Raytheon is a large defense contractor that must carefully consider regulatory compliance when designing automation systems. The document discusses how regulatory requirements are constantly changing and there is no single approach to compliance. It emphasizes designing systems to only use necessary services and ensuring proper access controls, logging, and oversight to meet export regulations and security standards. Regulatory and security groups may have different compliance focuses, but the overall goal is the same of protecting sensitive data and systems. The document provides recommendations like implementing checks in automation, prioritizing regulatory insight, and controlling the scope of services offered to help balance user and compliance needs.

1. Copyright © 2017, Raytheon Company. All rights reserved.
DESIGN FOR REGULATORY APPROVAL AS
CAREFULLY AS YOU DESIGN YOUR AUTOMATION
Global Business Services – IT
Keith Rodwell
Business Application Services Cloud Architect
Dec. 4, 2017
Approved for Public Release
This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.

2. 2
FIRST – A DISCLOSURE
 The specifics of what we’re doing are
sensitive, so information cannot be shared
 Regulatory compliance is NOT a destination,
but instead a complex and twisty road full of
shear drops and sudden stops – even if we
had all of today’s answers, what you need to
do will be different tomorrow
There is no cookbook for regulatory compliance — your mileage will vary
Approved for Public Release
This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.

3. 3
RAYTHEON COMPANY – A TECHNOLOGY AND
INNOVATION LEADER SPECIALIZING IN DEFENSE,
CIVIL GOVERNMENT AND CYBERSECURITY
SOLUTIONS THROUGHOUT THE WORLD.
 2016 net sales: $24 billion
 63,000 employees worldwide
 Headquarters: Waltham, Massachusetts
Approved for Public Release
This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.

4. 4
OUR BUSINESSES ARE ORGANIZED
BY KEY MISSION AREAS
IDS
Headquartered in Tewksbury, Massachusetts,
Integrated Defense Systems specializes in air
and missile defense, large land- and sea-
based radars, and systems for managing
command, control, communications,
computers, cyber and intelligence. It
also produces sonars, torpedoes and
electronic systems for ships.
FORCEPOINTTM
Headquartered in Austin, Texas, Forcepoint
safeguards users, data and networks against
accidental or malicious insider threats and
advanced outside attacks across the entire
threat life cycle, in the cloud, on the road and in
the office. A joint venture of Raytheon and
Vista Equity Partners, Forcepoint enables
better decision-making, more efficient security
and simplifies compliance as it protects and
empowers more than 20,000 commercial and
government organizations worldwide.
IIS
Headquartered in Dulles, Virginia, Intelligence,
Information and Services designs and delivers
solutions and services that leverage its deep
expertise in cyber, analytics and automation.
Software, systems integration, and the support
and sustainment of Raytheon and other
companies’ systems for intelligence, military and
civil applications are delivered across five
markets: space, digital battlespace, cyber,
intelligent transportation and high-consequence
training.
RMS
Headquartered in Tucson, Arizona,
Raytheon Missile Systems is the world’s
premier missile maker, providing defensive
and offensive weapons for air, land, sea,
and space, including interceptors for U.S.
ballistic missile defense. The business also
builds net-enabled battlefield sensors and
includes Raytheon UK.
SAS
Headquartered in McKinney, Texas, Space
and Airborne Systems builds radars and
other sensors for aircraft, spacecraft and
ships. The business also provides
communications, electronic warfare and
high-energy laser solutions, and performs
research in areas ranging from linguistics to
quantum computing.
INTEGRATED
DEFENSE SYSTEMS
INTELLIGENCE,
INFORMATION AND SERVICES
MISSILE SYSTEMS
SPACE AND
AIRBORNE SYSTEMS
FORCEPOINT
POWERED BY RAYTHEON
Approved for Public Release
This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.

5. 5
GLOBAL PRESENCE
ALWAYS THERE.
DEDICATED TO OUR
GLOBAL CUSTOMERS.
Raytheon Company is deeply committed to
global partnerships, providing solutions and
services to valued customers in more than
80 countries and building upon international
relationships to best meet the national
security and technology needs of nations
around the world.
Approved for Public Release
This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.

6. 6
USER AND COMPLIANCE PRESSURE
USERS AND DEVELOPERS
WANT IT ALL
REGULATORY WANTS
THE LEAST NEEDED
Go! Go! Go!
Cloud – Yippee!
Faster, Better and Cheaper!
Enough Insight?
Audit?
Reputation?
Protect Us?
Controls?
Approved for Public Release
This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.

