Cyberspace Defense (CD) Course M01_L04 links ReferenceOnlyObject referenceObj Testing This Reference Object ReadOnlyText pageLocation Page x of y skipTopNavBtn SKIP TO CONTENT SKIP TO CONTENT SkipTopNavButtonClicked skipBtmNavBtn SKIP NAVIGATION SKIP NAVIGATION SkipBtmNavButtonClicked helpBtn Help Help. Select this button to open the help panel. HelpButtonClicked exitBtn Exit Exit. Select this button to exit the course. ExitButtonClicked courseMapBtn Course Map Course map. Select this button to access the course map. CourseMapButtonClicked glossaryBtn Glossary Glossary. Select this button open the glossary. GlossaryButtonClicked resourcesBtn Resources Resources. Select this button to access the resources for the course. ResourcesButtonClicked hideCCBtn Hide Captions Hide Captions. Select this button to hide the caption text. HideCCButtonClicked showCCBtn Show Captions Show Captions. Select this button to show the caption text. ShowCCButtonClicked turnAudioDescriptionsOffBtn Turn Audio Descriptions Off Turn Audio Descriptions Off. Select this button to turn off audio descriptions. AudioDescriptionsOffButtonClicked turnAudioDescriptionsOnBtn Turn Audio Descriptions On Turn Audio Descriptions On. Select this button to turn on audio descriptions. AudioDescriptionsOnButtonClicked skipReverseBtn Skip Backward Skip Backward. Select this button to skip a few frames back. SkipReverseButtonClicked skipForwardBtn Skip Forward Skip Forward. Select this button to skip a few frames ahead. SkipForwardButtonClicked replayBtn Replay Replay. Select this button to replay the current screen. ReplayButtonClicked transcriptBtn Transcript Transcript. Select this button for a transcript of the current page. ShowTextButtonClicked pauseBtn Pause Pause. Select this button to pause the course. PauseButtonClicked resumeBtn Resume Resume. Select this button to resume the course. ResumeButtonClicked previousPgBtn Back Back. Select this button to go to the previous screen. PreviousButtonClicked nextPgBtn Next Next. Select this button to go to the next screen. NextButtonClicked disacndv204_01 1 Welcome to the Principal Cybersecurity Services lesson. When you have completed this lesson, you will be able to identify the individual services that comprise cybersecurity services. You will also be able to identify the role that cybersecurity service providers, or CSPs, play in delivering these services to DoD Components. There are seven topics in this lesson. After you have completed this Introduction, you will learn about the four different types of cybersecurity services and the principal cybersecurity services each type includes. Next, you will learn about the key cybersecurity services that proactively protect the DoD information networks, or DoDIN. Then, you will learn about the main cybersecurity services that monitor, analyze, and detect anomalies that may indicate that the DoDIN have been compromised, or are about to be compromised. Next, you will learn about the cybersecurity services that respond to computer security incidents to limit their damaging effects on the DoDIN. Finally, you will learn how these services are sustained throughout their lifecycle. disacndv204_02 2 The DoD Cyberspace Defense Architect, Office of the DoD Chief Information Officer, establishes and oversees the DoD Cybersecurity Service Provider program. Cybersecurity services are an integral part of DoD warfighting readiness. A wide spectrum of cybersecurity services is necessary to protect and defend the DoDIN. Cybersecurity services, protect the network from adverse events, detect adverse events that do occur, respond to those adverse events, and then sustain all of the protect, detect, and response services throughout their lifecycles. The principal cybersecurity protection services consist of malware protection support; information operations conditions, or INFOCONs; information assurance vulnerability management, or IAVM, support; vulnerability assessment, or VA, support; external assessments; and cybersecurity education, training, and awareness, or ETA. The principal cybersecurity monitoring, analysis, and detection services include situational awareness with network security monitoring and intrusion detection; attack sensing and warning, or AS&W; and indications and warnings, or I&W. The principal cybersecurity incident response services include incident reporting, incident response, and incident analysis. These services provide the courses of action to take when computer security incidents occur. The principal sustainment services include Memorandums of Agreement, or MOAs, and contracts; cyberspace defense functional level policies and procedures; cyberspace defense technology development, evaluation, and implementation; personnel; security administration; and cyberspace defense information systems. You need to understand what each cybersecurity service entails, and the role of CSPs in providing each service to your DoD Component. disacndv204_03 3 disacndv204_03_01 3 Malware Protection Support Malware protection protects information systems and networks from known malware. It accomplishes this by implementing anti-virus software just inside the perimeter of the system. In other words, it prevents malware from entering and infecting the network servers and workstations. disacndv204_03_02 3 Host-Based Security System (HBSS) A host-based security system provides a second line of defense, by implementing system protection