Cybersecurity: Complying with Federal Regulations for Research and by Research Institutions


1 M310, October 16, 2017; 2:00 p.m. - 3:00 p.m.
Cybersecurity: Complying with Federal Regulations for Research and by Research Institutions
J. Michael Slocum, Esquire; Slocum & Boddie, P.C., Alexandria, VA USA

2 Summary
Introduction
Security issues in information security and cyber
Federal initiatives

3 What is the Cloud?
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (NIST)
Rapid deployment, low startup costs/capital investments, costs based on utilization or subscription, multi-tenant sharing of services/resources
Characteristics: on-demand service, ubiquitous network access, location-independent resource pooling, rapid elasticity

4 In Most Ways, Cloud Computing Security Is No Different Than Regular Security
Many applications interface with end users
All of the vulnerabilities in those apps are just as relevant to applications running on the cloud as they are to applications running on conventional hosts
(continued)

5 In Most Ways, Cloud Computing Security Is No Different Than Regular Security (2)
A data center supporting cloud computing is internally and externally indistinguishable from a data center full of "regular" servers
In each case, it will be important for the data center to be physically secure against unauthorized access or potential natural disasters, but there are no special new physical security requirements which suddenly appear simply because one of those facilities is supporting cloud computing

6 C-I-A (No, Not the Spies)
Confidentiality, Integrity and Availability
Security incident (NIST): A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies or standard security practices
Cyber incident (DFARS): Cyber incident means actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein

7 Security Issues
Threats include: data breaches, data loss, account or service traffic hijacking, insecure interfaces and APIs, denial of service, malicious insiders, abuse of cloud services, insufficient due diligence, shared technology vulnerabilities
Most security problems stem from: loss of control, weak trust relationships and multi-tenancy
Problems exist mainly with 3rd-party management models

8 Security and Privacy Issues
Confidentiality: Questions about whether the sensitive/private data stored (on a cloud, for instance) remain confidential, and about leaking of confidential customer information
Integrity: Questions about how the cloud provider correctly performs integrity computations and how the cloud provider really stores user data without altering it
Availability: Questions about what happens to customer-critical systems/data if the provider is attacked or when it goes out of business
(continued)

9 Security and Privacy Issues (2)
Massive data mining: Providers store data from a large number of customers and run data mining algorithms to retrieve large amounts of information
New classes of harmful attacks: Attackers can target the communication link between provider and customer, and provider employees can be phished
Digital forensics: Audit data and forensics are hard to perform since customers don't maintain data locally
Legal and transitive trust issues: Who is responsible for complying with regulations?

10 Security Solutions
Minimize loss of control: activity monitoring (e.g., payment, delegation, usage and storage control); access control and inter-operation management
Minimize the weakness of trust relationships: security policy (description language, policy validation and conflict management); certification infrastructure (integrity and authentication); identity management, coordination and interoperation of multi-tenancy

11 Cloud Challenges
Security breaches will be constant
Password-based security will become essentially useless; most services should offer a multi-factor authentication capability
Mobile devices (smartphones) are used by people with minimal technical skill and virtually no attention to security
Cloud failures will result in substantial data loss
Security as a service becomes a new cloud market
Nation-state cyber war escalates
Rogue nations use cybercrime

12 Litigation Prevention/Mitigation
Preventative end-user measures to include:
Data encryption before data is sent to the cloud
Sophisticated and often-changed passwords (including dual log-ins / multi-factor authentication)
Notify staff/clients/students that data is stored in this fashion as part of contracts governing the basic relationship
Be aware of industry-specific rules with additional restrictions on electronic data storage (e.g., FERPA or HIPAA)
Address cloud storage issues (and leak response plan) in formal compliance plan

13 Security Lapse Response
Immediate internal investigation
Retain outside counsel (privilege/work product issues)
Interview key personnel
Document measures taken
Immediately and fully notify affected parties
No cover-up, minimization or delayed reporting
Include plan/potential compensation offer
Hotline for those affected

14 Federal Cybersecurity Initiatives
President issues Executive Order 13636, Improving Critical Infrastructure Cybersecurity, on February 12, 2013
New Executive Order, May 11, 2017: Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

15 Agency Actions
New Executive Order mandates NIST Cybersecurity Framework
Three parts: Framework Core, Framework Profile, Framework Implementation Tiers

16 Framework
Organizations formally:
Describe their current cybersecurity posture
Describe their target state for cybersecurity
Identify and prioritize opportunities for improvement within the context of a continuous and repeated process
Assess progress toward the target state
Communicate among internal and external stakeholders about cybersecurity risk

17 Framework Core
Set of cybersecurity activities, desired outcomes and applicable references that are common across critical infrastructure sectors
Five concurrent and continuous functions: Identify, Protect, Detect, Respond, Recover

18 Framework Implementation Tiers
How an organization views cybersecurity risk and the processes in place to manage that risk
A progression from informal, reactive responses to approaches that are agile and risk-informed
Push to Tier 4: risk- and threat-aware, repeatable and adaptive

