This course explores concepts and issues pertaining to information assurance architectures and technologies (IAA), such as the three-level enterprise and cybersecurity architecture offered as one of the security common languages from the National Institute of Standards and Technology (NIST). Key NIST Cybersecurity Center of Excellence (NCCoE) practice guides pertaining to IAA issues are introduced and analyzed. NIST/NCCoE security guidance and metrics for Zero Trust Architecture (ZTA), continuous diagnostics and mitigation (CDM), and artificial intelligence/machine learning (AI/ML) security are applied to the analysis of selected enterprise and cybersecurity programs, such as the Department of Defense (DoD) Zero Trust Reference Architecture, the Department of Homeland Security (DHS) Cybersecurity & Infrastructure Security Agency (CISA) Trusted Internet Connections program (CISA TIC), the Federal Aviation Administration (FAA) Air Traffic Modernization (NextGen) process, and the Food and Drug Administration (FDA) process for approval of medical devices. Cloud computing security architecture issues for IAA technologies, including FedRAMP (Federal Risk and Authorization Management Program) authorization, are analyzed. Topics include protecting control systems from non-control systems for information technology (IT) and operational technology (OT) enterprise and cybersecurity risk management; for example, these IT/OT interface issues are critical for the NIST Smart Grid Cybersecurity Strategy, Architecture, and High-Level Requirements. IAA analyses include enterprise Internet of Things (IoT) mobility issues and a virtual laboratory project based on selected Amazon Web Services (AWS) security capabilities for ZTA.
The course materials are divided into modules which can be accessed by clicking Modules on the course menu. A module will have several sections, including the overview, content, readings, discussions, and assignments. You are encouraged to preview all sections of the module before starting. Most modules run for a period of seven (7) days; exceptions are noted in the Course Outline. You should regularly check the Calendar and Announcements for assignment due dates.
To explain selected NIST (National Institute of Standards and Technology) enterprise risk management guidance that provides common languages for management and technologists and then apply that knowledge to enterprise cybersecurity cases. For example, students analyze selected private/hybrid/public sector cases with respect to evolving NIST enterprise cybersecurity risk management guidance, including AI/ML/AML (Artificial Intelligence/Machine Learning/Adversarial Machine Learning) issues.
There's no required textbook for this course.
There is no required software for this course.
It is expected that each module will take approximately 7–10 hours per week to complete. Here is an approximate breakdown: reading the assigned sections of suggested NIST and related documents (approximately 3–4 hours per week) as well as some outside reading, listening to the audio annotated slide presentations (approximately 2–3 hours per week), and writing assignments (approximately 2–3 hours per week).
Course Grading Policy:
Please consider effective communication with the reader. For example, depending on the complexity of a deliverable, please consider 1) reader focus; 2) headings; 3) sub-headings; 4) figures/tables with footnotes for citations. For example, for the quality of your analysis, please consider specific headings such as: Question, Interpretation of Question, Key Issues, Analysis, Conclusions, References.
As introduced, please consider, as applicable, figures/table citations, with attribution. For example, Table 1 Title [1]. Footnotes may include "Author developed."
Complex deliverables may include special topics, such as AI/ML/AML [Adversarial Machine Learning] Issues, and Matters for Consideration.
When evaluating the use of NIST enterprise and cybersecurity common languages, such as those provided by NIST Special Publications and NISTIRs (NIST Internal Reports, or IRs), please consider several dimensions. For example, when evaluating AWS and Azure use of NIST ZTA (Zero Trust Architecture) guidance, please consider:
1. Organization utilization of broad NIST common languages. For example, AWS or Azure recognizing NIST ZTA (Zero Trust Architecture) guidance.
2. Organization utilization of specific NIST common languages. For example, AWS or Azure recognizing NIST Special Publication 800-207: Zero Trust Architecture, August 11, 2020.
3. Organization utilization of specific NIST second level of common languages. For example, AWS or Azure considering NIST SP 800-207, Section 5.7: NPE (Non-Person Entities) [e.g. AI/ML/AML interfaces.]