tools on the host, which may be a single network workstation, computer or laptop. If a worm, virus, or human attacker succeeds in entering the information system, the HBSS provides a second chance to stop the attack before it further compromises the system. The most common type of host-based protection is desktop antivirus software that identifies and stops most known viruses. Another common form of host-based protection is the workstation or the computer personal firewall. This software works very much like a perimeter firewall, except that it protects only one device: the host computer or workstation. Much less common is the host-based intrusion detection system, or HIDS. These software security components observe the computer, either at the operating system or at the network interface, sniffing for malicious activity. If malicious activity is detected, the HIDS will either terminate the offending activity or send an alert to a security manager. The host- based security system can act as a sensor on the cyberspace defense systems' sensor grid. This provides visibility to the three tiers of CSPs on the health of the DoDIN. First, let's focus on the cybersecurity services that comprise the DoD's cybersecurity protection services. Malware protection support services include malware protection and host-based security system, or HBSS. Select each component of malware protection support services to learn more about it. disacndv204_04 4 SA, System Administrator Take a few moments to review the CSP Role in implementing antivirus services at Tier 1, Tier 2, and Tier 3. Because host- based protection must be implemented at each individual network workstation, computer, or laptop, the system administrators, or SAs, at each DoD installation also play a role. SAs install and maintain the host-based software on each machine. They also ensure that the individual machines are configured to the baseline standards determined by Tier 1 CSPs. disacndv204_05 5 Use of the DoD Information Operations Condition, or INFOCON, System is a readiness strategy that provides the ability to continuously maintain and sustain DoD's information systems and networks. An INFOCON provides a framework of prescribed actions necessary for establishing a level of confidence in the security of information systems supporting the DoDIN. The INFOCON strategy shifts the DoD from a threat-based, reactive system to a readiness-based, proactive one. The DoD INFOCON System is a uniform system of five progressive readiness conditions. INFOCON 5 is normal readiness and INFOCON 1 is maximum readiness. The impact of the INFOCON levels on system availability to the end user is limited at INFOCON 5, but can significantly affect system availability for short periods at INFOCON 1. The DoD INFOCON System is intended to raise or lower the defensive posture of the DoDIN uniformly, to respond to unauthorized activity on DoD information systems, and to mitigate the potential damage to DoD information systems and networks. disacndv204_06 6 USSTRATCOM has the authority to change the INFOCON level. Tier 2 and Tier 3 CSPs can set a more restrictive level than USSTRATCOM, but do not have the authority to set a less restrictive INFOCON. Take a moment to review the remaining CSP INFOCON responsibilities role at Tier 1, Tier 2, and Tier 3. disacndv204_07 7 TA, Technical Advisory IAVA, Information Assurance Vulnerability Alert IAVB, Information Assurance Vulnerability Bulletin disacndv204_07_01 7 Vulnerability Notifications TA, Technical Advisory IAVA, Information Assurance Vulnerability Alert IAVB, Information Assurance Vulnerability Bulletin IAVAs, IAVBs, and TAs have different levels of urgency, and therefore present different requirements for cybersecurity professionals. The urgency drives the type of notification that is appropriate. Urgency is determined by the risk to the DoD if the vulnerability were exploited. A TA is the least urgent and lowest risk type of notification. Therefore, corrective action is recommended, but not required. Potential escalation of these vulnerabilities is deemed unlikely, but the advisories are issued so that any risk of escalation in the future can be mitigated. A TA does not require acknowledgement within a specified amount of time since the vulnerability information has been received. Compliance reporting for TAs is not required; but, again, it is a best practice for cybersecurity professionals to take any necessary actions to address the vulnerabilities identified in TAs as soon as possible. An IAVB is used for vulnerabilities that are more urgent than those documented in TAs. Vulnerabilities presented in an IAVB pose a medium risk to the DoD, and, therefore, corrective action is recommended, but not required. IAVBs require an acknowledgement within an amount of time specified in the IAVB since the vulnerability information has been received. The local Authorizing Official, or AO, ensures compliance requirements and decisions are in support of local command requirements. Compliance reporting for IAVBs is not required, although individual DoD Components may require reporting compliance for IAVBs. However, it is still a best practice for cybersecurity professionals to take any necessary actions to address the vulnerabilities identified in IAVBs as soon as possible. The most urgent type of notification is an IAVA, which addresses severe network vulnerabilities resulting in immediate and potentially