Please use this identifier to cite or link to this item: https://dair.nps.edu/handle/123456789/2762
Title: Assessing Vulnerabilities in Model-Centric Acquisition Programs: Phase 2
Authors: Donna H. Rhodes; Jack Reid
Keywords: Model-Centric; Vulnerabilities; Cause-Effect Mapping; Cybersecurity; Interventions
Issue Date: 1-Aug-2019
Publisher: Acquisition Research Program
Citation: Published--Unlimited Distribution
Series/Report no.: Acquisition Management; MIT-AM-19-194
Abstract: Digital transformation changes how systems are acquired and developed through model-centric acquisition approaches and digital engineering practices and toolsets. Enterprises face new challenges in this transformation, including emergent vulnerabilities within digital engineering environments. While vulnerability analysis of products and systems is standard practice, examining vulnerabilities within the enterprise itself is less common. This report presents findings and results of a second phase of research on uncovering cascading vulnerabilities as related to digital engineering practice and supporting environments, taking a special focus on cybersecurity-related vulnerabilities. The approach applies Cause-Effect Mapping (CEM) in vulnerability assessment as a means to better enable program leaders to anticipate and respond to vulnerabilities within the enterprise. With CEM, vulnerabilities are described using causal chains, where an external trigger initiates cascading intermediary events that lead to a terminal event. Interventions can be applied to break the causal chain in appropriate places. Phase 1 investigated uncertainties and related decisions that may lead to vulnerabilities in model-centric acquisition programs. An initial reference model for aiding program managers in detecting, assessing and mitigating vulnerabilities as related to the program's model-centric engineering practices and environment was developed. A step-wise process was defined for applying the reference model. This Phase 2 research further developed and tested the vulnerability assessment reference model and process, resulting in a baseline Reference CEM. Cybersecurity vulnerabilities are of particular concern given digital transformation and increasing threat actors. Accordingly, a deeper investigation of cybersecurity within programs and enterprises was performed given its importance and urgency.
This research is responsive to the 2018 DoD Digital Engineering Strategy, which calls for enterprises to mitigate cyber risks and secure digital engineering environments against attacks from internal and external threats, mitigate known vulnerabilities that present high risk to DoD networks and data, and mitigate risk posed by collaboration and access to vast amounts of information in models. The technical approach for the research began with a literature survey and gathering results of research studies of relevance, recent workshop findings, and related work on vulnerability assessment that may have implications for this work. This informed refinement of the reference model and process, which were further validated in this phase. Dynamic models were examined as a means to understand the cascading vulnerabilities and potential intervention options. A concept for an interactive demonstration prototype was also explored. Phase 2 research results are: (1) Reference CEM and process to guide vulnerability assessment, (2) empirically-grounded cybersecurity vulnerabilities related to model-centric acquisition programs and enterprises, and (3) initial concept for an assessment prototype.
Description: Acquisition Management / Grant-funded Research
URI: https://dair.nps.edu/handle/123456789/2762
Appears in Collections: Sponsored Acquisition Research & Technical Reports

Files in This Item:
File | Size | Format
MIT-AM-19-194.pdf | 2.45 MB | Adobe PDF