7.  Public Cloud:
– Highest diversity of services today
 Government Cloud:
– SRG-compliant subset of public cloud
 Regulatory Allowed:
– Governed subset
 Services Definitions:
– Supported services based on application
needs and bounded by what is allowed
7
SCOPE SERVICES TO WHAT IS NEEDED AND ALLOWED
Government
Cloud Capabilities
Public Cloud
Capabilities
Regulatory
Allowed
Services
Definitions
Approved for Public Release
This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.

8. 8
ITAR, EAR, CUI and NIST 800-171
 International Traffic in Arms
Regulations (ITAR)
– U.S. government export and
import of defense-related articles
and services regulations
Be familiar with the regulations you’re designing to meet
 Controlled Unclassified
Information (CUI)
– Data that must be safeguarded
and/or dissemination controlled by
U.S. government regulation
 NIST 800-171
– Protecting CUI in nonfederal
information systems and
organizations
 Export Administration
Regulations (EAR)
– Commercial import and
export regulations
Approved for Public Release
This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.

9. 9
Different questions leading to the same objective — protecting the business
TWO CRITICAL REGULATORY GROUPS’ CONCERNS
 Export/Import
– Will there be Foreign Person access?
– Will export-controlled data be accessed?
– Are required controls in place?
– If an unintentional export happens:
 Can we detect it and act promptly?
 Do we meet reporting requirements?
HAVE WE DONE ENOUGH TO
PROTECT AGAINST UNLICENSED
AND UNAUTHORIZED EXPORTS?
HAVE WE DONE ENOUGH TO ENSURE
COMPLIANT CONFIDENTIALITY,
INTEGRITY AND AVAILABILITY?
 IT Security
– Does it access sensitive data?
– Are appropriate/compliant controls in place?
– Does it provide sufficient insight for event
correlation and intrusion prevention?
– Is pass required testing and review?
– If there are any gaps, have they
been disclosed and is a Plan
of Actions and Milestones
(POAM) in place?
Approved for Public Release
This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.

10. 10
ISSUES YOU’LL LIKELY ENCOUNTER
 Identity
– Automation identities aren’t
granted the right to modify their
own identity
– Issued tokens expire to policy
– Stored identity is protected by
enterprise encryption keys
 Connectivity
– Most foundations won’t be
internet facing
– Intrusion detection and prevention
will be in your packet pathway
– Cloud-to-cloud communications
aren’t direct
Free and open is not remotely equivalent to compliant and controlled
 Security
– Not everything will be allowed (like ECR)
– Authenticate before access still applies
– Encryption technologies must be compliant
and certified
– Encryption keys must be issued by existing
key stores
– Application Security Groups are
governed and controlled like firewalls
– Where an information system “lives”
is complicated by microservices
– Cloud foundry doesn’t natively
support security roles
Approved for Public Release
This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.

11. 11
APPROACHES
 Place regulatory checks and
validation in automation
– Detect, block and alert Foreign Person
access to export-restricted services
– Enforce Application Security Group
change approval prior to implementation
– Manage application APIs based on data
classifications and acceptable uses
– Utilize pipelines to implement
compliance
– Create microservices that enforce
declared data controls in lieu of direct
database access
 Prioritize regulatory insight
– Establish log and event processing
practices that highlight elevations in
privilege, changes in configuration
and unexpected behavior
– Create dashboards that show
complete history of actions taken
by people, pipelines, platforms
and services
– Understand and implement
audit trail retention periods
with tools to navigate through
context
Care and feeding of compliance approvers must be testable
Approved for Public Release
This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.

12. 12
Government
Cloud Capabilities
Public Cloud
Capabilities
Regulatory
Allowed
Services
Definitions
 Contain scope – what is used
– Only what you need now
– Avoid nice-to-have: limit creep
 Contain scope – what is offered
– Implement high-value and compliant first
– Socialize road maps prior to publishing
 Measured steps
– Incremental changes in lieu of monolithic
– Align with needs from both groups
CONTROL AND ARTICULATE SCOPES
Approved for Public Release
This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.

13. 13
 ST 800-171
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
 ITAR
https://www.pmddtc.state.gov/regulations_laws/itar.html
 Keith’s contact information
keith.a.rodwell@raytheon.com
ADDITIONAL RESOURCES
Approved for Public Release
This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.