severe threats to DoD systems and information. IAVAs require corrective action on an urgent basis. IAVAs require an acknowledgement within an amount of time specified in the IAVA once the vulnerability information has been received. IAVAs also require compliance reporting, directing a response time for the first report on the status of corrective action. Compliance reporting indicates that directed actions are being taken to correct the vulnerability. The IAVA will also direct any changes to the standard monthly reporting requirement. disacndv204_07_02 7 IAVM Process IAVA, Information Assurance Vulnerability Alert When vulnerabilities have been reported to or identified by USCYBERCOM, the command determines the urgency of the information and decides whether to issue an IAVA, IAVB, or technical advisory. The notification is then sent out to Combatant Command, Service, agency, and field activity points of contact. The points of contact then distribute the information down their notification chain. When the system administrator or other appropriate personnel receive the notification, they must acknowledge receipt of the information within the specified time period. The acknowledgement reporting goes back up the notification chain to the originating Combatant Command, Service, agency, or field activity point of contact, who reports the acknowledgement back to USCYBERCOM. The system administrators or other appropriate personnel must also comply with mandated actions in the notification, and respond with what degree of compliance has been achieved within the specified timeframe. If necessary, a plan of action and milestones, or POA&M, is developed for assets that will be non-compliant until mitigation actions are completed. The compliance reporting goes back up the notification chain to the originating point of contact, who again reports back to USCYBERCOM. When vulnerabilities in DoD information systems are reported or identified, this information must be shared within the DoD at global, regional, and local levels so that appropriate actions can be taken to protect DoD information systems. Vulnerability information is distributed within the Department of Defense through the Information Assurance Vulnerability Management, or IAVM, Program. The DoD IAVM Program focuses on the status of DoD networks to mitigate or eliminate known vulnerabilities. The IAVM Program provides the ability to quickly notify Services, combatant commands, Defense agencies, field activities, and other DoD Components of vulnerabilities and the actions needed to correct those vulnerabilities. The IAVM Program also assesses the impact of vulnerabilities on the DoD infrastructure, monitors the status and closure of vulnerabilities, and reports on compliance with required actions to address vulnerabilities. There are three types of vulnerability notifications: an information assurance vulnerability alert, or IAVA, an information assurance vulnerability bulletin, or IAVB, and a technical advisory, or TA. The DoD IAVM Program's reporting process applies to all types of vulnerability notifications. Select Vulnerability Notifications and IAVM process to learn more. disacndv204_08 8 Take a moment to review the CSP role in IAVM support at Tier 1, Tier 2, and Tier 3. disacndv204_09 9 SCCVI, Secure Configuration and Compliance Validation Initiative ACAS, Assured Compliance Assessment Solution Malicious code eradication, Tools that detect and remove malicious code of all types, such as virus and keystroke logging software disacndv204_09_01 9 SCCVI, Secure Configuration and Compliance Validation Initiative ACAS, Assured Compliance Assessment Solution Malicious code eradication, Tools that detect and remove malicious code of all types, such as virus and keystroke logging software VA Tools DoD Enterprise vulnerability assessment tools include SCCVI and ACAS, as well as other tools, such as malicious code eradication tools. SCCVI is a legacy system scanning tool that assesses vulnerabilities and downloads information assurance vulnerability management, or IAVM information. SCCVI uses eEye Digital Security's Retina Network Security Scanner and its Remote Enterprise Management, or REM, console. SCCVI is able to conduct scans to identify network assets impacted by a vulnerability; pass information regarding impacted network assets; and report IAVM compliance status to the Vulnerability Management System, or VMS, database. SCCVI also allows multiple scanners to be managed from a centralized location; and provides the ability for scanners to report their findings to a centralized location. ACAS, which is replacing the SCCVI tool, is an automated tool using an integrated software solution that is scalable to an unlimited number of locations. ACAS uses the NESSUS Vulnerability Scanner's User Interface to derive scanning information on impacted network assets. ACAS provides the required automated network vulnerability scanning, configuration assessment, application vulnerability scanning, device configuration assessment, and network discovery. Malicious code eradication tools, after evaluation, are being deployed to prevent the presence of malicious code on DoD information systems. These tools detect and remove multiple types of malicious code, such as: virus spyware, adware, Trojans, hacker tools, and peer-to-peer software. Vulnerability Assessment, or VA, is a systematic examination of an information system to determine