SlideShare une entreprise Scribd logo
1  sur  13
Télécharger pour lire hors ligne
Copyright © 2017, Raytheon Company. All rights reserved.
DESIGN FOR REGULATORY APPROVAL AS
CAREFULLY AS YOU DESIGN YOUR AUTOMATION
Global Business Services – IT
Keith Rodwell
Business Application Services Cloud Architect
Dec. 4, 2017
Approved for Public Release
This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.
2
FIRST – A DISCLOSURE
 The specifics of what we’re doing are
sensitive, so information cannot be shared
 Regulatory compliance is NOT a destination,
but instead a complex and twisty road full of
shear drops and sudden stops – even if we
had all of today’s answers, what you need to
do will be different tomorrow
There is no cookbook for regulatory compliance — your mileage will vary
Approved for Public Release
This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.
3
RAYTHEON COMPANY – A TECHNOLOGY AND
INNOVATION LEADER SPECIALIZING IN DEFENSE,
CIVIL GOVERNMENT AND CYBERSECURITY
SOLUTIONS THROUGHOUT THE WORLD.
 2016 net sales: $24 billion
 63,000 employees worldwide
 Headquarters: Waltham, Massachusetts
Approved for Public Release
This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.
4
OUR BUSINESSES ARE ORGANIZED
BY KEY MISSION AREAS
IDS
Headquartered in Tewksbury, Massachusetts,
Integrated Defense Systems specializes in air
and missile defense, large land- and sea-
based radars, and systems for managing
command, control, communications,
computers, cyber and intelligence. It
also produces sonars, torpedoes and
electronic systems for ships.
FORCEPOINTTM
Headquartered in Austin, Texas, Forcepoint
safeguards users, data and networks against
accidental or malicious insider threats and
advanced outside attacks across the entire
threat life cycle, in the cloud, on the road and in
the office. A joint venture of Raytheon and
Vista Equity Partners, Forcepoint enables
better decision-making, more efficient security
and simplifies compliance as it protects and
empowers more than 20,000 commercial and
government organizations worldwide.
IIS
Headquartered in Dulles, Virginia, Intelligence,
Information and Services designs and delivers
solutions and services that leverage its deep
expertise in cyber, analytics and automation.
Software, systems integration, and the support
and sustainment of Raytheon and other
companies’ systems for intelligence, military and
civil applications are delivered across five
markets: space, digital battlespace, cyber,
intelligent transportation and high-consequence
training.
RMS
Headquartered in Tucson, Arizona,
Raytheon Missile Systems is the world’s
premier missile maker, providing defensive
and offensive weapons for air, land, sea,
and space, including interceptors for U.S.
ballistic missile defense. The business also
builds net-enabled battlefield sensors and
includes Raytheon UK.
SAS
Headquartered in McKinney, Texas, Space
and Airborne Systems builds radars and
other sensors for aircraft, spacecraft and
ships. The business also provides
communications, electronic warfare and
high-energy laser solutions, and performs
research in areas ranging from linguistics to
quantum computing.
INTEGRATED
DEFENSE SYSTEMS
INTELLIGENCE,
INFORMATION AND SERVICES
MISSILE SYSTEMS
SPACE AND
AIRBORNE SYSTEMS
FORCEPOINT
POWERED BY RAYTHEON
Approved for Public Release
This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.
5
GLOBAL PRESENCE
ALWAYS THERE.
DEDICATED TO OUR
GLOBAL CUSTOMERS.
Raytheon Company is deeply committed to
global partnerships, providing solutions and
services to valued customers in more than
80 countries and building upon international
relationships to best meet the national
security and technology needs of nations
around the world.
Approved for Public Release
This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.
6
USER AND COMPLIANCE PRESSURE
USERS AND DEVELOPERS
WANT IT ALL
REGULATORY WANTS
THE LEAST NEEDED
Go! Go! Go!
Cloud – Yippee!
Faster, Better and Cheaper!
Enough Insight?
Audit?
Reputation?
Protect Us?
Controls?
Approved for Public Release
This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.
 Public Cloud:
– Highest diversity of services today
 Government Cloud:
– SRG-compliant subset of public cloud
 Regulatory Allowed:
– Governed subset
 Services Definitions:
– Supported services based on application
needs and bounded by what is allowed
7
SCOPE SERVICES TO WHAT IS NEEDED AND ALLOWED
Government
Cloud Capabilities
