Federal Initiatives to Protect Controlled Unclassified Information in Nonfederal Information Systems Against Cyber Threats

Transcription:

Slide 1: Federal Initiatives to Protect Controlled Unclassified Information in Nonfederal Information Systems Against Cyber Threats
May 20, 2015, Georgetown University Law Center
Robert S. Metzger, Rogers Joseph O'Donnell, P.C., 875 15th Street, N.W., Ste 725, Washington, D.C. 20005, (202) 777-8951, rmetzger@rjo.com, www.rjo.com
3d Annual Cybersecurity Law Institute, May 20, 2015, Rev.1

Slide 2: What is Controlled Unclassified Information?
- CUI includes massive amounts of multiple types of sensitive information.
- EO 13556 makes the National Archives & Records Administration (NARA) responsible, as Executive Agent, for reconciling the many types of CUI.
- NARA issued a proposed rule on May 8, 2015 (80 Fed. Reg. 26501).
- The CUI Registry identifies 23 categories and 82 subcategories of CUI, e.g.:
  - Technical information with military or space application (UCTI)
  - Copyrights & Patents
  - Census data
  - Critical infrastructure data
  - Information subject to export controls
  - Financial information
  - Geospatial
  - Immigration
  - Intelligence (e.g., financial records, FISA)
  - Law enforcement & Legal
  - Personally identifiable information
  - Privacy, including PII & PHI (health information)
  - Proprietary business records
  - SAFETY Act (anti-terrorism related) information

Slide 3: CUI Registry: Categories & Subcategories
- Agriculture
- Controlled Technical Information
- Critical Infrastructure (7 sub)
- Emergency Management
- Export Control (1 sub)
- Financial (9 sub)
- Foreign Government Information
- Geodetic Product Information
- Immigration (7 sub)
- Information Systems Vulnerability
- Intelligence (5 sub)
- Law Enforcement (14 sub)
- Legal (11 sub)
- NATO (2 sub)
- Nuclear (5 sub)
- Patent (3 sub)
- Privacy (8 sub)
- Proprietary Business (5 sub)
- SAFETY Act Information
- Statistical (3 sub)
- Tax (1 sub)
- Transportation (1 sub)
"CUI categories and subcategories are those types of information for which laws, regulations, or Governmentwide policies require safeguarding or dissemination controls." Proposed 32 C.F.R. 2002.2 (Definitions).

Slide 4: Who has access to CUI?
- Federal contractors
- State and local governments
- State and local contractors
- Tribal governments
- Colleges & universities
"Many federal contractors, for example, routinely process, store, and transmit sensitive federal information in their information systems to support the delivery of essential products and services to federal agencies (e.g., providing credit card and other financial services; providing Web and electronic mail services; conducting background investigations for security clearances; processing healthcare data; providing cloud services; and developing communications, satellite, and weapons systems). Additionally, federal information is frequently provided to or shared with entities such as State and local governments, colleges and universities, and independent research organizations." NIST SP 800-171 (Final Public Draft), at 1.

Slide 5: The Federal Interest in Protecting CUI
- Recent well-publicized attacks show both the vulnerability of nonfederal systems and the impact of attacks:
  - Target
  - Sony Pictures
  - JP Morgan
  - Anthem Healthcare
  - U.S., EU and Russian banks
- CUI of at least equal sensitivity is routinely processed on or transmitted by nonfederal ICT systems.
"[F]ederal information designated as CUI has the same intrinsic value and potential adverse impact if compromised whether such information resides in a federal or a nonfederal organization. Thus, protecting the confidentiality of CUI is critical to the mission and business success of federal agencies and the economic and national security interests of the nation." NIST SP 800-171 (Final Public Draft), at 5.

Slide 6: Few Measures in Effect Today
No law, general regulation or other requirement applies cybersecurity measures to federal civilian contractors; the measures in effect are narrow:
- Narrow military-specific provisions to protect the supply chain against high-risk sources (FY 2011 NDAA Sec. 806)
- Measures that restrict the country of origin of high-impact ICT purchases by Commerce, Justice, NASA, NSF
- DoD's DFARS, which imposes basic cyber controls to protect its UCTI
- Limited mandatory reporting of cyber events [same]
Questions:
- Is CUI inherently less important to protect than UCTI?
- Are non-defense systems at less risk?
- Is the civilian side of the government indifferent to the risk?
- Are the potential consequences of vulnerability more tolerable?

Slide 7: The Work In Progress (JWG, NARA, NIST)
Responsibilities:
- NARA: to define and categorize the varieties of CUI and establish workable guidelines & mechanisms
- 8(e) JWG: to decide on the mix of acquisition methods and contract tools (the "acquisition methods & contract controls" toolkit)
- NIST: to identify required security controls and practices for adoption
- Agencies: to evaluate cost/benefit, to establish applicability or tiers (if available), to tailor, to specify reporting, to administer and oversee

Slide 8: Overview of Initiatives Underway
- NARA is the Executive Agent to address CUI.
  - Proposed rule, 80 Fed. Reg. 26501 (comments due 7/7/15): defines and categorizes CUI (using the CUI Registry); sets safeguarding standards as "basic" or "specified" (enhanced, or different); adopts NIST SP 800-171 safeguards.
- NIST SP 800-171 (Final Public Draft) (5/12/2015)
  - Protects confidentiality of CUI at the moderate impact level of FIPS 199.
  - States performance- or capability-based requirements that elaborate upon FIPS 200 but do not contain the "how to" rules of 800-53.
  - Intent is to capture the intent of the 800-53 Moderate baseline without obligating private companies to use specific 800-53 controls.
- Individual agencies: DoD (UCTI) and DHS ("Sensitive Information")
- 8(e) Joint Working Group studying contractual implementation
- NARA leads drafting of a single FAR clause to protect CUI
- Contractors execute per solicitation, by contract term
Sequence (diagram): NIST, NARA, JWG, FAR, CONTRACTS; mid-July 201?

