A sample README.md file
More and more private, public, governmental or legislative entities, (identified in this document as ‘parties’), are engaging in collaborations or multi-party missions that require federation of the cloud-based resource brought forward by each federating partner. In response to this trend and in alignment with the call launched by the Defense Science Board, the President’s Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, and by the Office of Management and Budget Memorandum M-17-25 (implementation guidance for the Cybersecurity Executive Order) to develop the next generation risk management for modern systems and to strengthen the protection of high-value assets, this document provides guidance to parties entering into a multi-party collaboration that requires resource pooling through secure connectivity among previously stand-alone systems and high availability of pooled resources to all parties, requires engineering of trustworthy, resilient and defensible cloud-based system-of-systems, herein referred to as federation of cloud-based resources.
NIST is currntly developing the Special Publication 800-199 in collaboration with DoD CIO to provide a high-level, introductory, view of the two major aspects of a mission-based federation: federation of identities and federation of pooled cloud-based resources; and to define a threat-based risk management framework that facilitates the orchestration of trustworthy, defensible and resilient federated cloud-based resources supporting multi-party missions.
Cloud Resilience Analysis and Federation Tool (CRAFT) is an Excel-based tool that implements the threat-based risk management framework and its supporting process. The process starts with a guiding questionnaire aligned with the NIST Cybersecurity Framework (CSF) [TBD ref]. The answers provided by the federation partners are used then to identify the resources deemed necessary for the successful completion of the multi-party mission as a set of teechnology-agnostic capabilities mapped to one or more of the CSF functions (e.g. identify, protect, detect, respond). NOTE: CSF's recovery funtion is not in scope of CRAFT. Further, the implemented process provides a step-by-step approach for:
- the identification of the threats the federated resources might be subject of,
- the scoring of all functional and defense capabilities that collectively compose the federated resources; scoring which reflects each capability’s resilience against the identified threats, for identifying , detecting, protecting and responding to those threats,
- the identification and quantification of the residual risk and, when applicable, the hardening of the federated resources to reduce the risk to an acceptable level, and
- the overall analysis of the federated resources’ resilience and the identification of the gaps that need to be addressed.
In alphabetical order by last name
| Name | Affiliation |
|---|---|
| Michaela Iorga | NIST |
| Prabha Kumar | DoD CIO |
| Tony Modelfino | Stratogis Neetworks |
Refer to the CHANGE LOG.md for a complete list of changes.
Current version of CRAFT is equivalent to a pre-alpha release. THe authors are still making changes to enhace it, in preparation of v 1.0 release