Public Cloud
Capabilities
Regulatory
Allowed
Services
Definitions
Approved for Public Release
This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.
8
ITAR, EAR, CUI and NIST 800-171
 International Traffic in Arms
Regulations (ITAR)
– U.S. government export and
import of defense-related articles
and services regulations
Be familiar with the regulations you’re designing to meet
 Controlled Unclassified
Information (CUI)
– Data that must be safeguarded
and/or dissemination controlled by
U.S. government regulation
 NIST 800-171
– Protecting CUI in nonfederal
information systems and
organizations
 Export Administration
Regulations (EAR)
– Commercial import and
export regulations
Approved for Public Release
This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.
9
Different questions leading to the same objective — protecting the business
TWO CRITICAL REGULATORY GROUPS’ CONCERNS
 Export/Import
– Will there be Foreign Person access?
– Will export-controlled data be accessed?
– Are required controls in place?
– If an unintentional export happens:
 Can we detect it and act promptly?
 Do we meet reporting requirements?
HAVE WE DONE ENOUGH TO
PROTECT AGAINST UNLICENSED
AND UNAUTHORIZED EXPORTS?
HAVE WE DONE ENOUGH TO ENSURE
COMPLIANT CONFIDENTIALITY,
INTEGRITY AND AVAILABILITY?
 IT Security
– Does it access sensitive data?
– Are appropriate/compliant controls in place?
– Does it provide sufficient insight for event
correlation and intrusion prevention?
– Is pass required testing and review?
– If there are any gaps, have they
been disclosed and is a Plan
of Actions and Milestones
(POAM) in place?
Approved for Public Release
This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.
10
ISSUES YOU’LL LIKELY ENCOUNTER
 Identity
– Automation identities aren’t
granted the right to modify their
own identity
– Issued tokens expire to policy
– Stored identity is protected by
enterprise encryption keys
 Connectivity
– Most foundations won’t be
internet facing
– Intrusion detection and prevention
will be in your packet pathway
– Cloud-to-cloud communications
aren’t direct
Free and open is not remotely equivalent to compliant and controlled
 Security
– Not everything will be allowed (like ECR)
– Authenticate before access still applies
– Encryption technologies must be compliant
and certified
– Encryption keys must be issued by existing
key stores
– Application Security Groups are
governed and controlled like firewalls
– Where an information system “lives”
is complicated by microservices
– Cloud foundry doesn’t natively
support security roles
Approved for Public Release
This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.
11
APPROACHES
 Place regulatory checks and
validation in automation
– Detect, block and alert Foreign Person
access to export-restricted services
– Enforce Application Security Group
change approval prior to implementation
– Manage application APIs based on data
classifications and acceptable uses
– Utilize pipelines to implement
compliance
– Create microservices that enforce
declared data controls in lieu of direct
database access
 Prioritize regulatory insight
– Establish log and event processing
practices that highlight elevations in
privilege, changes in configuration
and unexpected behavior
– Create dashboards that show
complete history of actions taken
by people, pipelines, platforms
and services
– Understand and implement
audit trail retention periods
with tools to navigate through
context
Care and feeding of compliance approvers must be testable
Approved for Public Release
This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.
12
Government
Cloud Capabilities
Public Cloud
Capabilities
Regulatory
Allowed
Services
Definitions
 Contain scope – what is used
– Only what you need now
– Avoid nice-to-have: limit creep
 Contain scope – what is offered
– Implement high-value and compliant first
– Socialize road maps prior to publishing
 Measured steps
– Incremental changes in lieu of monolithic
– Align with needs from both groups
CONTROL AND ARTICULATE SCOPES
Approved for Public Release
This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.
13
 ST 800-171
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
 ITAR
https://www.pmddtc.state.gov/regulations_laws/itar.html
 Keith’s contact information
keith.a.rodwell@raytheon.com
ADDITIONAL RESOURCES
Approved for Public Release
This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.