19 Government Requirements for Non-Governmental Organizations
Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (NIST Special Publication )
Recommended requirements for nonfederal information systems and organizations (where there are no specific safeguarding requirements prescribed)
The requirements apply to all components of nonfederal information systems and organizations that process, store or transmit information, or provide security protection for such components
The requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations

20 Controlled Unclassified Information (CUI), 32 CFR (h)
Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls
(continued)

21 Controlled Unclassified Information (CUI), 32 CFR (h) (2)
Law, regulation or Government-wide policy may require or permit safeguarding or dissemination controls in three ways:
Requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic
Requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified
Or requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify

22 The Requirements
Access control
Awareness and training
Audit and accountability
Configuration management
Identification and authentication
Incident response
Maintenance
(continued)

23 The Requirements (2)
Media protection
Personnel security
Physical protection
Risk assessment
Security assessment
System and communications protection
System and information integrity

24 CUI and Research: Further References
Applying FISMA & NIST to Academic Research, ocuments/webpage/pga_ pdf
Controlled Unclassified Information (CUI) and FISMA: an update, May 12, 2017, Sweet, Lewis, Park, Gray, & Turner, cuments/webpage/pga_ pdf
Presentation for FDP: High Performance Computing Environment for Research on Restricted Data, Deumens, Adams & Dobra, 6/09/27/ deumens infosec.pdf

25 Each Agency Adds More
NEW: Controlled Unclassified Information (CUI) Program, 32 CFR 2002, effective November 14, 2016
FAR , Basic Safeguarding of Covered Contractor Information Systems, June 2016
DFARS: Major change just effective, DFARS Part Subpart , Safeguarding Covered Defense Information and Cyber Incident Reporting

26 FAR Subpart 4.19, Basic Safeguarding of Covered Contractor Information Systems
Insert the clause , Basic Safeguarding of Covered Contractor Information Systems, in solicitations and contracts when the contractor or a subcontractor at any tier may have Federal contract information residing in or transiting through its information system
Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government

27 FAR Clause (B)(1) / NIST Crosswalk
FAR CLAUSE / NIST
(i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)
(ii) Limit information system access to the types of transactions and functions that authorized users are permitted to execute
(continued)

28 FAR Clause (B)(1) / NIST Crosswalk (2)
FAR CLAUSE / NIST
(iii) Verify and control/limit connections to, and use of, external information systems
(iv) Control information posted or processed on publicly accessible information systems
(continued)

29 FAR Clause (B)(1) / NIST Crosswalk (3)
FAR CLAUSE / NIST
(v) Identify information system users, processes acting on behalf of users, or devices
(vi) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems
(vii) Sanitize or destroy information
(continued)

30 FAR Clause (B)(1) / NIST Crosswalk (4)
FAR CLAUSE / NIST
(viii) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals
(ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices
(continued)

31 FAR Clause (B)(1) / NIST Crosswalk (5)
FAR CLAUSE / NIST
(x) Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries
(xi) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
(xii) Identify, report and correct information and information system flaws in a timely manner
(continued)

32 FAR Clause (B)(1) / NIST Crosswalk (6)
FAR CLAUSE / NIST
(xiii) Provide protection from malicious code at appropriate locations within organizational information systems
(xiv) Update malicious code protection mechanisms when new
(xv) Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed

33 Subcontracts Under FAR
(c) Subcontracts. The Contractor shall include the substance of this clause, including this paragraph (c), in subcontracts under this contract (including subcontracts for the acquisition of commercial items, other than commercially available off-the-shelf items), in which the subcontractor may have Federal contract information residing in or transiting through its information system.

34 DFARS Overview
Cloud computing means a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This includes other commercial terms, such as on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. It also includes commercial offerings for software as a service, infrastructure as a service, and platform as a service.

35 If a Contractor is Using Cloud Computing in the Performance to Provide Information Technology Services
Cloud Computing Services (Oct 2016):
Cloud computing security requirements
Limitations on access to, and use and disclosure of, Government data and Government-related data
Cloud computing services cyber incident reporting
Submitting malicious software
Media preservation and protection
Access to additional information or equipment necessary for forensic analysis
Cyber incident damage assessment activities
Notification of third-party access requests
Spillage (transfer to another system not accredited)
Flowdown to subcontracts

36 Contracts and Subcontracts with Covered Defense Information
Covered defense information means unclassified controlled technical information or other information that requires safeguarding or dissemination controls, and is:
Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

37 Controlled Technical Information
Controlled technical information means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure or dissemination
The term does not include information that is lawfully publicly available without restrictions
Query: Is "without restrictions" defined the same as for the new proposed ITAR rule for Technical Data arising during, or resulting from, fundamental research?
See also: Proposed Rule 81 FR 75352, 10/31/2016, Withholding of Unclassified Technical Data and Technology From Public Disclosure

