. According to a 2007 Defense Department annual report to Congress, China’s military has invested heavily in electronic countermeasures and defenses against attack, and concepts like ‘computer network attack, computer network defense and computer network exploitation.’”
What are we doing?
The United States is arming up, as well. Robert Elder, commander of the Air Force Cyberspace Command, told reporters in Washington at a recent breakfast that his newly formed command, which defends military data, communications and control networks, is learning how to disable an opponent’s computer networks and crash its databases.
How serious is the threat of cyber attack?
An all-out cyberconflict “could have huge impacts,” said Danny McPherson, an expert with Arbor Networks. Hacking into industrial control systems, he said, could be “a very real threat.”
Is our nation’s architecture prepared to secure our enterprises and this country from a fire sale-type or other cyber terrorism attack? Here are some actions that have been taken, based on a CRS Report for Congress on “Computer Attacks and Cyber Terrorism” (17 October 2003):
  • In 2002, the Federal Information Security Management Act (FISMA) was enacted, giving the Office of Management and Budget (OMB) responsibility for coordinating information security and the standards developed by civilian federal agencies.
  • In 2003, The National Strategy to Secure Cyberspace was published by the administration to encourage the private sector to improve computer security for critical infrastructure.
  • DHS has established the National Cyber Security Division (NCSD) to oversee the Cyber Security National Tracking and Response Center, which conducts analysis of threats and vulnerabilities, issues alerts and warnings, improves information sharing, and responds to major cyber security incidents.
  • The Cyber Warning and Information Network (CWIN) is an early warning system for cyber attacks.
  • In 2003, a new Terrorist Threat Integration Center (TTIC) was established to monitor and analyze threat information (composed of CIA, FBI, DOD, DHS, and Department of State officials).
Additionally, “The United States Computer Emergency Readiness Team (US-CERT) is a partnership between the Department of Homeland Security and the public and private sectors. Established in 2003 to protect the nation's Internet infrastructure, US-CERT (http://www.us-cert.gov/) coordinates defense against and responses to cyber attacks across the nation.”
According to the CRS Report for Congress, in July 2002 the U.S. Naval War College hosted a three-day, seminar-style war game called “Digital Pearl Harbor”; 79% of participants believed that a strategic cyber attack was likely within 2 years.
While the cyber attack dreaded by the war game participants did not occur, the scenario of a devastating cyber attack remains a real possibility that we must be prepared to confront and defeat.
As in the movie Live Free or Die Hard, a successful major cyber attack on this country could quickly bring us to our knees. We have become a nation born and bred on computers and automation. I challenge you to think of many things that you do that do not in some way involve them. We have formed a day-to-day dependency on all things computer, as individuals and as a nation.
In our enterprise architecture, we must continue to focus on comprehensive security frameworks for our organizations that address technical, managerial, and operational security areas. While the Federal Enterprise Architecture treats Security as a cross-cutting area, I believe that Security should be its own perspective (even though it crosses all domains), so that it can be given focus as an area that each and every agency and organization addresses. We must do more than create alerts, warnings, and reporting capabilities. We need both “computer vaccines” that can quickly cure and rid us of the encroachment of a cyber attack, and hunter-killer offensive capabilities that can paralyze any warring nation or terrorist organization that would dare to attack us.
I remember hearing a saying that once something is created, it is bound to eventually be used. So it was with the atomic bomb. So it will be with cyber warfare, and we must be prepared to defend this nation.