Contenu connexe

Tendances

Don't let them take a byte
Don't let them take a byteDon't let them take a byte
Don't let them take a bytelgcdcpas
 
Security Analysis Findings and Recommendations for the Department of Veterans...
Security Analysis Findings and Recommendations for the Department of Veterans...Security Analysis Findings and Recommendations for the Department of Veterans...
Security Analysis Findings and Recommendations for the Department of Veterans...David Bustin
 
THE ESSENTIAL ELEMENT OF YOUR SECURITY
THE ESSENTIAL  ELEMENT OF YOUR SECURITYTHE ESSENTIAL  ELEMENT OF YOUR SECURITY
THE ESSENTIAL ELEMENT OF YOUR SECURITYETDAofficialRegist
 
Emerging Trends in Information Privacy and Security
Emerging Trends in Information Privacy and SecurityEmerging Trends in Information Privacy and Security
Emerging Trends in Information Privacy and SecurityJessica Santamaria
 
Accelerating OT - A Case Study
Accelerating OT - A Case StudyAccelerating OT - A Case Study
Accelerating OT - A Case StudyDigital Bond
 
Achieving 360° view of security for complete situational awareness
Achieving 360° view of security for complete situational awarenessAchieving 360° view of security for complete situational awareness
Achieving 360° view of security for complete situational awarenessHappiest Minds Technologies
 
Automatski - The Internet of Things - Security Standards
Automatski - The Internet of Things - Security StandardsAutomatski - The Internet of Things - Security Standards
Automatski - The Internet of Things - Security Standardsautomatskicorporation
 
Critical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar N
Critical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar NCritical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar N
Critical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar Nnull The Open Security Community
 
SingHealth Cyber Attack (project)
SingHealth Cyber Attack (project)SingHealth Cyber Attack (project)
SingHealth Cyber Attack (project)James Neo
 
Using international standards to improve EU cyber security
Using international standards to improve EU cyber securityUsing international standards to improve EU cyber security
Using international standards to improve EU cyber securityIT Governance Ltd
 
Equifax, the FTC Act, and Vulnerability Scanning
Equifax, the FTC Act, and Vulnerability ScanningEquifax, the FTC Act, and Vulnerability Scanning
Equifax, the FTC Act, and Vulnerability ScanningBlack Duck by Synopsys
 
Top 10 Security Challenges
Top 10 Security ChallengesTop 10 Security Challenges
Top 10 Security ChallengesJorge Sebastiao
 
Chamber Technology Committee Presentation
Chamber Technology Committee PresentationChamber Technology Committee Presentation
Chamber Technology Committee PresentationTony DeGonia (LION)
 
Advanced Persistent Threat - Evaluating Effective Responses
Advanced Persistent Threat - Evaluating Effective ResponsesAdvanced Persistent Threat - Evaluating Effective Responses
Advanced Persistent Threat - Evaluating Effective ResponsesNetIQ
 
Data erasure's role in limiting cyber attacks
Data erasure's role in limiting cyber attacksData erasure's role in limiting cyber attacks
Data erasure's role in limiting cyber attacksBlancco
 
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...John Hamilton, DAHC,EHC,CFDAI, CPP, PSPO
 
Delete vs Erase: How Are Companies Wiping Active Files
Delete vs Erase: How Are Companies Wiping Active Files Delete vs Erase: How Are Companies Wiping Active Files
Delete vs Erase: How Are Companies Wiping Active Files Blancco
 
Cyber Six: Managing Security in Internet
Cyber Six: Managing Security in InternetCyber Six: Managing Security in Internet
Cyber Six: Managing Security in InternetRichardus Indrajit
 

Tendances (20)

Don't let them take a byte
Don't let them take a byteDon't let them take a byte
Don't let them take a byte
 
Security Analysis Findings and Recommendations for the Department of Veterans...
Security Analysis Findings and Recommendations for the Department of Veterans...Security Analysis Findings and Recommendations for the Department of Veterans...
Security Analysis Findings and Recommendations for the Department of Veterans...
 
THE ESSENTIAL ELEMENT OF YOUR SECURITY
THE ESSENTIAL  ELEMENT OF YOUR SECURITYTHE ESSENTIAL  ELEMENT OF YOUR SECURITY
THE ESSENTIAL ELEMENT OF YOUR SECURITY
 
Emerging Trends in Information Privacy and Security
Emerging Trends in Information Privacy and SecurityEmerging Trends in Information Privacy and Security
Emerging Trends in Information Privacy and Security
 
Accelerating OT - A Case Study
Accelerating OT - A Case StudyAccelerating OT - A Case Study
Accelerating OT - A Case Study
 
Achieving 360° view of security for complete situational awareness
Achieving 360° view of security for complete situational awarenessAchieving 360° view of security for complete situational awareness
Achieving 360° view of security for complete situational awareness
 
Automatski - The Internet of Things - Security Standards
Automatski - The Internet of Things - Security StandardsAutomatski - The Internet of Things - Security Standards
Automatski - The Internet of Things - Security Standards
 
Critical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar N
Critical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar NCritical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar N
Critical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar N
 
SingHealth Cyber Attack (project)
SingHealth Cyber Attack (project)SingHealth Cyber Attack (project)
SingHealth Cyber Attack (project)
 
Key Cyber Security Issues for Government Contractors
Key Cyber Security Issues for Government ContractorsKey Cyber Security Issues for Government Contractors
Key Cyber Security Issues for Government Contractors
 
Using international standards to improve EU cyber security
Using international standards to improve EU cyber securityUsing international standards to improve EU cyber security
Using international standards to improve EU cyber security
 