38 DFARS , Safeguarding Covered Defense Information and Cyber Incident Reporting
(c) Use the clause at , Safeguarding Covered Defense Information and Cyber Incident Reporting, in all solicitations and contracts,

39 Each Agency Adds More
See, for example:
DoD Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle, September 2015 (v. 1.0)
NIH Security Best Practices for Controlled-Access Data Subject to the NIH Genomic Data Sharing (GDS) Policy, updated 09 MAR 2015 (See also: NOT OD )
NIH Policy Manual, Special Clearance and Other Acquisition Procedures, Issuing Office: OD/OM/OALM/OAMP/DSAPS (301) , Release Date 8/7/2014
(continued)

40 Each Agency Adds More (2)
See, for example:
Enhanced Cyber Risk Management Standards, Comptroller of the Currency, the Federal Reserve System, and the Federal Deposit Insurance Corporation, proposed rule 10/26/2016
Standards for Safeguarding Customer Information, Federal Trade Commission, proposed rule 09/07/

41 FDA
Content of Premarket Submissions for Management of Cybersecurity in Medical Devices; Guidance for Industry and Food and Drug Administration Staff; Availability (See articles/2014/10/02/ /content of premarketsubmissions for management of cybersecurity inmedical devices guidance for)
Cybersecurity for Medical Devices and Hospital Networks: FDA Safety Communication (See htm)
(continued)

42 FDA (2)
Information for Healthcare Organizations about FDA's Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software (See htm)
Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software (See RegulatoryInformation/ Guidances/ucm htm)
January 22, 2016, Postmarket Management of Cybersecurity in Medical Devices, Draft Guidance

43 Crosswalk: NIST to HIPAA Security Rule Cybersecurity Framework
Entities regulated by the Health Insurance Portability and Privacy Act (HIPAA) must comply with the HIPAA Security Rule
The National Institute of Standards and Technology (NIST) and the Office of the National Coordinator for Health IT (ONC) crosswalk document identifies mappings between the Cybersecurity Framework and the HIPAA Security Rule
Additional resources on the HIPAA Security Rule at

44 Crosswalk: NIST to HIPAA Security Rule Cybersecurity

45 Additional Crosswalks
Cyber Resilience Review (CRR): NIST Cybersecurity Framework Crosswalks, February , cert.gov/sites/default/files/c3vp/csc crr nistframework crosswalk.pdf
Comparison of IT Security Standards: FISMA security standards and guidelines and the ISO Information Security Management System (ISMS), vnist.pdf
FAR / NIST: Final Rule Implements New Baseline Cybersecurity Requirements for Federal Contractors, Hogan Lovells, onregulation/final rule implements new baseline cybersecurityrequirements for federal contractors (included in Blog post)
(continued)

46 Additional Crosswalks (2)
NIST SP Compliance Template, sp compliance template
The NIST SP Compliance Template was share Higher Education Cloud Vendor Assessment Tool was prepared through collaboration of Common Solutions Group ( members. Its purpose is to provide a starting point for NIST SP compliance. Published by EDUCAUSE with the permission of the Common Solutions Group Steering Committee.

47 So What About Grants?
No centralized requirement YET
Examples can be found in individual agreements:
CYBER SECURITY PLAN. The Recipient is required to submit to the DOE Technical Project Officer a plan for how it will address cyber security requirements. Failure to submit an acceptable cyber security plan within a reasonable time frame may result in termination of the award. In addition, failure to effectively implement the DOE-approved cyber security plan may result in termination of the award. The cyber security plan shall describe the Recipient's approach to detect, prevent, communicate with regard to, respond to, or recover from system security incidents. The plan shall address the following areas from both a technical and a management (organizational) perspective:

48 Federal Risk and Authorization Management Program (FedRAMP)
Standardized approach for the adoption and use of cloud services:
Standardized security requirements
A conformity assessment program for Cloud Service Providers (CSPs)
Authorization packages of cloud services reviewed by a Joint Authorization Board (JAB) consisting of security experts from the Department of Homeland Security (DHS), Department of Defense (DoD) and General Services Administration (GSA)
Standardized contract language
A repository of authorization packages for cloud services that can be leveraged government-wide

49 FedRAMP
Result of collaboration: GSA, NIST, DHS, DoD, NSA, OMB, the Federal CIO Council
Risk management program that provides a standardized approach for assessing and monitoring the security of cloud products and services

50 FedRAMP Provides Standardized Solution
FedRAMP process:
CSPs must meet FedRAMP requirements to be acceptable to Government agencies
CSPs provide the actual cloud service to an Agency (and to their contractors/grantees), and must meet all FedRAMP requirements before they implement their services
3PAOs perform initial and periodic assessment of CSP systems per FedRAMP requirements, provide evidence of compliance, and play an ongoing role in ensuring CSPs meet requirements

51 Examples of Institutional Response
Secure Compute Research Environment Security Controls, UC Santa Barbara, computeresearch environment/secure compute researchenvironment security controls
Stanford Medicine Server Security
See: Can Campus Networks Ever Be Secure?, The Atlantic, Josephine Wolff, OCT 11, /can campus networks ever be secure/409813/

