DFARS Compliance
SLAIT Consulting, Security Services
Mike D'Arezzo, Director of Security Services
Introduction
- 18+ year career in Information Technology and Security
- General Electric (GE) as Software Governance Leader and Third Party Risk Compliance
- University of Richmond (Go Spiders!)
- ISC2 CISSP & ISACA CISA
Building a Compliance Program
- Develop a comprehensive program that is secure and compliant
- A program your organization can support
- A maintainable program that is developed to be future proof
There are 14 families of controls and 110 individual controls in NIST 800-171, the framework that provides guidance on supporting DFARS compliance. In this presentation, Mike will walk through the controls and discuss some of the tricky points and questions you may have in supporting DFARS compliance. Are you prepared to respond within 72 hours to a cyber incident, and do you know how a cyber incident is defined? The goal of this presentation is to walk new and/or unsure users through the compliance requirements and begin preparations for the December 31, 2017 deadline.
CDI versus CUI
Controlled Unclassified Information (CUI): information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
- Much broader than CDI
- Think "category"
CDI versus CUI
Covered Defense Information (CDI): unclassified controlled technical information or other information (as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html) that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is:
(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
NIST 800-171
DFARS Compliance (DFARS 252.239-701)
Deadline: December 31st, 2017
Control Families
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Access
- Data Classification
- Asset Management
- Access Levels and Compartmentalizing
- Network Segmentation
- Know Thyself
Data Lifecycle
Data Lifecycle Requirements:
- Storage requirements
- Transfer or cryptographic requirements
- Data destruction requirements
Physical Security
- Privilege-based access
- Visitor access processes
- Data center access
- Maintain logging of activities
Monitoring of Systems and Messaging
- Review of monitoring methodology
- Monitoring of internal-to-external communication
- Security awareness and training on phishing attacks for your employees
- Protection from whaling, or attacks on management targets
Network Security
- Logical network design and road maps for growth
- Validation of network segmentation to avoid spillage
- Endpoint and network security for protection against viruses and malicious code
Risk vs. Security Assessment
Risk:
- Risk measures what may potentially affect you
- Loss X Potential = Risk
- Threat Dictionary
Security Assessment:
- A security assessment reviews your environment
- Defense in Depth
- Test of Design and Test of Effectiveness
System and Communications Protection & Incident Response
- Network Intrusion Detection
- Log Management
- Vulnerability and Asset Management Scanning
- Incident Response Analysis and Prioritization
- Tabletop Exercise / Threat Simulation
How Do I Get There?
- Visibility: understand your data and projects
- Simplify: create workflows to build new projects
- Observe, Analyze, Redirect, Review
- Sample test to ensure controls are effective
- Collaborate!
Where to Get Help
- DoDI 8582.01, Security of Unclassified DoD Information on Non-DoD Information Systems
- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
- NIST SP 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations
- NIST Framework for Improving Critical Infrastructure Cybersecurity
- Federal Risk and Authorization Management Program (FedRAMP)
- DoD Cloud Computing Security Requirements Guide (SRG)
From http://dodcio.defense.gov/portals/0/documents/public%20meeting%20-%20Jun%2023%202017%20Final.pdf?ver=2017-06-25-022504-940
Six Security Pillars in the SLAIT ThreatManage USM Platform
SLAIT ThreatManage USM SIEM:
- Log Collection
- OTX Threat Data
- SIEM Event Correlation
- Incident Response
ASSET DISCOVERY:
- Active Network Scanning
- Passive Network Scanning
- Asset Inventory
- Software Inventory
BEHAVIORAL MONITORING:
- Netflow Analysis
- Service Availability Monitoring
ENDPOINT RESPONSE:
- SLAIT Threat Intelligence
- Flight Data Recorder
- Live Response
- Threat Actor Detection / Remediation
THREAT DETECTION:
- Network IDS
- Host IDS
- File Integrity Monitoring
VULNERABILITY ASSESSMENT:
- Continuous Vulnerability Monitoring
- Authenticated / Unauthenticated Active Scanning
SLAIT Security Offerings (Governance, Prevention, Response)
- Risk Assessment
- Policy and Procedure
- PCI Prep
- HIPAA Gap Analysis
- Audit Preparation Assistance
- Security Organization Review
- Security Checkup
- Managed Firewall and Endpoint
- Secure Infrastructure Design & Review
- viso Program
- Awareness Training
- Assessment: Vulnerability Scanning, Penetration Testing, Phishing Exercises
- ThreatRecon
- Pre-breach Preparation
- ThreatManage
- Breach Response
- Cyber Forensics
Innovative Solutions for Forward-Thinking Companies
Some of SLAIT's Technology Partners
References
- http://www.acq.osd.mil/dpap/dars/dfars/html/current/204_73.htm
- https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm
- https://www.archives.gov/cui/about
- https://federalnewsradio.com/records-managementmonth/2016/11/classified-vs-controlled-unclassified-information-know/
- http://www.acq.osd.mil/dpap/pdi/docs/faqs_network_penetration_reporting_and_contracting_for_cloud_services_(01-27-2017).pdf
- http://dodcio.defense.gov/portals/0/documents/public%20meeting%20-%20Jun%2023%202017%20Final.pdf?ver=2017-06-25-022504-940