It's been a LONG time since I've posted on here and I wanted to return. One of the recent things I have been working on is trying to "settle the argument" of the DoD's SSE role versus its ISSE role. Below is what I drafted.
Enjoy!
dw
Within the Army’s Acquisition community, there exists today
a lack of clarity when defining and discussing the roles of a System Security
Engineer (SSE) and an Information System Security Engineer (ISSE). This
confusion is due in large part to there being some ambiguity in how the roles
are defined in different publications used within this community. Additionally,
it doesn’t help that the role names are so close to being identical.
Examination of the Official Verbiage
The logical starting point for this discussion is the
examination of what is actually written in the different publications relevant
to both System Security Engineering and Information System Security
Engineering. This discussion will cover the relevant Department of the Army
regulations, DoD’s guidance, and the descriptions of the roles as provided by
NIST.
Army Guidance
The US Army defines the Information System Security Engineer
(ISSE) as being “an individual or a group responsible for conducting information system
security engineering activities, including [AR25-2] [DA PAM25-2-14]:
-
System Architecture
-
System Design
-
System Development
-
System Configuration
Furthermore, Army regulations require that the Program
Manager (PM)/System Manager(SM) assign an Information System Security Engineer
to all IS and PIT systems [AR-25-2][DA PAM25-2-14]. The ISSE should be “fully
integrated into the systems engineering process.”
When discussing the Risk Management Framework (RMF)
specifically, the US Army, in [DA PAM25-2-14] articulates the requirement to integrate
system security engineering into existing processes. Unfortunately, this
statement on its own has caused some confusion as to the ISSE versus SSE role
within DoD and the US Army. There does exist some clarity, discussed later,
when examining publications from both NIST and DoD directly.
The confusion between the SSE and ISSE role is never firmly
answered amongst the multiple levels of regulations and guidance between
Defense Acquisitions through US Army, DoD, and ultimately NIST. However, some
clarity exists in the specific wording chosen in each document.
The ISSE role is specifically identified as being required
in [DA PAM25-2-14].
DoD Guidance
In two tables within [DoD 8570-01M], Table C4.T7 and Table
C10.T7, we find the following:
Table C4.T7.
IAM Level III Functions
M-III.2. Ensure that protection and detection capabilities are
acquired or developed using the IS security engineering approach and are
consistent with DoD Component level IA architecture.
Where “IS” is prepended intentionally to “security
engineering.” We also find the below, an even clearer articulation as to the
name of the role/function.
Table C10.T7.
IASAE Level III Functions
IASAE-III.18. Ensure that acquired or developed system(s) and
network(s) employ Information Systems Security Engineering and are consistent
with DoD Component level IA architecture.
NIST Guidance
Finally, we look at what the different NIST publications have
to say. In [NIST SP800-37] we find a specific definition that, when examined,
shows that there is a difference between SSE efforts and that of an ISSE. The
first definition is:
Systems Security Engineering – Process that captures and
refines security requirements and ensures their integration into information
technology component products and information systems through purposeful
security design or configuration.
Notice that the definition describes the integration of
security requirements into IT products and information Systems. This is not
synonymous with the integration of security requirements into a full system or
system-of-systems. However, one must consider the target audience of this
publication and its content, the Risk Management Framework. In broader scoped
NIST publications, as shown below, this definition is expanded to be
system-holistic and includes cybersecurity concerns, and not solely focused as
the definition above.
Another NIST publication in which its audience and content
must be considered is [NIST SP800-53A]. Two items within this publication
should be considered when examining the relationship between the SSE and ISSE
roles. In the “Target Audience” section, the document uses the term
“information Security Engineers” and does not use the terms Information System
Security Engineers nor System Security Engineers. Later in the document, when
discussing control SA-8 (Security Engineering Principles), the assessment
objective specifically states: “applies information system security engineering
principles” which clearly references the specific role/function of ISSE
efforts.
Finally, [NIST SP800-160 vol I] shows a clear delineation of
the two roles. It should be noted that this publication is title: “Systems
Security Engineering – Considerations for a Multidisciplinary Approach in the
Engineering of Trustworthy Secure Systems”. This is the first of two volumes of
NIST’s System Security Engineer guidance.
[NIST SP800-160 vol I] describes Systems Security
Engineering as focusing on “protection
of stakeholder and system assets so as to exercise control over asset loss and
the associated consequences” and the approach described within the publication
“helps to reduce the susceptibility of systems to a variety of simple, complex,
and hybrid threats including physical and cyber-attacks; structural failures;
natural disasters; and errors of omission and commission”. As this shows, the
publication specifically states that SSE efforts include but is not confined to
cyber aspects. The publication further states that:
“Systems
security engineering, as an integral part of systems engineering, helps to
ensure that the appropriate security principles, concepts, methods, and
practices are applied during the system life cycle to achieve stakeholder objectives
for the protection of assets—across all forms of adversity characterized as
disruptions, hazards, and threats.”
Again, this shows that NIST SP800-160 does not confine SSE
to only the cybersecurity realm, which the publication specifically articulates
a few sentences later:
“Systems security engineering leverages many security
specialties and focus areas that contribute to systems security engineering
activities and tasks. These security specialties and focus areas include, for
example: computer security; communications security; transmission security;
anti-tamper protection; electronic emissions security; physical security;
information, software, and hardware assurance; and technology specialties such
as biometrics and cryptography.”
Comparing the Guidance
It is obvious that there is no apparent agreement in ISSE
and SSE definitions between the US Army, DoD, and NIST publications. However,
as shown here, when the content and audience of each individual publication is
considered, the difference between the two roles becomes clearly defined.