52 Additional References and Materials
CMS Information Security Contract Clause/Provision, Statistics Data and Systems/CMS Information Technology/InformationSecurity/Info Security Library Items/CMS Information Security Contract Clause Provision.html?DLPage=2&DLEntries=10&DLSort= 0&DLSortDir=ascending
Controlled Unclassified Information (CUI)
Cybersecurity For Dummies, Palo Alto Networks, 2nd Edition (free download), ersecurity for dummies en
(continued)

53 Additional References and Materials (2)
FedRAMP
An Introduction to NIST Special Publication for Higher Education Institutions, Higher Education Information Security Council, Oct (2016 EDUCAUSE), to nist special publication forhigher education institutions, PART OF EDUCAUSE LIBRARY
(continued)

54 Additional References and Materials (3)
CMS Information Security, Statistics Data and Systems/CMS Information Technology/Information Security/
A Guide to Complying with DoD's New Cybersecurity Rules, Law , guide tocomplying with dod s new cybersecurity rules
CUI FAQs
CUI Registry Categories and Subcategories, list.html
(continued)

55 Additional References and Materials (4)
Congressional Research Service, Cybersecurity: Selected Legal Issues, crs/misc/r42409.pdf
Cybersecurity for Dummies, paloaltonetworkscom/en_us/assets/pdf/education/cybersecurityfor dummies.pdf
FAR Cybersecurity Clause Table (beginning on Slide 27)
(continued)

56 Additional References and Materials (5)
FedRAMP Online Training, resources/training
Continuous Monitoring (Con Mon) Overview, 3/15/2015
How to Write a Control, 3/15/2016
Security Assessment Plan (SAP) Overview, 12/9/2015
Security Assessment Report (SAR) Overview, 12/9/2015
FedRAMP System Security Plan (SSP) Required Documents, 6/15/2015
(continued)

57 Additional References and Materials (6)
Final Rule Implements New Baseline Cybersecurity Requirements for Federal Contractors, onregulations/final rule implements new baselinecybersecurity requirements for federal contractors
Covington & Burling, LLP, Final FAR Cyber Rule Issued on Safeguarding of Contractor Systems, and insights/ insights/2016/05/final far cyber rule issued onsafeguarding of contractor systems
(continued)

58 Additional References and Materials (7)
2016 HIMSS Cybersecurity Survey, sites/himssorg/files/2016 cybersecurity report.pdf
International Institute for Analytics, Stronger Cybersecurity Starts With Data Management, starts with data management
An Introduction to NIST Special Publication for Higher Education Institutions, Higher Education Information Security Council, October , /4/nist800.pdf
(continued)

59 Additional References and Materials (8)
Key Elements of the CUI Program, elements.html
NIH National Heart, Lung & Blood Institute, Information Technology Security Plan (IT SP) for Moderate Impact Level Nonfederal Information Systems and Organizations, urity%20plan%20%20(it SP)%20Template.docx
NIST SP and CUI with Ron Ross, EDUCAUSE, nistcoffeechatslidesfinal.pdf
(continued)

60 Additional References and Materials (9)
HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework, files/nist csfto hipaa security rule crosswalk final.pdf
NIST SP and CUI with Ron Ross, EDUCAUSE Cybersecurity Initiative, media/files/library/2016/9/nistwebinartranscript.pdf
Understanding Cyber Security and How It Affects Federal Grant Writing, by Stephen R. Galati, Cyber Security Federal Grant Writing.pdf
Federal Actions to Enable Contractors to Protect Covered Defense Information and Controlled Unclassified Information, A White Paper Published in Conjunction with the IT Alliance for Public Sector, March 27, , dc0c 434c b5a9 db5c796aa3c.pdf

61 Thank you!
J. Michael Slocum, Esquire
SLOCUM & BODDIE, P.C.
Shawnee Road, Suite 300, Alexandria, VA
Tel: (703)   Fax: (703)


Tinker & The Primes 2017 Innovating Together Tinker & The Primes 2017 Innovating Together Protecting Controlled Unclassified Information Systems and Organizations Larry Findeiss Bid Assistance Coordinator Oklahoma s Procurement Technical Assistance

More information

INTRODUCTION TO DFARS

INTRODUCTION TO DFARS INTRODUCTION TO DFARS 800-171 CTI VS. CUI VS. CDI OVERVIEW COPYRIGHT 2017 FLANK. ALL RIGHTS RESERVED. INTRODUCTION TO DFARS 800-171 CTI VS. CUI VS. CDI OVERVIEW Defense contractors having to comply with

More information

NISP Update NDIA/AIA John P. Fitzpatrick, Director May 19, 2015

NISP Update NDIA/AIA John P. Fitzpatrick, Director May 19, 2015 NISP Update NDIA/AIA John P. Fitzpatrick, Director May 19, 2015 Agenda Cybersecurity Information Sharing and the NISP NISP Working Group Update CUI Program Update 2 Executive Order 13691 Promoting Private

