1. Scope

1.1. Identification

This Operational Concept Description (version 2.9.0) describes the operational concepts for the Distributed Incident Management System (DIMS).

1.2. System overview

DIMS is funded by the Department of Homeland Security under contract HSHQDC-13-C-B0013. For more information, see the document “System Requirements and Concept of Operations for From Local to Global Awareness: A Distributed Incident Management System (DIMS)” referenced in Section Referenced documents.

The primary mission objectives for the DIMS system are operational in nature, focused on facilitating the exchange of operational intelligence and applying this intelligence to respond to and recover from cyber compromise more efficiently. The secondary mission objectives are to create a framework in which tools supporting the primary mission objectives can be integrated more quickly and easily, and brought to bear against advancing techniques on the attacker side of the equation.

The DIMS project is intended to take this semi-automated sharing of structured threat information, building on the success of the Public Regional Information Security Event Monitoring (PRISEM) project [Note1] and leveraging the portal used by an existing community of operational security professionals known as Ops-Trust [Note2], and scale it to the next level. The intent of this software project is to allow near real-time sharing of critical alerts and structured threat information, so that each contributing party can receive information, alerts and data, analyze the data, and respond appropriately and in a timely manner through one user-friendly web application.

Working with the use cases defined by MITRE and PRISEM users, building the features necessary to simplify structured information sharing, and operationalizing these within the existing communities will allow DIMS to fill existing gaps in capabilities and support existing missions that are slowed down today by many complicated, manual processes.

The changes to existing systems consist of seamless integration of the three current systems into a single web application that enables each system to contribute to the data warehouse of information concerning threats, alerts, attacks, and suspect or compromised user terminals within the infrastructure. Additionally, the integrated systems will be able to share and retrieve data and to visually observe alerts through color-coded visual indicators, while retaining the existing functionality of the current systems.

1.3. Document overview

The structure of this document has been adapted principally from MIL-STD-498 (see Section Referenced documents). Following this section are:

  • Section Referenced documents lists related documents.
  • Section Current system or situation describes the current PRISEM system, its sub-components, their capabilities and limitations, the existing user base, and support concept.
  • Section Justification for and nature of changes describes the justifications for how the current system needs to change, why those changes are relevant, alternatives, and assumptions/constraints.
  • Section Concept for a new or modified system describes the concept of a new and improved system and related issues.
  • Section Operational scenarios provides operational scenarios that will drive requirements and the system’s architectural design.
  • Section Notes provides an alphabetical listing of acronyms and abbreviations used in this document.
  • Section License includes the copyright and software license under which DIMS is being released.

[Note1] The PRISEM project is being superseded by a not-for-profit known as the Public Infrastructure Security Collaboration and Exchange System (PISCES). The name PRISEM remains in this and some of the other DIMS documents, but is being replaced as documents are updated.
[Note2] The original portal used by the Ops-Trust community is being rewritten and renamed the Trident portal system. It is planned to be released in open source form in Q2-Q4 of 2016.