System Security Engineering – the processes of examining and
applying security requirements holistically to a system or system of systems.
These requirements are derived from multiple domains including cybersecurity,
physical security, etc.
Information System Security Engineering – the process of
examining and applying cybersecurity requirements to a system or system of
systems. These requirements are primarily derived via the RMF process and are
defined by NIST Controls [NIST SP800-53r4] and DISA’s Control Correlation
Identifiers.
What is an ISSE?
Looking at some of the referenced definitions above, it
becomes simple to state from a very high level the actions associated with the
ISSE role. Specifically, recall that [AR25-2] [DA PAM25-2-14] identify four primary areas of the ISSE
focus. These four areas are:
-
System Architecture
-
System Design
-
System Development
-
System Configuration
The word System
has been defined within [ISO/IEC/IEEE 15288:2015] as:
-
A set of interacting elements (i.e., system
elements) organized to achieve one or more stated purposes.
In order to understand the role of the ISSE within the scope
of the Risk Management Framework, we must refine the definition of System to the following:
-
A set of interacting elements (i.e., system
elements) organized to process Department of Defense (DoD) data and/or connect
to a DoD Network.
With the appropriated scoped definition of System, we can further define these four
target areas and the ISSE’s role within each.
System Architecture
According to [ISO/IEC/IEEE 15288:2015], System Architecture
can be defined as “fundamental concepts or properties of a system in its
environment embodied in its elements, relationships, and in the principles of
its design and evolution”. In other words, a [normally] high-level description
of a system and its internal and external interactions.
The ISSE role regarding system architecture is examine and
evaluate the proposed interactions and environment of the system. The ISSE best
serves the program by asking specific questions about these high level
interactions, the operational environment, and potential alternatives.
An example of the ISSE function at this level be the
examination of proposed wireless protocols, the spectrum management/saturation
of the operational environment, and the feasibility of the sub-systems connecting
via a proposed wireless protocol.
System Design
Design is defined by [ISO/IEC/IEEE 15288:2015] in two ways:
-
Information, including specification of system
elements and the relationships, that is sufficiently complete to support a
compliant implementation of the architecture
-
Provides the detailed implementation-level
physical structure, behavior, temporal relationships, and other attributes of
system elements
Typically overlooked by ISSEs, or even excluded by design
leads, the system design area is a critical area where the expertise of the
ISSE should be leveraged heavily. The ISSE should be examining the protocols,
transmission mediums, and system instrumentation/performance requirements, at
both the hardware and software levels. This examination should identify
conflicts and potential cost drivers that may have alternatives.
An example of the ISSE function during this process would be
that of examining proposed hardware items to verify their ability to support a
required encryption schema in terms of both cycle time and system power.
Another example would be the examination of the physical design to ensure that
cyber-physical requirements can be sufficiently and appropriately satisfied.
System Development
Development refers to the process, life cycle, or framework
that is utilized within the program in order to implement the system
architecture and design into a given system or system of systems.
The role of the ISSE during System Development really
involves the entire lifecycle of the program and will vary depending upon the
specific process, framework, or lifecycle used to develop the system/system of
systems.
The primary role of the ISSE with this domain is to insure
that the appropriate inject points exist in each phase of the development in
order to ensure that cybersecurity requirements and affects are account for at
the appropriate juncture.
System Configuration
Configuration refers to the specific items and details that
are the realization of the architecture, design, and development processes.
This phase has the lowest level of granularity and is intended to manage a
system/system of systems from development through disposal. Items are tracked
specifically by manufacturer information and serial number. Changes to the
system, to include item replacements are both approved prior to action and
documented.
The ISSE typically does not play a direct role in maintaining
a system’s configuration. However, the ISSE should be involved in all
cyber-related configuration changes and updates. This involvement requires that
the ISSE provide expertise in the potential and known impacts of a given
potential change to the system.
What is an SSE?
As stated above, the SSE role is one that applies security
requirements holistically to a system. These requirements come from both
security-based engineering domains such as cyber and physical, and from
non-security-based engineering domains such as human factors engineering
(Ergonomics) and Reliability, Availability, and Maintainability (RAM)
Engineering.
Traditionally and by best practice, the SSE comes from the
Systems Engineering field and has a broad understanding of many engineering
disciplines. This means that an ISSE with additional engineering experience can
most likely fill the role of an SSE, the less-granular understanding of
cybersecurity engineering makes the SSE a poor choice to fill the ISSE role.
Although not specified in the literature, it is generally
safe to assume that, like the ISSE, the SSE provides engineering assistance in
four domains:
-
System Architecture
-
System Design
-
System Development
-
System Configuration
The difference however, and an important one, is the
definition of System as relates the SSE supporting these four areas. For that,
we go back to the original definition as found in [ISO/IEC/IEEE 15288:2015]:
-
A set of interacting elements (i.e., system
elements) organized to achieve one or more stated purposes.
This means that the general actions of the SSE within these
four areas are the same as the ISSE with the understanding that the SSE is not
looking solely at Cybersecurity requirements but at many requirements from
multiple security and non-security engineering disciplines.
[NIST SP 800-160 vol 1] goes into great, very granular,
detail regarding the System Security Engineering process and the function of
the System Security Engineer. There are numerous and specific tasks as well as
an excellent framework (which makes prudent use of a closed-loop feedback) for
this process.
Conclusion
The roles of the ISSE and SSE are separate, although at
times complementary, functions within the system development life cycle. This
should be obvious to the reader when considering the target audience, wording,
and scope of the references cited herein.