Equifax, the FTC Act, and Vulnerability Scanning
Equifax, the FTC Act, and Vulnerability ScanningEquifax, the FTC Act, and Vulnerability Scanning
Equifax, the FTC Act, and Vulnerability Scanning
 
Top 10 Security Challenges
Top 10 Security ChallengesTop 10 Security Challenges
Top 10 Security Challenges
 
Chamber Technology Committee Presentation
Chamber Technology Committee PresentationChamber Technology Committee Presentation
Chamber Technology Committee Presentation
 
Advanced Persistent Threat - Evaluating Effective Responses
Advanced Persistent Threat - Evaluating Effective ResponsesAdvanced Persistent Threat - Evaluating Effective Responses
Advanced Persistent Threat - Evaluating Effective Responses
 
Data erasure's role in limiting cyber attacks
Data erasure's role in limiting cyber attacksData erasure's role in limiting cyber attacks
Data erasure's role in limiting cyber attacks
 
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
 
Delete vs Erase: How Are Companies Wiping Active Files
Delete vs Erase: How Are Companies Wiping Active Files Delete vs Erase: How Are Companies Wiping Active Files
Delete vs Erase: How Are Companies Wiping Active Files
 
Robert Nichols: Cybersecurity for Government Contractors
Robert Nichols: Cybersecurity for Government ContractorsRobert Nichols: Cybersecurity for Government Contractors
Robert Nichols: Cybersecurity for Government Contractors
 
Cyber Six: Managing Security in Internet
Cyber Six: Managing Security in InternetCyber Six: Managing Security in Internet
Cyber Six: Managing Security in Internet
 

Similaire à Minimizing Compliance Resistance to Digital Transformation --- Design for regulatory approval as carefully as you design your automation

The Anatomy of Building a Compliant PCF Service in a Limited Connectivity Env...
The Anatomy of Building a Compliant PCF Service in a Limited Connectivity Env...The Anatomy of Building a Compliant PCF Service in a Limited Connectivity Env...
The Anatomy of Building a Compliant PCF Service in a Limited Connectivity Env...VMware Tanzu
 
eGRC for Information Export Control
eGRC for Information Export ControleGRC for Information Export Control
eGRC for Information Export ControlNextLabs, Inc.
 
The Legal Case for Cybersecurity
The Legal Case for CybersecurityThe Legal Case for Cybersecurity
The Legal Case for CybersecurityShawn Tuma
 
IS4799 Final Project (1)
IS4799 Final Project (1)IS4799 Final Project (1)
IS4799 Final Project (1)Mark Milburn
 
The EU General Protection Regulation and how Oracle can help
The EU General Protection Regulation and how Oracle can help The EU General Protection Regulation and how Oracle can help
The EU General Protection Regulation and how Oracle can help Niklas Hjorthen
 
DevOps for Highly Regulated Environments
DevOps for Highly Regulated EnvironmentsDevOps for Highly Regulated Environments
DevOps for Highly Regulated EnvironmentsDevOps.com
 
Application security Best Practices Framework
Application security   Best Practices FrameworkApplication security   Best Practices Framework
Application security Best Practices FrameworkSujata Raskar
 
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...Financial Poise
 
Information Security Assessment Offering
Information Security Assessment OfferingInformation Security Assessment Offering
Information Security Assessment Offeringeeaches
 
2016 01-05 csr css non-confidential slide deck
2016 01-05 csr  css non-confidential slide deck2016 01-05 csr  css non-confidential slide deck
2016 01-05 csr css non-confidential slide deckRichard (Dick) Kaufman
 
1.1 Data Security Presentation.pdf
1.1 Data Security Presentation.pdf1.1 Data Security Presentation.pdf
1.1 Data Security Presentation.pdfChunLei(peter) Che
 
Government-ForeScout-Solution-Brief
Government-ForeScout-Solution-BriefGovernment-ForeScout-Solution-Brief
Government-ForeScout-Solution-BriefJonathan Reyes
 
Cyber Security IT GRC Management Model and Methodology.
Cyber Security IT GRC Management Model and Methodology.Cyber Security IT GRC Management Model and Methodology.
Cyber Security IT GRC Management Model and Methodology.360factors
 
A guide to Sustainable Cyber Security
A guide to Sustainable Cyber SecurityA guide to Sustainable Cyber Security
A guide to Sustainable Cyber SecurityErnest Staats
 
Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017
Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017
Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017Amazon Web Services
 
An Overview of the Major Compliance Requirements
An Overview of the Major Compliance RequirementsAn Overview of the Major Compliance Requirements
An Overview of the Major Compliance RequirementsDoubleHorn
 
Secure Your High Risk Data
 Secure Your High Risk Data  Secure Your High Risk Data
Secure Your High Risk Data Naveed Ahmed
 
5 Signs Your Privacy Management Program is Not Working for You
5 Signs Your Privacy Management Program is Not Working for You5 Signs Your Privacy Management Program is Not Working for You
5 Signs Your Privacy Management Program is Not Working for YouTrustArc
 
The IT Analysis Paralysis
The IT Analysis Paralysis The IT Analysis Paralysis
The IT Analysis Paralysis PYA, P.C.
 

