Cyberspace is one of the most critical domains in maintaining our nation’s superiority. However, the 2018 General Accounting Office (GAO) report on “Weapon Systems Cybersecurity” states that, by using basic tools and techniques, testers were able to take control of major weapon systems under development with ease and operate largely undetected. Challenges of weapon systems cybersecurity include complex and intense software in systems, common tactical networks, lack of test infrastructure and tools, lack of test assets and cyber T&E workforce, data rights issues and many more. This workshop will focus on solutions and approaches to overcome these challenges with special emphasis on the Weapon Systems. Our goal is to share practical knowledge and information to rapidly enhance the Weapon Systems Cybersecurity posture.
At this workshop, we will have exhibits and dedicate a technical track for hands-on tool demonstrations and interactive sessions. We encourage the government, industry and academia to showcase their capabilities.
Please join us on Okaloosa Island in Fort Walton Beach, Florida, as members of the T&E community from academia, industry, and government discuss the evolving discipline of Cybersecurity T&E. Come share your thoughts, connect with others, and learn from some of the leading experts at this Workshop.
ABSTRACT SUBMISSION FORM
Abstracts will be accepted on a “Space Available” basis through September 30th
Air Force Cyber Test and Evaluation Guidebook
Instructor: Steven Newton, 47CTS/OL-A (COLSA)
The United States Air Force (USAF) Cyber Test and Evaluation (CT&E) Guidebook (USAF CT&E GB) provides guidance and best practices for conducting CT&E activities used to verify cyber survivability (i.e., cybersecurity and cyber resiliency) of USAF information and weapon systems. Importantly, when CT&E activities are implemented early in program acquisition, integrated with program activities, and performed iteratively, CT&E activities reduce potential cyber survivability-related cost, schedule and performance issues. The goal of this guidebook is to assist the acquisition community in delivering to the warfighter a comprehensively evaluated, cyber secure and cyber resilient system capable of operating and completing its mission in a cyber-contested environment. CT&E starts at acquisition initiation and continues throughout the lifecycle of the system. In summary, CT&E:
The USAF CT&E GB is intended for Program Managers, Chief Developmental Testers (CDTs), Lead Developmental Test and Evaluation (T&E) Organizations (LDTOs), Operational Test Agencies (OTAs)/Operational Test Organizations (OTOs), and cyber Participating Test Organizations (PTOs) for USAF acquisition programs.
This guidebook applies to all USAF acquisition programs and systems regardless of their classification level, acquisition category, or acquisition lifecycle phase unless otherwise noted or directed.
The USAF CT&E GB is one of a series of USAF cyber related documents sponsored by the USAF Cyber Resiliency Office for Weapon Systems (CROWS) as part of the USAF Cyber Campaign Plan. Namely, the USAF CT&E GB follows and complements the USAF Weapon System Program Protection/System Security Engineering (PP/SSE) Guidebook (USAF WS PP/SSE GB) and the USAF System Security Engineering Acquisition Guidebook (USAF SSE Acq GB).
Air Force’s New MBCRA (Mission Based Cyber Risk Assessment) and Integrated Engineering Approach
Instructor: Kevin McGowan, 47CTS/OL-A (COLSA)
The AF commonly uses numerous stove-piped cyber vulnerability assessment processes, executed in parallel, to characterize cyber attack surfaces and to identify potential cyber vulnerabilities and risks. This is an inefficient use of limited resources and results in products being generated for targeted audiences (i.e., not usable by multiple stakeholders). It also results in less informed products and decisions.
The Mission-based Risk Assessment Process for Cyber (MRAP-C) is the AF’s new iterative Mission Based Cyber Risk Assessment (MBCRA) process which builds upon best practices from the Cyber Table Top (CTT), Cyber Test Prioritization Methodology (CTPM), Cyber BlueBook (CBB), and integrated engineering processes. The MRAP-C combines bottom-up and top-down assessment approaches to identify critical components and system information, to assess potential cyber attack paths through the system, and to identify potential mission effects of cyber vulnerability exploitation. The MRAP-C analysis activities and Attack Path Vignettes generated during the MRAP-C process inform cooperative and adversarial DT and OT cyber test events, cyber test strategy, cyber test plans, cyber requirements, cyber test resource lists, and cyber recommendations development. It also fulfills Cyber Test and Evaluation Phase 1 and 2 requirements.
When combined with the USAF’s integrated Program Protection / Systems Security Engineering (PP/SSE) Standard Process, programs are equipped with an iterative engineering process which assesses cyber vulnerabilities and risks throughout the acquisition lifecycle. When executed by the program’s integrated Systems Security Working Group (SSWG), all member stakeholders are involved with performing the cyber vulnerability assessments and with performing key programmatic/engineering activities focused on developing a cyber secure and cyber survivable system for the warfighter.
