The NICE Cyber Security Framework Cyber Security Intelligence and Analytics 1st Edition by Izzat Alsmadi ISBN 3030023605 9783030023607


Izzat Alsmadi

The NICE Cyber Security Framework
Cyber Security Intelligence and Analytics

Izzat Alsmadi
Texas A&M University
San Antonio, TX, USA

ISBN 978-3-030-02359-1    ISBN 978-3-030-02360-7 (eBook)


https://doi.org/10.1007/978-3-030-02360-7

Library of Congress Control Number: 2018960944

© Springer Nature Switzerland AG 2019


This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of
the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology
now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors, and the editors are safe to assume that the advice and information in this book
are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the
editors give a warranty, express or implied, with respect to the material contained herein or for any errors
or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims
in published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Preface

In this book, I tried to cover the essential information on the US NIST National Initiative
for Cybersecurity Education (NICE) framework KSAs in certain areas, related in particular
to cyber intelligence and analytics. By no means is the information in this book complete
or comprehensive, given the extensive information in this area.
This book can serve as an introductory source for those who are planning to
adopt the NICE framework in cyber security education. The NICE framework is
meant to establish a common ground between academia and industry on the
different knowledge areas, specialties, and work roles in cyber security. However, in
its current format, the framework is abstract. Different institutions can decide their
own focuses from this abstract educational model. They can also estimate the course
time required to complete each KSA in the framework, as clearly each will take
different course time to teach by educators or to complete by students.

San Antonio, TX, USA Izzat Alsmadi

Contents

1 Introduction  1
  General Issues with NICE Framework (Applied to August 2017 Version)  2
    The Classification of KSAs Based on NICE Framework  2
  Level of Details and Granularity of KSAs  6
  Bibliography  7
2 Acquisition Management  9
  K0126: Knowledge of Secure Acquisitions (e.g., Relevant Contracting Officer’s Technical Representative [COTR] Duties, Secure Procurement, Supply Chain Risk Management)  9
  K0148: Knowledge of Import/Export Control Regulations and Responsible Agencies for the Purposes of Reducing Supply Chain Risk  11
  K0154: Knowledge of Supply Chain Risk Management Standards, Processes, and Practices  13
    BES Cyber Asset  14
    ISO/IEC 20243 and 27036  16
  K0163: Knowledge of Critical Information Technology (IT) Procurement Requirements  16
    IT Procurement Methods  18
  K0164: Knowledge of Functionality, Quality, and Security Requirements and How These Will Apply to Specific Items of Supply (i.e., Elements and Processes)  18
    Functional Requirements  18
    Quality Requirements  19
    Security Requirements  20
  K0169: Knowledge of Information Technology (IT) Supply Chain Security and Risk Management Policies, Requirements, and Procedures  20
    Supply Chain Security Policies  20
    Supply Chain Security Requirements and Procedures  22
    Supply Chain Risk Management Policies  22
  K0257: Knowledge of Information Technology (IT) Acquisition/Procurement Requirements  23
  K0264: Knowledge of Program Protection Planning to Include Information Technology (IT) Supply Chain Security/Risk Management Policies, Anti-tampering Techniques, and Requirements  23
    Information Sensitivity  24
  K0266: Knowledge of How to Evaluate the Trustworthiness of the Supplier and/or Product  26
  K0270: Knowledge of the Acquisition/Procurement Lifecycle Process  27
    Defense Acquisition University  29
  K0523: Knowledge of Products and Nomenclature of Major Vendors (e.g., Security Suites—Trend Micro, Symantec, McAfee, Outpost, Panda, Kaspersky) and How Differences Affect Exploitation/Vulnerabilities  30
  S0086: Skill in Evaluating the Trustworthiness of the Supplier and/or Product  32
  A0009: Ability to Apply Supply Chain Risk Management Standards  32
  A0031: Ability to Conduct and Implement Market Research to Understand Government and Industry Capabilities and Appropriate Pricing  34
  A0039: Ability to Oversee the Development and Update of the Lifecycle Cost Estimate  35
  A0045: Ability to Evaluate/Ensure the Trustworthiness of the Supplier and/or Product  36
  A0056: Ability to Ensure Security Practices Are Followed Throughout the Acquisition Process  37
  A0056-2  38
  A0064: Ability to Interpret and Translate Customer Requirements into Operational Capabilities  38
  Bibliography  39
3 Continuity Planning and Disaster Recovery  41
  K0210: Knowledge of Data Backup and Restoration Concepts  41
    Types of Storage Destinations  42
    Network Attached Storage Systems  43
    Storage Area Networks  43
    RAID  43
    Remote or Online Storage  44
    Backup vs. Archive  44
  K0021: Knowledge of Data Backup, Types of Backups (e.g., Full, Incremental), and Recovery Concepts and Tools  44
  K0365: Knowledge of Basic Back-Up and Recovery Procedures Including Different Types of Backups (e.g., Full, Incremental)  45
  K0026: Knowledge of Disaster Recovery Continuity of Operations Plans  47
    Business Process and Impact Analysis (BPA/BIA)  50
    FCD and CGC  50
  S0032: Skill in Developing, Testing, and Implementing Network Infrastructure Contingency and Recovery Plans  50
  S0150: Skill in Implementing and Testing Network Infrastructure Contingency and Recovery Plans  50
  Bibliography  51
4 Cyber Defense Analysis and Support  53
  K0098: Knowledge of the Cyber Defense Service Provider Reporting Structure and Processes Within One’s Own Organization  53
    DOD CNDSP Directives  55
  K0107: Knowledge of and Experience in Insider Threat Investigations, Reporting, Investigative Tools and Laws/Regulations  55
    Phishing Attacks  56
    Password Attacks  57
    Privilege Tampering/Escalation and Abuse  57
    Challenges in Insider Threats Investigations  58
    Methods to Counter and Mitigate Insider Threats  59
    Insiders’ Investigations: Laws and Regulations  60
  K0157: Knowledge of Cyber Defense Policies, Procedures, and Regulations  60
  K0190: Knowledge of Encryption Methodologies  62
  K0408: Knowledge of Cyber Actions (i.e., Cyber Defense, Information Gathering, Environment Preparation, Cyber-Attack) Principles, Capabilities, Limitations, and Effects  62
  S0063: Skill in Collecting Data from a Variety of Cyber Defense Resources  63
  S0096: Skill in Reading and Interpreting Signatures (e.g., Snort)  63
  S0124: Skill in Troubleshooting and Diagnosing Cyber Defense Infrastructure Anomalies and Work Through Resolution  69
  S0170: Skill in Configuring and Utilizing Computer Protection Components (e.g., Hardware Firewalls, Servers, Routers, as Appropriate)  70
  Bibliography  73
5 Cyber Intelligence  75
  K0409: Knowledge of Cyber Intelligence/Information Collection Capabilities and Repositories  75
    Cyber Intelligence Levels  76
    Sources of Cyber Intelligence or Collection Capabilities  76
    The Intelligence Lifecycle or Activities  78
    Areas of Cyber Intelligence  79
  K0525: Knowledge of Required Intelligence Planning Products Associated with Cyber Operational Planning  80
  K0550: Knowledge of Target, Including Related Current Events, Communication Profile, Actors, and History (Language, Culture) and/or Frame of Reference  81
  K0553: Knowledge of Tasking Processes for Organic and Subordinate Collection Assets  81
  K0554: Knowledge of Tasking, Collection, Processing, Exploitation, and Dissemination  82
  K0562: Knowledge of the Capabilities and Limitations of New and Emerging Collection Capabilities, Accesses, and/or Processes  83
  K0568: Knowledge of the Definition of Collection Management and Collection Management Authority  83
  K0404: Knowledge of Current Collection Requirements  83
  K0571: Knowledge of the Feedback Cycle in Collection Processes  84
  K0578: Knowledge of the Intelligence Requirements Development and Request for Information Processes  84
  K0580: Knowledge of the Organization’s Established Format for Collection Plan  84
  K0595: Knowledge of the Relationships of Operational Objectives, Intelligence Requirements, and Intelligence Production Tasks  85
  Cyber Intelligence: K0596 Knowledge of the Request for Information Process  86
  K0602: Knowledge of the Various Collection Disciplines and Capabilities  87
  K0458: Knowledge of Intelligence Disciplines  87
  Bibliography  89
6 Cyber Intelligence Analysis  91
  K0110: Knowledge of Common Adversary Tactics, Techniques, and Procedures in Assigned Area of Responsibility (i.e., Historical Country-Specific Tactics, Techniques, and Procedures; Emerging Capabilities)  92
    Cyber Kill Chain Models  93
    Cyber Threats’ Description Languages and Models  94
  K0115: Knowledge of Emerging Computer-Based Technology That Has Potential for Exploitation by Adversaries  96
  K0312: Knowledge of Intelligence Principles, Policies, and Procedures Including Legal Authorities and Restrictions  96
    Cyber Security Intelligence Principles  96
    Cyber Security Act 2015  97
    FISMA  97
    Electronic Surveillance and FISA  98
    Intelligence Authorization Act  98
    The Cyber Intelligence Sharing and Protection Act  98
    Freedom of Information Act (FOIA)  98
    Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA)  98
  K0315: Knowledge of the Principal Methods, Procedures, and Techniques of Gathering Information and Producing, Reporting, and Sharing Information  99
    Existing Efforts in Cyber Security Information Sharing  100
  K0352: Knowledge of All Forms of Intelligence Support Needs, Topics, and Focus Areas  101
  K0354: Knowledge of All Relevant Reporting and Dissemination Procedures  102
  K0355: Knowledge of All-Source Reporting and Dissemination Procedures  102
    The Intelligence and Information Sharing and Dissemination Capability (IISDC)  102
    Suspicious Activity Reporting (SAR) Process  102
    NSA/CSS Policy 5-5  102
    Interagency Threat Assessment and Coordination Group (ITACG) Intelligence Guide for First Responders  103
    Unified Crime Reporting System  103
    Production and Dissemination of Serialized Intelligence Reports Derived from Signals Intelligence  104
    Intelligence Products Typically Available to First Responders  104
  K0358: Knowledge of Analytical Standards and the Purpose of Intelligence Confidence Levels  104
    DNI ICD 203: Analytic Standards  105
    How Right and How Often?  105
  K0359: Knowledge of Approved Intelligence Dissemination Processes  105
    Common Forms/Format of Dissemination  106
  K0386: Knowledge of Collection Management Tools  106
  K0391: Knowledge of Collection Systems, Capabilities, and Processes  106
    Joint Collection Management Tools (JCMT)  106
    ECHELON  107
    UTT: Unified Targeting Tool  107
    NSA XKeyscore Program  108
    PRISM Program  108
    Upstream  108
    Cadence  109
    WebTAS  109
  K0387: Knowledge of Collection Planning Process and Collection Plan  109
    Internet-Based Collection Planning Process  110
  K0389: Knowledge of Collection Sources Including Conventional and Non-conventional Sources  110
    SIGADs DNR and DNI Collection Sources  111
  K0390: Knowledge of Collection Strategies  111
    Cross-Intelligence Collection Strategies  111
    Collection Coverage Plan  111
    Strategic Intelligence  112
  K0394: Knowledge of Common Reporting Databases and Tools  112
  K0401: Knowledge of Criteria for Evaluating Collection Products  112
    Accuracy and Timeliness  114
  K0441: Knowledge of How Collection Requirements and Information Needs Are Translated, Tracked, and Prioritized Across the Extended Enterprise  114
    Actionable Knowledge  115
    Autonomous Security Controls  116
  K0456: Knowledge of Intelligence Capabilities and Limitations  116
    Intelligence Capabilities  117
    Intelligence Limitations  117
    Predictive vs Prescriptive Analytics  118
  K0457: Knowledge of Intelligence Confidence Levels  118
  K0459: Knowledge of Intelligence Employment Requirements (i.e., Logistical, Communications Support, Maneuverability, Legal Restrictions)  120
  K0460: Knowledge of Intelligence Preparation of the Environment and Similar Processes  120
  K0461: Knowledge of Intelligence Production Processes  121
  K0462: Knowledge of Intelligence Reporting Principles, Policies, Procedures, and Vehicles, Including Report Formats, Report-Ability Criteria (Requirements and Priorities), Dissemination Practices, and Legal Authorities and Restrictions  121
    Examples of Intelligence Reporting Formats  122
  K0463: Knowledge of Intelligence Requirements Tasking Systems  123
    Standard Collection Asset Request Format (SCARF)  123
    National Human Intelligence Requirements Tasking Center (NHRTC)  124
  K0464: Knowledge of Intelligence Support to Planning, Execution, and Assessment  124
  K0484: Knowledge of Midpoint Collection (Process, Objectives, Organization, Targets, etc.)  126
  K0492: Knowledge of Non-traditional Collection Methodologies  126
  K0514: Knowledge of Organizational Structures and Associated Intelligence Capabilities  127
  K0544: Knowledge of Target Intelligence Gathering and Operational Preparation Techniques and Lifecycles  127
  K0577: Knowledge of the Intelligence Frameworks, Processes, and Related Systems  129
    Open Indicators of Compromise (OpenIOC) Framework  129
    Collective Intelligence Framework (CIF)  130
    Open Threat Exchange (OTX)  131
  Bibliography  132
7 Cyber Operational Planning  135
  K0028: Knowledge of Organization’s Evaluation and Validation Requirements  135
  K0234: Knowledge of Full Spectrum Cyber Capabilities  136
    CNA/D/E/O  137
  K0316: Knowledge of Business or Military Operation Plans, Concept Operation Plans, Orders, Policies, and Standing Rules of Engagement  138
  K0367: Knowledge of Basic Cyber Operations Activity Concepts (e.g., Foot-Printing, Scanning and Enumeration, Penetration Testing, White/Black Listing)  139
  K0400: Knowledge of Crisis Action Planning for Cyber Operations  141
    Define a Crisis  142
  K0413: Knowledge of Cyber Operation Objectives, Policies, and Legalities  143
  K0415: Knowledge of Cyber Operations Terminology/Lexicon  144
  K0436: Knowledge of Fundamental Cyber Operations Concepts, Terminology/Lexicon (i.e., Environment Preparation, Cyber-Attack, Cyber Defense), Principles, Capabilities, Limitations, and Effects  144
    CyberSpace  145
    Cyber Deterrence  146
  K0416: Knowledge of Cyber Operations  148
  K0424: Knowledge of Denial and Deception Techniques  150
  K0442: Knowledge of How Converged Technologies Impact Cyber Operations (e.g., Digital, Telephony, Wireless)  150
    Internet of Things (IoT)  151
  K0465: Knowledge of Internal and External Partner Cyber Operations Capabilities and Tools  155
  K0494: Knowledge of Objectives, Situation, Operational Environment, and the Status and Disposition of Internal and External Partner Collection Capabilities Available to Support Planning  155
  K0495: Knowledge of Ongoing and Future Operations  156
    Stuxnet, Olympic Games, Nitro Zeus, and Flame  156
    Russia’s Hack or Ukraine’s Power Grid  157
    Democratic National Committee Hack in 2016  158
  K0496: Knowledge of Operational Asset Constraints  158
  K0497: Knowledge of Operational Effectiveness Assessment  159
  K0498: Knowledge of Operational Planning Processes  159
  K0499: Knowledge of Operations Security  160
  K0503: Knowledge of Organization Formats of Resource and Asset Readiness Reporting, Its Operational Relevance and Intelligence Collection Impact  163
  K0519: Knowledge of Planning Timelines Adaptive, Crisis Action, and Time-Sensitive Planning  163
  K0572: Knowledge of the Functions and Capabilities of Internal Teams that Emulate Threat Activities to Benefit the Organization  164
    Bug Bounty Programs  165
  K0585: Knowledge of the Organizational Structure as It Pertains to Full Spectrum Cyber Operations, Including the Functions, Responsibilities, and Interrelationships Among Distinct Internal Elements  165
    Teams Employment Category  165
  K0588: Knowledge of the Priority Information Requirements from Subordinate, Lateral, and Higher Levels of the Organization  167
K0589: Knowledge of the Process Used to Assess the Performance
and Impact of Operations�������������������������������������������������������������������������� 168
K0593: Knowledge of the Range of Cyber Operations and Their
Underlying Intelligence Support Needs, Topics, and Focus Areas������������ 168
K0594: Knowledge of the Relationships Between End States,
Objectives, Effects, Lines of Operation, etc���������������������������������������������� 171
K0613: Knowledge of Who the Organization’s Operational
Planners Are, How and Where They Can be Contacted,
and What Are Their Expectations�������������������������������������������������������������� 171
S0030: Skill in Developing Operations-Based Testing Scenarios ������������ 172
S0055: Skill in Using Knowledge Management Technologies������������������ 173
S0061: Skill in Writing Test Plans ������������������������������������������������������������ 174
Cyber Security T&E Policy in DoDI 5000.02 �������������������������������������� 174
S0082: Skill in Evaluating Test Plans for Applicability
and Completeness�������������������������������������������������������������������������������������� 175
S0104: Skill in Conducting Test Readiness Reviews�������������������������������� 176
Bibliography���������������������������������������������������������������������������������������������� 177
8 Cyber Policy and Strategy Management ...... 181
K0065: Knowledge of Policy-Based and Risk-Adaptive Access Controls ...... 181
K0191: Knowledge of Signature Implementation Impact ...... 183
K0248: Knowledge of Strategic Theory and Practice ...... 184
K0288: Knowledge of Industry Standard Security Models ...... 184
  Access Control Models ...... 184
  Authentication Protocols or Standards ...... 185
  Encryption Standards ...... 186
  Cloud Security Models ...... 186
K0311: Knowledge of Industry Indicators Useful for Identifying Technology Trends ...... 187
  Gartner ‘Top 10 Strategic Technology Trends’ ...... 187
  Deloitte Technical Trends ...... 188
K0335: Knowledge of Current and Emerging Cyber Technologies ...... 189
  10 Top Cyber Security Companies ...... 189
K0412: Knowledge of Cyber Lexicon/Terminology ...... 191
K0435: Knowledge of Fundamental Cyber Concepts, Principles, Limitations, and Effects ...... 191
K0454: Knowledge of Information Needs ...... 191
K0504: Knowledge of Organization Issues, Objectives, and Operations in Cyber as Well as Regulations and Policy Directives Governing Cyber Operations ...... 192
  Presidential Policy Directive (PPD) 20 ...... 192
  National Security Presidential Directive 54 (NSPD 54) ...... 192
  Comprehensive National Cybersecurity Initiative (CNCI) ...... 192
K0521: Knowledge of Priority Information, How It Is Derived, Where It Is Published, How to Access, etc. ...... 193
K0526: Knowledge of Research Strategies and Knowledge Management ...... 193
K0535: Knowledge of Strategies and Tools for Target Research ...... 195
K0566: Knowledge of the Critical Information Requirements and How They’re Used in Planning ...... 195
S0018: Skill in Creating Policies that Reflect System Security Objectives ...... 197
S0145: Skill in Integrating and Applying Policies that Meet System Security Objectives ...... 197
  Creating Policies in Operating Systems ...... 197
  Creating Policies in Firewalls ...... 197
  Creating Policies in Switches and Routers ...... 199
  Creating Policies in DBMS ...... 199
  Creating Policies in Web Servers ...... 199
S0146: Skill in Creating Policies that Enable Systems to Meet Performance Objectives (e.g., Traffic Routing, SLA’s, CPU Specifications) ...... 200
  Amazon Route 53 ...... 200
A0034: Ability to Develop, Update, and/or Maintain Standard Operating Procedures (SOPs) ...... 202
Bibliography ...... 202
9 Cyber Threat Analysis ...... 205
K0426: Knowledge of Dynamic and Deliberate Targeting ...... 205
K0430: Knowledge of Evasion Strategies and Techniques ...... 207
  IDS/IPS Evasion ...... 207
  Sandbox Evasion ...... 209
  Domain Generation Algorithms; DGAs ...... 210
K0453: Knowledge of Indications and Warning ...... 211
  Cyber Threats Indications and Warning ...... 211
K0469: Knowledge of Internal Tactics to Anticipate and/or Emulate Threat Capabilities and Actions ...... 213
  Threat Emulation and Sandboxing ...... 213
  MITRE Adversary Emulation Plans ...... 213
K0474: Knowledge of Key Cyber Threat Actors and Their Equities ...... 215
  Cyber Criminals ...... 215
  Cyber Activists ...... 215
  Nation States ...... 216
K0533: Knowledge of Specific Target Identifiers and Their Usage ...... 216
K0536: Knowledge of Structure, Approach, and Strategy of Exploitation Tools (e.g., Sniffers, Keyloggers) and Techniques (e.g., Gaining Backdoor Access, Collecting/Exfiltrating Data, Conducting Vulnerability Analysis of Other Systems in the Network) ...... 217
  Exploitation Tools ...... 217
  Exploitation Techniques ...... 219
K0540: Knowledge of Target Communication Tools and Techniques ...... 226
  Centralized Communication ...... 226
  P2P Communication ...... 227
  Covert or Anonymous Communication ...... 227
K0546: Knowledge of Target List Development (i.e., RTL, JTL, CTL) ...... 227
  Cyber Target Template ...... 228
  Cyber Target Development ...... 228
K0548: Knowledge of Target or Threat Cyber Actors and Procedures. K0549 ...... 228
  Cyber Attribution ...... 230
K0549: Knowledge of Target Vetting and Validation Procedures ...... 230
K0551: Knowledge of Targeting Cycles ...... 230
  D3A Targeting Framework ...... 231
  F3EAD Targeting Cycle ...... 231
  Joint Targeting Cycles ...... 233
K0603: Knowledge of the Ways in Which Targets or Threats Use the Internet ...... 233
  Communication ...... 233
  Malware Deployment ...... 233
  Information Gathering or Intelligence ...... 234
K0612: Knowledge of What Constitutes a “Threat” to a Network ...... 235
  Subjectivity ...... 235
  Priority or Importance ...... 235
  Evolution and Dynamics ...... 235
  The Environment ...... 235
S0022: Skill in Designing Countermeasures to Identified Security Risks ...... 236
S0044: Skill in Mimicking Threat Behaviors ...... 237
S0052: Skill in the Use of Social Engineering Techniques ...... 239
  Social Engineering Techniques for Cyber Operations and Vulnerability Assessment ...... 239
S0109: Skill in Identifying Hidden Patterns or Relationships ...... 240
Bibliography ...... 240
10 Cyber Security Management ...... 243
K0147: Knowledge of Emerging Security Issues, Risks, and Vulnerabilities ...... 243
  IoT Security Issues ...... 243
  Cryptocurrency, Bitcoin, Blockchain, and Security ...... 244
  Security in the Cloud ...... 245
  Security in Online Social Networks ...... 245
  Smart Phones and Security ...... 247
K0173: Knowledge of Operations Security ...... 248
K0242: Knowledge of Organizational Security Policies ...... 248
K0502: Knowledge of Organization Decision Support Tools and/or Methods ...... 250
Bibliography ...... 251
11 Forensics Analysis ...... 253
K0017: Knowledge of Concepts and Practices of Processing Digital Forensics Data ...... 253
  Digital Forensic Process ...... 253
  Image Acquisition ...... 255
K0118: Knowledge of Processes for Seizing and Preserving Digital Evidence (e.g., Chain of Custody) ...... 255
  Probable Cause ...... 256
  Documentation and Labeling ...... 256
  Seizure of Memory or Any Volatile Data ...... 256
K0119: Knowledge of Hacking Methodologies in Windows or Unix/Linux Environment ...... 257
  Windows Hacking ...... 257
  Linux Hacking ...... 261
K0133: Knowledge of Types of Digital Forensics Data and How to Recognize Them ...... 264
  Disks Forensics ...... 266
  Deleted Data ...... 266
  Hidden Data ...... 267
  Slack Spaces ...... 267
  Memory Forensic Artifacts ...... 267
  Operating System Logs ...... 268
  Internet Forensic Data ...... 268
  Email Clients and Servers ...... 269
K0134: Knowledge of Deployable Forensics ...... 269
  NFSTC Deployable Forensics ...... 269
  Deployable Configurations ...... 270
K0184: Knowledge of Anti-Forensics Tactics, Techniques, and Procedures ...... 270
  Anti-Forensics’ Goals ...... 270
  Anti-Forensics’ Methods ...... 271
K0185: Knowledge of Common Forensics Tool Configuration and Support Applications (e.g., VMware, WIRESHARK) ...... 272
  Network Forensics ...... 273
K0268: Knowledge of Forensics Foot-Print Identification ...... 274
  Malware Foot-Printing ...... 275
K0433: Knowledge of Forensics Implications of Operating System Structure and Operations ...... 275
  Alternate Data Stream: ADS ...... 276
  Forensic Investigations in MAC Operating Systems ...... 276
K0449: Knowledge of How to Extract, Analyze, and Use Metadata ...... 278
  Common Sources of Metadata ...... 278
  Examples of Metadata ...... 278
  Disk Acquisition Formats and Metadata ...... 279
K0573: Knowledge of the Fundamentals of Digital Forensics in Order to Extract Actionable Intelligence ...... 279
  Actionable Forensic Intelligence ...... 279
S0047: Skill in Preserving Evidence Integrity According to Standard Operating Procedures or National Standards ...... 282
  Follow Current Standards, Guidelines, and Laws ...... 282
  Hashing ...... 282
  Write Blockers ...... 283
  Anti-Static Bags ...... 284
  Memory Dumps ...... 284
S0065: Skill in Identifying and Extracting Data of Forensic Interest in Diverse Media (i.e., Media Forensics) ...... 285
  Disk Forensic Tools ...... 285
  Disk Forensics ...... 286
S0069: Skill in Setting Up a Forensic Workstation ...... 288
S0071: Skill in Using Forensic Tool Suites (e.g., EnCase, Sleuthkit, FTK) ...... 289
  A Sample Usage of Sleuthkit Autopsy Tool ...... 289
S0075: Skill in Conducting Forensic Analyses in Multiple Operating System Environments (e.g., Mobile Device Systems) ...... 300
  Using Santoku: https://santoku-linux.com ...... 300
S0087: Skill in Deep Analysis of Captured Malicious Code (e.g., Malware Forensics) ...... 301
S0088: Skill in Using Binary Analysis Tools (e.g., Hexedit, Command Code xxd, hexdump) ...... 301
S0120: Skill in Reviewing Logs to Identify Evidence of Past Intrusions ...... 302
S0175: Skill in Performing Root-Cause Analysis ...... 302
A0010: Ability to Analyze Malware ...... 303
  Server (NSRLserver) Experiment ...... 305
A0043: Ability to Conduct Forensic Analyses in and for Both Windows and Unix/Linux Environments ...... 311
Bibliography ...... 312
12 Identity Management ...... 313
Single-Sign-On (SSO) ...... 314
  Session Time-Out ...... 314
  Kerberos ...... 314
  Digital Certificates ...... 315
K0007: Knowledge of Authentication, Authorization, and Access Control Methods ...... 315
  Access Controls in Operating and File Systems ...... 316
  Access Controls in Database Management Systems ...... 319
  Access Controls in Websites and Web Applications ...... 320
  RBAC (Role-Based Access Control) ...... 321
  OBAC (Object-Based Access Control) ...... 323
K0033: Knowledge of Host/Network Access Control Mechanisms (e.g., Access Control List) ...... 324
  Access Control in Distributed and Operating Systems ...... 324
  Access Controls in Firewalls ...... 325
  Access Controls in Switches ...... 327
  Access Controls in Routers ...... 328
  Access Controls in IDS/IPS ...... 328
Bibliography ...... 329
13 Incident Response ...... 331
K0041: Knowledge of Incident Categories, Incident Responses, and Timelines for Responses ...... 331
K0042: Knowledge of Incident Response and Handling Methodologies ...... 333
K0145: Knowledge of Security Event Correlation Tools ...... 336
  Security Information and Event Management (SIEM) ...... 336
K0150: Knowledge of Enterprise Incident Response Program, Roles, and Responsibilities ...... 337
  National Computer Security Incident Response Programs ...... 337
K0193: Knowledge of Advanced Data Remediation Security Features in Databases ...... 339
K0230: Knowledge of Cloud Service Models and Possible Limitations for an Incident Response ...... 340
K0317: Knowledge of Procedures Used for Documenting and Querying Reported Incidents, Problems, and Events ...... 340
  Security Incident Reporting Procedures ...... 340
K0381: Knowledge of Collateral Damage and Estimating Impact(s) ...... 340
S0054: Skill in Using Incident Handling Methodologies ...... 342
S0080: Skill in Performing Damage Assessments ...... 343
S0098: Skill in Detecting Host and Network-Based Intrusions via Intrusion Detection Technologies ...... 344
S0173: Skill in Using Security Event Correlation Tools ...... 344
A0025: Ability to Accurately Define Incidents, Problems, and Events in the Trouble Ticketing System ...... 345
Bibliography ...... 345

Index ...... 347
Chapter 1
Introduction

The job market for cyber security-related jobs is growing and is expected to reach a peak in demand in the next few years. Statistics show that the USA has an overall national workforce shortage. Additionally, education methods in this field in particular need to evolve to accommodate market demands. Along this path, the NICE cyber security education framework has been introduced recently. In this book, our goal is to present teaching material based on the NICE framework. The focus of the NICE framework has been more job oriented than education oriented. The NICE framework itself extended the earlier OPM security framework (https://www.opm.gov/policy-data-oversight/assessment-and-selection/competencies/). Both frameworks adopted KSA competencies (Knowledge, Skills, and Abilities or Experience) as an alternative to classical course or program learning outcomes (CLOs and PLOs). One of the main differences between the two approaches is that KSA competencies explicitly distribute teaching, learning, and also assessment activities across three categories: the KSAs. This is very necessary for practical-oriented majors such as cyber security, where knowledge and lecturing based on slides will not be enough.

The NICE framework is evaluated here from an education perspective. Issues and challenges related to using such a framework to guide future cyber security programs are discussed in detail. One of the most significant challenges observed is the lack of a unified method to estimate KSAs. Different KSAs vary widely in their level of detail. Additionally, the same KSA can be interpreted differently in different cyber security classes or programs. This means that the estimate of how much course time a KSA should be allocated can vary widely from one school or program to another.

In the NICE documentation, Knowledge areas have codes up to K0614. Similarly, the last skill number in the NICE framework is 0359 and the last Ability is A0119. Nonetheless, with newer versions/releases of the NICE framework the numbering changes, and merges, updates, or other changes occur to all KSAs.

Cyber security jobs are expected to grow vertically, in number, in the next few years and also horizontally, as many new security job roles are expected to arise.

© Springer Nature Switzerland AG 2019
I. Alsmadi, The NICE Cyber Security Framework, https://doi.org/10.1007/978-3-030-02360-7_1

[Figure 1.1: chart of core cybersecurity roles grouped into Entry-Level, Mid-Level, and Advanced-Level; roles shown: Cybersecurity Specialist/Technician, Cyber Crime Analyst/Investigator, Incident Analyst/Responder, IT Auditor, Cybersecurity Analyst, Cybersecurity Consultant, Penetration & Vulnerability Tester, Cybersecurity Manager/Administrator, Cybersecurity Engineer, Cybersecurity Architect]

Fig. 1.1 Core cyber security roles (Cyberseek.org)

The NICE and OPM frameworks represent a collective effort at the US national level to envision and show job demand and to help fulfill that demand by helping educational institutions match it. Figure 1.1 shows the core cyber security roles according to cyberseek.org.

General Issues with NICE Framework (Applied to August 2017 Version)

The Classification of KSAs Based on NICE Framework

Evaluating how NICE KSAs are mapped to Specialty Areas and Work Roles, we can observe the following KSA categories:
Table 1.1 The first six knowledge areas exist in all framework specialties (see footnote 1)
K0001  K0004
K0002  K0005
K0003  K0006

1. Core KSAs (KSAs listed in all or most cyber security job roles) (Table 1.1): Those are included in all 52 specialty areas (33 main specialty areas, with several sub-specialty areas). Looking at the descriptions of those knowledge competencies, we can see that they are very broad in nature. Each one of them can be covered within a course. This is one of the problems that we will elaborate on further in another section. As those are included in all 52 specialty areas, they should be included separately in an introductory course that will be a prerequisite to all other program courses.
We set a cut-off of seven specialty areas and above for a skill or ability to be considered a "core skill or ability." Tables 1.2 and 1.3 show the core skills and abilities based on our assumption.
Similar to the core knowledge competencies, we can see that the core skills and abilities are constructed to be broad and generic. This is why they are included in many specialty areas.
So the question is: "Is this the best or optimal set of KSAs to be considered in the NICE framework, given their level of abstraction or detail?" Should we decompose some of those core KSAs or not? What would be the advantages or drawbacks of doing so? There are many indications that the current set of KSAs is not final. The process is evolutionary, however, and we may not see a "final set of KSAs" any time soon.
The framework is designed to find a unified or common language between companies, job recruiters, students or job seekers, and education providers (colleges, universities, etc.). For education providers, KSAs have to map to courses. How many KSAs from the framework to include in each course is the most difficult question to consider. There is no assessment in the NICE framework of how broad each KSA is or how much course time, grading, etc. each KSA should be allocated.
2. Work role special KSAs: KSAs largely listed for one work role.
One of the ideas we are proposing in this chapter is for cyber security programs to consider developing job-oriented courses, that is, one or more courses developed explicitly to target one job role. The list in this section can be a good starting point. The NICE framework documentation describes the different work roles and the required KSAs for each one. This can serve companies, job recruiters, or job seekers. However, education course designers are interested in ensuring that KSAs are not repeated across different courses. Current higher education institutions are built around courses, as courses are the smallest autonomous units. You can ask students to take a course as a prerequisite, but you can't ask them to take a KSA as a prerequisite.
Table 1.2 Core Skills with their occurrence count in specialty areas and description (see footnote 1)
Skill   No.
S0367   14
S0296   9
S0218   8
S0249   8
S0027   7
S0060   7
S0297   7

Table 1.3 Core Abilities with their occurrence count in specialty areas and description
Ability  No.
A0123    15
A0013    14
A0089    13
A0066    12
A0170    11
A0070    9
A0085    9
A0106    9
A0015    8
A0082    7
A0084    7
A0088    7
A0105    7
A0119    7

Table 1.4 KSAs not included in current NICE framework matrix of work roles and specialty areas
Knowledge: K0085, K0099, K0141, K0166, K0173
Skills: S0099, S0105, S0161, S0163, S0164, S0165, S0180, S0230, S0366, S0368, S0371, S0373
Ability: A0075, A0126, A0127, A0131, A0132, A0133, A0134, A0135, A0136, A0137, A0138, A0139, A0140, A0141, A0142, A0143, A0144, A0145, A0146, A0147, A0150, A0151, A0152, A0153, A0154, A0155, A0156, A0157, A0158, A0162, A0169, A0173

Course designers will have to develop core courses (with common or core KSAs) that fit first- or second-year cyber security students. Higher-level courses, however, should be more focused and hence should include unique KSAs.
3. KSAs that are not included in any work role or specialty area. Table 1.4 shows the list of KSAs that are currently not included in any work role or specialty area:
Why would NICE include KSAs in its framework and not use them at all? Following are some possibilities:
• It is possible that those were removed by mistake or with new releases. For example, the Knowledge K0085 appears in the Nov. 2016 version (800-181) (https://www.careeronestop.org/competencymodel/info_documents/NICE-WorkforceFramework-Nov2016.pdf) in the Securely Provision, Risk Management, Software Development, Strategic Planning and Policy Development, and Vulnerability Assessment and Management (VA) modules or specialty areas, but not in the current Excel file or the August 2017 (final) version (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf). Table 1.5 shows the list of KSAs that no longer exist in the most recent versions. Those were removed completely without any notice, unlike the next list, where the new document shows that they were withdrawn and integrated into other KSAs.
• Ability A0162 is listed in some references and removed in some others.
• Two KSAs with the same number and different descriptions:

A0162: “Ability to ensure information system security, acquisition personnel, legal counsel,
and other appropriate advisors and stakeholders are participating in decision making from
system concept definition/review and are involved in, or approve of, each milestone decision
through the entire system life cycle for systems”1
A0162: “Ability to recognize the unique aspects of the communications security (COMSEC)
environment and hierarchy”

• There are some KSAs that exist in the most recent documents, but they are not
used in any work area or specialty (Table 1.6).
• There are other instances where the removed KSAs from the current version are
shown as withdrawn or combined with other KSAs (Table 1.7).

Table 1.5 List of NICE KSAs that are removed completely from recent publications
K0085, K0099, K0166, K0173, S0099, S0105, S0165, A0075, A0169

Table 1.6 KSAs that are not used in any work area or specialty
S0366, S0368, S0371, S0373, A0126, A0127, A0131, A0132, A0133, A0134, A0135, A0136,
A0137, A0138, A0139, A0140, A0141, A0142, A0143, A0144, A0145, A0146, A0147, A0150,
A0151, A0152, A0153, A0154, A0155, A0156, A0157, A0158, A0162, A0173

Table 1.7 List of withdrawn or updated KSAs/Tasks in NICE framework
Withdrawn   Integrated into   Withdrawn   Integrated into
K0141 K0420 K0337 K0007
T0336 T0228 K0385 K0142
K0223 K0073 K0450 K0036
K0253 K0227 K0490 K0058
K0282 K0200 K0611 K0131
S0161 S0160 S0163 S0060
S0180 S0062 S0230 S0066

1 William Newhouse, Stephanie Keith, Benjamin Scribner, Greg Witte, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181, August 2017.
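The analysis behind Tables 1.2 to 1.7 (occurrence counts per specialty area, identifiers defined but never referenced, identifiers referenced but no longer defined, one identifier carrying two descriptions, and withdrawn identifiers integrated into others) can be automated over the framework's KSA tables, and the same pass lets a curriculum designer check that no KSA is repeated across courses. The following Python is an added example, not code from the book or from NIST; the withdrawn pairs and the two A0162 texts come from the tables and quotes above, while the specialty-area and course assignments are constructed for illustration.

```python
"""Consistency checks over a NICE-style KSA table.

Added example, not code from the book or from NIST. The withdrawn/integrated
pairs are a subset of Table 1.7, the two A0162 texts are the ones quoted above,
K0085's specialty areas are those the text names for the Nov. 2016 version;
every other assignment below is constructed for illustration.
"""
from collections import Counter

ELIDED = "(description not reproduced here)"

# KSA id -> list of description texts observed across framework documents.
DEFINITIONS = {
    "K0001": ["Knowledge of computer networking concepts and protocols, "
              "and network security methodologies"],
    "K0420": [ELIDED], "K0073": [ELIDED], "S0160": [ELIDED], "S0062": [ELIDED],
    "S0366": [ELIDED],  # defined but referenced by no specialty area (cf. Table 1.6)
    "A0162": [          # one id carrying two different descriptions
        "Ability to ensure information system security, acquisition personnel, "
        "legal counsel, and other appropriate advisors and stakeholders are "
        "participating in decision making from system concept definition/review "
        "and are involved in, or approve of, each milestone decision through the "
        "entire system life cycle for systems",
        "Ability to recognize the unique aspects of the communications security "
        "(COMSEC) environment and hierarchy",
    ],
}

# Withdrawn id -> id it was integrated into (subset of Table 1.7).
WITHDRAWN = {"K0141": "K0420", "K0223": "K0073", "S0161": "S0160", "S0180": "S0062"}

# Specialty area -> KSAs it lists. Constructed; only K0085's areas follow the text.
SPECIALTY_AREAS = {
    "Risk Management": ["K0001", "K0085", "K0141", "A0162"],
    "Software Development": ["K0001", "K0085", "S0161"],
    "Strategic Planning and Policy Development": ["K0085", "A0162"],
    "Vulnerability Assessment and Management": ["K0001", "K0085", "K0223"],
    "Incident Response": ["K0001", "S0180"],
}

# Course -> KSAs a curriculum maps to it (constructed).
COURSES = {
    "Networking I": ["K0001", "K0420"],
    "Network Security": ["K0001", "S0160"],
    "Secure Acquisition": ["A0162", "K0073"],
}


def resolve(ksa_id, withdrawn=WITHDRAWN):
    """Follow withdrawn -> integrated links to the current id, stopping on a cycle."""
    seen = set()
    while ksa_id in withdrawn and ksa_id not in seen:
        seen.add(ksa_id)
        ksa_id = withdrawn[ksa_id]
    return ksa_id


def occurrence_counts(areas=SPECIALTY_AREAS):
    """Number of specialty areas referencing each resolved KSA (cf. Tables 1.2 and 1.3)."""
    counts = Counter()
    for ksas in areas.values():
        counts.update({resolve(k) for k in ksas})  # a set: one count per area
    return counts


def dangling_references(areas=SPECIALTY_AREAS, definitions=DEFINITIONS):
    """Ids referenced by an area but defined nowhere: removed without notice (cf. Table 1.5)."""
    return sorted(k for k in occurrence_counts(areas) if k not in definitions)


def unused_definitions(areas=SPECIALTY_AREAS, definitions=DEFINITIONS):
    """Ids defined but referenced by no specialty area (cf. Table 1.6)."""
    used = occurrence_counts(areas)
    return sorted(k for k in definitions if k not in used)


def conflicting_definitions(definitions=DEFINITIONS):
    """Ids that carry more than one distinct description (the A0162 case)."""
    return sorted(k for k, texts in definitions.items() if len(set(texts)) > 1)


def repeated_across_courses(courses=COURSES):
    """KSAs mapped to more than one course, the repetition course designers want to avoid."""
    seen = Counter()
    for ksas in courses.values():
        seen.update({resolve(k) for k in ksas})
    return sorted(k for k, n in seen.items() if n > 1)


if __name__ == "__main__":
    print("occurrence counts:", dict(occurrence_counts()))
    print("referenced but undefined:", dangling_references())
    print("defined but unused:", unused_definitions())
    print("conflicting descriptions:", conflicting_definitions())
    print("repeated across courses:", repeated_across_courses())
```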
Level of Details and Granularity of KSAs

Several papers discussed issues related to the level of detail and granularity of NICE KSAs (e.g., CSRC 2016). Some KSAs seem to have more detail than others. On the other hand, this can be subjective and can vary from one course to another or from one job description to another. While a unified language between education and industry is considered a strength of the NICE framework, it has some drawbacks. For example, take the Knowledge K0001: “Knowledge of computer networking concepts and protocols, and network security methodologies” (see Bejtlich 2010; Bellovin et al. 2017; Campbell 2003; Cichonski et al. 2012; Gennuso 2012; Incident Response Plan, Document Version: 1.0.0 2018; Information security Technologies to Secure Federal Systems 2004; InfoSec Nirvana 2015; ISO/IEC 27035 2018; Kumari and McPherson 2009; Lewis 1993; Libicki 2017; Mehta 2014; Olson and Blackwell 1990; Sang-Hun 2016; Trivedi 2007; Zhang 2017). Clearly the granularity of such a statement can vary widely from one scope to another. In classical computer science education, this statement may be covered within up to three complete courses (i.e., computer networking 1 and 2, and network security). How much each cyber security-related work area or specialty requires from this KSA can clearly vary from one to another. The NICE framework in its current.
To investigate K0001 in particular, it integrates two large knowledge areas: (1) computer networking concepts and protocols and (2) network security methodologies. Starting with the first one, here are some of the “main subjects” that can be covered under this short statement: network topologies, LANs, WANs, routing, switching, the OSI model, the TCP/IP suite (many networking protocols), wireless, etc. Those are typically covered in one or two computer networking courses. So, there is no doubt that such a single Knowledge component is very large, regardless of how much an instructor shortens it. Consequently, there are several issues with this Knowledge competency. Take scope coverage, for example: how much content should an educator cover for this competency? All NICE framework KSAs are introduced without any reference to time, effort, or resource estimates. This makes the framework more of a reference than a practical framework or model. In other words, the framework requires that you cover this competency, somehow, without any guidance on what to cover or how much effort to spend.
Starting with the next chapter, each chapter’s content is divided into four components: Tasks, Knowledge, Skills, and Abilities. Codes and descriptions of those tasks and KSAs are all copied from NIST reference documents. We only present educational materials that can realize such components.
Bibliography

Bejtlich R (2010) CIRT-level response to advanced persistent threat. SANS Forensic Incident Response Summit
Bellovin SM, Landau S, Lin HS (2017) Limiting the undesired impact of cyber weapons: technical requirements and policy implications. J Cybersecur 3(1):59–68. https://doi.org/10.1093/cybsec/tyx001
Campbell T (2003) An introduction to the computer security incident response team (CSIRT) set-up and operational considerations. Global information assurance certification paper. giac.org
Cichonski P, Millar T, Grance T (NIST), Scarfone K (Scarfone Cybersecurity) (2012) NIST Special Publication 800-61, SP 800-61 Rev. 2. Computer security incident handling guide, August 2012
Gennuso K (2012) Shedding light on security incidents using network flows. SANS. https://www.sans.org/reading-room/whitepapers/incident/shedding-light-security-incidents-network-flows-33935
Incident Response Plan (2018) Document version: 1.0.0. http://www.i-assure.com, www.i-assure.com/wp-content/uploads/dlm.../RMF_Incident-Response-plan.docx
Information security Technologies to Secure Federal Systems (2004) GAO report to congressional requesters. GAO-04-467. www.gao.gov
InfoSec Nirvana (2015) Part 2, Incident classification, security investigation series. http://infosecnirvana.com/part-2-incident-classification/
ISO/IEC 27035 (2018) http://www.iso27001security.com/html/27035.html
Kumari W, McPherson D (2009) Remote triggered black hole filtering with unicast reverse path forwarding (uRPF). Network Working Group, Request for Comments: 5635
Lewis L (1993) A case-based reasoning approach to the management of faults in communications networks. CAIA
Libicki M (2017) Second acts in cyberspace. J Cybersec 3:29–35
Mehta L (2014) Top 6 SIEM Use Cases—InfoSec Institute. http://resources.infosecinstitute.com/top-6-seim-usecases/. Accessed 6 Sept 2014
Olson L, Blackwell A (1990) Understanding network management with OOA. IEEE Network Magazine
Sang-Hun C (2016) Computer networks in South Korea are paralyzed in cyberattacks. New York Times. http://www.nytimes.com/2013/03/21/world/asia/southkorea-computer-network-crashes.html. Last accessed 26 June 2016
Trivedi K (2007) A standards-based approach for offering a managed security service in a multi-vendor network environment. Internet Protocol J 10(3)
Zhang E (2017) What is event correlation, examples, benefits and more. Digital Guardian, Sep. 12th 2018, digitalguardian.com
Chapter 2
Acquisition Management

The process of acquiring computing resources includes several activities related to planning, budgeting, comparing alternative options, configuration and change management, etc. Our focus in this book is on securing information and computing resources. As such, the selected KSAs as well as the content of each KSA will focus on this subject only.
Why should security personnel have KSAs related to acquisition management? In many acquisition projects, security personnel should be present on the committee that plans and manages the acquisition process. Security goals and functions exist in all business domains and functions. Any new acquisition of information systems, network components, security controls, or hardware or software components can impact security and can create a vulnerability if not selected and integrated properly. In the end, all an attacker needs is to discover one vulnerability and exploit it to start attacking their targets.

K0126: Knowledge of Secure Acquisitions (e.g., Relevant Contracting Officer’s Technical Representative [COTR] Duties, Secure Procurement, Supply Chain Risk Management)

The Contracting Officer’s Technical Representative (COTR) or Contracting Officer’s Representative (COR) should ensure that the company acquires only the right products, services, and contractors. Procurement of new hardware, software, or information systems should not be authorized before ensuring that the procurement went through the right procedures according to business policies and regulatory guidelines.
Software or system acquisition includes the following four main steps: (1) plan-
ning, (2) contracting, (3) monitoring and acceptance, and (4) follow-up. Proper
security measures should be adopted through the whole process where security
problems can occur at any stage (Table 2.1).

© Springer Nature Switzerland AG 2019
I. Alsmadi, The NICE Cyber Security Framework, https://doi.org/10.1007/978-3-030-02360-7_2

Table 2.1 Acquisition stages based on different standards (Polydys and Wisseman 2009a, b)
Standard/stage | Planning | Contracting | Monitoring and acceptance | Follow-up
IEEE 1062 | Planning | Contracting | Implementation, Acceptance | Follow-on
PMBOK | Initiating | Executing | Monitoring | Closing
NIST SP 800-61 | Business planning | Acquisition planning | Contract performance | Contract Closeout, Follow-on
DoD 5000.2 | Pre-system acquisition | System acquisition | | Sustainment
ISO/IEC 12207 | Preparation | Advertisement | Monitoring | Acceptance and Closure

Securing Communication with Contractors During the Solicitation Process

A company trying to acquire software or systems will send solicitation documents to candidate contractors. The COTR or those assigned to the procurement process should be the only contact point with those contractors. The same initial information and any extra clarifications should be provided to all candidate contractors/vendors. The acquisition team should act with extreme caution when dealing with contractors/vendors to keep the competitive process open and fair. Details about the selection process should be classified, and no contractor or vendor should be given any insider information. Commitment to acquire the final selected system should be made public only after the final decision, and all candidate contractors should be made aware of the selection.

Securing the Acquisition Process

Upon selecting a contractor or vendor, a written contract should clearly explain the two parties’ duties and responsibilities. Details help clarify expectations and limit possible conflicts or potential problems in the future.
The Software Acquisition Working Group in the U.S. Department of Homeland Security prepared a guidebook focused on how to improve the software acquisition and purchasing process. The ultimate goal is to enhance software supply chain management (DHS 2007, Polydys and Wisseman 2009a, b).
Software applications and information systems continuously go through cycles of new fixes, updates, enhancements, etc. Figure 2.1 shows a possible software supply chain path (Polydys and Wisseman 2009a, b).
Fig. 2.1 Possible software supply chain path (Polydys and Wisseman 2009a, b)

Every software change may introduce possible vulnerabilities. We assume that such vulnerabilities in acquired software are accidentally or carelessly inserted at any time during the software lifecycle. While many software systems exist with vulnerabilities that were never exploited or discovered, the existence of such vulnerabilities is a serious risk. If such risks are not accounted for (e.g., through risk avoidance, mitigation, or tolerance methods), they can cause catastrophic consequences. Categories of such consequences include sensitive data exposures that jeopardize privacy, intellectual property, integrity, etc. Attacks that exploit software vulnerabilities may also cause identity theft and serious financial losses.
The software procurement team should learn how to check with software vendors on issues related to software vulnerability. Through a series of questions, reading through documentation, interviews with vendors, etc., they should learn what vendors have or have not done as part of their secure development process, how they handle vulnerabilities, etc.

K0148: Knowledge of Import/Export Control Regulations and Responsible Agencies for the Purposes of Reducing Supply Chain Risk

Export Control Classification Numbers (ECCNs), Harmonized Tariff Schedule (HTS) numbers, and CCATS are standard entries used to identify different items. Those values consist of digits and letters (Table 2.2). Each ECCN contains five characters (Fig. 2.2). The first character from the left shows the Commerce Control List (CCL) category. The second character is a letter and shows one of five possible product groups.
Table 2.2 Examples of US HTS and ECCNs
Model # | US HTS | US ECCN
Alienware M17X/M17X10 | 8471.30.010 | 5A992
Inspiron 1017 | 8471.30.010 | 5A992
Inspiron 1120/1121 | 8471.30.010 | 5A992

Fig. 2.2 US ECN specifications (www.bis.doc.gov)

When it comes to software/information system acquisition, many US laws give precedence to local or national products. For security concerns in particular, more reasons exist to support such a choice. In cloud hosting, for example, US government agencies demand that any contractor or service provider verify that hosted data/services reside physically in the USA. Similarly, through the Export Administration Act (EAA) and the Arms Export Control Act (AECA), exports of weapons, military-related products, or products that can have dual usage (civilian and military) are prohibited. Other important regulations related to supply chain and foreign exports include: Trade Expansion Act of 1967:232, Foreign Investment and National Security Act of 2007 (“FINSA”), National Defense Authorization Act of 2011, and the “Wolf Provision” Act 2014.
With the Internet, online social networks, smart phones, and all globalization issues, security concerns are continuously increasing. Many IT companies have their headquarters in the USA, while the majority of their products are developed in other countries. To keep a balance, a large and important country such as the USA cannot and should not keep itself isolated from the global economy and the benefits of the global ICT supply chain.
With global industry, companies, or supply chains, different types of risks may arise. For example, several recent cases showed examples of espionage from foreign countries (especially China and Russia). Reports showed that major global companies and government agencies have frequently discovered malicious code and malicious software and hardware in their ICT networks or equipment, which could facilitate cyber-attacks (US Chamber of Commerce 2016).
K0154: Knowledge of Supply Chain Risk Management Standards, Processes, and Practices

Supply chain risks related to ICT sectors may include insertion of counterfeits, malicious software and hardware, unauthorized production, tampering, theft, or poor manufacturing and development practices in the ICT supply chain (NIST 2015).
The supply chain literature summarizes the following main categories of risk: demand, delay, disruption, inventory, manufacturing and breakdown, physical plant capacity, supply, system, sovereign, and transportation risk (Tummala and Schoenherr 2011). The literature also categorizes those risks into four levels (extreme or very high, high, low, and very low) based on four factors: consequence or impact type, consequence severity, risk occurrence frequency, and predictability.
Supply risk mitigation strategies can also take different categories, such as demand management, supply management, product management, and information management (Blos et al. 2009). More specifically, supply risk mitigation can consider one of the following generic risk mitigation strategies: risk postponement, selective, transfer, avoidance, etc.
A recent cyber security supply chain standard was developed by the North American Electric Reliability Corporation (NERC) based on an initiative from the Federal Energy Regulatory Commission (FERC) agency in the Department of Energy (FERC Order No. 829).
FERC Order No. 829 directed the electric reliability organization to develop standards that address supply chain risk management for industrial control system hardware, software, and computing and networking services.
The current NERC draft (August 10, 2017) contains three components within the Critical Infrastructure Protection (CIP: http://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx) standard:
• Supply chain risk management Reliability Standard CIP-013-1 (Cyber Security—Supply Chain Risk Management).
• CIP-005-6 (Cyber Security—Electronic Security Perimeter(s)).
• CIP-010-3 (Cyber Security—Configuration Change Management and Vulnerability).
The current standard is not comprehensive and it excludes Electronic Access Control and Monitoring Systems (EACMS), Physical Access Control Systems (PACS), and Protected Cyber Assets (PCAs), with the exception of the modifications in proposed Reliability Standard CIP-005-6, which apply to PCAs (https://www.gpo.gov/fdsys/pkg/FR-2018-01-25/html/2018-01247.htm).
BES Cyber Asset

This is a new term used by NERC in the CIP V5 standard, shifting from identifying Critical Cyber Assets to identifying BES Cyber Systems or Assets. In the NERC glossary, a BES Cyber Asset (BCA) is defined as: “A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 min of its required operation, mis-operation, or non-operation, adversely impact one or more facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System” (Fig. 2.3).
Fig. 2.3 BES cyber systems (NERC: CIP-002-5.1 standard). Left panel, Version 4 Cyber Assets: Critical Cyber Assets (CCA) and Non-Critical Cyber Assets within an ESP (CIP-005-4 R1.5 and CIP-006-4 R2). Right panel, Version 5 Cyber Assets: BES Cyber System, Associated Protected Cyber Assets, and Associated Electronic and Physical Access Control and Monitoring Systems.

BES cyber systems are classified into three categories: high, medium, and low impact. The focus is on high and medium impact systems. One sub-system with high or medium impact will cause the whole system to be considered also as high or medium. Currently, the cut-off is set to yearly power generation of 1500 MW as the lowest for a system to be considered in the low impact category.
The US National Institute of Standards and Technology (NIST) developed and instituted a supply chain risk management (SCRM) framework, NIST 800-161 (2015) (https://csrc.nist.gov/publications/detail/sp/800-161, https://csrc.nist.gov/Projects/Supply-Chain-Risk-Management). The framework extends earlier similar or related efforts including:
• FIPS 199, Standards for Security Categorization of Federal Information and
Information Systems.
• NIST SP 800-30, Revision 1, Guide for Conducting Risk Assessments.
• NIST SP 800-37, Revision 1, Guide for Applying the Risk Management
Framework to Federal Information Systems.
• NIST SP 800-39, Managing Information Security Risk: Organization, Mission,
and Information System.
• NIST 800-53 Revision 4, Security and Privacy Controls for Federal Information
Systems and Organizations.
• NIST SP 800-53A Revision 4, Guide for Assessing the Security Controls in
Federal Information Systems and Organizations.
• Department of Defense and Department of Homeland Security Software
Assurance Acquisition Working Group, Software Assurance in Acquisition:
Mitigating Risks to the Enterprise.
• National Defense Industrial Association (NDIA), Engineering for System
Assurance [NDIA].
• International Organization for Standardization/International Electrotechnical
Commission (ISO/IEC) 15288—System Life Cycle Processes [ISO/IEC 15288].
• ISO/IEC 27036—Information Technology—Security Techniques—Information
Security for Supplier Relationships [ISO/IEC 27036].
• The Open Group’s Open Trusted Technology Provider™ Standard (O-TTPS),
Version 1.0, Mitigating Maliciously Tainted and Counterfeit Products [O-TTPS].
• Software Assurance Forum for Excellence in Code (SAFECode) Software
Integrity Framework, [SAFECode 2] and Software Integrity Best Practices
[SAFECode 1].
NIST SCRM focuses on the following main goals (pillars of ICT SCRM):
• Resilience: Ensuring that the ICT supply chain will provide required ICT products and services under stress or failure circumstances.
• Quality: Reducing vulnerabilities that may limit the intended functions of a component, lead to component failure, or provide possibilities for exploitation.
• Security: Providing basic CIA (confidentiality, integrity, and availability) across the different supply chain activities, services, and members or partners.
• Integrity: Ensuring that the ICT products and services are immune from tampering or alteration. Additionally, SCRM should ensure that the ICT products and services will perform according to acquirer specifications and without additional unwanted functionality.
• Sustainability and compliance.
It also focuses on four SCRM strategies: (1) incident management, (2) supplier business continuity planning (BCP), (3) manufacturing and test resilience, and (4) product resilience.

ISO/IEC 20243 and 27036

ISO/IEC 20243: Open Trusted Technology Provider Standard (O-TTPS)—Mitigating the Risk of Tainted and Counterfeit Products, and the Assessment Procedures for 20243 (latest versions, 2015 and 2018) (https://www.iso.org/standard/74399.html, https://publications.opengroup.org/x1607). The O-TTPS certification program identifies organizations that conform to ISO/IEC 20243.
ISO/IEC 20243 is a process-based standard that focuses on reducing the risk of counterfeit commercial-off-the-shelf (COTS) products; it sets supply chain requirements for suppliers throughout their products’ lifecycles. The standard contains processes and practices for ICT providers and focuses on product integrity and supply chain security.
ISO/IEC 27036 addresses the general security requirements in supplier relationships in any procurement, security guidelines for ICT, and cloud supply chain security. The standard is structured along ISO/IEC 15288: System and Software Engineering, Lifecycle Processes, and is also mapped to ISO/IEC 27002.

K0163: Knowledge of Critical Information Technology (IT) Procurement Requirements

IT procurement requirements can be defined as the demand for information systems, equipment, hardware, software, personnel, services or solutions, or facilities in specified quantities for a specific period of time. Requirements in IT procurement continuously change and evolve as technology, environment, and even security risks continuously and rapidly change.
The amount of planning and effort to spend in IT procurement can vary from one project to another based on several factors such as overall estimated budget, security risks involved/expected, and criticality of the project.
The first step in IT procurement is to identify business needs based on several factors including business mission/objectives, budget, and standards or regulations. Procurements with high budgets should include clear justifications and business values for such investments. They should also include details related to compatibility with existing systems. Decisions should also be made whether such requirements can be fulfilled in-house or a procurement process is necessary.
IT procurement requirements share several commonalities with requirements collection and analysis in other software and IT projects. For example, here is a list of possible problems with IT procurement requirements:
• Problems in the requirements collection process: IT equipment can be requested under three categories: (1) Must have: core business functions or services are currently down or unavailable waiting for such IT equipment, or such items are required to handle serious security issues; (2) Necessary to have: necessary updates or upgrades with less urgency than the first case; and (3) Good or want to have: enhance or improve business functions, without core or security urgency. Each IT procurement requirement needs to be clearly classified under one of those three categories, as handling requirements for each category will be completely different from the others.
• Requirements feasibility issues: Adopted requirements should be feasible, applicable, or doable. This has to consider several factors related to business goals and mission, environment, users, budget, and many others. In many cases, what worked successfully in one business or environment may not work with the same level of success in a different company or environment. Many examples across IT sectors include cases where a certain software or information system was requested based on unrealistic IT procurement requirements and such systems were a complete failure.
• Fitness issues: In connection with the two previous issues, fitness issues are very critical, especially when acquiring large equipment or an information system that will impact many people and business sectors. Acquiring large information systems, especially if they are replacing earlier systems, can be very expensive and time-consuming, and acquisition failures can then be catastrophic. This is why some organizations struggle with legacy systems. A balance is required between making the right and proper transition and having to deal with legacy systems with very painful and expensive maintenance issues.
IT procurement requirements can also be classified into: mandatory, functional,
technical, and work or performance.
• Mandatory: Where certain criteria must exist in the candidate supplier.
• Functional: If services, information systems, or applications are requested,
requirements can be stated in terms of service requestor needs. Service providers
or suppliers will have to come up with their own plan on how to fulfill such func-
tions. The quality, clarity, and completeness of the provided requirements from
service requestor can help create a better contract and define at the end of the
acquisition process success or failure factors.
• Technical requirements. Usually IT departments from service requestor should
detail requirements for such technical needs or support. They can also clarify
hardware, network, software, or training expectations.
• Performance requirements: Those are typically regulations or constraints that
can be included in addition to one of the earlier options. For example, constraints
should be made on project timeline and expected deliverables, qualifications of
supplier, etc.
IT Procurement Methods

Several factors decide the proper IT procurement method for a particular procurement project. Constraints on budget, quality, and availability of requested products or services, and fair and open competition are examples of the main criteria to consider. For seeking offers from contractors, one of the following methods can be used: (1) quick quotes, (2) competitive sealed bidding, (3) competitive negotiation, or (4) public or online auctions. A major factor in picking one of those alternatives is the project cost or budget. In some exceptional cases (e.g., urgent procurement, informal quotation, exempt procurement), seeking one candidate supplier is possible.
A successful procurement process requires continuous effort throughout the process from different members including business owners or stakeholders, the procurement team, subject matter experts, and the IT team, in addition to supplier teams.

K0164: Knowledge of Functionality, Quality, and Security Requirements and How These Will Apply to Specific Items of Supply (i.e., Elements and Processes)

This knowledge area is related to the previous one; how to handle different aspects
of IT procurement requirements, namely: functionality, quality, and security. In
addition to procurement requirements, it is important to understand projects’
requirements in which supply or procurements are requested.

Functional Requirements

Requirements should be collected and defined by the procurement requester, business owner, or their assigned teams. They should seek help from the procurement personnel and other SCRM team members. One major output of this team effort is to identify the requirements for the procurement and how these requirements will apply to the supply items.
Functional requirements are domain-specific and relate to the services that the requested system or service will provide. It is important to select, from the supply options, those that best fit the requested system or service with the best budget, time, quality, etc. As we can see, there are many goals or desired attributes that ideally should exist in the selected supply item. In practice, however, limitations may exist that force companies to settle for less than ideal choices.
The first is related to the availability of different options from different vendors or suppliers. The popular Porter value chain model (Porter 2008) indicates in one of the five supply forces that the bargaining power of buyers is limited if supply options are limited (Fig. 2.4).

Fig. 2.4 Porter five forces supply model (Porter 2008): bargaining power of suppliers, threat of new entrants, industry rivalry, threat of substitutes, and bargaining power of buyers

How can we judge that the acquired system is the best fit for the request?
In project or system analysis, it is important to distinguish between two stages:
• Existing system analysis: This analysis focuses on the "problem domain": what
are the existing problems in the current system that trigger this IT procurement
project?
• Acquired system specifications: What are the requested/desired features that
should exist in the acquired system?
IT procurement documents should ideally include both parts (note that "system"
refers to a completely different thing in each: the existing system versus the
acquired one). In some projects, content from the two parts is mixed without clearly
separating descriptions of what the current system has from requirements on what
the solution should have or how it should change the current system.

Quality Requirements

Quality requirements, also called non-functional requirements, complement functional
requirements. They are general desired characteristics (e.g., performance,
reliability, usability, maintainability, security) that the solution system
should have.
Project requesters should distinguish between "must have" quality requirements and
"desired to have" quality requirements. Putting all requirements in one category,
whether "must have" or "desired to have", is not a wise choice. The differences in
the classification of the requirements can be the main criteria for deciding which
supply option to select. While it is desirable to have all kinds of high-quality
requirements, the selection team should be able to make decisions related to:
• Which functional or non-functional requirements cannot be compromised and must
exist in the acquired system exactly as described. Conversely, the team should
also be able to distinguish which requirements can be relaxed to a lower level,
and what the accepted level is.
• In most cases, different suppliers will offer different levels of service detail.
The team should be able to evaluate and judge those different quality attributes,
compare them with each other, and compare them against the offered costs.

Security Requirements

Security requirements can be seen as one major category of the quality requirements
described earlier. However, in most cases, security requirements cannot be
compromised, especially with government contracts or systems required to meet
certain standards or regulations.
It is important for the selection team to be aware of the necessary or "must have"
security requirements for the subject system, in accordance with accepted standards
or regulations. Examples of such standards and regulations are described in other
sections.
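The must-have/desired-to-have distinction and the comparison of quality attributes against cost described above can be made mechanical. The following is an added example, not code from the book: it first drops any offer that fails a must-have (here, security) requirement, then scores the surviving offers on weighted desired-to-have attributes per unit of cost. The requirement names, weights, thresholds, and the three vendor offers are constructed assumptions for illustration.

```python
"""Supplier offer evaluation (added example, not from the book).

Hard "must have" requirements filter offers first; only compliant offers are
then scored on "desired to have" quality attributes against their cost.
Attribute names, weights, thresholds and the sample offers are constructed
assumptions for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Requirement:
    name: str
    must_have: bool      # True: cannot be compromised, offer must meet `minimum`
    minimum: float       # lowest accepted level for this attribute (0..1 scale)
    weight: float = 1.0  # importance when scoring desired-to-have attributes


@dataclass
class Offer:
    supplier: str
    cost: float
    attributes: dict = field(default_factory=dict)  # name -> offered level (0..1)


def violates_must_haves(offer, requirements):
    """Names of must-have requirements the offer fails (empty list = compliant)."""
    return [r.name for r in requirements
            if r.must_have and offer.attributes.get(r.name, 0.0) < r.minimum]


def score_offer(offer, requirements):
    """Weighted quality score over desired-to-have attributes.

    An attribute below its accepted level earns nothing; at or above it, the
    offered level is scaled by the requirement weight.
    """
    total = 0.0
    for r in requirements:
        if r.must_have:
            continue
        level = offer.attributes.get(r.name, 0.0)
        if level >= r.minimum:
            total += r.weight * level
    return total


def rank_offers(offers, requirements):
    """Return (ranked, rejected).

    ranked:   [(supplier, quality_per_cost)] best first, compliant offers only
    rejected: {supplier: [failed must-have names]}
    """
    ranked, rejected = [], {}
    for o in offers:
        failed = violates_must_haves(o, requirements)
        if failed:
            rejected[o.supplier] = failed
            continue
        ranked.append((o.supplier, score_offer(o, requirements) / o.cost))
    ranked.sort(key=lambda t: t[1], reverse=True)
    return ranked, rejected


# Constructed sample data (assumptions): two security must-haves that cannot
# be compromised, two desired-to-have quality attributes with different weights.
SAMPLE_REQUIREMENTS = [
    Requirement("encryption_at_rest", must_have=True, minimum=1.0),
    Requirement("audit_logging", must_have=True, minimum=1.0),
    Requirement("availability", must_have=False, minimum=0.5, weight=3.0),
    Requirement("usability", must_have=False, minimum=0.0, weight=1.0),
]

SAMPLE_OFFERS = [
    Offer("VendorA", 100.0, {"encryption_at_rest": 1.0, "audit_logging": 1.0,
                             "availability": 0.75, "usability": 0.5}),
    # Cheapest and best on quality, but no encryption at rest: rejected outright.
    Offer("VendorB", 60.0, {"encryption_at_rest": 0.0, "audit_logging": 1.0,
                            "availability": 1.0, "usability": 1.0}),
    # Compliant, but availability below the accepted level earns no credit.
    Offer("VendorC", 80.0, {"encryption_at_rest": 1.0, "audit_logging": 1.0,
                            "availability": 0.25, "usability": 0.75}),
]

if __name__ == "__main__":
    ranked, rejected = rank_offers(SAMPLE_OFFERS, SAMPLE_REQUIREMENTS)
    for supplier, value in ranked:
        print(f"{supplier}: quality per cost unit = {value:.4f}")
    for supplier, failed in rejected.items():
        print(f"{supplier}: rejected, fails must-have {failed}")
```

The point of separating the two passes is that the cheapest and otherwise best offer (VendorB) never reaches the cost comparison, because a failed must-have is not something a higher score elsewhere can buy back; only among compliant offers does quality per cost decide.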

K0169: Knowledge of Information Technology (IT) Supply Chain Security and Risk Management Policies, Requirements, and Procedures

Supply Chain Security Policies

As in most other business domains, supply chain security elements include, but
are not limited to: physical security, access control, employee, user, and customer
security, education and training awareness, procedural and workflow security,
information protection and documentation security, partner communication and
transportation security, risk management and disaster recovery, etc. The value or
importance of each of these elements may vary from one case or business to
another. Unlike security policies in other business departments, security policies
in the supply chain should extend beyond the business premises to partners and to
the communication channels with supply chain partners.
Several US entities contribute to creating supply chain security policies, such as
the Department of Defense (DoD), the Department of Homeland Security (DHS), the
National Institute of Standards and Technology (NIST), the Office of Management and
Budget (OMB), the Federal Energy Regulatory Commission (FERC), and the General
Services Administration (GSA). Due to the international nature of supply chains,
international organizations such as the International Organization for
Standardization and the International Electrotechnical Commission (ISO/IEC), the
World Customs Organization (WCO), the International Civil Aviation Organization
(ICAO), the International Maritime Organization (IMO), and the Universal Postal
Union (UPU) also contribute policies and standards in this area.
One notable security-related supply chain policy in the USA and many other
countries is keeping all or most of the supply chain within national borders. For
some sensitive US government organizations, this is a mandatory policy in IT
procurement. In other cases, if international suppliers are allowed, either
preference is given to certain countries or particular countries (e.g., China,
Russia, or India) are excluded from the selection.
Another important policy component is the vetting process. With variations based
on the nature of the organization and the procurement project, vetting can occur
at different levels to cover most of the supply chain components. For example,
many government organizations require certain levels of security clearance for all
contractor or supplier personnel working on the procurement project. As part of
the vetting process, suppliers may accrue credits or liabilities based on their
compliance or non-compliance with security policies or requirements, or when
security vulnerabilities are discovered within their area of responsibility.
US NIST describes the following important principles for supply chain security
policies:
• Security breaches are inevitable: Write your supply chain security policies as if
security breaches will occur; be proactive rather than reactive.
• Security problems are not only technical or IT related; they also have social,
human, training, and management aspects. Training is an important element of
any security framework, educating people on security issues, regulations, controls,
and protection mechanisms.
• Security is comprehensive; all it takes is one vulnerability or weakness in one
component (technical, network, management, human, or training).
• Resilience: The supply chain should provide the required products and/or services
under normal as well as stress or failure circumstances.
Here are a few examples of US supply chain security policies:
• SAFE Port Act of 2006: This act requires testing all US-bound cargo containers
and scanning all containers for radiation at the 22 busiest US ports.
• Secure Freight Initiative (SFI): A joint US Department of Energy and US Customs
program requiring 100% scanning of US-bound cargo at selected ports.

Supply Chain Security Requirements and Procedures

Security problems in the supply chain should not be seen as IT problems only, as
they can seriously impact different functions in the supply chain. Security
requirements should also not be seen as surplus, necessary only with government
contracts or when we must comply with certain regulations or standards.
System analysts and the team preparing procurement requirements may view security
requirements as extra overhead, and time/budget limitations may reinforce such
views. However, enterprise-level security requirements and policies should be
developed so that they can be implemented easily across all organization projects.
In some cases, projects or their components can be classified into several
security-related categories (e.g., low, medium, and high). Based on the category a
project or component falls into, the corresponding security requirements can be
pulled from the organization's existing template and applied.
When it comes to best practices and procedures in supply chain security, sharing
information and experience between the different private and public sectors is
important. On the other hand, in many cases, because of information classification
issues, government sectors are reluctant to share or provide such information.
There are also several attempts at building national or global online threat
intelligence monitoring systems to keep all members informed of the latest malware,
hacking attempts, breaches, etc.

Supply Chain Risk Management Policies

In supply chain activities, several categories of risk may occur. Here are a few
examples of such risks:
• Vetting process problems: Direct or indirect service providers in the supply chain
may leak sensitive information or expose system vulnerabilities.
• Poor or negligent information security practices by contractors or suppliers.
• Vulnerabilities within suppliers' premises, management, practices, etc.
• Suppliers' use of unverified or improper third-party software or systems.
• Suppliers lacking proper security, access controls, or auditing systems.
Supply chain risk management policies and processes are identified, established,
and managed by organizational stakeholders and their assigned employees.
Cross-functional communication or reporting mechanisms: While the supply chain
is a single business function, security and risk management issues are not; they
cut across every major function and business area. The risk management team
should have the technical and functional knowledge required to collect and plan
organization-wide risk management requirements. If the different business functions
do not communicate and collaborate effectively, especially on issues related to
security and risk, small problems can eventually grow into serious ones.

K0257: Knowledge of Information Technology (IT) Acquisition/Procurement Requirements

IT procurement requirements were defined earlier in this chapter as the demand for
systems, hardware, networks, software, personnel, services, etc. that the business
currently lacks and that are to be integrated into the business. Business owners,
stakeholders, and their assigned employees or domain experts will have to evaluate
current systems in order to determine future demands or needs.
The team preparing IT acquisition or procurement requirements should study the
problem domain first and understand its current state and environment. The request
for proposal (RFP) document usually originates with domain personnel or an expert.
Such a document typically includes the problems with the current domain or business
function and the solution specifications. It is used to trigger the acquisition or
procurement process and is considered one of the main reference documents.
Different business functions may have their own custom or unique acquisition/
procurement requirements. On the other hand, IT/security requirements support
more than one business function, or the whole organization. Function or domain
experts may not explicitly request IT or security requirements; the acquisition
team should therefore have the knowledge, skills, and expertise to add or update
the acquisition or procurement requirements to accommodate those necessary, but
unrequested, IT or security requirements. The acquisition team should also prepare
a cost-benefit analysis of all procurement requirements.

K0264: Knowledge of Program Protection Planning to Include Information Technology (IT) Supply Chain Security/Risk Management Policies, Anti-tampering Techniques, and Requirements

Program protection planning (PPP) manages the risk management effort for critical
system resources and organizational assets and ensures that important assets are
adequately protected. The risk management team should prepare a deliverable
document for this stage or milestone. This document captures the Acquisition
Information Assurance (IA) strategy, threat and vulnerability information,
descriptions of Critical Program Information (CPI) and critical functions/components,
etc. (Table 2.3). The PPP may also reference many other documents related to
procurement requirements, security, or risk management.
The document can be further divided into two parts (Acq.osd.mil 2011): (1) the
Milestone A plan should include an initial criticality analysis, candidate CPI,
potential countermeasures, and the information assurance strategy; (2) the
Milestone B plan should be a comprehensive document.
Information should be protected from adversaries and unauthorized personnel.
This includes information that by itself is unclassified but, if aggregated with
other types of unclassified information, may allow an adversary to clone, counter,
or damage sensitive information.

Table 2.3 Program protection content (Acq.osd.mil 2011)

1. Program protection schedule
2. CPI and critical functions and components protection (protected items and
   countermeasures), criticality analysis
   2.1. Configuration Management (CM)
   2.2. Critical Program Information (CPI) and critical components
3. Critical Program Information (CPI) and critical components
   3.1. Identification methodology
   3.2. Inherited CPI and critical components
   3.3. Organic CPI and critical components
4. Horizontal protection
5. Threats, vulnerabilities, countermeasures, and assurance
6. Other system security-related plans and documents
7. Program protection risks
8. Foreign involvement
9. Processes for management and implementation of PPP
10. Processes for monitoring and reporting compromises
11. Program protection costs
12. Program protection analysis
    12.1. Information analysis
    12.2. Critical Program Information (CPI) analysis
    12.3. Trusted Systems and Networks (TSN) analysis
For many government departments, such a plan is required by certain
instructions/policies, such as:
• DoDI 5000: https://aida.mitre.org/dodi-5000/
• DoDI 5000.02: Operation of the defense acquisition system
• DoDI 5200.39: Critical Program Information (CPI) Identification and Protection
Within Research, Development, Test, and Evaluation
• DoDI 5200.mm: Trusted Systems and Networks
• DoDI 5200.44 Protection of Mission Critical Functions to Achieve Trusted
Systems and Networks
• DoDI 4140.67 DoD Counterfeit Prevention Policy
• DoDI 8500.01 Cybersecurity
Organizations may have many databases, datasets, or files containing information.
There is a need first to classify such information from a sensitivity, importance
(to be protected and kept private), or privacy perspective. Based on the
information classification, different protection mechanisms should be planned.

Information Sensitivity (Alsmadi et al. 2018)

Information must be protected based on its value as well as the likelihood that it
may be targeted for unauthorized disclosure. In general, information falls into one
of three categories based on its sensitivity: confidential information, private
information, and public information. This classification of information sensitivity
is independent of format and status. The only difference between the categories is
the likelihood, duration, and level of harm incurred if unauthorized access occurs.
Confidential information: Confidential information is information whose
unauthorized disclosure, alteration, or destruction can result in a significant
level of risk. Examples include electronic medical records, financial information,
and credit card transactions. In most cases, unauthorized access to such
information can result in significant monetary loss for the owner of the
information as well as long-term harm. As a result, confidential information should
be maintained in a way that allows only authorized people to access it. In this
context, access controls can be implemented so that access to data is granted based
on roles or on a need-to-know basis. Keep in mind that the highest level of
security controls needs to be applied to confidential information. Restricted
information is one of the sensitive categories of confidential data; it is defined
as "information that cannot be disclosed to an unauthorized organization or to one
or more individuals" (Sengupta 2011).

Private information: Private information is information whose unauthorized
disclosure can result in a moderate or minor risk. In general, all information that
is not classified as confidential or public is considered private information. A
reasonable level of security controls should be applied to private information
(Ivancic et al. 2015).

Public information: Public information is information whose unauthorized
disclosure results in little or no risk. In most cases, public information is
available to anyone who needs access to it. Examples of public information include,
but are not limited to, press releases, maps, directories, and research
publications.
The PPP document itself should be classified by content (Acq.osd.mil 2011).
Threat and vulnerability information is commonly classified as Secret or above. The
program's original classification authority is responsible for determining the
appropriate classification of the PPP documents and related information.
Anti-Tamper (AT) is a key protection activity intended to prevent and/or delay
exploitation of resident CPI in system resources. In the USAF (Secretary of the
Air Force/Special Programs Directorate (SAF/AQL)), AT analysts ensure that all CPI
is assessed and that threats to CPI are continually monitored to determine whether
AT measures are necessary and appropriate. The USAF AT team provides assessment
reports of Commercial Off-the-Shelf (COTS) products used in the protection of CPI.

K0266: Knowledge of How to Evaluate the Trustworthiness of the Supplier and/or Product

In procurement analysis, the procurement team usually has to choose between several
possible suppliers and products. Different criteria should be considered in selecting
the final product and supplier, and the selection criteria consider not only the
product but also its supplier. In this section, we focus on one criterion that
applies to both the supplier and the product: trustworthiness. Related terms include
trust, reputation, credibility, confidence, integrity, and the more general word,
quality. Mutual trust is an evolving process that increases or decreases over time
based on the companies' previous interactions with each other. Trust relations can
also be inherited or transitive: for example, if company A trusts supplier B, and
company C trusts company A, then company C may trust supplier B. Other aspects of
trust are transitive as well. For example, if a company hires a supplier for a
product or service, not only the supplier but also the supplier's own suppliers
should be trustworthy.
In some projects, the procurement team may request on-site monitoring and audits
of supplier processes and products. An inspection of the supplier's production
processes and conformity management system can aid in better understanding the
supplier environment and also builds a level of trust.
Suppliers and their products should work to gain the trust of consumers. With the
Internet, e-commerce, search engines, and online social networks, positive or
negative feedback on service providers or products can quickly spread to a large
audience. The credibility of such feedback varies from one case or environment to
another, but because of its importance, investing in the credibility of customer
feedback is also key for suppliers and their products.
Part of a supplier's process for demonstrating trustworthiness is transparency and
openness with clients. Suppliers should show their conformance to standards: what
is complete and what is not. They need to show summaries of their security risk
assessments, plans, etc. For companies, it is useful to classify existing and
candidate suppliers into three main categories (high, medium, and low
trustworthiness), based on several criteria that can be defined, evaluated, and
updated with each procurement project.
Alves (2012a, b) showed that the following factors are important for evaluating
the trustworthiness of suppliers:
• Feedback
Feedback about a supplier's previous interactions with any client can provide
valuable information about the organization's behavior in historical transactions
[3]. Feedback can be used to measure trustworthiness or credibility, but it can
also reveal more details about the supplier's processes, products, and overall
quality.
A similar criterion is mentioned in the EN50581 standard: historical experience
with the supplier. This experience can be direct, through the procuring company or
some of its partners, or general experience gathered from the supplier's credible
existing clients.

• Legal bonds
Legal bonds or contracts can govern the supplier's interactions with other
companies.
• International presence
Popularity is related to trust and credibility. Larger companies that have been
in business longer and have branches in different locations can be seen as more
trustworthy than small or startup companies, although this is not always true.
Additionally, when it comes to international issues, different companies may
perceive trust differently because of cultural influences.
• Monitoring
Monitoring encourages transparency and responsible behavior. Monitoring can
take different forms; for example, as mentioned in another section, some contracts
may require the procuring team or company to conduct audit or monitoring
activities with project suppliers.
• Cooperative norms
This relates to the supplier organization's values, process maturity, objectives,
and principles.
A similar evaluation factor is described by the EN50581 standard: the results of
previous inspections or audits, especially when those inspections come from
partners or trusted sources.
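The transitive trust relation introduced at the start of this section (company C trusting supplier B through company A) and the high/medium/low classification of suppliers built from the factors above can both be computed. The following added example, which is not code from the book or from Alves, rates one supplier on the five factors with assumed weights, propagates trust across a small assumed graph of trust relationships with a per-hop discount, and classifies the result; it also shows why a supplier's own suppliers matter. The weights, decay, thresholds, and sample relationships are constructed assumptions.

```python
"""Supplier trustworthiness scoring (added example, not from the book).

Direct trust is a weighted sum of the five factors discussed above; transitive
trust follows trust relationships (if C trusts A and A trusts B, C may extend
discounted trust to B). Weights, decay, thresholds and the sample graph are
constructed assumptions.
"""
from collections import deque

# Assumed importance of each factor; ratings are on a 0..1 scale and the
# weights sum to 1, so the score is also on a 0..1 scale.
FACTOR_WEIGHTS = {
    "feedback": 0.30,
    "legal_bonds": 0.20,
    "international_presence": 0.10,
    "monitoring": 0.25,
    "cooperative_norms": 0.15,
}
TRANSITIVE_DECAY = 0.6  # assumed: each inferred hop keeps 60 % of its strength
MAX_HOPS = 3            # assumed: do not infer trust beyond three relationships


def direct_trust(ratings):
    """Weighted sum of the rated factors; an unrated factor counts as 0."""
    return sum(w * ratings.get(f, 0.0) for f, w in FACTOR_WEIGHTS.items())


def transitive_trust(graph, source, target,
                     decay=TRANSITIVE_DECAY, max_hops=MAX_HOPS):
    """Strongest trust `source` can place in `target` through the graph.

    graph: {truster: {trustee: direct trust score in 0..1}}. Scores multiply
    along a path; every hop after the first is discounted by `decay`, so a
    direct relationship always outranks an inferred one of equal strength.
    Breadth-first traversal that keeps the strongest path found to each node;
    a node is revisited only when a stronger path to it appears, and paths
    are bounded by `max_hops`, so the search terminates.
    """
    best = {source: 1.0}
    queue = deque([(source, 1.0, 0)])
    while queue:
        node, strength, hops = queue.popleft()
        if hops == max_hops:
            continue
        for nxt, edge in graph.get(node, {}).items():
            factor = edge if hops == 0 else edge * decay
            candidate = strength * factor
            if candidate > best.get(nxt, 0.0):
                best[nxt] = candidate
                queue.append((nxt, candidate, hops + 1))
    return best.get(target, 0.0)


def classify(score):
    """Map a trust score to the three supplier categories (assumed thresholds)."""
    if score >= 0.7:
        return "high"
    if score >= 0.4:
        return "medium"
    return "low"


# Constructed sample: how CompanyA rates SupplierB on the five factors.
SAMPLE_RATINGS = {"feedback": 0.9, "legal_bonds": 1.0,
                  "international_presence": 0.5, "monitoring": 0.8,
                  "cooperative_norms": 0.6}

# Constructed trust graph: CompanyC trusts CompanyA; CompanyA trusts SupplierB
# (the score above); SupplierB relies on SubSupplierD, which it trusts weakly.
SAMPLE_GRAPH = {
    "CompanyC": {"CompanyA": 0.9},
    "CompanyA": {"SupplierB": direct_trust(SAMPLE_RATINGS)},
    "SupplierB": {"SubSupplierD": 0.5},
}

if __name__ == "__main__":
    for target in ("SupplierB", "SubSupplierD"):
        t = transitive_trust(SAMPLE_GRAPH, "CompanyC", target)
        print(f"CompanyC -> {target}: {t:.3f} ({classify(t)})")
```

CompanyA rates SupplierB at 0.81 (high), but CompanyC, which only knows SupplierB through CompanyA, arrives at 0.4374 (medium), and SupplierB's own weakly trusted sub-supplier drops to 0.13 (low). Inherited trust is therefore a reason to investigate further, not a substitute for a direct assessment.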

K0270: Knowledge of the Acquisition/Procurement Lifecycle Process

A generic engineering lifecycle model includes five stages:
• Material Solution Analysis
• Technology Development
• Engineering and Manufacturing Development
• Production and Deployment
• Operations and Support
The majority of engineering projects, processes, or products pass through these five
stages, either once or through several cycles. Figure 2.5 shows the DoD acquisition
process and its major stages (Acquisition University Press 2001).
Figure 2.5 shows four major stages in the acquisition lifecycle:
• Pre-systems acquisition, concept, and technology development. In some models,
this stage is divided into two stages: (1) concept refinement and decision, and
(2) technology development. The pre-systems acquisition stage is called the "NEED"
stage in the DHS model (DHS 2008). Gaps and needs in existing systems are
investigated and validated.

Fig. 2.5 DoD acquisition process (Acquisition University Press 2001)

• In concept refinement, several alternative concepts that could satisfy the project
objectives or requirements are evaluated and compared. The risks associated with
each concept are also analyzed. At the end of this stage, a decision must be made
on which concepts advance to the next stage.
• System development and demonstration.
• Production and deployment: In this stage, the product is deployed and evaluated
in its real environment. Some models divide this stage into two sub-stages:
initial operational capability (IOC) and full operational capability (FOC).
• Sustainment and maintenance: This includes all activities after the first
deployment cycle. In other models, this stage is called operations and support. In
some DoD or military models, this stage may include "Disposal"; in some cases, an
explicit process/stage is required to dispose of or retire the product properly.
The US Department of Homeland Security (DHS) defines four stages for the acquisition
lifecycle (Hutton 2010):
• Identify the functional capabilities the assets need and how those capabilities
can serve the requested objectives.
• Evaluate alternative solutions for those capabilities, with cost and schedule
estimates.
• Develop, test, and deploy the selected alternative.
• Evaluate the asset after deployment to judge whether the objectives are met and
whether to move to full production.
The Federal Aviation Administration proposed an acquisition lifecycle model with the
stages mission analysis, investment analysis, and solution implementation; a cycle
of operation comprising in-service management and service life extension; and
finally a system disposal stage (Fig. 2.6).

Fig. 2.6 FAA acquisition lifecycle model (Grady 2006). Stages shown: need; S1 mission analysis; S2 investment analysis; S3 solution implementation; S4 in-service management (with XOR decision points leading to S5 or S6); S5 service life extension; S6 system disposal (system residual); S7 manage program

Fig. 2.7 NASA acquisition lifecycle model (Grady 2006). Stages shown: need; SA advanced studies; SB project definition; SC detailed design; SD development and operations, comprising SD1 acquire material, SD2 to SD4 design, manufacture, and verify system, SD5 provide logistics support, SD6 modify system, SD7 dispose of system, and SD8 use system; SM system management

Similar to the FAA, NASA adopts a semi-evolutionary model in which the development,
deployment, and operational stages can go through several increments or cycles
(Fig. 2.7).

Defense Acquisition University

Defense Acquisition University (DAU) is a corporate university of the US DoD that
focuses on Acquisition, Technology, and Logistics (AT&L) training for military and
federal civilian staff and contractors (https://www.dau.mil/). Much content relevant
to this chapter can be found on the University's website. Similarly, DoD Directive
5000 is a major reference for government policies on acquiring material systems
and infrastructure.
Positions in the acquisition workforce have different acquisition duties that fall
into 15 functional areas. For each area, certification is available at three levels:
basic, intermediate, and advanced. The areas are: Auditing; Business Cost Estimating
and Financial Management; Business Cost Estimating; Business Financial Management;
Contracting; Facilities Engineering; Industrial/Contract Property Management;
Information Technology; Lifecycle Logistics; Production, Quality and Manufacturing;
Program Management; Purchasing; Small Business; Systems Planning, Research,
Development and Engineering (Program Systems Engineering; Science and Technology
Manager); Engineering; Test and Evaluation.

K0523: Knowledge of Products and Nomenclature of Major Vendors (e.g., Security Suites—Trend Micro, Symantec, McAfee, Outpost, Panda, Kaspersky) and How Differences Affect Exploitation/Vulnerabilities

Security suites or anti-malware systems provide full or integrated security control
solutions that protect against a large spectrum of malware or attacks. The earliest
versions of such tools were called antiviruses, since viruses were the only or most
common malware at the time. The term malware is now used to refer to all categories
of malicious software, such as viruses, worms, Trojan horses, spyware, and adware.
Similarly, the term security suite indicates a recent trend in security controls
toward a one-for-all suite that provides all categories of security controls or
functions. For customers and IT support, having one centralized security suite to
deal with and configure can be more convenient. It also avoids conflicting actions or
decisions between different security controls. For example, a gateway firewall may
have a rule to block certain traffic while the same traffic is allowed, and
necessary, from the viewpoint of another security control. Currently, with many
security controls, a rule of precedence is usually enforced: once a security control
has denied and dropped certain traffic, there is no way for subsequent security
controls to reverse that decision.
On the other hand, centralization always raises the issue of a "single point of
attack" or "single point of failure". For a large enterprise with a large number of
assets, databases, etc., can one centralized security control be sufficient? How
much confidence do we have that this centralized security control always makes the
right permit and deny decisions (consider false-positive and false-negative cases),
and how much confidence do we have that such a centralized security suite will not
itself become a target (e.g., tampering to change, add, or delete sensitive rules in
its rule engine)?
In addition to anti-malware, there are other categories of security controls such as
firewalls and intrusion detection/prevention systems (IDS/IPS). Details on those
categories can be found in other parts of this book. The main focus in this section
is on the major vendors of anti-malware or integrated security controls. Security
suites can be classified and compared according to the list of features they provide
relative to their cost (Fig. 2.8).
While paid security suites usually perform better than free or open source ones,
some no-cost options, such as Avira, Panda, ClamWin, Avast, Microsoft Security
Essentials, and AVG, hold up well. The rankings can vary

Fig. 2.8 The Best Security Suites of 2018 (pcmag.com)

significantly from one year to another, and even from one evaluator to another (e.g.,
based on the features of interest). The main advantage of buying a security suite
from a vendor is the ability to get help and support. Given the sensitivity of
security problems or breaches and the urgency to solve them quickly, one instance of
effective support can justify forgoing the free or open source option.
In terms of acquisition, there are different models for how security suite services
are sold or provided. In addition to the free or open source options, early
generations of security controls offered one-time payment. However, current
commercial security suites offer yearly subscriptions, with options varying between
cost per user or individual and cost per site or enterprise. Several factors drove
the transition to this model:
• Internet and bandwidth availability: Early generations of Internet services
were limited and slow. With the increase in available bandwidth for users and
businesses, it became possible to provide real-time services. Many security suites
offer the option to scan your machine without installing any software locally
(software as a service, SaaS).
• The continuous evolution of security threats: Security threats change daily,
and new threats, vulnerabilities, or malware are discovered. Real-time or frequent
updates of security suites are therefore very important. Strictly speaking, a
zero-day attack exploits a vulnerability for which no fix exists yet; once the
security provider has discovered the vulnerability and published a fix/update,
attackers count on it still being present on computers whose software or security
suites have not been updated.
• Different platforms and mobility: Users want to protect their laptops,
desktops, smartphones, tablets, etc. They prefer one account and subscription that
provides the same protection level from the same provider across their different
computing environments.

S0086: Skill in Evaluating the Trustworthiness of the Supplier and/or Product

S0086-1: Some websites provide trust rankings for particular industry sectors. For example, the website Pixalate (http://www.pixalate.com) publishes a Global Seller TrustIndex for digital advertising (Fig. 2.9). Investigate the Pixalate metrics (i.e., the columns in Fig. 2.9) from a seller's or supplier's perspective.
S0086-2: Similar to Pixalate, do your own research to find another website or tool that evaluates the trustworthiness of suppliers or sellers. Show the different metrics or attributes the tool or website uses and how they can be used to compare sellers and suppliers.

A0009: Ability to Apply Supply Chain Risk Management Standards

Government contractors that handle Controlled Unclassified Information (CUI) are required to protect its confidentiality in accordance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. The publication is intended to make contractors implement a reasonable baseline of security requirements; non-compliance can mean lost business and potential fines.
In this Ability, download and use a NIST SP 800-171 compliance template for ITS-managed systems (e.g., https://www.csiac.org/wp-content/uploads/2016/01/SRC-800-171-Requirements-Worksheet.xlsx, or https://www.complianceforge.com/nist-800-171-compliance-criteria-worksheet.html, or https://library.educause.edu/resources/2016/9/nist-sp-800-171-compliance-template, or https://its.uiowa.edu/sites/its.uiowa…/NIST-SP-800-171-Template-ITSManaged.xlsx). Then select an organization and complete the template for that organization. Table 2.4 shows a small sample of the columns that should be included in the evaluation.
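As an added example (not code from the book or from any of the linked templates), the script below reads a worksheet of the kind this Ability asks you to complete and rolls it up: it validates the status column, checks each requirement ID against the 14 SP 800-171 requirement families, reports per-family coverage, and lists the gaps that would go on a Plan of Action and Milestones (POA&M). The sample rows and the column names (requirement, family, status, evidence, owner) are constructed assumptions; the real templates differ in layout, so adapt the reader to the columns of the one you download.

```python
"""
Roll up a NIST SP 800-171 compliance worksheet into per-family coverage and a
gap list (the items that would feed a POA&M).

Added example, not from the book. The rows below are constructed; the column
names are an assumption about what a filled-in template looks like.
"""
import csv
import io
from collections import defaultdict

# Accepted values for the status column; anything else is a data error.
VALID_STATUS = {"implemented", "partially implemented",
                "not implemented", "not applicable"}

# The 14 requirement families of NIST SP 800-171, keyed by section prefix.
FAMILIES = {
    "3.1": "Access Control",
    "3.2": "Awareness and Training",
    "3.3": "Audit and Accountability",
    "3.4": "Configuration Management",
    "3.5": "Identification and Authentication",
    "3.6": "Incident Response",
    "3.7": "Maintenance",
    "3.8": "Media Protection",
    "3.9": "Personnel Security",
    "3.10": "Physical Protection",
    "3.11": "Risk Assessment",
    "3.12": "Security Assessment",
    "3.13": "System and Communications Protection",
    "3.14": "System and Information Integrity",
}

# Constructed sample worksheet (a handful of the 110 requirements).
SAMPLE_WORKSHEET = """\
requirement,family,status,evidence,owner
3.1.1,Access Control,Implemented,AD group policy export 2018-09,IT Ops
3.1.2,Access Control,Partially implemented,RBAC matrix drafted; not enforced on file shares,IT Ops
3.3.1,Audit and Accountability,Implemented,Central syslog; 1-year retention,SecOps
3.5.3,Identification and Authentication,Not implemented,MFA only on VPN; privileged local logons lack MFA,IT Ops
3.13.11,System and Communications Protection,Not implemented,TLS uses non-FIPS module,Platform
3.14.1,System and Information Integrity,Implemented,Monthly patch cycle; WSUS reports,IT Ops
3.10.1,Physical Protection,Not applicable,Cloud-hosted only; see provider attestation,Facilities
"""


def family_of(req_id):
    """Map '3.5.3' to its family name via the '3.5' prefix; None if unknown."""
    prefix = ".".join(req_id.split(".")[:2])
    return FAMILIES.get(prefix)


def parse_worksheet(text):
    """Parse CSV text into row dicts; normalise status and flag bad rows."""
    rows, errors = [], []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        status = row["status"].strip().lower()
        fam = family_of(row["requirement"].strip())
        if status not in VALID_STATUS:
            errors.append(f"line {line_no}: unknown status {row['status']!r}")
            continue
        if fam is None:
            errors.append(f"line {line_no}: unknown requirement {row['requirement']!r}")
            continue
        if fam != row["family"].strip():
            errors.append(f"line {line_no}: family {row['family']!r} should be {fam!r}")
        rows.append({**row, "status": status, "family": fam})
    return rows, errors


def summarize(rows):
    """Per-family counts of implemented vs. assessed (non-N/A) requirements."""
    counts = defaultdict(lambda: {"implemented": 0, "assessed": 0})
    for r in rows:
        if r["status"] == "not applicable":
            continue
        counts[r["family"]]["assessed"] += 1
        if r["status"] == "implemented":
            counts[r["family"]]["implemented"] += 1
    return dict(counts)


def gaps(rows):
    """Rows that need a POA&M entry: anything not fully implemented."""
    return [r for r in rows
            if r["status"] in ("partially implemented", "not implemented")]


def overall_ratio(summary):
    """Fraction of assessed requirements that are fully implemented."""
    impl = sum(v["implemented"] for v in summary.values())
    assessed = sum(v["assessed"] for v in summary.values())
    return impl / assessed if assessed else 0.0


if __name__ == "__main__":
    rows, errors = parse_worksheet(SAMPLE_WORKSHEET)
    for e in errors:
        print("DATA ERROR:", e)
    summary = summarize(rows)
    for fam, c in sorted(summary.items()):
        print(f"{fam:40s} {c['implemented']}/{c['assessed']} implemented")
    print(f"Overall: {overall_ratio(summary):.0%}")
    for g in gaps(rows):
        print(f"POA&M: {g['requirement']} ({g['status']}) "
              f"owner={g['owner']}: {g['evidence']}")
```

"Not applicable" rows are excluded from the denominator rather than counted as implemented, and a requirement whose family column disagrees with its ID is reported instead of silently accepted; both are the kinds of worksheet errors that inflate a self-assessment score.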

Fig. 2.9 Pixalate seller TrustIndex and metrics (http://www.pixalate.com)


woman, piously; "I have done the best I could for her ever since she
staggered into the door and asked me for her lost baby."
As if the word struck some sensitive chord in her consciousness,
Lora turned her wild, bright eyes upon Howard's face, and
murmured in a pathetic whisper:
"Have you found my baby—Jack's baby and mine?"
Alas for Xenie's secret, guarded with such patient care and sleepless
vigilance.
Howard looked down upon her with a mist of tears before his sight—
she looked so fair, and young, and sorrowful, lying there calling for
her lost little child.
"I have lost my baby, I have lost my baby!" she wailed aloud,
throwing her arms wildly over her head and tangling her fingers in
the long, dark tresses floating over the pillow in their beautiful
luxuriance. "It is lost, lost, lost, my darling little one! It will perish in
the rain and the cold!"
Involuntarily Howard reached out and took one of the restless white
hands in his, and held it in a firm and tender clasp.
"Lora, Lora," he said, in a gentle, persuasive voice, "listen to me.
The baby is found. Xenie found it on the shore where you lost it out
of your arms. It is safe—it is well, with Xenie."
Lora turned her hollow glance upon his face, and though no gleam
of recognition shone in her eyes, his impressive words penetrated
her soul. She threw out her arms yearningly.
"It is found, it is found! Oh, thank God!" she murmured, happily.
"Bring him to me, for the love of Heaven! Lay him here upon my
breast, my precious little son!"
"Oh, sir, then it is true she had a child; and it is living. I thought
perhaps it was dead," said the poor widow.
"She has a child, indeed, and she lost it in her delirious flight; but
her sister found it soon afterward. It is at this moment not more
than four miles from here," answered the young man, without
reflecting that many things might have happened during his long
imprisonment of four days in the lonely little fishing village.
"Then, if you will take my advice, sir, as she is a friend of yours, you
will try to get that child here as soon as possible. I will do the best I
can for her, and the doctor has promised to do all in his power; but I
believe that the child is the only thing that will save her life," said
Dame Videlet, gravely shaking her head in its homely white cap.
"It shall be brought," said Howard, earnestly, and without a doubt
but that he could keep the promise thus made.
Dame Videlet thanked God aloud, then added that the sooner it
were brought the better it would be for the mother.
All the while poor Lora lay tossing in restless pain, and begging
piteously for her little child to be laid upon her breast.
Howard bent over her as tenderly and gently as a brother.
"Lora, my poor child, try to be patient," he said. "I will bring the
child to you; only be patient a little while."
But it was all in vain to preach patience to that racked heart and
weary, fevered brain.
He stole away, followed by despairing cries for the little child—cries
that echoed in his heart and brain many days afterward, when his
warm heart was half-broken because he could not keep the promise
he had made in such perfect confidence and hope.
"How shall I get back to the village four miles away from here?" he
asked of the man who had accompanied him and was still waiting
for him.
"I can take you in my fishing-boat and row you there, and welcome,
sir," was the hearty response. "It's a wee bit leaky, but as good as
any other craft about, and there's no conveyance to be had by land."
"What a great simpleton I have been, by George, never to have
thought of a boat before," said Howard, looking vexed at himself.
"Here I have been four days, and wanting to get back to the village
badly, and never thought of all the little boats and the great, wide
ocean."
"Mayhap it's all for the best, sir," said the fisherman. "If you had
gone back sooner, you might never have found the sick lady, your
friend. You should see the hand of the Lord in it, my young sir."
"It looks like it," admitted Howard, "though, truth to tell, mon ami, I
do not usually look for such intervention in my affairs. His Satanic
Majesty is at present controlling my mundane affairs."
"The Lord rules, sir," answered the man, launching his little boat,
and trying to make a comfortable and dry seat for his crippled young
passenger.
The little boat shot out into the blue and sparkling waves, and
danced along like a thing of life in the beautiful spring sunshine.
"We must go a mile below the village to the home of my friend's
mother," Howard explained, as they went along.
Then he fell to wondering how Xenie would receive him when he
came to her with the glad tidings of Lora's discovery.
"How strange that I should carry her glad tidings," he thought. "I am
afraid I do not keep to the letter of my vow of hatred as firmly as
she does. Would she bring me good news as willingly?"
His heart answered no.
The keel grated on the shore, and springing out, they went up to the
pretty cottage where Mrs. Carroll had lived in strict retirement for
several months with her two daughters.
But there a terrible disappointment awaited Howard.
The cottage was untenanted.
They knocked several times, eliciting no response, and finally
opening the doors, they found that the occupants had moved out.
All was still and silent, and Howard's heart sank heavily as he
thought of poor Lora lying in the widow's cot and moaning for the
child he had promised to bring her.
"They are gone away," said Howard in a more hopeless voice than
he knew himself. "We must return to the village. We may hear news
from them there."
And in his heart he was fervently praying that he would, for how
could he return to Lora without the child?
They went to the little village where the dead body had been
washed upon the sands, and he asked everyone he met if they knew
where the occupants of the little cottage had gone.
No one could tell him anything of their whereabouts. They had
identified the drowned woman as their relative, had buried her, and
then quietly left the place, taking Ninon, the little maid, with them.
He could not obtain the least clew by which he might follow them
and bring them back to the sick girl whom they mourned as dead.
Howard did not know what to do now, for he remembered that
Dame Videlet had said that the child was the only thing that could
save Lora's life.
He went into the churchyard and looked at the new-made grave with
the cross of white marble, and the simple inscription "Lora, ætat
18."
"Perhaps the inscription might come true after all in a few—a very
few days," he thought, sadly.
CHAPTER XX.
Howard did not know what to do: it seemed such a terrible thing to
go back to Lora with bad tidings. Perhaps the shock would kill her.
Oh, if Mrs. St. John had but waited a little longer! Why need she
have hurried away so precipitately?
Well, there was no help for it.
He must go back and tell her how inopportunely things had turned
out, and how sorry he was that he could not keep his promise.
He would get Dame Videlet to break it to her very gently.
She would not bungle over it like a great, awkward fellow like
himself.
The good old woman was waiting for him outside the door.
Her face was radiant, but it changed and grew very anxious as he
came up to her, and she saw that his arms were empty.
"Where is the child?" she whispered.
Briefly and sadly he told the story of his disappointment, and the
widow wiped the tears of sorrow from her eyes as he concluded.
"How is she now?" he inquired, anxiously.
"She has been better, much better, since you told her the child was
found. Her reason has returned to her, and she has wept tears of
joy. She is impatiently waiting for you now, for I told her just now
that you were returning. Alas, alas!" groaned Dame Videlet, her
tender heart quite melted by the thought of Lora's disappointment.
Howard groaned in unison with her.
"Will it go hard with her?" he asked, sorrowfully.