Similaire à Minimizing Compliance Resistance to Digital Transformation --- Design for regulatory approval as carefully as you design your automation (20)

The Anatomy of Building a Compliant PCF Service in a Limited Connectivity Env...
The Anatomy of Building a Compliant PCF Service in a Limited Connectivity Env...The Anatomy of Building a Compliant PCF Service in a Limited Connectivity Env...
The Anatomy of Building a Compliant PCF Service in a Limited Connectivity Env...
 
eGRC for Information Export Control
eGRC for Information Export ControleGRC for Information Export Control
eGRC for Information Export Control
 
The Legal Case for Cybersecurity
The Legal Case for CybersecurityThe Legal Case for Cybersecurity
The Legal Case for Cybersecurity
 
IS4799 Final Project (1)
IS4799 Final Project (1)IS4799 Final Project (1)
IS4799 Final Project (1)
 
The EU General Protection Regulation and how Oracle can help
The EU General Protection Regulation and how Oracle can help The EU General Protection Regulation and how Oracle can help
The EU General Protection Regulation and how Oracle can help
 
DevOps for Highly Regulated Environments
DevOps for Highly Regulated EnvironmentsDevOps for Highly Regulated Environments
DevOps for Highly Regulated Environments
 
Application security Best Practices Framework
Application security   Best Practices FrameworkApplication security   Best Practices Framework
Application security Best Practices Framework
 
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...
 
Information Security Assessment Offering
Information Security Assessment OfferingInformation Security Assessment Offering
Information Security Assessment Offering
 
2016 01-05 csr css non-confidential slide deck
2016 01-05 csr  css non-confidential slide deck2016 01-05 csr  css non-confidential slide deck
2016 01-05 csr css non-confidential slide deck
 
1.1 Data Security Presentation.pdf
1.1 Data Security Presentation.pdf1.1 Data Security Presentation.pdf
1.1 Data Security Presentation.pdf
 
Government-ForeScout-Solution-Brief
Government-ForeScout-Solution-BriefGovernment-ForeScout-Solution-Brief
Government-ForeScout-Solution-Brief
 
Cyber Security IT GRC Management Model and Methodology.
Cyber Security IT GRC Management Model and Methodology.Cyber Security IT GRC Management Model and Methodology.
Cyber Security IT GRC Management Model and Methodology.
 
Tyler Technology Expo
Tyler Technology ExpoTyler Technology Expo
Tyler Technology Expo
 
A guide to Sustainable Cyber Security
A guide to Sustainable Cyber SecurityA guide to Sustainable Cyber Security
A guide to Sustainable Cyber Security
 
Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017
Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017
Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017
 
An Overview of the Major Compliance Requirements
An Overview of the Major Compliance RequirementsAn Overview of the Major Compliance Requirements
An Overview of the Major Compliance Requirements
 
Secure Your High Risk Data
 Secure Your High Risk Data  Secure Your High Risk Data
Secure Your High Risk Data
 
5 Signs Your Privacy Management Program is Not Working for You
5 Signs Your Privacy Management Program is Not Working for You5 Signs Your Privacy Management Program is Not Working for You
5 Signs Your Privacy Management Program is Not Working for You
 
The IT Analysis Paralysis
The IT Analysis Paralysis The IT Analysis Paralysis
The IT Analysis Paralysis
 

Plus de VMware Tanzu

What AI Means For Your Product Strategy And What To Do About It
What AI Means For Your Product Strategy And What To Do About ItWhat AI Means For Your Product Strategy And What To Do About It
What AI Means For Your Product Strategy And What To Do About ItVMware Tanzu
 
Make the Right Thing the Obvious Thing at Cardinal Health 2023
Make the Right Thing the Obvious Thing at Cardinal Health 2023Make the Right Thing the Obvious Thing at Cardinal Health 2023
Make the Right Thing the Obvious Thing at Cardinal Health 2023VMware Tanzu
 
Enhancing DevEx and Simplifying Operations at Scale
Enhancing DevEx and Simplifying Operations at ScaleEnhancing DevEx and Simplifying Operations at Scale
Enhancing DevEx and Simplifying Operations at ScaleVMware Tanzu
 