the adequacy of its security measures. Vulnerability assessment identifies security deficiencies, which could include security deficiencies in hardware, software and vulnerabilities caused by misconfigurations. Vulnerability assessment provides data that can aide in predicting the effectiveness of proposed security measures. After the proposed security measures have been implemented, VA can determine if they are adequately protecting the system. The enterprise-wide tools that the DoD uses to provide vulnerability assessment include the Secure Configuration and Compliance Validation Initiative, or SCCVI, which is nearing the end of its life cycle. The SCCVI tool is being replaced by the Assured Compliance Assessment Solution, or ACAS. DoD also has available various malicious code eradication tools, such as antivirus applications. Select VA tools to learn about what each tool does. disacndv204_10 10 Take a moment to review the CSP role in vulnerability assessment support at Tier 1, Tier 2, and Tier 3. disacndv204_11 11 External assessments are independent, threat-based activities that simulate an opposing force trying to break into a DoD information system. They are usually performed at the request of a DoD information system owner. External assessments help find information system vulnerabilities that adversaries can exploit. The teams, sometimes called "Red Teams" created for external assessments, suggest countermeasures based on the vulnerabilities they find during external assessment activities, so DoD information system owners can better protect their systems. Information system owners and developers can then make informed risk management decisions regarding their information systems, networks, and supporting infrastructure based on external assessment teams' assessments. disacndv204_12 12 Take a moment to review the CSP role in external assessments at Tier 1, Tier 2, and Tier 3. disacndv204_13 13 CSP, Cybersecurity Service Provider Cybersecurity Education, Training, and Awareness, or ETA, forms the basis for a robust cybersecurity capability and ensures a consistent level of knowledge across the DoD. Although Cybersecurity ETA is considered one of the principal cybersecurity protection services for all of the DoD, cyberspace defense-specific Cybersecurity ETA services are internal to the CSPs, rather than a service that they deliver to DoD Components. To perform cybersecurity services for DoD information systems and networks, CSP personnel must be trained to perform the required cybersecurity services. When DoD Components enter a relationship with a certified and accredited CSP organization, their expectation is that the personnel working for that organization are adequately trained to protect their DoD information systems. DoD 8570.01-M, The "Information Assurance Workforce Improvement Program" manual requires DoD cybersecurity professionals to be trained and certified in their cybersecurity role. CSP professionals must also meet specific DoD training and certification requirements. disacndv204_14 14 Take a moment to review the CSP roles in cybersecurity education, training, and awareness at Tier 1, Tier 2, and Tier 3. disacndv204_15 15 Knowledge Check 1 500 425 Select the best response; then select Submit. Which of the following services detects unauthorized activity and notifies affected parties? A. INFOCON B. Situational Awareness C. Attack, Sensing & Warning D. VA Support E. Indications and Warnings (I&W) F. IAVM Support G. External Assessments Correct. Attack, sensing, and warning activities detect unauthorized activity and notify affected parties. Incorrect. Attack, sensing, and warning activities detect unauthorized activity and notify affected parties. Which of the following services is a readiness strategy that provides a framework of prescribed actions? A. INFOCON B. Situational Awareness C. Attack, Sensing & Warning D. VA Support E. Indications and Warnings (I&W) F. IAVM Support G. External Assessments Correct. INFOCON is a readiness strategy that provides a framework of prescribed actions. Incorrect. INFOCON is a readiness strategy that provides a framework of prescribed actions. Which of the following services detects and reports time-sensitive intelligence on foreign developments? A. INFOCON B. Situational Awareness C. Attack, Sensing & Warning D. VA Support E. Indications and Warnings (I&W) F. IAVM Support G. External Assessments Correct. Indications and warnings are intelligence activities to detect and report time-sensitive intelligence on foreign developments. Incorrect. Indications and warnings are intelligence activities to detect and report time-sensitive intelligence on foreign developments. Which of the following services provides a common operational picture of the DoDIN and the missions it supports? A. INFOCON B. Situational Awareness C. Attack, Sensing & Warning D. VA Support E. Indications and Warnings (I&W) F. IAVM Support G. External Assessments Correct. Situational awareness provides a common operational picture of the DoDIN and the missions it supports. Incorrect. Situational awareness provides a common operational picture of the DoDIN and the missions it supports. Which of the following services ensures awareness of newly identified system vulnerabilities? A. INFOCON B. Situational Awareness C. Attack, Sensing & Warning D. VA Support E. Indications and Warnings (I&W) F. IAVM Support G. External Assessments Correct. IAVM support