This report provides an initial mapping of cyber resiliency constructs – cyber resiliency design principles, techniques, implementation approaches, and controls to the Cyber Survivability Attributes (CSAs) defined by the Cyber Survivability Endorsement Implementation Guide – to identify controls which support specific CSAs.
Cyber Resiliency Framework and Cyber Survivability Attributes
The Department of Defense-issued Cyber Survivability Endorsement Implementation Guide (CSEIG) directs that weapon systems and defense critical infrastructure systems demonstrate "the ability to prevent, mitigate, recover from, and adapt to adverse cyber events that could impact mission-related functions by applying a risk-managed approach to achieve and maintain an operationally relevant risk posture, throughout the system lifecycle for such systems." Cyber Survivability Attributes (CSAs) must be selected and tailored to the system in its operational and threat environment, so that the system can be demonstrated to provide adequate survivability. Simultaneously, DoD systems must be demonstrated to provide adequate cybersecurity via the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF). To apply the RMF, systems engineers for such systems need to select controls from NIST SP (Special Publication) 800-53 Numerous controls in NIST SP 800-53 Rev. 5 have been identified as supporting cyber resiliency, as defined in NIST SP 800-160 Vol. 2: "the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources." Despite differences in scope, cyber survivability aligns closely with cyber resiliency. Therefore, cyber resiliency controls are a logical starting point for identifying controls which support cyber survivability.