Spring Update | July 2023
Spring Update | July 2023Spring Update | July 2023
Spring Update | July 2023VMware Tanzu
 
Platforms, Platform Engineering, & Platform as a Product
Platforms, Platform Engineering, & Platform as a ProductPlatforms, Platform Engineering, & Platform as a Product
Platforms, Platform Engineering, & Platform as a ProductVMware Tanzu
 
Building Cloud Ready Apps
Building Cloud Ready AppsBuilding Cloud Ready Apps
Building Cloud Ready AppsVMware Tanzu
 
Spring Boot 3 And Beyond
Spring Boot 3 And BeyondSpring Boot 3 And Beyond
Spring Boot 3 And BeyondVMware Tanzu
 
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdfSpring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdfVMware Tanzu
 
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023VMware Tanzu
 
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023VMware Tanzu
 
tanzu_developer_connect.pptx
tanzu_developer_connect.pptxtanzu_developer_connect.pptx
tanzu_developer_connect.pptxVMware Tanzu
 
Tanzu Virtual Developer Connect Workshop - French
Tanzu Virtual Developer Connect Workshop - FrenchTanzu Virtual Developer Connect Workshop - French
Tanzu Virtual Developer Connect Workshop - FrenchVMware Tanzu
 
Tanzu Developer Connect Workshop - English
Tanzu Developer Connect Workshop - EnglishTanzu Developer Connect Workshop - English
Tanzu Developer Connect Workshop - EnglishVMware Tanzu
 
Virtual Developer Connect Workshop - English
Virtual Developer Connect Workshop - EnglishVirtual Developer Connect Workshop - English
Virtual Developer Connect Workshop - EnglishVMware Tanzu
 
Tanzu Developer Connect - French
Tanzu Developer Connect - FrenchTanzu Developer Connect - French
Tanzu Developer Connect - FrenchVMware Tanzu
 
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023VMware Tanzu
 
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring BootSpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring BootVMware Tanzu
 
SpringOne Tour: The Influential Software Engineer
SpringOne Tour: The Influential Software EngineerSpringOne Tour: The Influential Software Engineer
SpringOne Tour: The Influential Software EngineerVMware Tanzu
 
SpringOne Tour: Domain-Driven Design: Theory vs Practice
SpringOne Tour: Domain-Driven Design: Theory vs PracticeSpringOne Tour: Domain-Driven Design: Theory vs Practice
SpringOne Tour: Domain-Driven Design: Theory vs PracticeVMware Tanzu
 
SpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions
SpringOne Tour: Spring Recipes: A Collection of Common-Sense SolutionsSpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions
SpringOne Tour: Spring Recipes: A Collection of Common-Sense SolutionsVMware Tanzu
 

Plus de VMware Tanzu (20)

What AI Means For Your Product Strategy And What To Do About It
What AI Means For Your Product Strategy And What To Do About ItWhat AI Means For Your Product Strategy And What To Do About It
What AI Means For Your Product Strategy And What To Do About It
 
Make the Right Thing the Obvious Thing at Cardinal Health 2023
Make the Right Thing the Obvious Thing at Cardinal Health 2023Make the Right Thing the Obvious Thing at Cardinal Health 2023
Make the Right Thing the Obvious Thing at Cardinal Health 2023
 
Enhancing DevEx and Simplifying Operations at Scale
Enhancing DevEx and Simplifying Operations at ScaleEnhancing DevEx and Simplifying Operations at Scale
Enhancing DevEx and Simplifying Operations at Scale
 
Spring Update | July 2023
Spring Update | July 2023Spring Update | July 2023
Spring Update | July 2023
 
Platforms, Platform Engineering, & Platform as a Product
Platforms, Platform Engineering, & Platform as a ProductPlatforms, Platform Engineering, & Platform as a Product
Platforms, Platform Engineering, & Platform as a Product
 
Building Cloud Ready Apps
Building Cloud Ready AppsBuilding Cloud Ready Apps
Building Cloud Ready Apps
 
Spring Boot 3 And Beyond
Spring Boot 3 And BeyondSpring Boot 3 And Beyond
Spring Boot 3 And Beyond
 
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdfSpring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
 
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
 
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
 
tanzu_developer_connect.pptx
tanzu_developer_connect.pptxtanzu_developer_connect.pptx
tanzu_developer_connect.pptx
 
Tanzu Virtual Developer Connect Workshop - French
Tanzu Virtual Developer Connect Workshop - FrenchTanzu Virtual Developer Connect Workshop - French
Tanzu Virtual Developer Connect Workshop - French
 