ensures awareness of newly identified system vulnerabilities. Incorrect. IAVM support ensures awareness of newly identified system vulnerabilities. Which of the following services includes simulating an opposing force to detect vulnerabilities? A. INFOCON B. Situational Awareness C. Attack, Sensing & Warning D. VA Support E. Indications and Warnings (I&W) F. IAVM Support G. External Assessments Correct. External assessments include simulating an opposing force to detect vulnerabilities. Incorrect. External assessments include simulating an opposing force to detect vulnerabilities. Which of the following services proactively scans systems and networks to detect vulnerabilities? A. INFOCON B. Situational Awareness C. Attack, Sensing & Warning D. VA Support E. Indications and Warnings (I&W) F. IAVM Support G. External Assessments Correct. VA Support proactively scans systems and networks to detect vulnerabilities. Incorrect. VA Support proactively scans systems and networks to detect vulnerabilities. Now try this. disacndv204_16 16 Knowledge Check 1 500 425 Refer to the CSP Roles in Cybersecurity Services Job Aid under Resources to answer these questions. Select the best response; then select Submit. Which CSP has the authority to change the INFOCON level from INFOCON 2 to INFOCON 3? A. Tier 1 B. Tier 2 C. Tier 3 Correct. Tier 1 CSPs have the authority to change INFOCON levels. Tier 2 and Tier 3 CSPs can only implement a more stringent INFOCON than the INFOCON set by Tier 1. Incorrect. Tier 1 CSPs have the authority to change INFOCON levels. Tier 2 and Tier 3 CSPs can only implement a more stringent INFOCON than the INFOCON set by Tier 1. Which CSP implements the system protection services enterprise-wide tools and ensures host-based systems are configured to standards? A. Tier 1 B. Tier 2 C. Tier 3 Correct. Tier 3 CSPs implement the system protection services enterprise-wide tools and ensures host-based systems are configured to standards. Incorrect. Tier 3 CSPs implement the system protection services enterprise-wide tools and ensures host-based systems are configured to standards. Which CSP initiates IAVAs and manages the vulnerability management system (VMS)? A. Tier 1 B. Tier 2 C. Tier 3 Correct. DISA, which is a Tier 1 CSP, initiates IAVAs and manages the VMS. Incorrect. DISA, which is a Tier 1 CSP, initiates IAVAs and manages the VMS. Which CSP assesses the impact of vulnerability assessments on cyberspace defense and coordinates changes to in progress or planned VAs? A. Tier 1 B. Tier 2 C. Tier 3 Correct. Tier 2 CSPs assess the impact of vulnerability assessments on cyberspace defense and coordinate changes to in-progress or planned VAs. Incorrect. Tier 2 CSPs assess the impact of vulnerability assessments on cyberspace defense and coordinate changes to in-progress or planned VAs. Which CSP supports external assessments by complying with direction on external assessment notification, reporting, and coordination requirements? A. Tier 1 B. Tier 2 C. Tier 3 Correct. Tier 3 CSPs support external assessments by complying with Tier 1 and Tier 2 direction on external assessment notification, reporting, and coordination requirements. Incorrect. Tier 3 CSPs support external assessments by complying with Tier 1 and Tier 2 direction on external assessment notification, reporting, and coordination requirements. Now check your knowledge of the CSPs' roles in cybersecurity protection services. disacndv204_17 17 Information systems and their missions, The first element of the Cyberspace Defense COP is the DoD global information and computing networks, and the military and business operations they support. This includes notification of any impending changes in configuration, capacity, utilization, assurance posture, user priorities or criticality of support for military operations. Threats to DoD information systems, The first element of the Cyberspace Defense COP is the DoD global information and computing networks, and the military and business operations they support. This includes notification of any impending changes in configuration, capacity, utilization, assurance posture, user priorities or criticality of support for military operations. Cyberspace defense operations, The third element of the Cyberspace Defense COP is a shared picture of cyberspace defense operations. This includes INFOCON levels and compliance, status and compliance with the IAVM program, schedule and status of vulnerability assessments, status of cyberspace defense courses of action, and any impending changes to cybersecurity services. Now, let's focus on the cybersecurity monitoring, analysis, and detection services, starting with situational awareness. Situational awareness is necessary to defend DoD's highly interconnected information systems. Key to situational awareness is effective Network Security Monitoring and Intrusion Detection. Situational awareness is enabled by a suite of information systems that support and create a common operational picture, or COP. The Cyberspace Defense COP consists of several elements. The first element is a shared picture of the DoD global information and computing networks and the military and business operations they support. The second element of the Cyberspace Defense COP is a shared picture of the threat to DoD information systems developed from all sources. The third element of the Cyberspace Defense COP is a shared picture of cyberspace defense