4. Organization potential utilization of specific NIST enterprise and cybersecurity risk management common languages, such as ZTA implementation, that is integrated with enterprise objectives. For example, enterprise objectives as presented in:
4.1 NIST: Cybersecurity Framework (CSF) 2.0, February 26, 2024: Section 5.2: Improving integration with Other [NIST] risk management programs. For example:
4.1.1 NIST SP 800-221/221A: ICT [Information and Communication Technology] Re: Enterprise Risk Management Portfolio.
4.1.2 NISTIR 8286, and 8286A-D series: Integrating Cybersecurity and Enterprise Risk Management (ERM).
Quality of enterprise and cybersecurity references may include varying degrees of authoritative merit in approximately the following order:
1. NIST references.
2. Other SDOs (Standards Developing Organizations) and regulators, such as the FDA (Food and Drug Administration) for healthcare device approvals and IETF RFCs (Internet Engineering Task Force Requests for Comments) for Internet standards.
3. Technical Organizations, such as DHS CISA (Department of Homeland Security Cybersecurity and Infrastructure Security Agency), and NSA (National Security Agency).
4. JHU EP guidance, such as EP Lecturer research papers and analyses.
5. Open literature.
Deadlines for Adding, Dropping and Withdrawing from Courses
Students may add a course up to one week after the start of the term for that particular course. Students may drop courses according to the drop deadlines outlined in the EP academic calendar (https://ep.jhu.edu/student-services/academic-calendar/). Between the 6th week of the class and prior to the final withdrawal deadline, a student may withdraw from a course with a W on their academic record. A record of the course will remain on the academic record with a W appearing in the grade column to indicate that the student registered and withdrew from the course.
Academic Misconduct Policy
All students are required to read, know, and comply with the Johns Hopkins University Krieger School of Arts and Sciences (KSAS) / Whiting School of Engineering (WSE) Procedures for Handling Allegations of Misconduct by Full-Time and Part-Time Graduate Students.
This policy prohibits academic misconduct, including but not limited to the following: cheating or facilitating cheating; plagiarism; reuse of assignments; unauthorized collaboration; alteration of graded assignments; and unfair competition. Course materials (old assignments, texts, or examinations, etc.) should not be shared unless authorized by the course instructor. Any questions related to this policy should be directed to EP’s academic integrity officer at ep-academic-integrity@jhu.edu.
Students with Disabilities - Accommodations and Accessibility
Johns Hopkins University values diversity and inclusion. We are committed to providing welcoming, equitable, and accessible educational experiences for all students. Students with disabilities (including those with psychological conditions, medical conditions and temporary disabilities) can request accommodations for this course by providing an Accommodation Letter issued by Student Disability Services (SDS). Please request accommodations for this course as early as possible to provide time for effective communication and arrangements.
For further information or to start the process of requesting accommodations, please contact Student Disability Services at Engineering for Professionals, ep-disability-svcs@jhu.edu.
Student Conduct Code
The fundamental purpose of the JHU regulation of student conduct is to promote and to protect the health, safety, welfare, property, and rights of all members of the University community as well as to promote the orderly operation of the University and to safeguard its property and facilities. As members of the University community, students accept certain responsibilities which support the educational mission and create an environment in which all students are afforded the same opportunity to succeed academically.
For a full description of the code please visit the following website: https://studentaffairs.jhu.edu/policies-guidelines/student-code/
Classroom Climate
JHU is committed to creating a classroom environment that values the diversity of experiences and perspectives that all students bring. Everyone has the right to be treated with dignity and respect. Fostering an inclusive climate is important. Research and experience show that students who interact with peers who are different from themselves learn new things and experience tangible educational outcomes. At no time in this learning process should someone be singled out or treated unequally on the basis of any seen or unseen part of their identity.
If you have concerns in this course about harassment, discrimination, or any unequal treatment, or if you seek accommodations or resources, please reach out to the course instructor directly. Reporting will never impact your course grade. You may also share concerns with your program chair, the Assistant Dean for Diversity and Inclusion, or the Office of Institutional Equity. In handling reports, people will protect your privacy as much as possible, but faculty and staff are required to officially report information for some cases (e.g. sexual harassment).
Course Auditing
When a student enrolls in an EP course with “audit” status, the student must reach an understanding with the instructor as to what is required to earn the “audit.” If the student does not meet those expectations, the instructor must notify the EP Registration Team [EP-Registration@exchange.johnshopkins.edu] in order for the student to be retroactively dropped or withdrawn from the course (depending on when the "audit" was requested and in accordance with EP registration deadlines). All lecture content will remain accessible to auditing students, but access to all other course material is left to the discretion of the instructor.