Tanzu Developer Connect Workshop - English
Tanzu Developer Connect Workshop - EnglishTanzu Developer Connect Workshop - English
Tanzu Developer Connect Workshop - English
 
Virtual Developer Connect Workshop - English
Virtual Developer Connect Workshop - EnglishVirtual Developer Connect Workshop - English
Virtual Developer Connect Workshop - English
 
Tanzu Developer Connect - French
Tanzu Developer Connect - FrenchTanzu Developer Connect - French
Tanzu Developer Connect - French
 
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
 
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring BootSpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
 
SpringOne Tour: The Influential Software Engineer
SpringOne Tour: The Influential Software EngineerSpringOne Tour: The Influential Software Engineer
SpringOne Tour: The Influential Software Engineer
 
SpringOne Tour: Domain-Driven Design: Theory vs Practice
SpringOne Tour: Domain-Driven Design: Theory vs PracticeSpringOne Tour: Domain-Driven Design: Theory vs Practice
SpringOne Tour: Domain-Driven Design: Theory vs Practice
 
SpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions
SpringOne Tour: Spring Recipes: A Collection of Common-Sense SolutionsSpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions
SpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions
 

Dernier

Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 

Dernier (20)

Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 

Minimizing Compliance Resistance to Digital Transformation --- Design for regulatory approval as carefully as you design your automation