More information

The FAR Basic Safeguarding Rule

The FAR Basic Safeguarding Rule The FAR Basic Safeguarding Rule Erin B. Sheppard, Partner Michael J. McGuinn, Counsel December 8, 2016 Agenda Regulatory landscape FAR Rule History Requirements Harmonization Subcontract issues What s

More information

FedRAMP Security Assessment Framework. Version 2.0

FedRAMP Security Assessment Framework. Version 2.0 FedRAMP Security Assessment Framework Version 2.0 June 6, 2014 Executive Summary This document describes a general Security Assessment Framework (SAF) for the Federal Risk and Authorization Management

More information

Cyber Security Challenges

Cyber Security Challenges Cyber Security Challenges Navigating Information System Security Protections Vicki Michetti, DoD CIO, Director, DIB Cybersecurity Program Mary Thomas, OUSD(AT&L), Defense Procurement and Acquisition Policy

More information

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

existing customer base (commercial and guidance and directives and all Federal regulations as federal) ATTACHMENT 7 BSS RISK MANAGEMENT FRAMEWORK PLAN [L.30.2.7, M.2.2.(7), G.5.6; F.2.1(41) THROUGH (76)] A7.1 BSS SECURITY REQUIREMENTS Our Business Support Systems (BSS) Risk MetTel ensures the security of

More information

Introduction to AWS GoldBase

Introduction to AWS GoldBase Introduction to AWS GoldBase A Solution to Automate Security, Compliance, and Governance in AWS October 2015 2015, Amazon Web Services, Inc. or its affiliates. All rights reserved. Notices This document

More information

10/18/2016. Preparing Your Organization for a HHS OIG Information Security Audit. Models for Risk Assessment

10/18/2016. Preparing Your Organization for a HHS OIG Information Security Audit. Models for Risk Assessment Preparing Your Organization for a HHS OIG Information Security Audit David Holtzman, JD, CIPP/G CynergisTek, Inc. Brian C. Johnson, CPA, CISA HHS OIG Section 1: Models for Risk Assessment Section 2: Preparing

More information

FISMAand the Risk Management Framework

FISMAand the Risk Management Framework FISMAand the Risk Management Framework The New Practice of Federal Cyber Security Stephen D. Gantz Daniel R. Phi I pott Darren Windham, Technical Editor ^jm* ELSEVIER AMSTERDAM BOSTON HEIDELBERG LONDON

More information

DEFENSE LOGISTICS AGENCY AMERICA S COMBAT LOGISTICS SUPPORT AGENCY. Cyber Security. Safeguarding Covered Defense Information.

DEFENSE LOGISTICS AGENCY AMERICA S COMBAT LOGISTICS SUPPORT AGENCY. Cyber Security. Safeguarding Covered Defense Information. DEFENSE LOGISTICS AGENCY AMERICA S COMBAT LOGISTICS SUPPORT AGENCY Cyber Security Safeguarding Covered Defense Information 30-31 August 2016 WARFIGHTER FIRST PEOPLE & CULTURE STRATEGIC ENGAGEMENT FINANCIAL

More information

Cyber Security Challenges

Cyber Security Challenges Cyber Security Challenges Protecting DoD s Information Melinda Reed, OUSD(AT&L), Systems Engineering Mary Thomas, OUSD(AT&L), Defense Procurement and Acquisition Policy 1 Outline Cybersecurity Landscape

More information

FedRAMP Security Assessment Framework. Version 2.1

FedRAMP Security Assessment Framework. Version 2.1 FedRAMP Security Assessment Framework Version 2.1 December 4, 2015 Executive Summary This document describes a general Security Assessment Framework (SAF) for the Federal Risk and Authorization Management

More information

Handbook Webinar

Handbook Webinar 800-171 Handbook Webinar Pat Toth Cybersecurity Program Manager National Institute of Standards and Technology (NIST) Manufacturing Extension Partnership (MEP) NIST MEP 800-171 Assessment Handbook Step-by-step

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Signature Repository A Signature Repository provides a group of signatures for use by network security tools such

More information

Red Flags/Identity Theft Prevention Policy: Purpose

Red Flags/Identity Theft Prevention Policy: Purpose Red Flags/Identity Theft Prevention Policy: 200.3 Purpose Employees and students depend on Morehouse College ( Morehouse ) to properly protect their personal non-public information, which is gathered and

More information

POSTMARKET MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES FINAL GUIDANCE MARCH 29, TH ANNUAL MEDICAL DEVICE QUALITY CONGRESS

POSTMARKET MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES FINAL GUIDANCE MARCH 29, TH ANNUAL MEDICAL DEVICE QUALITY CONGRESS POSTMARKET MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES FINAL GUIDANCE MARCH 29, 2017 14TH ANNUAL MEDICAL DEVICE QUALITY CONGRESS 1 Fact vs. Myth Let s Play: Fact vs. Myth The FDA is the federal entity