Slide 9: Acquisition Methods & Contract Tools
Tools:
- Responsible contractor threshold
- Solicitation & SOW requirements
- Source selection criteria (evaluation)
- Contract clauses (prime level)
- Flowdown clauses
- Special provisions (higher protection)
- Data Item Descriptions (CUI marking)
- Reporting obligations
- Validation, access and audit?
- Tailor requirements to criticality, risk, cost
Damages / Sanctions:
- Breach of contract
- Termination
- Adverse performance report
- If willful or reckless: suspension/debarment; False Claims Act
Many issues to address to produce a regime that is at once fair, workable, practicable & affordable.

Slide 10: SP 800-171: Extending NIST to the Private Sector
- NIST SP 800-171 (Final Public Draft) seeks to embrace existing private sector measures and accept alternative controls.
- SP 800-171 describes 14 families of requirements; the relevance of 800-53 controls and enhancements may not be well understood, however.
- The intent is for commercial companies to assess their systems against the narrative 800-171 requirements rather than the specific controls in 800-53.
- NIST recognizes that 800-53 was developed for federal systems, while 800-171 is to achieve similar and sufficient goals (to protect confidentiality) in the in-place systems of contractors.
- NIST is now evaluating comments to the Final Draft.
Important Assumptions of SP 800-171:
"Additional assumptions also impacting the development of the CUI security requirements and the expectation of federal agencies in working with nonfederal entities include: Nonfederal organizations have information technology infrastructures in place, and are not necessarily developing or acquiring information systems specifically for the purpose of processing, storing, or transmitting CUI; Nonfederal organizations have specific safeguarding measures in place to protect their information which may also be sufficient to satisfy the CUI security requirements; Nonfederal organizations can implement a variety of potential security solutions either directly or through the use of managed services, to satisfy CUI security requirements; and Nonfederal organizations may not have the necessary organizational structure or resources to satisfy every CUI security requirement and may implement alternative, but equally effective, security measures to compensate for the inability to satisfy a particular requirement." NIST SP 800-171 (Final Public Draft), at 5 (emphasis added in the original slide).

Slide 11: SP 800-171: Relevant Comparisons
- SP 800-171 sets its own requirements; these are built from FIPS 200 and mapped to show relevant controls from 800-53 and counterparts in ISO/IEC 27001.
- Comparing controls among the DFARS, 800-171 and 800-53 is difficult, but there are distinctions:
  - The DFARS UCTI clause refers to 51 controls from 800-53, but 61 if you count controls + enhancements. These 61 translate to more than 275 task statements.
  - SP 800-171 states 109 requirements; the map shows these reflect 122 controls from 800-53, but there are only 109 task statements.
- Properly understood, industry should find it less demanding (and have more alternatives) to comply with 800-171 than with 800-53 (or the DFARS).
- Expect DoD to issue a rule to adopt 800-171 controls in the DFARS and apply them to UCTI.
"Special Publication 800-171 is intended for use [when] federal agencies are providing CUI to nonfederal organizations (or when CUI is developed for federal agencies) for purposes unrelated to information processing; that is, the nonfederal organizations are not operating their information systems to process agency data, including CUI, on behalf of the agency but rather for other purposes. Nonfederal organizations typically employ their internal information system resources to develop the required deliverables associated with specific federal contracts or other agreements with the federal government. The nonfederal organization's information system will also be required to process, store, transmit, or generate any CUI needed to develop those deliverables. In such cases, the requirements in Special Publication 800-171 are applied, recognizing that nonfederal organizations: (i) must meet their internal organizational information processing needs; and (ii) may also be required to support the information processing needs of other organizations." NIST SP 800-171 (Final Public Draft), at viii.
The comment period on SP 800-171 closed on May 12. It should be final by late June.

Slide 12: Agency Role: Balancing Cost & Risk
- Agencies best understand the threat and the risk of cyber attack to their crucial functions that depend on nonfederal information systems.
- Agencies are in the best position to know which information is CUI.
- Agencies are best informed to categorize the sensitivity of their information and the impact upon their mission of lost confidentiality.
- Agencies can best assess supply chain impact upon their missions (e.g., FISMA, FIPS, FedRAMP, NIST).
- Agencies also have specific needs for event reporting, for information security and for restoration/resilience.
- Agencies ultimately are responsible for implementation costs. They also must temper risk perception with recognition of potential costs, effect upon competition, and impacts to their access to the technology base.
- Agencies will seek a role in selection and tailoring of controls, validation and oversight.