operations. disacndv204_18 18 Take a moment to review the CSP role in situational awareness at Tier 1, Tier 2, and Tier 3. disacndv204_19 19 Attack Sensing and Warning, or AS&W, is defined as the detection, correlation, identification, and characterization of intentional unauthorized activity on DoD information systems, including computer intrusion or attack, coupled with the notification to commanders and decision-makers so an appropriate response can be developed. AS&W also includes the collection and dissemination of intelligence related to a computer attack and may include recommendations for a response to and an assessment of the impact of an attack or intrusion. AS&W focuses both on actual intrusions and preparatory actions or on preliminary network conditions that may indicate an attack is likely, is planned, or is underway. disacndv204_20 20 Take a moment to review the CSP role in Attack Sensing and Warning at Tier 1, Tier 2, and Tier 3. disacndv204_21 21 Indications and Warnings, or I&W, are defined as those intelligence activities intended to detect and report time-sensitive intelligence information on foreign developments that could involve a threat to the United States, or allied military, political, or economic interests, or U.S. citizens abroad. I&W includes forewarning of enemy actions or intentions; the imminence of hostilities; insurgent activity; nuclear or non-nuclear attack on the U.S., its overseas forces, or allied nations; hostile reactions to U.S. reconnaissance activities; and terrorist attacks. disacndv204_22 22 Take a moment to review the CSP role in Indications and Warning at Tier 1, Tier 2, and Tier 3. disacndv204_23 23 Knowledge Check 1 500 425 Select the best response for each statement; then select Submit. ReadOnlyText Indicate the service to which each description applies. Detects intentional unauthorized activity on information systems and networks Situational Awareness Indications & Warnings (I&W) Attack Sensing & Warning(AS&W) Correct. AS&W detects and identifies intentional unauthorized activity on information systems and networks. Incorrect. AS&W detects and identifies intentional unauthorized activity on information systems and networks. Consists of intelligence activities to detect and report time-sensitive intelligence information on foreign developments Situational Awareness Indications & Warnings (I&W) Attack Sensing & Warning(AS&W) Correct. Indications & Warnings consist of intelligence activities to detect and report time-sensitive intelligence information on foreign developments. Incorrect. Indications & Warnings consist of intelligence activities to detect and report time-sensitive intelligence information on foreign developments. Provides a common operational picture (COP) Situational Awareness Indications & Warnings (I&W) Attack Sensing & Warning(AS&W) Correct. Situational awareness provides a common operational picture (COP). Incorrect. Situational awareness provides a common operational picture (COP). Now check your knowledge of the cybersecurity monitoring, analysis, and detection services. disacndv204_24 24 Knowledge Check 1 500 425 Select True or False for each statement; then select Submit. ReadOnlyText Refer to the CSP Roles in Cybersecurity Services Job Aid under Resources to answer these questions. Tier 1 CSPs provide DoD Component-unique situational awareness requirements. True False Correct. This is false. Tier 2 CSPs provide DoD Component-unique situational awareness requirements. Incorrect. This is false. Tier 2 CSPs provide DoD Component-unique situational awareness requirements. Tier 1 CSPs provide the intelligence community with PIR requirements and with I&W requirements. True False Correct. This is true. Tier 1 CSPs provide the intelligence community with PIR requirements and with I&W requirements. Incorrect. This is true. Tier 1 CSPs provide the intelligence community with PIR requirements and with I&W requirements. Tier 2 CSPs work with Tier 3 CSPs to ensure timely and accurate common operational picture (COP). True False Correct. This is true. Tier 2 CSPs work with Tier 3 CSPs to ensure timely and accurate common operational picture (COP). Incorrect. This is true. Tier 2 CSPs work with Tier 3 CSPs to ensure timely and accurate common operational picture (COP). Tier 3 CSPs support key cyberspace defense personnel in identifying AS&W requirements. True False Correct. This is false. Tier 2 CSPs support key cyberspace defense personnel in identifying AS&W requirements. Incorrect. This is false. Tier 2 CSPs support key cyberspace defense personnel in identifying AS&W requirements. Now check your knowledge of the roles each tier plays in Cyberspace Defense. disacndv204_25 25 USCYBERCOM, United States Cyber Command CIRT or CERT®, Computer Incident Response Team/Computer Emergency Response Team RCERTs, Regional Computer Emergency Response Teams JIMS, Joint Incident Management System Incident response services are intended to report, respond to, and analyze computer security incidents that occur on DoD information systems. CSPs are responsible for developing and implementing the incident response course of action, or COA, that must be followed for all incidents that occur on DoD information systems. The incident response COA includes identifying the incident, assessing its impact, informing the appropriate entities up the reporting chain, and responding to the incident. Incidents must be reported up the reporting