This Tutorial provides an overview of the new USAF PP/SSE Standard Process, and the embedded MRAP-C MBCRA process, which is expected to become mandatory for all AF acquisition programs by the end of CY20.
Cyber Table Top (CTT) Workshop For Participants & Facilitators
Instructor: Vincent Lamolinara – Defense Acquisition University
The tutorial introduces and applies the Cyber Table Top (CTT) mission-based cyber risk assessment (MBCRA) method to help discover cyber vulnerabilities, gauge their risk, propose mitigations and inform other competencies, documents and events across the DoD acquisition lifecycle. The workshop will establish an understanding of the threat and “thinking like a Hacker”; provide a “wheel of access” methodology to identify and diagram surface-attack characteristics; include cross-competency personnel, including users, to identify and prioritize cyber-attacks / vulnerabilities in a Red / Blue / White Team “wargame” mission scenario; and provide a construct to characterize and report risk and mitigations in order to design and maintain cyber resilient systems and personnel in the acquisition and operational phases of an Information or Platform weapons system. Participants will conduct exercises in each phase to reinforce and apply the concepts and methodology, and will learn how cybersecurity principles apply to their career fields. Students will create a surface attack taxonomy and role play different competencies including engineering, test, cybersecurity, logistics, safety, intelligence, contracts and the adversary. The case studies and scenarios will build up in complexity, culminating in a mini-CTT execution and Cyber Risk outbrief (to a simulated PM) for an exemplar weapons system at the UNCLAS level. Students will also apply CTT results to inform Test, AoA ICD/CDD/CPD, RFP/SOW, Specification, Architecture and upgrade / patch / ECP requirements as well as acquisition and risk management strategy. This workshop will enable students to participate in CTT efforts in their respective programs. Tailorable to the specific customer needs.
Objectives: Given a cybersecurity scenario, use Surface-attack characterization and Cyber Table Top Methodology to discover cyber vulnerabilities, gauge their risk, propose mitigations and inform other competencies, documents and events across the DoD acquisition lifecycle.
Target Attendees: The acquisition workforce, including industry partners, who design, build, procure, maintain, and provision cybersecurity capabilities.
Introduction to Cybersecurity Test and Evaluation
Instructors: Pete Christensen and Jean Petty, The MITRE Corporation
The purpose of this tutorial is to familiarize attendees with Cybersecurity and Test and Evaluation as it applies to US Federal Government Programs and the U.S. DOD. Note that the ideas and concepts presented also apply in principle to any acquisition program. Topics that will be addressed include Cyberspace as an operational domain, Cybersecurity threats, malware, DHS and DOD systems acquisition and associated Cyber T&E policy and process including “Cloud” Programs, requirements analysis, evaluation frameworks, cyber tabletop exercises, cooperative vulnerability assessments, adversarial assessments, cyber ranges and lessons learned.
Security Testing at the Speed of Trust: Evolving DevSecOps Security Practices at JITC
Instructor: Arless “Derek” Holloway, Cyber Situational Awareness, Systems/Analytics Test Team Lead (JTD), Jacobs / Joint Interoperability Test Command (JITC)
Security and risk management leaders at JITC labor over how to secure current, legacy and cloud resources consistently within their limited constraints. Integrating security into DevOps to deliver “DevSecOps” requires changing mindsets, processes and technology. Jacobs’ role in this transformation is to help the JITC organization tailor its operational culture and technical processes to support the new ways of developing, running, and supporting applications made possible by containers and other more loosely coupled application components. This paper reports on challenges and lessons learned during pilot project case studies to define new artifacts and processes for the independent validation and verification of systems at Defense Information Systems Agency (DISA). Why Can’t JITC be Agile? Developer Self-Service – In DISA’s Compliance Oriented World. Cloud services have provided streamlined ways to achieve innovation through the principles of DevOps and Developer Self-Service. This paradigm presents problems for regulated customers like DISA who are still under regulatory mandate to follow strict security, governance, and accreditation standards. Additionally, in the past these components were typically delivered during the production deployment phase. Jacobs’ case studies explore more streamlined alternatives to these waterfall deliverables in order to fit the velocity of the DevSecOps lifecycle. Key issues that this paper tackles are: defining risk in order to justify streamlined documentation for Medium and Low Risk releases; defining ways in which information security must adapt to development processes and tools, not the other way around; defining a lightweight Security Test and Evaluation Strategy based on risk and the most likely threat vectors to be exploited; and lessons learned from work with the Risk Management Executive (REM) to accredit the DEVOPS Toolchain.
TENA and JMETC Solutions for Cyber Test and Training
Instructor: Gene Hudgins, KBR
Together, TENA and JMETC enable interoperability among ranges, facilities, and simulations in a timely and cost-efficient manner. TENA provides for real-time system interoperability, as well as interfacing existing range assets, C4ISR systems, and simulations; fostering reuse of range assets and future software systems. JMETC is a distributed, LVC capability which uses a hybrid network architecture; the JMETC Secret Network (JSN), based on the SDREN, is used for secret testing and the JMETC Multiple Independent Levels of Security (MILS) Network (JMN) is the T&E enterprise network solution for all classifications and for cyber testing. JMETC provides readily available connectivity to the Services’ distributed test and training capabilities and simulations, as well as industry resources. This tutorial will address the current impact of TENA and JMETC on distributed systems engineering as well as their significance to the cyber Test and Training community.
