Tinker & The Primes 2017 Innovating Together

Tinker & The Primes 2017, Innovating Together: Protecting Controlled Unclassified Information Systems and Organizations

Larry Findeiss, Bid Assistance Coordinator, Oklahoma's Procurement Technical Assistance Center (PTAC), larry.findeiss@tulsatech.edu, 918-828-5435
Geoff Wilson, Principal Security Consultant, True Digital Security, geoff.wilson@truedigitalsecurity.com, 866-490-2595 x103

Executive Order 13556 (November 4, 2010)

"This order establishes an open and uniform program for managing information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, excluding information that is classified under Executive Order 13526 of December 29, 2009, or the Atomic Energy Act, as amended."

"To address these problems, this order establishes a program for managing this information, hereinafter described as Controlled Unclassified Information, that emphasizes the openness and uniformity of Government-wide practice."

The order also calls for the following:
- approve categories and subcategories of CUI and associated markings to be applied uniformly throughout the executive branch
- establish and maintain a public CUI registry reflecting authorized CUI categories and subcategories, associated markings, and applicable safeguarding, dissemination, and decontrol procedures

NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations (April 2013)

"The selection and implementation of security controls for information systems and organizations are important tasks that can have major implications on the operations and assets of organizations as well as the welfare of individuals and the Nation. Security controls are the safeguards/countermeasures prescribed for information systems or organizations that are designed to: (i) protect the confidentiality, integrity, and availability of information that is processed, stored, and transmitted by those systems/organizations; and (ii) satisfy a set of defined security requirements."

Federal Information Security Modernization Act of 2014 (FISMA 2014)

Codifies Department of Homeland Security (DHS) authority to administer the implementation of information security policies for non-national security federal Executive Branch systems, including providing technical assistance and deploying technologies to such systems.

CUI Registry, National Archives (https://www.archives.gov/cui/registry/category-list)

"create a public registry of authorized categories, subcategories, and markings of CUI and their definitions, along with applicable safeguarding, dissemination, and decontrol procedures."

Categories of CUI most likely to appear in defense contracts (other than IT) are:
- Controlled Technical Information: technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.
- Export Control: unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives.
- Procurement and Acquisition: material and information relating to, or associated with, the acquisition and procurement of goods and services, including but not limited to cost or pricing data, contract information, indirect costs and direct labor rates.

NIST Special Publication 800-171 (June 2015; now Revision 1, December 2016)

"Today the federal government is relying on external service providers to help carry out a wide range of federal missions and business functions using state-of-the-practice information systems. Many federal contractors, for example, routinely process, store, and transmit sensitive federal information in their systems to support the delivery of essential products and services to federal agencies. [The] protection of sensitive federal information while residing in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations, including those missions and functions related to the critical infrastructure. The purpose of this publication is to provide federal agencies with recommended security requirements for protecting the confidentiality of CUI when the CUI is resident in a nonfederal system and organization."

FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems (June 2016)

- Information System: information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of information.
- Covered Contractor Information System: an information system that is owned or operated by a contractor that processes, stores or transmits Federal contract information.
- Safeguarding: measures or controls that are prescribed to protect information systems.

Safeguarding requirements and procedures. The contractor shall apply the following basic safeguarding requirements and procedures:
- Limit system user access
- Authenticate/verify user identities
- Implement separate sub-networks
- Limit access to authorized functions
- Sanitize/destroy media for disposal
- Identify, report and correct flaws
- Verify/control system connections
- Limit physical access to systems
- Protect from malicious code
- Control use of public systems
- Escort/monitor visitor activity
- Update malicious code protection
- Identify system users and uses
- Monitor/control communications
- Perform periodic system scans

DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls

The security requirements required by contract clause 252.204-7012 shall be implemented for all covered defense information on all covered contractor systems that support the performance of this contract.

DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting

Covered defense information: unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry, that requires safeguarding or dissemination controls, and is (1) marked or otherwise identified and provided, or (2) collected, developed, received, transmitted, used or stored in support of performance of the contract.

AND the system shall be subject to the security requirements in NIST SP 800-171, as soon as practical but not later than December 31, 2017. For contracts awarded prior to October 1, 2017, the contractor shall notify the DoD CIO within 30 days of contract award of any security requirements not implemented at the time of award.

AND rapidly report cyber incidents.

Motivation for Protecting CUI

- Breaches are inevitable and unfortunately occur often
- A CUI breach must be reported to DoD
- A breach of CUI can affect your ability to do business with the DoD

"The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its assigned missions and business operations." (NIST 800-171)

NIST Special Publication 800-171 Rev. 1: 14 control families, 110 controls

NIST SP 800-171: Not Only Applicable To You

- Your service providers and subcontractors that can access your CUI must also be compliant
- Ensure cloud-based service providers that store, process, or transmit any covered defense information meet the FedRAMP Moderate baseline and comply with DFARS 252.204-7012 requirements (c) through (g)
- Subcontracts that will involve covered defense information must include the DFARS 252.204-7012 clause and must involve the prime contractor (or next higher-tier subcontractor) when requesting a compliance variance and when reporting an incident
- See DFARS 252.204-7012 for more detail

Six Primary Compliance Challenges

- Shifting Target
- Meshing with InfoSec Program
- Maintaining Compliance
- Vague Requirements
- Not Enough Time
- Tight Budget

Shifting Target

Revision 1 of NIST SP 800-171 introduced requirement 3.12.4:

3.12.4 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

Contractors must stay updated on the latest regulatory changes.

Meshing With Your InfoSec Program

- NIST 800-171 compliance is not a comprehensive security program
- NIST 800-171 does not address policies, procedures, third-party management, and other critical security controls
- You will likely have information or systems outside of CUI that you care about

Meshing With Your InfoSec Program

Map overlapping external requirements to a single internal control so that one control satisfies several frameworks:

SOC 2                     PCI-DSS                   800-171                     Internal control
Strong Passwords          Password Strength         Access Control Standards    ABC-AC-001: ABC Company will require strong passwords.
Risk Assessment Process   Annual Risk Assessment    Periodic Risk Assessments   ABC-RA-001: ABC Company will conduct an annual organization-wide risk assessment.

Maintaining Compliance

- Compliance is an ongoing process that must be managed
- It is currently unclear how or when contractors will be audited
- Regardless, DoD expects you to become and remain compliant
- What processes need to exist to remain compliant?

Maintaining Compliance (diagram): over time, the information security program repeats a Plan / Execute / Analyze / Communicate / Test cycle, taking in external influences and producing improvement.

Maintaining Compliance (diagram): moving from the current state to the desired state passes through four levels of assurance, Trust Me, Tell Me, Show Me, Prove To Me, with effort rising from low to high as maturity goes from developing to full.

Maintaining Compliance

Track each requirement. For example, NIST 800-171 Control 3.1.8:

- Control Family: Access Control
- Requirement: Limit unsuccessful logon attempts.
- Control Description(s): Windows default domain policy is configured to lock out accounts for 15 minutes after 5 unsuccessful logon attempts
- Control Owner: Steve
- Control Test Procedures: Attempt to log in with an invalid password and confirm a lockout of 15 minutes is in place (example)
- Test Frequency: Annual
- Supporting Documents: Control Record, Default Domain Policy Export
- Evidence: Annual control test results
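The control record above can be tested and evidenced without a manual failed-login attempt by reading the configured lockout policy. The script below is an added example, not from the slides; it assumes the ActiveDirectory RSAT module, domain read access, the 5-attempt / 15-minute values from the control record, and an `evidence` folder under the current directory as the place the exported policy and test result are filed.

```powershell
# Added example: automate the 3.1.8 control test (limit unsuccessful logon attempts)
# and capture the evidence the control record asks for. Assumes the ActiveDirectory
# module (RSAT) and read access to the domain; checks the configured policy rather
# than performing a live failed-login test.
Import-Module ActiveDirectory

function Test-LockoutControl {
    param(
        [int]$MaxThreshold = 5,          # lock out after at most this many failures
        [int]$MinDurationMinutes = 15    # remain locked for at least this long
    )

    $policy = Get-ADDefaultDomainPasswordPolicy

    # A threshold of 0 means accounts never lock out, which fails the control outright.
    $thresholdOk = ($policy.LockoutThreshold -gt 0) -and
                   ($policy.LockoutThreshold -le $MaxThreshold)

    # A zero lockout duration means "locked until an administrator unlocks",
    # which also satisfies the minimum duration.
    $durationOk = ($policy.LockoutDuration -eq [TimeSpan]::Zero) -or
                  ($policy.LockoutDuration.TotalMinutes -ge $MinDurationMinutes)

    $verdict = if ($thresholdOk -and $durationOk) { 'Pass' } else { 'Fail' }

    [pscustomobject]@{
        ControlId                = '3.1.8'
        ControlFamily            = 'Access Control'
        Requirement              = 'Limit unsuccessful logon attempts'
        TestedOn                 = (Get-Date).ToString('s')
        TestedBy                 = $env:USERNAME
        Source                   = 'Default Domain Policy (Get-ADDefaultDomainPasswordPolicy)'
        LockoutThreshold         = $policy.LockoutThreshold
        LockoutMinutes           = [int]$policy.LockoutDuration.TotalMinutes
        ObservationWindowMinutes = [int]$policy.LockoutObservationWindow.TotalMinutes
        Result                   = $verdict
    }
}

# File the test result and the policy export as this year's evidence (assumed location).
$evidenceDir = Join-Path $PWD 'evidence'
New-Item -ItemType Directory -Path $evidenceDir -Force | Out-Null
$stamp  = Get-Date -Format 'yyyyMMdd'
$result = Test-LockoutControl
$result | Export-Csv -Path (Join-Path $evidenceDir "3.1.8-control-test-$stamp.csv") -NoTypeInformation
Get-ADDefaultDomainPasswordPolicy |
    Export-Clixml -Path (Join-Path $evidenceDir "default-domain-policy-$stamp.xml")

$result | Format-List
if ($result.Result -ne 'Pass') { exit 1 }
```

The check covers the default domain policy only; fine-grained password policies (Get-ADFineGrainedPasswordPolicy) can override it for specific groups and should be reviewed in the same way if they exist.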

Maintaining Compliance

Create a Security Plan:
- Let risk be your guide!
- Make progress on your top risks each year
- Set calendar reminders
- Every security plan will be different

Plan contents: Management Activities, Scheduled Security Activities, Control Tests

Maintaining Compliance (example annual calendar, JAN through DEC; the slide's month-by-month placement is not recoverable):

- Control Tests, spread over the year in four groups: ID.AM - ID.RM, PR.AC - PR.IP, PR.MA - DE.DP, RS.RP - RC.CO
- Committee Meeting
- Risk Assessment
- Security Plan Update
- Pen Test
- FW Ruleset Review
- Training (several times per year)
- Phishing Test (several times per year)
- IRP Table Top
- DR Table Top

Vague Requirements

How would you address these requirements?

3.4 CONFIGURATION MANAGEMENT, Basic Security Requirements:

3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems.

Vague Requirements

How would you address these requirements?
- Look to security best practice; Appendix D of 800-171 maps to 800-53 and ISO/IEC 27001
- Assess the unique risk to your organization
- Get an expert opinion

Not Enough Time

- Perform a Compliance Gap Assessment
- Take a prioritized approach to remediating the highest risk gaps first
- Establish a POA&M and be able to produce evidence of progress
- Don't reinvent the wheel. For example, utilize CIS or Microsoft security baseline configurations to address 3.4.1: "Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles."
- Seek advice from the professionals

Tight Budget

Some controls are going to require money:

3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

Minimize the scope using segmentation and isolation. The effort and associated budget can be significantly reduced. For instance:

3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

If the organization can use firewall rules to isolate CUI to a network segment that does not have publicly accessible system components, this requirement becomes trivial to meet.

How TRUE Digital Security Can Help

TRUE walks you through the process of becoming 800-171 compliant:
- Compliance Gap Assessments
- Customized control catalog for your unique environment utilizing expert guidance on best practices
- Risk Assessments (control 3.11.1)
- Vulnerability Scanning/Penetration Testing (control 3.11.2)

Free Bonus Materials

Email me for:
- Free NIST 800-171 Compliance Management Utility (Excel)
- Copy of these slides
- Free no-obligation consultation

geoff.wilson@truedigitalsecurity.com

Tinker & The Primes 2017, Innovating Together: Protecting Controlled Unclassified Information Systems and Organizations

Larry Findeiss, Bid Assistance Coordinator, Oklahoma's Procurement Technical Assistance Center (PTAC), Larry.Findeiss@tulsatech.edu, 918-828-5435
Geoff Wilson, Principal Security Consultant, True Digital Security, geoff.wilson@truedigitalsecurity.com, 866-490-2595 x103