More information

SYSTEMS ASSET MANAGEMENT POLICY

SYSTEMS ASSET MANAGEMENT POLICY SYSTEMS ASSET MANAGEMENT POLICY Policy: Asset Management Policy Owner: CIO Change Management Original Implementation Date: 7/1/2017 Effective Date: 7/1/2017 Revision Date: Approved By: NIST Cyber Security

More information

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors Page 1 of 6 Applies to: faculty staff students student employees visitors contractors Effective Date of This Revision: June 1, 2018 Contact for More Information: HIPAA Privacy Officer Board Policy Administrative

More information

Click to edit Master title style

Click to edit Master title style Federal Risk and Authorization Management Program Presenter Name: Peter Mell, Initial FedRAMP Program Manager FedRAMP Interagency Effort Started: October 2009 Created under the Federal Cloud Initiative

More information

DOD s New Cyber Requirements: Impacts on DOD Contractors and Subcontractors

DOD s New Cyber Requirements: Impacts on DOD Contractors and Subcontractors McKenna Government Contracts, continuing excellence at Dentons DOD s New Cyber Requirements: Impacts on DOD Contractors and Subcontractors Phil Seckman Mike McGuinn Quincy Stott Dentons US LLP Date: January

More information

Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations (NIST SP Revision 1)

Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations (NIST SP Revision 1) https://www.csiac.org/ Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations (NIST SP800-171 Revision 1) Today s Presenter: Wade Kastorff SRC, Commercial Cyber Security

More information

Guide to Understanding FedRAMP. Version 2.0

Guide to Understanding FedRAMP. Version 2.0 Guide to Understanding FedRAMP Version 2.0 June 6, 2014 Executive Summary The Federal Risk and Authorization Management Program (FedRAMP) provides a costeffective, risk-based approach for the adoption

More information

Safeguarding Controlled Unclassified Information and Cyber Incident Reporting. Kevin R. Gamache, Ph.D., ISP Facility Security Officer

Safeguarding Controlled Unclassified Information and Cyber Incident Reporting. Kevin R. Gamache, Ph.D., ISP Facility Security Officer Safeguarding Controlled Unclassified Information and Cyber Incident Reporting Kevin R. Gamache, Ph.D., ISP Facility Security Officer Why Are We Seeing These Rules? Stolen data provides potential adversaries

More information

Safeguarding Unclassified Controlled Technical Information

Safeguarding Unclassified Controlled Technical Information Safeguarding Unclassified Controlled Technical Information (DFARS Case 2011-D039): The Challenges of New DFARS Requirements and Recommendations for Compliance Version 1 Authors: Justin Gercken, TSCP E.K.

More information

University of Pittsburgh Security Assessment Questionnaire (v1.7)

University of Pittsburgh Security Assessment Questionnaire (v1.7) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided

More information

Why is the CUI Program necessary?

Why is the CUI Program necessary? Why is the CUI Program necessary? Executive departments and agencies apply their own ad-hoc policies and markings to unclassified information that requires safeguarding or dissemination controls, resulting

More information

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers All Affiliate Research Policy Subject: HIPAA File Under: For Researchers ORA HIPAA Issuing Department: Office of Research Administration Original Policy Date Page 1 of 5 Approved by: May 9,2005 Revision

More information

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information The HITRUST CSF A Revolutionary Way to Protect Electronic Health Information June 2015 The HITRUST CSF 2 Organizations in the healthcare industry are under immense pressure to improve quality, reduce complexity,

More information

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby

More information

SECURITY & PRIVACY DOCUMENTATION

SECURITY & PRIVACY DOCUMENTATION Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive

More information

Rev.1 Solution Brief

Rev.1 Solution Brief FISMA-NIST SP 800-171 Rev.1 Solution Brief New York FISMA Cybersecurity NIST SP 800-171 EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker delivers business critical

More information

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045 Solution Brief 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable, prioritized intelligence that

More information

ADIENT VENDOR SECURITY STANDARD

ADIENT VENDOR SECURITY STANDARD Contents 1. Scope and General Considerations... 1 2. Definitions... 1 3. Governance... 2 3.1 Personnel... 2 3.2 Sub-Contractors... 2 3.3. Development of Applications... 2 4. Technical and Organizational

More information

Cyber Risks in the Boardroom Conference

Cyber Risks in the Boardroom Conference Cyber Risks in the Boardroom Conference Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks

More information

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016 How to Respond to a HIPAA Breach Tuesday, Oct. 25, 2016 This Webinar is Brought to You By. About HealthInsight and Mountain-Pacific Quality Health HealthInsight and Mountain-Pacific Quality Health are

More information

FiXs - Federated and Secure Identity Management in Operation

FiXs - Federated and Secure Identity Management in Operation FiXs - Federated and Secure Identity Management in Operation Implementing federated identity management and assurance in operational scenarios The Federation for Identity and Cross-Credentialing Systems

