MSTONE2 Test Plan
How the US Military does risk management is a little different from what we have seen thus far. The notable difference is how the controls are selected. The process we have seen so far usually begins by identifying threats and vulnerabilities, and specific controls are then selected to address them. The US Military, on the other hand, first defines the system category based on the impact to confidentiality, integrity, and availability (STEP 1 in the figure). From there, it MUST use the controls required for that system category (STEP 2 in the figure). This removes the arguments over which controls should or should not be implemented. As an example, I had a public-facing website with low confidentiality, integrity, and availability requirements, and we had to implement 107 controls. This approach is clever in that I don't need to estimate the probability or likelihood of threats/vulnerabilities; I just include the proper suite of controls. (In fact, there are 3 possible levels for each objective: 3x confidentiality, 3x integrity, and 3x availability equals 27 possible outcomes, and each outcome had a particular set of controls; but the idea is the same.)
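The categorize-then-mandate process described above, as an added example (not from the original page and not any official baseline): the (C, I, A) impact triple is chosen first, the control set falls out of that choice, and an assessor can then list exactly which mandated controls are still missing. The control-to-level mapping in `BASELINES` is a constructed placeholder, not the real 107-control list, and the cumulative-by-level rule is an assumption made for illustration.

```python
"""Category-driven control selection: pick the (C, I, A) impact levels first,
then the required control set is dictated by that category, not argued over."""
from itertools import product

LEVELS = ("low", "moderate", "high")

# Constructed sample baselines (placeholders, not a real baseline): each
# security objective contributes controls per impact level, and the set at a
# given level is assumed to include everything required at the lower levels.
BASELINES = {
    "confidentiality": {"low": {"AC-1", "AC-2"}, "moderate": {"AC-6"}, "high": {"AC-17"}},
    "integrity":       {"low": {"SI-1", "SI-2"}, "moderate": {"SI-7"}, "high": {"SI-7(1)"}},
    "availability":    {"low": {"CP-1"},         "moderate": {"CP-9"}, "high": {"CP-10"}},
}


def all_categories():
    """Enumerate the 27 possible (C, I, A) outcomes: 3 x 3 x 3."""
    return list(product(LEVELS, repeat=3))


def required_controls(confidentiality, integrity, availability):
    """STEP 1 -> STEP 2: the chosen category fixes the mandatory control set."""
    triple = {"confidentiality": confidentiality,
              "integrity": integrity,
              "availability": availability}
    required = set()
    for objective, level in triple.items():
        if level not in LEVELS:
            raise ValueError(f"{objective}: unknown impact level {level!r}")
        # cumulative rule (assumption): a 'high' system also carries the
        # low and moderate controls for that objective
        for lvl in LEVELS[: LEVELS.index(level) + 1]:
            required |= BASELINES[objective][lvl]
    return required


def control_gaps(category, implemented):
    """What an assessor checks: mandated controls that are not yet implemented."""
    return sorted(required_controls(*category) - set(implemented))


if __name__ == "__main__":
    public_site = ("low", "low", "low")   # the low/low/low website from the text
    print(len(all_categories()), "possible categories")
    print("required:", sorted(required_controls(*public_site)))
    print("gaps:", control_gaps(public_site, ["AC-1", "SI-1", "CP-1"]))
```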