chain using the Joint Incident Management System, or JIMS. As each level in the chain receives incident report information, that level performs the required COA. It is important to note that incidents must be reported to both the DoD Component affected by the incident and to USCYBERCOM. disacndv204_26 26 Take a moment to review the CSP role in Incident Response at Tier 1, Tier 2, and Tier 3. disacndv204_27 27 Knowledge Check 1 500 425 Select the best response; then select Submit. Which of the following statements best describes the purpose of Cybersecurity Response Services? Provide a Course of Action for Defense-wide information sharing regarding computer incidents and vulnerabilities Provide a Course of Action to develop a cyberspace defense common operational picture to determine when incidents have occurred Provide a Course of Action to investigate and prosecute the individuals responsible for computer incidents Provide a Course of Action for identifying, assessing, reporting, and responding to computer security incidents Correct. Cybersecurity Response Services are incident response services that provide a Course of Action for identifying, assessing, reporting, and responding to computer security incidents. Incorrect. Cybersecurity Response Services are incident response services that provide a Course of Action for identifying, assessing, reporting, and responding to computer security incidents. Now, check your understanding of Cybersecurity Response Services. disacndv204_28 28 Knowledge Check 1 500 425 Refer to the CSP Roles in Cybersecurity Services Job Aid under Resources to answer these questions. Select the best response for each statement; then select Submit. ReadOnlyText Indicate the service to which each description applies. Ensures that information regarding course of action development and execution is timely and accurate Tier 1 Tier 2 Tier 3 Correct. Tier 2 CSPs ensure that information regarding course of action development and execution is timely and accurate. Incorrect. Tier 2 CSPs ensure that information regarding course of action development and execution is timely and accurate. Responsible for managing the cyberspace defense course of action development and execution process Tier 1 Tier 2 Tier 3 Correct. Tier 1 CSPs are responsible for managing the DoD cyberspace defense course of action development and execution process. Incorrect. Tier 1 CSPs are responsible for managing the DoD cyberspace defense course of action development and execution process. Works with other tiers to ensure effective lines of command, control, communication, and coordination Tier 1 Tier 2 Tier 3 Correct. Tier 2 CSPs work with the other tiers to ensure effective lines of command, control, communication, and coordination. Incorrect. Tier 2 CSPs work with the other tiers to ensure effective lines of command, control, communication, and coordination. Follows direction regarding the course of action development and execution Tier 1 Tier 2 Tier 3 Correct. Tier 3 CSPs follow Tier 1 and Tier 2 direction regarding the course of action development and execution. Incorrect. Tier 3 CSPs follow Tier 1 and Tier 2 direction regarding the course of action development and execution. Now check your knowledge about the CSPs' roles in incident response. disacndv204_29 29 MOA, Memorandum of Agreement SLA, Service Level Agreement Sustainment services include the review of memorandums of agreement, or MOAs; service level agreements, or SLAs; and contracts to ensure cybersecurity services are being provided and maintained as outlined in the MOAs, SLAs, and contracts between the CSPs and their clients. disacndv204_30 30 TTPs, Tactics, Techniques, and Procedures SOPs, Standard Operating Procedures Sustainment services ensure cyberspace defense functional level policies and procedures are in place. Sanitization procedures protect classified information from unauthorized disclosure. Law Enforcement/Counter Intelligence, or LE/CI, procedures and policies protect sensitive information and preserve evidence for investigations. Other procedures are used to validate existing cyberspace defense policies and procedures; tactics, techniques, and procedures, or TTPs; and standard operating procedures, or SOPs. Finally, procedures exist to ensure support plans, financial plans, and metrics are in place to support cybersecurity services. disacndv204_31 31 AS&W, Attack Sensing and Warning Sustainment services ensure that cyberspace defense technology is developed, evaluated, and implemented in concert with the latest threats and emerging technologies available, both in the government and private sector. This includes AS&W procedures for cybersecurity services themselves, the creation of cybersecurity tool deployment procedures, and testing prior to operational use of those services, followed by post-deployment testing of those services. disacndv204_32 32 Sustainment services ensure that sustainment personnel are correctly identified in any contract or service level agreement, receive technical training on the cybersecurity tools that are deployed, and are maintaining technical currency, such as by participating in government and industry external forums, for example, Black Hat briefings. disacndv204_33 33 OPSEC, Operations Security Security Administration ensures the data provided by CSPs is protected. To this end, Security Administration ensures cybersecurity services are in compliance with physical security