More information

The NIS Directive and Cybersecurity in

The NIS Directive and Cybersecurity in The NIS Directive and Cybersecurity in ehealth Dr. Athanasios Drougkas Officer in NIS Belgian Hospitals Meeting on Security Brussels 13 th October European Union Agency For Network And Information Security

More information

FedRAMP Training - Continuous Monitoring (ConMon) Overview

FedRAMP Training - Continuous Monitoring (ConMon) Overview FedRAMP Training - Continuous Monitoring (ConMon) Overview 1. FedRAMP_Training_ConMon_v3_508 1.1 FedRAMP Continuous Monitoring Online Training Splash Screen Transcript Title of FedRAMP logo. Text

More information

Cybersecurity in Higher Ed

Cybersecurity in Higher Ed Cybersecurity in Higher Ed 1 Overview Universities are a treasure trove of information. With cyber threats constantly changing, there is a need to be vigilant in protecting information related to students,

More information

Outline. Why protect CUI? Current Practices. Information Security Reform. Implementation. Understanding the CUI Program. Impacts to National Security

Outline. Why protect CUI? Current Practices. Information Security Reform. Implementation. Understanding the CUI Program. Impacts to National Security Outline Why protect CUI? Impacts to National Security Current Practices CUI Program & Existing Agency Practices Information Security Reform CUI Registry 32CFR2002 NIST SP 800-171 (Rev 1) Federal Acquisition

More information

FDA & Medical Device Cybersecurity

FDA & Medical Device Cybersecurity FDA & Medical Device Cybersecurity Closing Keynote, February 19, 2017 Suzanne B. Schwartz, M.D., MBA Associate Director for Science & Strategic Partnerships Center for Devices and Radiological Health US

More information

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities

More information

New Process and Regulations for Controlled Unclassified Information

New Process and Regulations for Controlled Unclassified Information New Process and Regulations for Controlled Unclassified Information David Brady TJ Beckett Office of Export and Secure Research Compliance http://www.oesrc.researchcompliance.vt.edu/ Agenda Background

More information

Safeguarding unclassified controlled technical information (UCTI)

Safeguarding unclassified controlled technical information (UCTI) Safeguarding unclassified controlled technical information (UCTI) An overview Government Contract Services Bulletin Safeguarding UCTI An overview On November 18, 2013, the Department of Defense (DoD) issued

More information

Subject: University Information Technology Resource Security Policy: OUTDATED

Subject: University Information Technology Resource Security Policy: OUTDATED Policy 1-18 Rev. 2 Date: September 7, 2006 Back to Index Subject: University Information Technology Resource Security Policy: I. PURPOSE II. University Information Technology Resources are at risk from

More information

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations EXCERPT NIST Special Publication 800-171 R1 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations An Excerpt Listing All: Security Requirement Families & Controls Security

More information

UCOP ITS Systemwide CISO Office Systemwide IT Policy

UCOP ITS Systemwide CISO Office Systemwide IT Policy UCOP ITS Systemwide CISO Office Systemwide IT Policy Revision History Date: By: Contact Information: Description: 08/16/17 Robert Smith robert.smith@ucop.edu Initial version, CISO approved Classification

More information

The Common Controls Framework BY ADOBE

The Common Controls Framework BY ADOBE The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.

More information

Altius IT Policy Collection Compliance and Standards Matrix

Altius IT Policy Collection Compliance and Standards Matrix Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions

More information

Juniper Vendor Security Requirements

Juniper Vendor Security Requirements Juniper Vendor Security Requirements INTRODUCTION This document describes measures and processes that the Vendor shall, at a minimum, implement and maintain in order to protect Juniper Data against risks

More information

DFARS Safeguarding Covered Defense Information The Interim Rule: Cause for Confusion and Request for Questions

DFARS Safeguarding Covered Defense Information The Interim Rule: Cause for Confusion and Request for Questions DFARS 252.204.7012 Safeguarding Covered Defense Information The Interim Rule: Cause for Confusion and Request for Questions By Jonathan Hard, CEO And Carol Claflin, Director of Business Development H2L

More information

2018 SRAI Annual Meeting October Dana Rewoldt, CRA, Associate Director of OIPTT, Iowa State University, Ames, IA, USA

2018 SRAI Annual Meeting October Dana Rewoldt, CRA, Associate Director of OIPTT, Iowa State University, Ames, IA, USA 2018 SRAI Annual Meeting October 27-31 Dana Rewoldt, CRA, Associate Director of OIPTT, Iowa State University, Ames, IA, USA Controlled Unclassified Information Regulations: Practical Processes and Negotiations

More information

Altius IT Policy Collection Compliance and Standards Matrix

Altius IT Policy Collection Compliance and Standards Matrix Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions

More information

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE COMPLIANCE ADVISOR NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE A PUBLICATION BY THE EXCESS LINE ASSOCIATION OF NEW YORK One Exchange Plaza 55 Broadway 29th Floor New York, New York 10006-3728 Telephone:

More information

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Introduction The Criminal Justice Information Security (CJIS) Policy is a publically accessible document that contains

