DoDP: DoD CIO Cybersecurity Risk Management Construct (2025), 2 pages

VIP document

ID: 74639

Views: 0

Size: 2.52 MB

Pages: 2

Date: 2025-09-25

Coins: 1

Uploader: PASHU
CYBER SECURITY RISK MANAGEMENT CONSTRUCT

This construct is intended to produce a culture, mindset and process that reimagines cyber risk management to be faster in keeping with the rate of change; more effectively assesses and conveys risk; and is less burdensome to cyber and acquisition professionals while ultimately providing operational combatant commanders with an accurate understanding of cyber risk to mission.

STRATEGIC TENETS
- Automation
- Critical Controls
- Continuous Monitoring (CONMON), control, and ATO
- Cyber Survivability
- Training
- Enterprise Services & Inheritance
- Reciprocity
- Operationalization
- DevSecOps
- Cybersecurity Assessments

RESOURCE CYBERSECURITY AND SURVIVABILITY REQUIREMENTS ACROSS SYSTEM LIFECYCLE

Lifecycle phases and the RMF step(s) each covers:
PHASE 1: DESIGN - RMF STEP(S): Prepare, Categorize, Select
PHASE 2: BUILD (IOC) - RMF STEP(S): Implement
PHASE 3: TEST (FOC) - RMF STEP(S): Assess
PHASE 4: ONBOARD - RMF STEP(S): Authorize
PHASE 5: OPERATIONS - RMF STEP(S): Monitor

Lifecycle activities (poster callouts, grouped by phase):

PHASE 1: DESIGN
- Capability need identified
- Select functional, cybersecurity, and cyber survivability requirements
- Team formation includes: Mission Owner, System Owner/Program Manager, Engineers, CSSP

PHASE 2: BUILD (IOC)
- Implementation of requirements
- Feed data to Information System Continuous Monitoring (ISCM)
- Alignment System
- Submit system for evaluation
- Assess & Remediate

PHASE 3: TEST (FOC)
- Mission customization for Information Security Continuous Monitoring (ISCM)
- Penetration testing (high risk systems)
- Automated test report dashboard analyst
- Vulnerability remediation & assessment team
- Assess & Remediate

PHASE 4: ONBOARD (NextGen CSSP outcomes)
- NextGen CSSP fully onboards system/capability
- NextGen CSSP partially onboards system/capability: isolation, re-sensoring, additional risk review
- or -
- NextGen CSSP risk management performs risk review, validates critical controls and mandatory artifacts

PHASE 5: OPERATIONS
- System accepted for ISCM for continuous monitoring, enabling cATO
- Data elements redirected to operational ISCM
- Repeatable playbook to manage real-time risk monitoring via automated dashboards and alerts
- High risk is elevated and addressed - CSSP watch officer makes decisions to disconnect

DOD INFORMATION NETWORK (DODIN): systems connected to DODIN, starting with lower environments in the Build Phase, through deployment to production environments in the Onboarding Phase.

CLEARED For Open Publication, Sep 23, 2025
Department of Defense, OFFICE OF PREPUBLICATION AND SECURITY REVIEW
Resource description:

[US Department of Defense] [September 23, 2025] released the "Cybersecurity Risk Management Construct". The document's purpose is to build a cyber risk management culture, mindset and process that keeps pace with the rate of change, assesses and conveys risk more effectively, reduces the burden on cyber and acquisition professionals, and gives combatant commanders an accurate understanding of cyber risk to mission. Its content: first, it defines the five phases of the system lifecycle (Design, Build, Test, Onboard, Operations) and the corresponding RMF (Risk Management Framework) steps of Prepare/Categorize/Select, Implement, Assess, Authorize and Monitor; second, it sets out cybersecurity and survivability resourcing requirements across the lifecycle, specifying that the team must consist of the Mission Owner, System Owner/Program Manager, Engineers and CSSP; third, it details the implementation requirements for Information System Continuous Monitoring (ISCM), including real-time risk monitoring via automated dashboards, escalation and handling of high-risk situations, and the three ways the NextGen CSSP handles a system: full onboarding, partial onboarding, and risk management review. The document concludes that this construct enables more efficient and accurate cyber risk management, supporting combatant commanders' accurate understanding of cyber risk and their decision-making.
