Activity-in-Diagram: Phase 3: Identify Cybersecurity Vulnerabilities

Creator Tim Ramey

Description

[Cooperative Vulnerability Identification]
"The purpose of the third phase is to begin testing early to verify cybersecurity and operational resilience and identify vulnerabilities and inform implementing any needed mitigations. Using multiple tailored test events, vulnerability identification informs contractor and government system designers, developers, and engineers of needed system cyber survivability and operational resilience improvements to reduce risk. Phase 3 is iterative during contractor development and includes regression testing to verify implemented mitigations. Phase 3 is also iterative during government DT&E." [Guidebook]

"Purpose - Identify known cybersecurity vulnerabilities in hardware, software, interfaces, operations, and architecture; to assess the mission risk associated with those vulnerabilities; and to determine appropriate mitigations or countermeasures to reduce the risk." [DAU CALIT]

Owning Diagram A0: Assess Cybersecurity Risk

Decomposition

A3: Phase 3: Identify Cybersecurity Vulnerabilities

Input

Mission-Based Cyber Risk Assessment (MBCRA)

cyber attack surface analysis report

RMF security plan

Output

need for additional requirement

CVI reports

ACD Test Plan

cybersecurity evaluation

TEMP updates

MBCRA updates

Control

Test and Evaluation Master Plan (TEMP)

cybersecurity T&E strategy

Chief Developmental Tester

Mechanism

Cybersecurity DT&E Technical Experts

Lead DT&E Organization

Attachments

phase 3.png