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Physical Enterprise Physical Enterprise Monitoring is the monitoring of the physical and environmental controls that

More information

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf

More information

2017 SAME Small Business Conference

2017 SAME Small Business Conference 2017 SAME Small Business Conference Welcome to Cybersecurity Initiatives and Speakers: Requirements: Protecting DOD s Unclassified Information Vicki Michetti, Director, Defense Industrial Base Cybersecurity

More information

Compliance with NIST

Compliance with NIST Compliance with NIST 800-171 1 What is NIST? 2 Do I Need to Comply? Agenda 3 What Are the Requirements? 4 How Can I Determine If I Am Compliant? 5 Corserva s NIST Assessments What is NIST? NIST (National

More information

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA? Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA? A brief overview of security requirements for Federal government agencies applicable to contracted IT services,

More information

Protecting Your Business: Best Practices for Implementing a Legally Compliant Cybersecurity Program Trivalent Solutions Expo June 19, 2014

Protecting Your Business: Best Practices for Implementing a Legally Compliant Cybersecurity Program Trivalent Solutions Expo June 19, 2014 Protecting Your Business: Best Practices for Implementing a Legally Compliant Cybersecurity Program Trivalent Solutions Expo June 19, 2014 2014, Mika Meyers Beckett & Jones PLC All Rights Reserved Presented

More information

STUDENT GUIDE Risk Management Framework Step 1: Categorization of the Information System

STUDENT GUIDE Risk Management Framework Step 1: Categorization of the Information System Slide 1 RMF Overview RMF Module 1 RMF takes into account the organization as a whole, including strategic goals and objectives and relationships between mission/business processes, the supporting information

More information

CyberUSA Government Cyber Opportunities for your Region: The Federal Agenda - Federal, Grants & Resources Available to Support Community Cyber

CyberUSA Government Cyber Opportunities for your Region: The Federal Agenda - Federal, Grants & Resources Available to Support Community Cyber CyberUSA Government Cyber Opportunities for your Region: The Federal Agenda - Federal, Grants & Resources Available to Support Community Cyber Initiatives 30 January 2018 1 Agenda Federal Landscape Cybersecurity

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Risk Monitoring Risk Monitoring assesses the effectiveness of the risk decisions that are made by the Enterprise.

More information

Information Governance, the Next Evolution of Privacy and Security

Information Governance, the Next Evolution of Privacy and Security Information Governance, the Next Evolution of Privacy and Security Katherine Downing, MA, RHIA, CHPS, PMP Sr. Director AHIMA IG Advisors Follow me @HIPAAQueen 2017 2017 Objectives Part Part I IG Topic

More information

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp Agenda Introductions HIPAA Background and History Overview of HIPAA Requirements

More information

The National Medical Device Information Sharing & Analysis Organization (MD-ISAO) Initiative Session 2, February 19, 2017 Moderator: Suzanne

The National Medical Device Information Sharing & Analysis Organization (MD-ISAO) Initiative Session 2, February 19, 2017 Moderator: Suzanne The National Medical Device Information Sharing & Analysis Organization (MD-ISAO) Initiative Session 2, February 19, 2017 Moderator: Suzanne Schwartz, Assoc. Dir., CDRH, FDA Denise Anderson, MBA, President,

More information

FedRAMP Security Assessment Plan (SAP) Training

FedRAMP Security Assessment Plan (SAP) Training FedRAMP Security Assessment Plan (SAP) Training 1. FedRAMP_Training_SAP_v6_508 1.1 FedRAMP Online Training: SAP Overview Splash Screen Transcript Title of FedRAMP logo. FedRAMP Online Training; Security

More information

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Code of practice for information security management

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Code of practice for information security management INTERNATIONAL STANDARD ISO/IEC 17799 Second edition 2005-06-15 Information technology Security techniques Code of practice for information security management Technologies de l'information Techniques de

More information

Contemporary Challenges for Cloud Service Providers Seeking FedRAMP Compliance

Contemporary Challenges for Cloud Service Providers Seeking FedRAMP Compliance Contemporary Challenges for Cloud Service Providers Seeking FedRAMP Compliance July 2017 Jeff Roth, CISSP-ISSEP, CISA, CGEIT, QSA Regional Director NCC Group Agenda FedRAMP - Foundations/Frameworks Cloud

More information

CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS

CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS WILLIAM (THE GONZ) FLINN M.S. INFORMATION SYSTEMS SECURITY MANAGEMENT; COMPTIA SECURITY+, I-NET+, NETWORK+; CERTIFIED

More information

MIS Week 9 Host Hardening

MIS Week 9 Host Hardening MIS 5214 Week 9 Host Hardening Agenda NIST Risk Management Framework A quick review Implementing controls Host hardening Security configuration checklist (w/disa STIG Viewer) NIST 800-53Ar4 How Controls

More information

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved. How to implement NIST Cybersecurity Framework using ISO 27001 WHITE PAPER Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

More information