July 26, 2024
Report
Countering Weapons of Mass Destruction (CWMD) Device Cybersecurity Characterization Process and Profile
Abstract
Countering Weapons of Mass Destruction (CWMD) recognizes that threats in the cyberspace domain continue to grow, which requires CWMD devices and supporting systems to be both cybersecure (able to protect or defend against cyber-attacks) and resilient (able to maintain required capability in the face of adversity) to cyber threats. The CWMD cybersecurity characterization approach in this document supports existing cyber resilience activities within the Acquisition Lifecycle Framework. Similarly, this process supports existing Department of Homeland Security Cyber Resilience Test and Evaluation activities, which consist of iterative processes, starting at the initiation of system acquisition and continuing throughout the entire device and system life cycle. Cyber resilience is the ability of an information system to continue to operate while under attack, even if in a degraded or debilitated state, and to rapidly recover operational capabilities for essential functions after a successful attack.
The goal of the security characterization task for CWMD is to support the development of a CBRN device-dependent profile that aligns with device network capabilities and maps to recommended security controls, in order to create the impact levels of a characterization security profile. The impact levels for CWMD devices should be characterized as Low (L), Moderate (M), or High (H) to align with the low, moderate, and high control baselines. To estimate the impact levels, the device's security-related attributes are translated into the security objectives: Confidentiality (C), Integrity (I), and Availability (A), known as the CIA triad. The potential impact for each device can be L, M, or H; devices that connect and transmit different types of data may have different impact levels.
National Institute of Standards and Technology Federal Information Processing Standards Publication 199 states, “the potential impact values assigned to the respective security objectives shall be the highest value from among those security categories that have been determined for each type of information resident on the information system.” As CWMD is determining the cybersecurity impact levels of CBRN devices based on network connections and data transfers, the impact levels are aligned with the associated attributes of network connections and communications. For example, if the device system is connected to a wireless network and transmits different data types based on the confidentiality of the data, the highest impact value for each security objective should represent the device’s CIA impact level. This document is intended to be used by test managers, test teams, and program managers.
Published: July 26, 2024