  • 1. Copyright © 2017, Raytheon Company. All rights reserved. DESIGN FOR REGULATORY APPROVAL AS CAREFULLY AS YOU DESIGN YOUR AUTOMATION Global Business Services – IT Keith Rodwell Business Application Services Cloud Architect Dec. 4, 2017 Approved for Public Release This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.
  • 2. 2 FIRST – A DISCLOSURE  The specifics of what we’re doing are sensitive, so information cannot be shared  Regulatory compliance is NOT a destination, but instead a complex and twisty road full of shear drops and sudden stops – even if we had all of today’s answers, what you need to do will be different tomorrow There is no cookbook for regulatory compliance — your mileage will vary Approved for Public Release This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.
  • 3. 3 RAYTHEON COMPANY – A TECHNOLOGY AND INNOVATION LEADER SPECIALIZING IN DEFENSE, CIVIL GOVERNMENT AND CYBERSECURITY SOLUTIONS THROUGHOUT THE WORLD.  2016 net sales: $24 billion  63,000 employees worldwide  Headquarters: Waltham, Massachusetts Approved for Public Release This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.
  • 4. 4 OUR BUSINESSES ARE ORGANIZED BY KEY MISSION AREAS IDS Headquartered in Tewksbury, Massachusetts, Integrated Defense Systems specializes in air and missile defense, large land- and sea- based radars, and systems for managing command, control, communications, computers, cyber and intelligence. It also produces sonars, torpedoes and electronic systems for ships. FORCEPOINTTM Headquartered in Austin, Texas, Forcepoint safeguards users, data and networks against accidental or malicious insider threats and advanced outside attacks across the entire threat life cycle, in the cloud, on the road and in the office. A joint venture of Raytheon and Vista Equity Partners, Forcepoint enables better decision-making, more efficient security and simplifies compliance as it protects and empowers more than 20,000 commercial and government organizations worldwide. IIS Headquartered in Dulles, Virginia, Intelligence, Information and Services designs and delivers solutions and services that leverage its deep expertise in cyber, analytics and automation. Software, systems integration, and the support and sustainment of Raytheon and other companies’ systems for intelligence, military and civil applications are delivered across five markets: space, digital battlespace, cyber, intelligent transportation and high-consequence training. RMS Headquartered in Tucson, Arizona, Raytheon Missile Systems is the world’s premier missile maker, providing defensive and offensive weapons for air, land, sea, and space, including interceptors for U.S. ballistic missile defense. The business also builds net-enabled battlefield sensors and includes Raytheon UK. SAS Headquartered in McKinney, Texas, Space and Airborne Systems builds radars and other sensors for aircraft, spacecraft and ships. The business also provides communications, electronic warfare and high-energy laser solutions, and performs research in areas ranging from linguistics to quantum computing. INTEGRATED DEFENSE SYSTEMS INTELLIGENCE, INFORMATION AND SERVICES MISSILE SYSTEMS SPACE AND AIRBORNE SYSTEMS FORCEPOINT POWERED BY RAYTHEON Approved for Public Release This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.
  • 5. 5 GLOBAL PRESENCE ALWAYS THERE. DEDICATED TO OUR GLOBAL CUSTOMERS. Raytheon Company is deeply committed to global partnerships, providing solutions and services to valued customers in more than 80 countries and building upon international relationships to best meet the national security and technology needs of nations around the world. Approved for Public Release This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.
  • 6. 6 USER AND COMPLIANCE PRESSURE USERS AND DEVELOPERS WANT IT ALL REGULATORY WANTS THE LEAST NEEDED Go! Go! Go! Cloud – Yippee! Faster, Better and Cheaper! Enough Insight? Audit? Reputation? Protect Us? Controls? Approved for Public Release This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.
  • 7.  Public Cloud: – Highest diversity of services today  Government Cloud: – SRG-compliant subset of public cloud  Regulatory Allowed: – Governed subset  Services Definitions: – Supported services based on application needs and bounded by what is allowed 7 SCOPE SERVICES TO WHAT IS NEEDED AND ALLOWED Government Cloud Capabilities Public Cloud Capabilities Regulatory Allowed Services Definitions Approved for Public Release This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.
  • 8. 8 ITAR, EAR, CUI and NIST 800-171  International Traffic in Arms Regulations (ITAR) – U.S. government export and import of defense-related articles and services regulations Be familiar with the regulations you’re designing to meet  Controlled Unclassified Information (CUI) – Data that must be safeguarded and/or dissemination controlled by U.S. government regulation  NIST 800-171 – Protecting CUI in nonfederal information systems and organizations  Export Administration Regulations (EAR) – Commercial import and export regulations Approved for Public Release This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.
  • 9. 9 Different questions leading to the same objective — protecting the business TWO CRITICAL REGULATORY GROUPS’ CONCERNS  Export/Import – Will there be Foreign Person access? – Will export-controlled data be accessed? – Are required controls in place? – If an unintentional export happens:  Can we detect it and act promptly?  Do we meet reporting requirements? HAVE WE DONE ENOUGH TO PROTECT AGAINST UNLICENSED AND UNAUTHORIZED EXPORTS? HAVE WE DONE ENOUGH TO ENSURE COMPLIANT CONFIDENTIALITY, INTEGRITY AND AVAILABILITY?  IT Security – Does it access sensitive data? – Are appropriate/compliant controls in place? – Does it provide sufficient insight for event correlation and intrusion prevention? – Is pass required testing and review? – If there are any gaps, have they been disclosed and is a Plan of Actions and Milestones (POAM) in place? Approved for Public Release This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.
  • 10. 10 ISSUES YOU’LL LIKELY ENCOUNTER  Identity – Automation identities aren’t granted the right to modify their own identity – Issued tokens expire to policy – Stored identity is protected by enterprise encryption keys  Connectivity – Most foundations won’t be internet facing – Intrusion detection and prevention will be in your packet pathway – Cloud-to-cloud communications aren’t direct Free and open is not remotely equivalent to compliant and controlled  Security – Not everything will be allowed (like ECR) – Authenticate before access still applies – Encryption technologies must be compliant and certified – Encryption keys must be issued by existing key stores – Application Security Groups are governed and controlled like firewalls – Where an information system “lives” is complicated by microservices – Cloud foundry doesn’t natively support security roles Approved for Public Release This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.
  • 11. 11 APPROACHES  Place regulatory checks and validation in automation – Detect, block and alert Foreign Person access to export-restricted services – Enforce Application Security Group change approval prior to implementation – Manage application APIs based on data classifications and acceptable uses – Utilize pipelines to implement compliance – Create microservices that enforce declared data controls in lieu of direct database access  Prioritize regulatory insight – Establish log and event processing practices that highlight elevations in privilege, changes in configuration and unexpected behavior – Create dashboards that show complete history of actions taken by people, pipelines, platforms and services – Understand and implement audit trail retention periods with tools to navigate through context Care and feeding of compliance approvers must be testable Approved for Public Release This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.
  • 12. 12 Government Cloud Capabilities Public Cloud Capabilities Regulatory Allowed Services Definitions  Contain scope – what is used – Only what you need now – Avoid nice-to-have: limit creep  Contain scope – what is offered – Implement high-value and compliant first – Socialize road maps prior to publishing  Measured steps – Incremental changes in lieu of monolithic – Align with needs from both groups CONTROL AND ARTICULATE SCOPES Approved for Public Release This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.
  • 13. 13  ST 800-171 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf  ITAR https://www.pmddtc.state.gov/regulations_laws/itar.html  Keith’s contact information keith.a.rodwell@raytheon.com ADDITIONAL RESOURCES Approved for Public Release This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.

Notes de l'éditeur

  1. Text or image elements are not permitted below the copyright or takeaway bar on any slide to allow this white space for required document markings.