Tinker & The Primes 2017 Innovating Together
Protecting Controlled Unclassified Information Systems and Organizations

Larry Findeiss, Bid Assistance Coordinator, Oklahoma's Procurement Technical Assistance Center (PTAC)
larry.findeiss@tulsatech.edu, 918-828-5435

Geoff Wilson, Principal Security Consultant, True Digital Security
geoff.wilson@truedigitalsecurity.com, 866-490-2595 x 103
Executive Order 13556, November 4, 2010
"This order establishes an open and uniform program for managing information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, excluding information that is classified under Executive Order 13526 of December 29, 2009, or the Atomic Energy Act, as amended."
"To address these problems, this order establishes a program for managing this information, hereinafter described as Controlled Unclassified Information, that emphasizes the openness and uniformity of Government-wide practice."
The order also directs the CUI Executive Agent to:
  approve categories and subcategories of CUI and associated markings to be applied uniformly throughout the executive branch
  establish and maintain a public CUI registry reflecting authorized CUI categories and subcategories, associated markings, and applicable safeguarding, dissemination, and decontrol procedures
NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013
"The selection and implementation of security controls for information systems and organizations are important tasks that can have major implications on the operations and assets of organizations as well as the welfare of individuals and the Nation. Security controls are the safeguards/countermeasures prescribed for information systems or organizations that are designed to: (i) protect the confidentiality, integrity, and availability of information that is processed, stored, and transmitted by those systems/organizations; and (ii) satisfy a set of defined security requirements."

Federal Information Security Modernization Act of 2014 (FISMA 2014)
Codifies Department of Homeland Security (DHS) authority to administer the implementation of information security policies for non-national security federal Executive Branch systems, including providing technical assistance and deploying technologies to such systems.
CUI Registry, National Archives (https://www.archives.gov/cui/registry/category-list)
The registry is a public list of authorized categories, subcategories, and markings of CUI and their definitions, along with applicable safeguarding, dissemination, and decontrol procedures.
Categories of CUI most likely in Defense Contracts (other than IT) are:
  Controlled Technical Information: technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.
  Export Control: unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect United States national security and nonproliferation objectives.
  Procurement and Acquisition: material and information relating to, or associated with, the acquisition and procurement of goods and services, including but not limited to cost or pricing data, contract information, indirect costs and direct labor rates.
NIST Special Publication 800-171, June 2015, now Revision 1, December 2016
"Today the federal government is relying on external service providers to help carry out a wide range of federal missions and business functions using state-of-the-practice information systems. Many federal contractors, for example, routinely process, store, and transmit sensitive federal information in their systems to support the delivery of essential products and services to federal agencies. ... protection of sensitive federal information while residing in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations, including those missions and functions related to the critical infrastructure."
"The purpose of this publication is to provide federal agencies with recommended security requirements for protecting the confidentiality of CUI when the CUI is resident in a nonfederal system and organization."
FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems, June 2016
Definitions:
  Information system: information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of information.
  Covered contractor information system: an information system that is owned or operated by a contractor that processes, stores or transmits Federal contract information.
  Safeguarding: measures or controls that are prescribed to protect information systems.
Safeguarding requirements and procedures. The contractor shall apply the following basic safeguarding requirements and procedures:
  Limit system user access
  Authenticate/verify user identities
  Implement separate sub-networks
  Limit access to authorized functions
  Sanitize/destroy media for disposal
  Identify, report and correct flaws
  Verify/control system connections
  Limit physical access to systems
  Protect from malicious code
  Control use of public systems
  Escort/monitor visitor activity
  Update malicious code protection
  Identify system users and uses
  Monitor/control communications
  Perform periodic system scans
DFARS 252.204-7008 Compliance with Safeguarding Covered Defense Information Controls
The security requirements required by contract clause 252.204-7012 shall be implemented for all covered defense information on all covered contractor information systems that support the performance of this contract.

DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
Covered defense information: unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry, that requires safeguarding or dissemination controls and is (1) marked or otherwise identified and provided, or (2) collected, developed, received, transmitted, used or stored in support of performance of the contract.
AND the system shall be subject to the security requirements in NIST SP 800-171 as soon as practical but not later than December 31, 2017. For contracts awarded prior to October 1, 2017, the contractor shall notify the DoD CIO within 30 days of contract award of any security requirements not implemented at time of award.
AND rapidly report cyber incidents.
Motivation for Protecting CUI
Breaches are inevitable and unfortunately occur often
A CUI breach must be reported to DoD
A breach of CUI can affect your ability to do business with the DoD
"The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its assigned missions and business operations" (NIST SP 800-171)
NIST Special Publication 800-171 Rev. 1
14 control families, 110 controls
NIST SP 800-171: Not Only Applicable To You
Your service providers and subcontractors that can access your CUI must also be compliant
Ensure cloud-based service providers that store, process, or transmit any covered defense information meet the FedRAMP Moderate baseline and comply with DFARS 252.204-7012 requirements (c) through (g)
Subcontracts that will involve covered defense information must include the DFARS 252.204-7012 clause and must involve the prime contractor (or next higher-tier subcontractor) when requesting a compliance variance and when reporting an incident
See DFARS 252.204-7012 for more detail
Six Primary Compliance Challenges
Shifting Target
Meshing with InfoSec Program
Maintaining Compliance
Vague Requirements
Not Enough Time
Tight Budget
Shifting Target
Revision 1 of NIST SP 800-171 introduced requirement 3.12.4:
  3.12.4 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
Contractors must stay updated on the latest regulatory changes
Meshing With Your InfoSec Program
NIST 800-171 compliance is not the same as a comprehensive security program
NIST 800-171 does not address policies, procedures, third-party management, and other critical security controls
You will likely have information or systems outside of CUI that you care about
Meshing With Your InfoSec Program
Figure: overlapping requirements from each framework map to a single company control statement.

  Framework   Password requirement       Risk assessment requirement
  SOC 2       Strong Passwords           Risk Assessment Process
  PCI-DSS     Password Strength          Annual Risk Assessment
  800-171     Access Control Standards   Periodic Risk Assessments

  Company control   Statement
  ABC-AC-001        ABC Company will require strong passwords.
  ABC-RA-001        ABC Company will conduct an annual organization-wide risk assessment.
Maintaining Compliance
Compliance is an ongoing process that must be managed
It is currently unclear how or when contractors will be audited
Regardless, DoD expects you to become and remain compliant
What processes need to exist to remain compliant?
Maintaining Compliance
Figure: the Information Security Program shown as a repeating cycle over time (Plan, Execute, Analyze, Communicate, Test), with External Influences feeding into each cycle and Improvement as its output.
Maintaining Compliance
Figure: evidence maturity chart. Effort (low to high) on the vertical axis, Maturity (developing to full) on the horizontal axis; the stages "Trust Me", "Tell Me", "Show Me" and "Prove To Me" lead from the Current State to the Desired State.
Maintaining Compliance
Track each requirement. For example, NIST SP 800-171 control 3.1.8:
  Control Family: Access Control
  Requirement: Limit unsuccessful logon attempts.
  Control Description(s): Windows default domain policy is configured to lock out accounts for 15 minutes after 5 unsuccessful logon attempts
  Control Owner: Steve
  Control Test Procedures: Attempt to log in with an invalid password and confirm a lockout of 15 minutes is in place (example)
  Test Frequency: Annual
  Supporting Documents: Control Record, Default Domain Policy Export
  Evidence: Annual control test results
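An added example of automating the control test in the record above (not from the slides or the presenters): it reads the Default Domain Policy lockout settings, compares them with the documented values, and writes a dated evidence row. It assumes the ActiveDirectory RSAT module on a domain-joined host with read access to AD; the function name, expected values and evidence file path are my own choices.

```powershell
# Added example (not from the slides): automated control test for NIST SP 800-171 3.1.8,
# checking the Default Domain Policy lockout settings from the control record above.
# Assumes the ActiveDirectory RSAT module on a domain-joined host with read access to AD.
Import-Module ActiveDirectory

function Test-Control318 {
    param(
        [int]$ExpectedThreshold = 5,        # unsuccessful attempts before lockout (control record)
        [int]$ExpectedDurationMinutes = 15  # lockout duration in minutes (control record)
    )
    $policy   = Get-ADDefaultDomainPasswordPolicy
    $duration = [int]$policy.LockoutDuration.TotalMinutes
    $findings = @()
    if ($policy.LockoutThreshold -eq 0) {
        # A threshold of 0 means accounts never lock out, so the control is not in place at all
        $findings += 'LockoutThreshold is 0 (lockout disabled)'
    } elseif ($policy.LockoutThreshold -ne $ExpectedThreshold) {
        $findings += "LockoutThreshold is $($policy.LockoutThreshold), expected $ExpectedThreshold"
    }
    if ($duration -ne $ExpectedDurationMinutes) {
        $findings += "LockoutDuration is $duration min, expected $ExpectedDurationMinutes"
    }
    $status = if ($findings.Count -eq 0) { 'PASS' } else { 'FAIL' }
    # Evidence record with the same fields as the tracking table
    [pscustomobject]@{
        Control              = '3.1.8'
        Family               = 'Access Control'
        Requirement          = 'Limit unsuccessful logon attempts'
        Tested               = (Get-Date).ToString('s')
        TestedBy             = $env:USERNAME
        LockoutThreshold     = $policy.LockoutThreshold
        LockoutDurationMin   = $duration
        ObservationWindowMin = [int]$policy.LockoutObservationWindow.TotalMinutes
        Result               = $status
        Findings             = ($findings -join '; ')
    }
}

# Run the test, show it, and append the record to the evidence file kept with the control record
$record = Test-Control318
$record | Format-List
$record | Export-Csv -Path '.\control-3.1.8-evidence.csv' -Append -NoTypeInformation
```

Fine-grained password policies (Get-ADFineGrainedPasswordPolicy) can override the default policy for specific groups, so each one that applies to CUI users needs its own row in the evidence file.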
Maintaining Compliance
Create a Security Plan
Let risk be your guide! Make progress on your top risks each year
Set calendar reminders
Every security plan will be different
Plan contents: Management Activities, Scheduled Security Activities, Control Tests
Maintaining Compliance
Figure: annual activity calendar (JAN through DEC) with one row per activity. Control Tests are spread across the year in four groups (ID.AM - ID.RM, PR.AC - PR.IP, PR.MA - DE.DP, RS.RP - RC.CO); the other rows are Committee Meeting, Risk Assessment, Security Plan Update, Pen Test, FW Ruleset Review, Training, Phishing Test, IRP Table Top and DR Table Top, with Training, Phishing Test and the table-top exercises recurring several times a year.
Vague Requirements
How would you address these requirements?
3.4 CONFIGURATION MANAGEMENT, Basic Security Requirements:
  3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
  3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems.
Vague Requirements
How would you address these requirements?
Look to security best practice; Appendix D of 800-171 maps to 800-53 and ISO/IEC 27001
Assess the unique risk to your organization
Get an expert opinion
Not Enough Time
Perform a Compliance Gap Assessment
Take a prioritized approach to remediating the highest risk gaps first
Establish a POA&M and be able to produce evidence of progress
Don't reinvent the wheel. For example, utilize CIS or Microsoft security baseline configurations to address 3.4.1:
  3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
Seek advice from the professionals
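The inventory half of 3.4.1 is the part a CIS or Microsoft baseline does not cover, so here is an added example (my own code, not from the slides or the presenters) that snapshots a Windows host's hardware, firmware and installed software and reports drift against a previously approved baseline. It assumes Windows PowerShell 5.1 or later; the baseline folder under ProgramData and the function names are assumptions.

```powershell
# Added example (not from the slides): snapshot a host's hardware, firmware and software
# inventory for NIST SP 800-171 3.4.1 and report drift from a saved, approved baseline.
# Assumes Windows PowerShell 5.1+; the baseline path is an assumed location.
function Get-HostInventory {
    $bios = Get-CimInstance Win32_BIOS
    $cs   = Get-CimInstance Win32_ComputerSystem
    $os   = Get-CimInstance Win32_OperatingSystem
    # Installed software from both the 64-bit and 32-bit Uninstall keys
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $software = Get-ItemProperty $keys -ErrorAction SilentlyContinue |
        Where-Object DisplayName |
        ForEach-Object { "$($_.DisplayName) $($_.DisplayVersion)" } |
        Sort-Object -Unique
    [pscustomobject]@{
        Host         = $env:COMPUTERNAME
        Model        = "$($cs.Manufacturer) $($cs.Model)"
        SerialNumber = $bios.SerialNumber
        Firmware     = $bios.SMBIOSBIOSVersion
        OSVersion    = "$($os.Caption) $($os.Version)"
        Software     = @($software)
    }
}

function Compare-HostBaseline {
    param([string]$BaselinePath = "$env:ProgramData\cui-baseline\$env:COMPUTERNAME.json")
    $current = Get-HostInventory
    if (-not (Test-Path $BaselinePath)) {
        # First run: record the baseline (review it before treating it as the approved state)
        New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
        $current | ConvertTo-Json -Depth 3 | Set-Content $BaselinePath
        return "Baseline created at $BaselinePath"
    }
    $baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    $drift = @()
    foreach ($field in 'Model', 'SerialNumber', 'Firmware', 'OSVersion') {
        if ($baseline.$field -ne $current.$field) {
            $drift += "${field}: baseline '$($baseline.$field)', now '$($current.$field)'"
        }
    }
    # Software installed or removed since the baseline was approved
    foreach ($d in Compare-Object @($baseline.Software) @($current.Software)) {
        $verb = if ($d.SideIndicator -eq '=>') { 'added' } else { 'removed' }
        $drift += "Software ${verb}: $($d.InputObject)"
    }
    if ($drift.Count -eq 0) { return 'No drift from approved baseline' }
    return $drift
}
Compare-HostBaseline
```

Run it on a schedule and keep the drift output with the control record; a reported change is either an approved update (re-baseline) or a finding to investigate.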
Tight Budget
Some controls are going to require money:
  3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
Minimize the scope using segmentation and isolation. The effort and associated budget can be significantly reduced. For instance:
  3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
If the organization can use firewall rules to isolate CUI to a network segment that does not have publicly accessible system components, this requirement becomes trivial to meet.
How TRUE Digital Security Can Help
TRUE walks you through the process of becoming 800-171 compliant
Compliance Gap Assessments
Customized control catalog for your unique environment utilizing expert guidance on best practices
Risk Assessments (control 3.11.1)
Vulnerability Scanning/Penetration Testing (control 3.11.2)
Free Bonus Materials
Email me for:
  Free NIST 800-171 Compliance Management Utility (Excel)
  Copy of these slides
  Free no-obligation consultation
geoff.wilson@truedigitalsecurity.com