standards, protective measures for cybersecurity tools and systems, Operations Security, or OPSEC, standards and personnel security measures, which include procedures for foreign nationals. disacndv204_34 34 BCP, Business Continuity Plan DRP, Disaster Recovery Plan COOP, Continuity of Operations Plan Sustainment services include cyberspace defense information systems that show how the cybersecurity products provided to customers are being protected. The types of protection applied to or performed on cyberspace defense systems include defense-in-depth strategy, anti-malware program for CSP information; Backup and Business Continuity Plans, Disaster Recovery Plans, and Continuity of Operations Plans; intrusion detection; INFOCON; vulnerability assessments scans; annual external assessments; IAVM compliance; accreditation procedures; lifecycle configuration management, or CM, plans; and site identification of confidentiality of sensitive data during transmission between subscriber and provider. disacndv204_35 35 Knowledge Check 1 500 425 Select the best response; then select Submit. Which of the following Sustainment services shows how cybersecurity services provided to customers are being protected? A. MOAs/SLAs/Contracts B. Cyberspace Defense Functional Level Policies/Procedures C. Cyberspace Defense Technology Development, Evaluation, and Implementation D. Sustainment Personnel E. Security Administration F. Cyberspace Defense Information Systems Correct. Cyberspace Defense Information Systems service shows how cybersecurity services provided to customers are being protected. Incorrect. Cyberspace Defense Information Systems service shows how cybersecurity services provided to customers are being protected. Which of the following Sustainment services ensures personnel receive technical training on cybersecurity tools that are deployed? A. MOAs/SLAs/Contracts B. Cyberspace Defense Functional Level Policies/Procedures C. Cyberspace Defense Technology Development, Evaluation, and Implementation D. Sustainment Personnel E. Security Administration F. Cyberspace Defense Information Systems Correct. Sustainment Personnel service ensures personnel receive technical training on cybersecurity tools. Incorrect. Sustainment Personnel service ensures personnel receive technical training on cybersecurity tools. Which of the following Sustainment services ensures data provided from CSPs is protected? A. MOAs/SLAs/Contracts B. Cyberspace Defense Functional Level Policies/Procedures C. Cyberspace Defense Technology Development, Evaluation, and Implementation D. Sustainment Personnel E. Security Administration F. Cyberspace Defense Information Systems Correct. Security Administration service ensures data from CSPs is protected. Incorrect. Security Administration service ensures data from CSPs is protected. Which of the following Sustainment services ensures cybersecurity services are staying current with existing threats and emerging technologies? A. MOAs/SLAs/Contracts B. Cyberspace Defense Functional Level Policies/Procedures C. Cyberspace Defense Technology Development, Evaluation, and Implementation D. Sustainment Personnel E. Security Administration F. Cyberspace Defense Information Systems Correct. Cyberspace Defense Technology Development, Evaluation, and Implementation ensure cybersecurity services are staying current with existing threats and emerging technologies within both the government and private sector. Incorrect. Cyberspace Defense Technology Development, Evaluation, and Implementation ensure cybersecurity services are staying current with existing threats and emerging technologies within both the government and private sector. Which of the following Sustainment services ensures how cybersecurity services are being provided to customers? A. MOAs/SLAs/Contracts B. Cyberspace Defense Functional Level Policies/Procedures C. Cyberspace Defense Technology Development, Evaluation, and Implementation D. Sustainment Personnel E. Security Administration F. Cyberspace Defense Information Systems Correct. Sustainment services include reviewing MOAs, SLAs, and contracts to ensure cybersecurity services are being provided as outlined in the MOAs and contracts. Incorrect. Sustainment services include reviewing MOAs, SLAs, and contracts to ensure cybersecurity services are being provided as outlined in the MOAs and contracts. Which of the following Sustainment services ensures information is properly sanitized before being shared with customers? A. MOAs/SLAs/Contracts B. Cyberspace Defense Functional Level Policies/Procedures C. Cyberspace Defense Technology Development, Evaluation, and Implementation D. Sustainment Personnel E. Security Administration F. Cyberspace Defense Information Systems Correct. Cyberspace Defense Functional Level Policies/ Procedures includes procedures for sanitizing information shared with customers to prevent unauthorized disclosure of classified information. Incorrect. Cyberspace Defense Functional Level Policies/ Procedures includes procedures for sanitizing information shared with customers to prevent unauthorized disclosure of classified information. Now try this. disacndv204_36 36 Congratulations! You have completed the Principal Cybersecurity Services lesson. You should now be able to identify the individual services that comprise cybersecurity services and the role that cybersecurity service providers play in delivering cybersecurity services.