Post on 26-May-2020
Complying with NIST 800-171
Waide Jones, CISO, Exostar
Roy Hu, Senior Manager, Accenture
Dan Vlacich, Manager, Accenture
Agenda
• Cyber Threat
• Incidents
• Government Action - Regulation Overview
• Risk Based Approach - Cyber Security Risk Management
• Survey Results
• Resources - Build vs. Buy
Cyber Threat
Advanced Persistent Threat
• Well-funded
• Professional caliber attackers
• Avoid detection by industry standard tools
Targeting
• Anyone who has what they want
• The smaller the better
• Intellectual Property
• Financial Information
Economic/National Interests
• Competitive Advantage
• Shorten Creation Cycles (R&D)
• Shorten Technological Advantages
Incidents
• Companies being targeted for information
• Many not prepared for the threat
• Reports are that many small to mid-sized businesses are not compliant
• Company size makes no difference (attackers hope for smaller, unprepared companies)
Government Action - Regulation
Governments will address threats; industry can anticipate or react.
• US Overview
  • FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems
  • DFARS 252.204-7008 (Oct 2016): Compliance with Safeguarding Covered Defense Information Controls
  • DFARS 252.204-7009 (Oct 2016): Limitations on the Use or Disclosure of Third-Party Contractor Information
  • DFARS 252.204-7012 (Oct 2016): Safeguarding Covered Defense Information and Cyber Incident Reporting
  • DFARS 252.239-7010 (Oct 2016): Cloud Computing Services
• UK
  • Cyber Essentials
  • Cyber Essentials Plus
  • Defence Cyber Protection Partnership
FAR 52.204-21
• Applicability
  • On contracts/systems with Federal Contract Information
  • All federal contracts and subcontracts at any tier
  • Exclusion: COTS products
• Compliance
  • Mandatory flowdown at all tiers
  • Imposes 15 requirements that correlate to 17 NIST SP 800-171 security controls (limited subset)
  • Suppliers agree to controls by signing the contract
Federal Contract Information: “Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Websites) or simple transactional information, such as necessary to process payments.”
Immediate Action - Minimum Needs
15 FAR controls for FAR and DFAR compliance: start here.

FAR 52.204-21 MINIMUM CONTROL | NIST 800-171 CONTROL | TYPE
(i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). | 3.1.1 | C
(ii) Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | 3.1.2 | C
(iii) Verify and control/limit connections to and use of external information systems. | 3.1.20 | H
(iv) Control information posted or processed on publicly accessible information systems. | 3.1.22 | P
(v) Identify information system users, processes acting on behalf of users, or devices. | 3.5.1 | C
(vi) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | 3.5.2 | C
(vii) Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse. | 3.8.3 | P
(viii) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. | 3.10.1 | P
(ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices. | 3.10.3, 3.10.4, 3.10.5 | P
(x) Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. | 3.13.1 | H
(xi) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | 3.13.5 | C, H
(xii) Identify, report, and correct information and information system flaws in a timely manner. | 3.14.1 | S, C
(xiii) Provide protection from malicious code at appropriate locations within organizational information systems. | 3.14.2 | S
(xiv) Update malicious code protection mechanisms when new releases are available. | 3.14.4 | C
(xv) Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. | 3.14.5 | C

Type legend: C = Configuration, H = Hardware, P = Policy, S = Software
DFARS - Key Points
• Applicability:
  • On contracts/systems where Covered Defense Information (CDI) resides or operationally critical support
  • CDI identified by the Contracting Officer (CO), Prime Contractor, or higher tiered subcontractor
  • CDI identified in Distribution Statement B-F & Section J of the contract & markings on the data
  • If in doubt, ask before you sign the contract: am I going to receive or create CDI in the execution of this contract?
• Compliance
  • Compliance = Implementation of NIST SP 800-171
  • Implementation = self assessment + SSP & POA&M
  • A System Security Plan (SSP) including a remediation plan is required for all controls not implemented by December 31, 2017
Be aware of fear marketing; there are no certification vendors.
DFARS - Key Points
• Audit
  • There is no audit; this is only self attestation
  • DCMA can ask about NIST 800-171 applicability and compliance, but NIST 800-171 compliance will not be the driver of why they are there
  • DCMA will verify the System Security Plan (SSP), 30 day notices, & ECA Cert for reporting incidents
• Incident Reporting:
  • Must report cyber incidents
  • Upon discovery, must conduct a review for evidence of compromise
  • Report within 72 hours directly to DoD: https://dibnet.dod.mil/portal/intranet/
  • Must have a DoD approved medium assurance certificate
  • Must provide the DoD-assigned incident report number to the prime/higher tiered subcontractor
  • Must preserve and protect images of known affected systems for 90 days
  • Must provide DoD access to additional information or equipment necessary to conduct forensic analysis
  • Must submit any malicious software uncovered to DC3
System Security Plan (SSP) & Plan of Action & Milestones (POA&M)
NIST SP 800-171, Security Requirement 3.12.4: “Develop, document, and periodically update, system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.”
SSP
• Describe system boundaries
• System environments of operation
• How security requirements are implemented
• Connections to other systems
• Periodically update
• Compliance questionnaire helps but is insufficient
• Network diagrams
• Risk assessment
POA&M
• Plan
• Milestones
• Tracking & reporting tool
• Tasks
• Responsible
• Dates
• Status
If requested, DoD may utilize the System Security Plan by:
• Requiring that proposals (i) identify any NIST SP 800-171 security requirements not implemented at the time of award and (ii) include associated plans of action for implementation
• Identifying in the solicitation that all security requirements in NIST SP 800-171 must be implemented at the time of award
• Identifying in the solicitation that the contractor’s approach to providing adequate security will be evaluated in the source selection process for award
NIST 800-171 System Security Plan (SSP) Examples
Sources: DoD FedRAMP Template; DHS CSET Security Plan Report; A&D Company System Security Plan Excerpt; Exostar Risk Management Solution
Government Implementation - Risk Based
• My read of the Government is….
• They need everyone to know: threats are real, you are a target
• Each of us has to get in the game
• Manage cyber risk like any other business risk
• Regulation is the minimum bar & will drive compliance, BUT
• Recognize that good cyber security risk management is the long term fix
• Allowing a System Security Plan (SSP) & Plan of Action & Milestones (POA&M) to comply
• No set SSP template
Highest Concerns – AIA Cyber Survey (20% response rate)
Exostar NIST 800-171 Questionnaire Results
• Exostar Partner Information Manager (PIM) data from suppliers of multiple large A&D buying organizations
• Random sample of approximately 800 suppliers completing the Exostar NIST self-assessment questionnaire
• Percentage of organizations claiming they have, or have not, implemented the control
• Ten lowest percent implemented controls
• Consistent ratings for 12 months
NIST controls least implemented by suppliers:

Control | % Implemented | Control Description
3.5.3 | 38% | Use multifactor authentication for local and network access to privileged accounts a...
3.13.11 | 42% | Employ FIPS-validated cryptography when used to protect the confidentiality of CUI…
3.12.4 | 46% | Develop, document, and periodically update system security plans that describe system …
3.3.6 | 47% | Provide audit reduction and report generation to support on-demand analysis and repo…
3.6.3 | 47% | Test the organizational incident response capability.
3.1.19 | 47% | Encrypt CUI on mobile devices.
3.3.5 | 48% | Use automated mechanisms to integrate and correlate audit review, analysis, and repo...
3.13.13 | 49% | Control and monitor the use of mobile code.
3.7.5 | 50% | Require multifactor authentication to establish nonlocal maintenance sessions via ex...
3.13.10 | 54% | Establish and manage cryptographic keys for cryptography employed in the information...
Build vs. Buy
• Various company situations
• Varied experience level
• Two paths to compliance
Build – Resources
• Policy
• Security
• Controls
3rd Party Tools: AIA Cyber Security Survey
• Assessment: CSET; Archer Database; CIS Configuration Assessment Tool; Exostar; Nexpose, CIS Benchmarks; SANS “Top 20” CSC and ISO 27002 Framework
• Technical Controls: SCM, Zscaler, Carbon Black, Sophos; AlienVault Unified Security Management; Splunk, Microsoft System Center; DarkTrace and BeyondTrust; FPA Technology Services, Inc.
Build - Resources
• AIA Cyber Security Committee - http://www.aia-aerospace.org/committee/cyber-security-committee/
• Northrop Grumman – NIST 800-171 Controls Guidance - http://www.northropgrumman.com/suppliers/Pages/CybersecurityControlsLanding.aspx
• Lockheed Martin – Adhering to DoD Cybersecurity Requirements - http://www.lockheedmartin.com/us/suppliers/cybersecurity/dfars.html
• Exostar – NIST 800-171 Controls Guidance - https://exostar.atlassian.net/wiki/spaces/EN8/overview
• DoD Procurement Toolbox - http://dodprocurementtoolbox.com/site-pages/cybersecurity-policy-regulations
Buy – Resources
• Use a trusted service provider
• Compliance cannot be done only by a service provider
• You still have a responsibility
Exostar Solutions – NIST 800-171 Compliant
Recognized leader for identity and access management and secure enterprise collaboration
• IDENTITY MANAGEMENT: Improve the management of employee and partner identities and access privileges; meet NIST 800-171 multi-factor authentication requirements
• SECURE COLLABORATION: Securely and compliantly share sensitive information internally and with external partners
• RISK MANAGEMENT: Assess, measure, and mitigate risk across multi-tier partner community networks
• SUPPLY CHAIN MANAGEMENT: Visualize, track, and manage the enterprise sourcing and procurement process, with improved visibility
Additional capabilities:
• Store, share, protect, and mark Covered Defense Information (CDI)
• Qualify and manage suppliers & eProcurement efficiently and compliantly
• Manage and validate supplier readiness & guide System Security Plan (SSP) and Plan of Action & Milestones (POA&M) development
Copyright 2017 Exostar LLC | All Rights Reserved
Accenture
Contents
• DFARS Compliance Challenges
• DFARS Compliance Lifecycle
• Example Timeline for DFARS Compliance
• Security Reference Architecture
• DFARS Assessment Gap Analysis Example
• Cyber Value Chain
• End-to-End View of Cyber Defense
• Example Solutions: DevSecOps and NIST Enabled Infrastructure
Common DFARS Compliance Challenges
MOVE FROM:
• Partial strategy and plan to address and maintain DFARS compliance standards
• Unknown state of compliance across multiple groups, business units, subsidiaries, and suppliers
• Lagging security defenses
• Limited information on asset inventory for on premise and cloud applications
• Lack of dedicated resources to identify and remediate compliance issues
• Limited automation in the tools to provide real-time compliance validation and reporting
MOVE TO - DESIRED OUTCOMES:
• Full compliance against NIST SP 800-171 and DFARS
• Established and mature Cyber Security Program that incorporates standardized security processes and solutions such as DevSecOps to maintain compliance
• Mapping and protection of critical assets and sensitive data
• Situational awareness of the security compliance across the entire organization
• Automated reporting and continuous security monitoring
DFARS Compliance Lifecycle
Security Compliance Methodology supports identification, analysis, remediation and mitigation of security risks for an organization’s environment.
SECURITY RISK AND COMPLIANCE phases: UP FRONT, ONGOING DEVELOPMENT, ONGOING OPERATIONS
Lifecycle activities:
• CUI/CDI discovery
• Compliance self-assessment
• Compliance strategy/roadmap
• Asset inventory
• Controls mapping
• Allocation of resources
• Security validation
• Post audit remediation
• Continuous monitoring
• Vulnerability assessment
• Penetration testing
• Assessment of controls
• Documentation
• Audit and report preparation
• DFARS training
• Security automation
Internal Requirements: Security Policies; Security Guidelines; DevSecOps Standards
External Requirements: NIST SP 800-171 and DFARS; NIST SP 800-53
• Map and Focus on Derived Controls: Organizations may already have mapping of standards to ISO or NIST SP 800-53. Each NIST SP 800-171 control family has high level basic controls supported by more detailed derived controls. Determine an approach which confirms alignment with derived controls which then aligns with basic controls
• Determine Application of Control Level: Based on the solution in place, controls could be applied at different levels:
– Enterprise Level
– Application Level
– Location/Facility Level
– Client Data Protection Level
• Locate CUI/CDI: Identify which information systems areas store, or likely may store, sensitive client information
• Assess Compliance: Conduct interviews with key stakeholders and assess controls based on the processes and technology solutions currently in place to meet the objective of each control
• Generate Report and Documents: Develop compliance readiness reports, remediation plans, System Security Plan (SSP), etc.
Source: Accenture
Example Timeline for DFARS Compliance
Schedule: September 2017 through December 2017 (deadline 12/31/2017), continuing into 2018+ with a phased approach.
Key Activities:
• CUI Discovery
• Initial Assessment Documentation and POA&M Development
• Implementation of Controls and Address POA&M (Phased Approach)
• Assess Compliance
• Controls Mapping
• Security Solutions Assessment / Solution/Tools Modernization
• Vulnerability Assessment
• SSP Development/Updates
• Security Solution Development
• TCPs and SOPs Development/Updates
• Technical Controls Validation
• NIST/DFARS POA&M Development
• Policy Updates
• Mapping of Derived Controls
• Determine Application Level Controls
• Remediation Activities
• Control Assessments / Penetration Testing
• Continuous Monitoring of Compliance
• Ongoing Updates of TCPs and SOPs
• Security Awareness Training on DFARS Compliance
• Preparation of Internal and External Audits
• Security Strategy Development
• Tools Rationalization
• Asset Inventory
Accenture’s Security Reference Architecture
• Identity & Access Management: Identity Management; Access Management; Directory Services; Authorization Enforcement; Authentication Enforcement
• Data Security: Cryptography; Data Privacy / Protection; Data Loss Prevention; Business Proc. Security
• Software and Application Security: Web App Security; Desktop App Security; Mobile App Security; Enterprise App Security; Secure Development Lifecycle
• Extended Enterprise Security: Cloud Security; Mobile Security; IIoT/IoT Security; Social Media Security; Supply Chain Security
• Infrastructure Security: Platform Security; Network Security; Endpoint Management; Voice/VoIP Security
• Cyber Security: Threat Response; Threat Detection; Threat Intelligence; Vulnerability Management; Security Analytics
• Enterprise Security Operations: Security Log Management; Business Continuity Ops; Update Management; Disaster Recovery Ops; Security Patch Mgmt; Compliance Monitoring; User & Identity Admin; Threat Hunting and Analysis; SOC Operations
• Governance: Security Strategy; Security Governance; Security Architecture; Risk Management; Compliance Management; Security Policies
NIST SP 800-171 Control Families mapped onto the architecture: Access Control; Audit & Accountability; Awareness & Training; Configuration Management; Identification & Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical Protection; Risk Assessment; Security Assessment; System & Comm. Protection; System & Info Integrity
Source: Accenture
DFARS Assessment – Gap Analysis Example
[Chart: capabilities plotted by ease of deployment (Difficult to Easy, horizontal axis) against value (Low to High, vertical axis)]
Quadrants:
• High value, difficult to deploy: High-Priority Long-term Initiatives
• High value, easy to deploy: High-Priority Quick Wins
• Low value, difficult to deploy: Low Priority Initiatives
• Low value, easy to deploy: Quick Wins
Capability Family Legend: Access Control; Audit & Accountability; Awareness & Training; Configuration Management; Identification & Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical Protection; Risk Assessment; Security Assessment; System & Comm. Protection; System & Info Integrity
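The quadrant placement above feeds directly into the POA&M fields the SSP/POA&M slide lists (tasks, responsible, dates, status). The following Python is an added example, not Accenture's or Exostar's code: it scores each open gap on a 1-5 value and ease scale (an assumed scoring scale), places it in a quadrant, and emits POA&M rows ordered by priority with milestones spaced 30 days apart (also an assumption).

```python
"""Prioritise NIST SP 800-171 gaps with the value-vs-ease matrix and emit POA&M rows."""
from dataclasses import dataclass
from datetime import date, timedelta

# Quadrant names from the gap-analysis chart, keyed by (high_value, easy_to_deploy).
QUADRANTS = {
    (True, True): "High-Priority Quick Wins",
    (True, False): "High-Priority Long-term Initiatives",
    (False, True): "Quick Wins",
    (False, False): "Low Priority Initiatives",
}
# Work order for the POA&M: most valuable and easiest gaps first.
RANK = {
    "High-Priority Quick Wins": 0,
    "High-Priority Long-term Initiatives": 1,
    "Quick Wins": 2,
    "Low Priority Initiatives": 3,
}


@dataclass
class Gap:
    control: str       # NIST SP 800-171 requirement id, e.g. "3.5.3"
    description: str
    value: int         # 1..5 risk reduction if closed (assumed scoring scale)
    ease: int          # 1..5, 5 = easiest to deploy (assumed scoring scale)


def quadrant(gap, value_threshold=3, ease_threshold=3):
    """Map a gap's value/ease scores onto one of the four chart quadrants."""
    return QUADRANTS[(gap.value >= value_threshold, gap.ease >= ease_threshold)]


def build_poam(gaps, owner, start, step_days=30):
    """Return POA&M rows (control, quadrant, task, responsible, milestone, status)
    ordered by quadrant rank, then by descending value; milestones are step_days apart."""
    ordered = sorted(gaps, key=lambda g: (RANK[quadrant(g)], -g.value))
    rows = []
    for i, g in enumerate(ordered):
        rows.append({
            "control": g.control,
            "quadrant": quadrant(g),
            "task": f"Implement {g.control}: {g.description}",
            "responsible": owner,
            "milestone": start + timedelta(days=step_days * (i + 1)),
            "status": "Not Started",
        })
    return rows


# Constructed sample: controls taken from the survey's least-implemented list;
# the value/ease scores are illustrative assumptions, not survey data.
SAMPLE_GAPS = [
    Gap("3.5.3", "MFA for privileged accounts", value=5, ease=2),
    Gap("3.1.19", "Encrypt CUI on mobile devices", value=4, ease=4),
    Gap("3.6.3", "Test incident response capability", value=2, ease=4),
    Gap("3.13.13", "Control and monitor mobile code", value=2, ease=1),
]

if __name__ == "__main__":
    for row in build_poam(SAMPLE_GAPS, "ISSO", date(2017, 10, 1)):
        print(row)
```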
Cyber Value Chain
Source: Accenture
End-to-End View of Cyber Defense
Source: Accenture
Example Solution: Compliance via DevSecOps
WHAT DOES IT MEAN FOR NIST SP 800-171 COMPLIANCE?
Security needs to evolve and become a support partner in the equation, leveraging everything DevOps has to offer to:
• Address all of the required NIST SP 800-171 security controls within the SDLC to prevent issues in the production environment
• Build on existing people, processes and tools to successfully drive security requirements in solutions
• Enable development teams to succeed in creating secure applications with an understanding of compliance goals
• Secure applications from planning and design phases to on-going operations and retirement
• Adapt to and secure new technologies
DevOps
• CULTURE: Tighter communication and integration between systems engineering and development teams
• PROCESSES: Automated deployment pipeline integrated with security reviews and testing, with a strong feedback loop to operations and development teams
• TECHNOLOGIES: Advanced combination of open source and commercial tools assessing various aspects of the application (requirements, code, deployment, etc.)
Agile Development
• SHORTER RELEASE CYCLES: Shift work “to the left” as much as possible, to ensure no major issues or defects are found late in the release cycle
• SMALLER BATCH SIZES: Reviews and tests should be able to evaluate small portions of the application while ensuring all dependencies are also covered
• CROSS-FUNCTIONAL TEAMS: Cross-functional teams are the norm, to ensure up-to-date information on project milestones and activities in agile development is tracked and used to inform actions
Example Solution: NIST Enabled Infrastructure
HPE NIST Enabled Infrastructure (NEI) addresses specific agency needs, providing location-agnostic cloud and compute resources prepared for rapid ATO adoption.
Benefits:
• Faster path to ATO for suppliers: NEI can provide up to 85% of the required NIST controls (SP 800-53 / SP 800-171)
• Flexible capacity
• Repeatable infrastructure to drive down cost
• Architected to easily convert to OpenStack in the future to drive down OPEX
[Diagram: HPE NIST Enabled Infrastructure or FedRAMP Cloud supplies Security Controls, Baselines, Standards and ATOs (pATO) to the Agency requiring ATO/NIST Controls]
• Regardless of the infrastructure (NEI or FedRAMP), the security controls are “accepted” to become part of the ATO
• The Agency will accept, reject, or mitigate controls to produce the final “system” that will become part of the ATO
Material References
• DFARS Compliance through DevSecOps – http://www.aia-aerospace.org/wp-content/uploads/2016/05/DevSecOps-Acceleration-of-800_171-Compliance.pdf
Backup
DFARS Subcontractor Flowdown
• The clause is required to flow down to subcontractors only when performance will involve:
  • Operationally critical support
  • Covered defense information
• The contractor shall determine if the information required for subcontractor performance is, or retains its identity as, covered defense information and requires safeguarding
• Flowdown is a requirement of the terms of the contract with the Government, which must be enforced by the prime contractor as a result of compliance with these terms
• If a subcontractor does not agree to comply with the terms of DFARS Clause 252.204-7012, then covered defense information shall not be shared with the subcontractor or otherwise reside on its information system
Be clear what information and support is needed for the contract; push back if you really don’t need the CDI.
“Operationally critical support” means supplies or services designated by the Government as critical for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.
Covered Defense Information (CDI)
• CDI is unclassified controlled technical information or other information (as described in the Controlled Unclassified Information (CUI) Registry at https://www.archives.gov/cui/registry/category-list) that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is:
  • (1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
  • (2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
Covered Defense Information (CDI) - Examples
• Technical information with a military or space application
• Examples of technical information:
  • Research and engineering data
  • Engineering drawings, and associated lists, specifications and standards
  • Process sheets, manuals, technical reports, technical orders
  • Catalog-item identifications, data sets, studies and analyses and related information
  • Computer software executable code and source code
Must be a DoD contract & applicable to DFARS regulation to apply.
Cybersecurity Evaluation Tool (CSET)
• Application to evaluate a company’s cybersecurity posture
• Department of Homeland Security (DHS) no-cost software download
• Includes a step by step Q&A interface
• Reports generated include an Executive Summary and a Security Plan
• DoD recommended
- Download at https://ics-cert.us-cert.gov/Downloading-and-Installing-CSET
- Select “Advanced Mode”, which will provide the option to select NIST 800-171
Source: DHS CSET Tool User Screens