Assessing Vulnerabilities in Model-Centric Acquisition Programs: Phase 2

Abstract

Digital transformation changes how systems are acquired and developed through model-centric acquisition approaches and digital engineering practices and toolsets. Enterprises face new challenges in this transformation, including emergent vulnerabilities within digital engineering environments. While vulnerability analysis of products and systems is standard practice, examining vulnerabilities within the enterprise itself is less common. This report presents findings and results of a second phase of research on uncovering cascading vulnerabilities as related to digital engineering practice and supporting environments, taking a special focus on cybersecurity-related vulnerabilities. The approach applies Cause-Effect Mapping (CEM) in vulnerability assessment as a means to better enable program leaders to anticipate and respond to vulnerabilities within the enterprise. With CEM, vulnerabilities are described using causal chains, where an external trigger initiates cascading intermediary events that lead to a terminal event. Interventions can be applied to break the causal chain in appropriate places. Phase 1 investigated uncertainties and related decisions that may lead to vulnerabilities in model-centric acquisition programs. An initial reference model for aiding program managers in detecting, assessing and mitigating vulnerabilities as related to the program’s model-centric engineering practices and environment was developed. A step-wise process was defined for applying the reference model. This Phase 2 research further developed and tested the vulnerability assessment reference model and process, resulting in a baseline Reference CEM. Cybersecurity vulnerabilities are of particular concern given digital transformation and increasing threat actors. Accordingly, a deeper investigation of cybersecurity within programs and enterprises was performed given its importance and urgency.
Phase 2 research results are: (1) Reference CEM and process to guide vulnerability assessment, (2) empirically-grounded cybersecurity vulnerabilities related to model-centric acquisition programs and enterprises, and (3) initial concept for an assessment prototype.

Keywords: model-centric, vulnerabilities, cause-effect mapping, cybersecurity, interventions

Document Details

Document Type
DoD Grant Award
Publication Date
Nov 22, 2019
Source ID
HQ00341810013

Entities

People

  • Donna H. Rhodes

Organizations

  • Massachusetts Institute of Technology
  • Office of the Secretary of Defense

Tags

Readers

  • Computational Modeling and Simulation
  • Cybersecurity
  • Software Engineering

Technology Areas

  • Cyber