IT SCC AI Policy Principles
Given the increasing attention to Artificial Intelligence, its benefits, and its potential harms, the ITSCC has developed a set of AI Policy Principles for U.S. policymakers, focusing specifically on cybersecurity and privacy.
Managing ICT Supply Chain Risk: The Outsourcing Network Services Assessment Tool (ONSAT)
Description: The ONSAT provides any organization a comparative understanding of the supply chain risks associated with outsourcing network services to second- and third-party vendors. Given today’s availability of open sourcing and flexible infrastructure, outsourcing Information and Communications Technology (ICT) services and virtualized functions is an attractive concept for reasons of cost and efficiency. To make informed ICT supply chain risk management decisions, organizations must understand the Total Cost of Ownership for alternative decision options. In addition to the cost of initial implementation and the cost of operations and maintenance, the Total Cost of Ownership includes the cost of associated business and security risks. Like operations and maintenance cost, the cost of risk lasts for the lifecycle of the outsourcing agreement.
Jointly developed and tested by a public-private consortium, the ONSAT is a working prototype that implements a consistent evidence-based approach to assess if, and how well, existing and potential outsourcing partners and their suppliers implement security and business practices. The tool assembles the scores from separate Business Trust and Security Maturity Questionnaires along with a tool-calculated score for financial cost utility to deliver an Overall Total Value Score for comparative analysis: internally, to inform outsourcing decisions and risk management processes; and externally, to communicate an overall trust level based on risk posture.
The ONSAT Business Questionnaire is derived from the Committee on Foreign Investment in the United States’ (CFIUS) Joint Voluntary Notice questions and the categories in the ONSAT Security Questionnaire are mapped to the NIST Cybersecurity Framework and nine additional commonly-used standards and decision frameworks associated with risk management including NIST special publications, International Standard ISO/IEC 27001, DoD's Cybersecurity Maturity Model, the Cloud Security Alliance Consensus Assessments Initiative Questionnaire, NIST Baldrige Cybersecurity Excellence Builder, and Carnegie Mellon University Software Engineering Institute Reports on Insider Threat and Fraud in the U.S. Financial Services Sector.
The ONSAT comprises a downloadable Spreadsheet (password to unlock for data entry is: “ONSAT”) and a detailed User Manual, and is associated with The Open Group Guide, An Approach to Assessing Vendors to Lower Potential Risk of Outsourced Network Services (https://publications.opengroup.org/guides/g197).
Analytic Approaches to Detect Insider Threat
Description: This whitepaper identifies how modern architectures can be used to collect data and invoke analytics to detect insider threats. The work expands upon published insider threat agent attack research by providing analytic indicators for early attack detection, and identifies the data needed for the analytics. The work presents a complete discussion of data sources within a representative system architecture and examines the use of “big data” architectures to capture, manage, and make the data accessible to analytic tools which power the insider threat analytics. The material is structured in a manner that facilitates organizational tailoring of the guidance based upon information technology limitations, legal authorities, corporate policies, business concerns, and workplace culture.
Security Tenets for Life Critical Embedded Systems
Description: Addresses antiquated, deficient security models for life critical embedded systems (LCES) and devices. This whitepaper captures and prioritizes core technical principles, or tenets, applicable across any industry or organization with LCES. The tenets may be used by system developers and operators to improve the overall security of such systems.
Cyber Resiliency Technical Guidance Documents
Description: This collection of 28 documents provides guidance on how an organization can best protect itself from cyber-attack. The material is written for C-suite decision makers (level 1) and technical implementers (level 2).
IT Sector Cyber Resilience White Paper
Description: This white paper explores resiliency from the public and private sector perspectives in order to better understand the commonalities and differences that Government and Industry have as it pertains to the cybersecurity and resilience of our critical infrastructure. The paper identifies areas where IT Sector stakeholders can coordinate resilience activities in building a cyber resilient critical infrastructure community.
DNS Risk Assessment
Description: This updated assessment of the Provide Domain Name Resolution Services and Provide Internet Routing, Access, and Connection Services Critical Functions Risk describes how specific existing and emerging threats, technologies, and standards affect the risk profiles of the IT Sector’s DNS and Internet routing critical functions.
Collective Defense
Description: Cybersecurity defenders across government and industry face a daunting but serious reality: self-defense alone can no longer be the governing practice. The need for a clearly defined Collective Defense apparatus, built upon the foundation of trust between industry and government, has become an issue of both national security and economic necessity.
Internet of Things (IoT) Acquisition Guidance Document
Description: This document highlights areas of elevated risk resulting from the software-enabled and connected aspects of IoT technologies and their role in the physical world. It provides information on certain vulnerabilities and weaknesses, suggests solutions for common challenges, and identifies factors to consider before purchasing or using Internet of Things devices, systems, and services. The recommendations in the document are designed to improve the effectiveness of supply chain, vendor, and technology evaluations prior to the purchase of Internet of Things devices, systems, and services. Adoption of these recommendations by all organizations will help strengthen the Nation’s cyber resilience by ensuring the cybersecurity of IoT technologies is addressed throughout the acquisition lifecycle. The document was developed by a working group composed of members of the Information Technology (IT) Government Coordinating Council (GCC) and IT Sector Coordinating Council (SCC) to help stakeholders incorporate security considerations when acquiring Internet of Things devices, systems, and services.
Cyber Resiliency: Requirements for Recoverable Systems
Description: Despite decades of efforts by industry and academia, successful intrusions of computer systems are still commonplace. Once a cyber-intrusion occurs, a resilient computer system must be able to repair or compensate for the damage. This publication specifies the requirements for Recoverable Systems: systems that will be able to address the problems that arise after a successful destructive cyber-intrusion. Recoverable Systems repair or re-provision computing platforms that have been compromised by malware or misconfiguration.
Resilient Time Guidance for Network Operations, CIOs, and CISOs
Description: Today, nearly all organizations rely on accurate time to sustain their daily network operations. Consequently, network operators must understand time and how it affects their networks. Regardless of which timing protocol an organization uses to receive its time – Network Time Protocol (NTP), Precision Time Protocol (PTP), or via Global Positioning System (GPS) – it is important to know the source of your time and to regularly monitor and test your time systems to ensure they are available and operating properly. Through a collaborative effort, government and industry experts have developed guidance to inform network operators on time resilience and security practices in enterprise systems. The guidance addresses gaps in available time testing practices, increasing awareness of time-related issues within systems, and increasing awareness of the linkage between time and cybersecurity. Additional jointly-developed guidance includes fact sheets on resilient time for C-Suite leaders (https://ics-cert.us-cert.gov/sites/default/files/documents/Corporate_Leadership_Resilient_Timing_Overview-CISA_Fact_Sheet_508C.pdf) and technical practitioners (https://ics-cert.us-cert.gov/sites/default/files/documents/Technical-Level_Resilient_Timing_Overview-CISA_Fact_Sheet_508C.pdf). Collectively, these efforts have informed the development of national guidance on resilient position, navigation, and time, as promulgated in Executive Order 13905 (https://www.federalregister.gov/documents/2020/02/18/2020-03337/strengthening-national-resilience-through-responsible-use-of-positioning-navigation-and-timing).