Maj. Gen. Christopher P. Azzano
Brigadier General Evan C. Dertien
Brigadier General Scott Cain
Col. Bryan Choi
Amy Henninger, PhD, CEH, CISSP, CMSP
Senior Advisor for Software and Cybersecurity
Deputy Executive Agent, Cyber Test Ranges
Early Bird Registration until October 5th
$645 – Regular Registration*
$495 – ITEA Member / Government Employee / Active Duty Military
Regular Registration October 6th through 20th
$745 – Regular Registration*
$595 – ITEA Member / Government Employee / Active Duty Military
Late Registration after October 20th
$845 – Regular Registration*
$695 – ITEA Member / Government Employee / Active Duty Military
*Regular Registration rate includes one-year membership to ITEA.
New T&E Professional (less than 5 years of T&E experience) VERIFICATION REQUIRED – Includes two Lunches, the Networking Reception, and a one-year ITEA membership for Non-ITEA Members.
SUBSTITUTION AND CANCELLATION POLICY: Substitutions are permitted. Refunds are not available within ten (10) days prior to the start of the event. Requests for cancellation submitted between ten (10) to 45 days prior to start date of the event will be subject to a $250 cancellation fee. Requests for cancellation greater than 45 days prior to the start date of the event will be subject to a $100 cancellation fee.
Each of the 4-hour Pre-Workshop Tutorials provides 4 contact hours of instruction (4 CEUs) that are directly applicable to your professional development program, including the Certified Test and Evaluation Professional Credential (CTEP).
In addition to the Pre-Workshop Tutorials, the Workshop provides 4 contact hours of instruction (4 CEUs) for each half-day, 8 contact hours of instruction (8 CEUs) for each full-day, or 20 contact hours of instruction (20 CEUs) for attending the full Workshop, that are directly applicable to your professional development program, including the Certified Test and Evaluation Professional Credential (CTEP).
ITEA is a 501(c)(3) professional education association dedicated to the education and advancement of the test and evaluation profession. Registration fees, membership dues, and sponsorships are tax deductible.
Your sponsorship dollars help defray the cost of the Symposium and support the ITEA scholarship fund, which assists deserving students in their pursuit of academic disciplines related to the test and evaluation profession. Sponsorship and related benefits will become effective on receipt of payment.
NOTE: This ITEA event is a non-competitive environment meant for a free exchange of ideas and information.
Exhibit Hall will be limited to Tabletops ONLY, and space is very limited.
Please submit your Exhibit Application as soon as possible to ensure you get a prime location and that your organization is promoted in The ITEA Journal of Test and Evaluation.
Please showcase your organization’s products and services and join these other industry leaders:
1500 Miracle Strip Pkwy SE
Fort Walton Beach, FL 32548
Phone: (800) 874-8962
Hotel Room Reservations
Click the below link, select the dates and room type you are interested in on the booking screen and click BOOK NOW.
Guests may also book over the phone at 850-337-9194
Rate: starting at $162.00 USD per night plus tax
Last day to book: 02/28/20
Cancellation Policy: 48 hours prior to arrival
Deposit Policy: None
NOTE: A nightly resort fee of $15 per room will apply, which supports premium internet connectivity and complimentary parking.
ABSTRACT SUBMISSION FORM
Abstracts will be accepted on a “Space Available” basis through September 30
Sessions will be unclassified and open to the general T&E community; however, restricted sessions (up to FOUO) may be made available. Abstracts will be reviewed for a presentation during a conference session or as a poster paper. Presentations will be published in proceedings and made available to all attendees.
Abstracts should be non-commercial in scope, pertinent to the conference topic, no longer than 500 words, and releasable to the general public. Visit the ITEA website for the Abstract submission form that must be submitted to email@example.com.
TOPICS FOR CONSIDERATION
Workshop Chair – Min Kim, 96th Cyberspace Test Group
Technical Program Co-Chairs
– Bob Baggerman, ATAC
– Scott Thompson, EWA
– Jennifer Sen, Jacobs
– Shelby Pearce, Jacobs
– Joshua Turnier, Reliance Test & Technology
– John Rafferty, F35 PSC / EWD
Tutorial Chair – Gene Hudgins, KBR
Exhibit and Sponsor Chair – Steven Schrader, GSEC, CISSP, C|EH, C|NDA, DAF, 605th Test & Evaluation Sq
Registration – James Gaidry, CAE – firstname.lastname@example.org
03 - 05 Nov 2020
The Island by HOTEL RL