CYBERSECURITY COMPLIANCE: TOOLS FOR ASSESSMENT
(RMF, DSS-AAPM, DFARS, FAR, & NIST 800)
AMY VERMILLION, IMPRIMIS, INC.
ASSESSMENT OPTIONS
Tools:
• Spreadsheet
• CSET (Cyber Security Evaluation Tool)
• i2ACT-800
OPTION #1: SPREADSHEET WITH WORD & FILE-SHARING
• The Cyber Security Evaluation Tool (CSET®) provides:
• A systematic, disciplined, and repeatable approach for evaluating an organization's security posture
• A desktop software tool that guides asset owners and operators through a step-by-step process to evaluate
• Their industrial control system (ICS) and information technology (IT) network security
• Available through the Department of Homeland Security's (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which developed the CSET application and offers it at no cost to end users
ADVISORY: CYBER SECURITY EVALUATION TOOL

The Cyber Security Evaluation Tool (CSET)® is only one component of the overall cyber security picture and should be complemented with a robust cyber security program within the organization. A self-assessment with CSET® cannot reveal all types of security weaknesses, and should not be the sole means of determining an organization's security posture. The tool will not provide a detailed architectural analysis of the network or a detailed network hardware/software configuration review. It is not a risk analysis tool, so it will not generate a complex risk assessment.

CSET® is not intended as a substitute for in-depth analysis of control system vulnerabilities as performed by trained professionals. Periodic onsite reviews and inspections must still be conducted using a holistic approach including facility walk-downs, interviews, and observation and examination of facility practices. Consideration should also be given to additional steps including scanning, penetration testing, and exercises on surrogate, training, or non-production systems, or systems where failures, unexpected faults, or other unexpected results will not compromise production or safety.

CSET® assessments cannot be completed effectively by any one individual. A cross-functional team consisting of representatives from operational, maintenance, information technology, business, and security areas is essential. The representatives must be subject matter experts with significant expertise in their respective areas. No one individual has the span of responsibility or knowledge to effectively answer all the questions. Data and reports generated by the tool should be managed securely and marked, stored, and distributed in a manner appropriate to their sensitivity.
30‐Jun‐17 6
https://ics-cert.us-cert.gov/Downloading-and-Installing-CSET
IMPRIMIS ACT - Assessment & Compliance Tool
DESIGNED FOR TEAM COLLABORATION
Up to 20 people may work simultaneously without worry of data corruption
i2ACT-800 PRO:
• Supports all of the Risk Management Framework (RMF); contains all 970 NIST 800-53 controls and enhancements
• Contains over two dozen baselines including DSS AAPM, DFARS, FIPS, ICS, and all of the CNSSI 1253
• Allows the user to tailor their own baseline, add it to the library of baselines and share the baseline with satellite locations or subcontractors

i2ACT-800s: "lite" version, specifically for 800-171
• Addresses all 110 requirements and the 125 referenced controls from NIST 800-53
• Ideal for small businesses and subcontractors only worried about DFARS 800-171

i2ACT-ROLLUP: Imports multiple databases (backend) to allow central review of subcontractors, multiple networks, or trend analysis
i2ACT-800 DEMO HERE
I2ACT 800 PRO MAIN MENU
I2ACTS (800-171 ONLY)
CHOOSE BASELINE
MANAGE BASELINES
I2ACT - TAILOR BASELINE
REVIEW 800-53
I2ACT - ASSESSMENT
I2ACT - REPORTS
POA&M and Remediation Report: Gantt Chart in Microsoft Project™
THE I2ACT SUPPORT SUITE
i2ACT-800 PRO | i2ACT-800s | i2ACT-800 Roll Up
Policies & Procedures
Incident Response Plan
System Security Plan (SSP)
QUESTIONS & DISCUSSION
Amy Vermillion
(719) 785-0320 (W)  (719) 331-9863 (M)
[email protected]
www.i2ComplianceTools.com
CYBERSECURITY COMPLIANCE: TOOLS FOR ASSESSMENT
AMY VERMILLION
719-785-0320
www.i2ComplianceTools.com
ASSESSMENT RESOURCES
• Government Resources
• DIB ISAC
• ACT Support Suite
• i2 Cyber Compliance Center: C3 or 'The Cube'
GOVERNMENT PROVIDED RESOURCES
• ICS-CERT: Assessment Teams, Training, CSET Training
• DHS: Training, Education & Career Programs, Information Sharing
• SBA – GSA
• … and many more: good references, good training
SUMMARY
DIB ISAC
• Assists DIB companies with DFAR compliance
• Cyber Verify™ is the DIB ISAC process for verifying and certifying compliance
• The DIB ISAC selected and uses the Imprimis Compliance Tool
Steve [email protected]
Chad [email protected]
256-489-0550 Office
www.dibisac.net
e tan, e epi tan
Confidential Information of Imprimis, Inc.
June 30, 2017
i2 CYBER COMPLIANCE CENTER: C3 OR 'THE CUBE'
A center in Colorado Springs providing compliance support nationally

SERVICES
• System Definition
• Compliance Assessment
• Vulnerability Assessment
• Remediation Support
• Blue Team Preparation
• Support Through Red Team Audit

FACILITIES & RESOURCES
• VTC/Telephonic/Remote Access
• Training & How-to Videos
• Policy & Plans Templates
• Vulnerability Scanning Tools
• Penetration Testing
• Monitoring Services/Tools
• Support During Incident Response

CONTACT INFORMATION (Support)
COMPONENTS OF CYBERSECURITY
BEHAVIOR
POLICY
TECHNOLOGY
(CYBER) DOGS THAT WON'T HUNT
• I'm a small company, no one is interested in what we do …
• I've got plenty of time – I'll do it next year …
• No one is going to check so I'll just fake it …
• I'm a small business, I don't need to be smart on cybersecurity …
• I went to the cloud so they do my cybersecurity …
• If the government gets hacked, they should not hold me to a standard …
• I am a small business, I can't afford cybersecurity …
SUMMARY
• The threat from the cyber domain is very, very real, and it is our responsibility to deal with combatting this threat and managing the risk
• The need for cyber compliance is here now, today, and the government requirements are only going to grow, e.g. DFARS, FAR, CUI, etc.
• If a company has not started, they are already behind
• The lack of provable cyber security compliance represents a real and present danger to small businesses
• Resources and tools exist to support the compliance process, and these tools will get better with time and with use
• … This is doable. You can make this happen!!!!
LIFECYCLE OF A CYBERATTACK
[Diagram labels: Bad Guy; Motivation: Hate, Espionage, IP; Selection: Known Target, Objective; Execution: Snooping, Port Scanning, Access, Back Door, Command & Control (C2); Compromised Network]
NIST 800-53 VERSUS 800-171

NIST 800-171 SECURITY REQUIREMENT FAMILIES
3.1 Access Control
3.2 Awareness and Training
3.3 Audit and Accountability
3.4 Configuration Management
3.5 Identification and Authentication
3.6 Incident Response
3.7 Maintenance
3.8 Media Protection
3.9 Personnel Security
3.10 Physical Protection
3.11 Risk Assessment
3.12 Security Assessment
3.13 System and Communications Protection
3.14 System and Information Integrity

VS

NIST 800-53 SECURITY CONTROL FAMILIES
AC Access Control
AT Awareness & Training
AU Audit and Accountability
CA Security Assessment & Authorization
CM Configuration Management
CP Contingency Planning
IA Identification & Authentication
IR Incident Response
MA Maintenance
MP Media Protection
PE Physical & Environmental Protection
PL Planning
PS Personnel Security
RA Risk Assessment
SA System & Services Acquisition
SC System & Communications Protection
SI System & Information Integrity

Personally Identifiable Information (PII)
AP Authority & Purpose
AR Accountability, Audit, & Risk Management
DI Data Quality & Integrity
DM Data Minimization & Retention
IP Individual Participation & Redress
SE Security
TR Transparency
UL Use Limitation

Additional NIST 800-53 Families (no NIST 800-171 equivalents): Program Management
PM-1 Information Security Program Plan
PM-2 Senior Information Security Officer
PM-3 Information Security Resources
PM-4 Plan of Action & Milestones Process
PM-5 Information System Inventory
PM-6 Information Security Measures of Performance
PM-7 Enterprise Architecture
PM-8 Critical Infrastructure Plan
PM-9 Risk Management Strategy
PM-10 Security Authorization Process
PM-11 Mission/Business Process Definition
PM-12 Insider Threat Program
PM-13 Information Security Workforce
PM-14 Testing, Training, & Monitoring
PM-15 Contacts with Security Groups & Associations
PM-16 Threat Awareness Program
MORE REQUIREMENTS?
• DFARS 252.204-7012: Contractor (Offeror) represents that it will implement security requirements in NIST 800-171 as soon as practical but no later than December 31, 2017.
• Contractor will apply other information system security measures when the contractor reasonably determines that [additional] security measures are required
• There are 65 NFO controls from about all security families
• Revision 1 to NIST 800-171 added one back
• The Implementation Guides at DPAP make it clear that breaches and incidents will be investigated and the contractor will cooperate
• A solid plan with a rationale that can be defended is needed
Do What is Right … and Do It Right!
GOVERNMENT PRESENTATION (DPAP)
Navigating Unclassified Cyber/Information (System) Security Protections
Elements that drive appropriate protections: the information system and the information.

Information system and applicable controls:
• Contractor's Internal System: NIST SP 800-171
• Contractor's System Operated on DoD's Behalf: from CNSSI 1253, based on NIST SP 800-53
• DoD Information System: from CNSSI 1253, based on NIST SP 800-53
• Cloud Service Provider: from the SRG

Information types:
• Federal Contract Information
• Controlled Unclassified Information (USG-wide)
• Unclassified Controlled Technical Information
• Covered Defense Information

NARA REQUIRES CUI IN 2016
NARA, CUI Requirements, and the FAR Clause

Executive Order 13556, Controlled Unclassified Information, November 4, 2010, established the CUI Program and designated the National Archives and Records Administration (NARA) as its Executive Agent to implement the Order and to oversee agency actions to ensure compliance with the Order. Regarding contractors, the CUI Executive Agent anticipates establishing a single Federal Acquisition Regulation (FAR) clause in 2016 to apply the requirements of NIST Special Publication 800-171 to the contractor environment as well as to determine oversight responsibilities and requirements.
-- Special Publication NIST 800-171, page 15.
I2ACT ARCHITECTURE & CONFIGURATION

BACK END DATABASE
• User Data

FRONT END DATABASE
• User Interface
• Standards Database
• Queries
• Reports
• Baselines
• TAB: Supplemental Guidance (NIST)
• TAB: Questionnaires
• TAB: Intent & Evidence
• TAB: How to Assess & Comply
• TAB: Remediation Plan & POA&M
DFARS
SUBPART / CLAUSE, TITLE, REQUIREMENTS

204.73 (subpart)
  Title: Safeguarding Covered Defense Information and Cyber Incident Reporting. Revised Oct 21, 2016
  Requirements: Contractors & subcontractors must safeguard 'Covered' defense information that resides in or transits through contractor 'UNCLASSIFIED' information systems. Must rapidly report incidents involving possible loss of covered data to DoD via Dibnet.dod.mil. Report will include i) incident report, ii) malicious software, and iii) media. Prescribes: 252.204-7008, -7009, -7012, 252.227-7013

202.1 (subpart)
  Title: Definitions. Revised Oct 21, 2016
  Requirements: Designated subpart as location for definitions

239.76 (subpart)
  Title: Cloud Computing. New addition Aug 26, 2015; revised Oct 21, 2016
  Requirements: For contractor systems, FedRAMP-qualified cloud providers will be used. For federal systems, contracts will be awarded to cloud service providers that are granted provisional authorization by DISA. Prescribes 252.239-7009 & -7010

212.301(f) (clauses & provisions)
  Title: Solicitation provisions and contract clauses for the acquisition of commercial items. Revised August 2, 2016
  Requirements: Identifies solicitation clauses and provisions to be included in the acquisition of commercial items. Includes cybersecurity and safeguards identified in the above clauses. Supply chain risk evaluation required (239.73)
EXECUTIVE RESPONSIBILITY
• Cybersecurity and compliance programs are needed within a corporation for the purpose of:
  • Managing risk and liabilities
  • Meeting minimum requirements to access markets
  • Achieving and maintaining competitive advantage
• Cybersecurity is a fiduciary responsibility of the organization's Board of Directors, officers, senior leadership and management
NIST 800-12 ELEMENTS OF INFORMATION SECURITY
1. Information security supports the mission of the organization
2. Information security is an integral element of sound management
3. Information security protections should be commensurate with risk
4. Information security responsibilities and accountability are explicit
5. System owners share security responsibilities with other systems
6. Information security requires a comprehensive & integrated approach
7. Information security is assessed regularly
8. Information security is constrained by societal factors
EXECUTIVE MANAGEMENT
[Diagram: Organizational Cybersecurity Risk Management & Compliance. C-Suite & BoD (CEO, COO, CIO, CFO, Board of Directors): executive awareness, policy, appointments, monitoring; training & education; cyber risk management; principles & elements of cybersecurity; governance, responsibility, accountability. Cyber Authority (CIO, other key executives): assurance, assessments, audits, reviews; System Security Plan (SSP).]
IT MANAGEMENT & EXECUTION
[Diagram: SSP Implementation. IT Management (CIO, CISO/SISO, IT Management): implementation, personnel assignments, monitoring. Flow: Categorization, Controls Selection, Controls Implementation, Assess & Confirm, Operate. CISO/SISO, IT Manager(s), System Owners: assurance, assessments, audits, reviews.]
NATIONAL CYBER EXCHANGE (NCX): THREAT INTELLIGENCE & TRAINING
NCX, formerly WCX (Western Cyber Exchange), is a non-profit, member organization dedicated to improving cybersecurity and protecting critical infrastructure by sharing cyber threat information, providing education and workforce development, technology development, and supporting member cybersecurity needs.
• NCX is designated as an Information Sharing and Analysis Organization (ISAO); it collaborates with DHS, industry Information Sharing and Analysis Centers (ISACs), and other ISAOs
HAS ANYONE HEARD OF A CYBER INCIDENT LATELY?
• Target
• Home Depot
• Sony
• OPM
• Anthem
• … The major incidents are becoming too many to identify, and smaller incidents are ubiquitous.
WHY SHOULD ALL COMPANIES CARE?
• "Hey, I'm just a small business. No one cares enough about what we do to bother with a cyber attack. What would they get?"
• PII (Personally Identifiable Information)
• PHI (Protected Health Information)
• IP (Intellectual Property)
• Money
• Spectrum of Sensitive Information
CYBER THREAT PLAYERS AND ACTIVITIES

APT (Advanced Persistent Threat)
  Actors: Nation states, major crime orgs
  Objective: Espionage, dis-enable, destroy, defeat
  TTP (Techniques, Tactics, Procedures): Social engineering, phishing, advanced TTPs, implant 'low & slow'
  Major known sources: China, Russia, Iran, North Korea

CYBER CRIME
  Actors: Amateurs to nations
  Objective: Theft of valued data
  TTP: Social engineering, phishing, escalate privileges, exfiltrate data
  Major known sources: Russia, China, "Riders of the Dark Net"

HACKTIVIST
  Actors: Amateurs to major orgs
  Objective: Discredit, disrupt, cause havoc
  TTP: Social engineering, phishing, DOS/DDOS (distributed denial of service)
  Major known sources: Political, ethnic, religious orgs or individuals

INSIDER THREAT
  Actors: Authorized user / admin
  Objective: Sensitive information, revenge, profit
  TTP: Use authorized access to steal, sabotage, damage
  Major known sources: Throughout

TERRORIST
  Actors: Individual, non-state, nation state
  Objective: Disrupt, destroy, kill
  TTP: Social engineering to advanced TTP
  Major known sources: North Korea, Al Qaeda, ISIS/ISIL, … many

NUISANCE
  Actors: Unskilled or less able actors
  Objective: Financial, recognition
  TTP: SPAM, scanning, crawlers, worms, viruses
  Major known sources: Ubiquitous
E-MAIL ATTACK VECTOR
Ref: Verizon DBIR 2016 Report
Email Phishing: A form of social engineering in which a message, typically an email, with a malicious attachment or link is sent to a victim with the intent of tricking the recipient to open an attachment.
77.3% of successful attacks
[Timeline, 2010 to 2016]
4/1/2010 CIAT (Center for Information Transformation)
4/29/2011 WCX (Western Cyber Exchange) established
4/27/2012 Operational Threat Center with CRITs software
8/29/2014 Successful threat message transfer WCX --> ACSC
9/1/2015
4/20/2016 Added AIS (Automated Indicator Sharing) to WCX ISAO
5/27/2016 Continued N2SI program
10/1/2016 NCC collaboration
10/1/2016 NCX becomes national organization
WHAT ARE CYBERSECURITY STANDARDS?
• Represent the accumulated knowledge, experience, and wisdom of many who have traveled the road before us
• Are documents typically produced after great collaborative efforts of experts
• Are meant to establish normal requirements, guidelines or best practices for an item, system, or process to ensure the appropriate outcome in terms of performance, quality, and cost
• Use is sometimes mandated, sometimes best practice
KEY CYBERSECURITY STANDARD FAMILIES

Commercial:
• ISO 27000
• COBIT
• CIS/SANS Top 20

Sector Specific:
• PCI DSS
• NERC-CIP
• HIPAA
• HITRUST

Federally-Oriented or Federally-Mandated:
• Cybersecurity Framework
• Risk Management Framework (RMF)
• Federal Information Processing Standards (FIPS)
• National Institute of Standards and Technology (NIST) 800-53
• NIST 800-82
• NIST 800-171
• NISPOM and DSS AAPM
• DFARS
• FAR
FISMA AND FIPS
• Federal Information Security Management Act (FISMA) of 2002 established the responsibilities for federal agencies
• Federal Information Processing Standards (FIPS) provide guidance for federal agencies
• FIPS PUB 199 - Standards for Security Categorization of Federal Information and Information Systems
• FIPS PUB 200 - Minimum Security Requirements for Federal Information and Information Systems
RISK MATRIX: FIPS 199 RISK CATEGORIZATION

Confidentiality (C): Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [44 U.S.C., SEC. 3542]
  Low impact: The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  Moderate impact: The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  High impact: The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Integrity (I): Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. [44 U.S.C., SEC. 3542]
  Low impact: The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  Moderate impact: The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  High impact: The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Availability (A): Ensuring timely and reliable access to and use of information. [44 U.S.C., SEC. 3542]
  Low impact: The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  Moderate impact: The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  High impact: The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Source: Federal Information Processing Standards Publication, FIPS PUB 199, February 2004, National Institute of Standards and Technology
NIST (SP) 800-53R4, SECURITY AND PRIVACY CONTROLS FOR FEDERAL INFORMATION SYSTEMS AND ORGANIZATIONS
RISK MANAGEMENT FRAMEWORK
Step 1: CATEGORIZE Information System
Step 2: SELECT Security Controls
Step 3: IMPLEMENT Security Controls
Step 4: ASSESS Security Controls
Step 5: AUTHORIZE Information System
Step 6: MONITOR Security Controls
REPEAT AS NECESSARY
NIST SP 800-53 SECURITY AND PRIVACY CONTROLS FOR FEDERAL INFORMATION SYSTEMS AND ORGANIZATIONS

SECURITY CONTROL CATALOG (Appendix F): security controls, enhancements, and supplemental guidance. From AC-1 Access Control Policy and Procedures through SI-17 Fail-Safe Procedures.

INFORMATION SECURITY PROGRAMS (Appendix G): organization-wide information security program management controls. From PM-1 Information Security Program Plan through PM-16 Threat Awareness Program.

PRIVACY CONTROL CATALOG (Appendix J): privacy controls, enhancements, and supplemental guidance. From AP-1 Authority to Collect through UL-2 Information Sharing with Third Parties.

Each entry in all three catalogs has the same layout: Control; Supplemental Guidance; [Enhancement] [Enhancement]; References.
EXAMPLE CONTROL ENTRY FROM 800-53

CP-3 CONTINGENCY TRAINING
Control: The organization provides contingency training to information system users consistent with assigned roles and responsibilities:
a. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.
Supplemental Guidance: Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to set up information systems at alternate processing and storage sites; and managers/senior leaders may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles/responsibilities reflects the specific continuity requirements in the contingency plan. Related controls: AT-2, AT-3, CP-2, IR-2.
Control Enhancements:
(1) CONTINGENCY TRAINING | SIMULATED EVENTS: The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations.
(2) CONTINGENCY TRAINING | AUTOMATED TRAINING ENVIRONMENTS: The organization employs automated mechanisms to provide a more thorough and realistic contingency training environment.
References: Federal Continuity Directive 1; NIST Special Publications 800-16, 800-50.
Priority and Baseline Allocation: P2 | LOW: CP-3 | MOD: CP-3 | HIGH: CP-3 (1)

Structure of an entry:
• Family, number (1-44) & name
• The control text
• Supplemental guidance, if any
• Control enhancements, with name, if any (0-24); may contain supplemental guidance (here CP-3(1), CP-3(2))
• References
• Priority & baseline: P1, P2, P3 give the order of implementation; Low, Mod, High give which controls/enhancements are required per IS category
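The entry structure above is what drives RMF steps 1 and 2: categorize the system, then read each control's priority and baseline allocation row to select what is required. The block below is an added example, not code from the presentation or from the i2ACT tool; it carries both steps through on a constructed two-control catalog built from the CP-3 row shown on the slide plus AC-1, and, as an assumption the slide does not state, uses the FIPS 200 "high water mark" rule (overall impact = highest of C, I, A).

```python
"""RMF steps 1 and 2 in miniature: FIPS 199 categorization, then NIST SP
800-53 baseline selection from each control entry's 'Priority and
Baseline Allocation' row (the CP-3 row on the slide reads
"P2  LOW CP-3  MOD CP-3  HIGH CP-3 (1)").

Added example, not part of the presentation.  The catalog below is a
constructed two-control subset: CP-3 is copied from the slide; AC-1 is
the first control in Appendix F (P1, required at all three baselines).
"""
from dataclasses import dataclass

# FIPS 199 impact levels in increasing order of severity.
IMPACT_ORDER = ("LOW", "MODERATE", "HIGH")


def security_category(confidentiality, integrity, availability):
    """Return the FIPS 199 SC expression and the overall system impact.

    The overall level is the highest of the three objectives (the FIPS 200
    'high water mark' rule; an assumption beyond what the slide states).
    """
    levels = (confidentiality.upper(), integrity.upper(), availability.upper())
    for lvl in levels:
        if lvl not in IMPACT_ORDER:
            raise ValueError(f"unknown impact level: {lvl!r}")
    overall = max(levels, key=IMPACT_ORDER.index)
    sc = "SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}" % tuple(
        lvl.lower() for lvl in levels)
    return sc, overall


@dataclass(frozen=True)
class CatalogEntry:
    """One Appendix F entry reduced to what baseline selection needs."""
    control_id: str
    name: str
    priority: str        # P1..P3: order of implementation
    enhancements: tuple  # every enhancement the entry defines, selected or not
    allocation: dict     # impact level -> ids required at that baseline

    def required_at(self, impact):
        return set(self.allocation.get(impact, ()))


# Constructed catalog subset (see module docstring).
CATALOG = (
    CatalogEntry("AC-1", "Access Control Policy and Procedures", "P1", (),
                 {"LOW": ("AC-1",), "MODERATE": ("AC-1",), "HIGH": ("AC-1",)}),
    CatalogEntry("CP-3", "Contingency Training", "P2", ("CP-3(1)", "CP-3(2)"),
                 {"LOW": ("CP-3",), "MODERATE": ("CP-3",), "HIGH": ("CP-3", "CP-3(1)")}),
)


def select_baseline(impact, catalog=CATALOG):
    """Step 2 SELECT: ids of controls/enhancements required at this impact level."""
    impact = impact.upper()
    if impact not in IMPACT_ORDER:
        raise ValueError(f"unknown impact level: {impact!r}")
    required = set()
    for entry in catalog:
        required |= entry.required_at(impact)
    return sorted(required)


def implementation_order(impact, catalog=CATALOG):
    """Required ids ordered by catalog priority (P1 before P2 ...), then by id."""
    ranked = []
    for entry in catalog:
        for cid in entry.required_at(impact.upper()):
            ranked.append((entry.priority, cid))
    return [cid for _, cid in sorted(ranked)]


def optional_enhancements(impact, catalog=CATALOG):
    """Enhancements the catalog defines but this baseline does not require.

    These are the candidates when tailoring a baseline up, e.g. adding
    CP-3(1) to a moderate system whose contingency roles warrant drills.
    """
    selected = set(select_baseline(impact, catalog))
    return sorted(e for entry in catalog for e in entry.enhancements if e not in selected)


def plan_for_system(confidentiality, integrity, availability, catalog=CATALOG):
    """Steps 1 and 2 together: categorize the system, then select controls."""
    sc, overall = security_category(confidentiality, integrity, availability)
    return {
        "security_category": sc,
        "overall_impact": overall,
        "required": implementation_order(overall, catalog),
        "optional_enhancements": optional_enhancements(overall, catalog),
    }


if __name__ == "__main__":
    # A contractor system holding CUI: confidentiality moderate, the rest low.
    plan = plan_for_system("moderate", "low", "low")
    print(plan["security_category"])
    print("overall impact:", plan["overall_impact"])
    print("implement in order:", plan["required"])
    print("not required at this baseline:", plan["optional_enhancements"])
```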
NIST (SP) 800-171, PROTECTING CONTROLLED UNCLASSIFIED INFORMATION IN NONFEDERAL INFORMATION SYSTEMS AND ORGANIZATIONS
NIST 800-171
• The Government started with the FIPS Moderate Baseline, a set of 260+ controls from NIST 800-53
• They removed controls that:
  • Pertained only to the government (FED)
  • Did not support "C" or confidentiality (NCO)
  • Were expected to be routinely satisfied by the non-federal organization (NFO)

TAILORING SYMBOL / TAILORING CRITERIA
NCO: Not directly related to protecting the confidentiality of CUI.
FED: Uniquely federal, primarily the responsibility of the federal government.
NFO: Expected to be routinely satisfied by non-federal organizations without specification.
CUI: The CUI basic or derived security requirement is reflected in and is traceable to the security control, control enhancement, or specific elements of the control/enhancement.
(Appendix E, NIST Special Publication 800-171)
NIST 800-171 SECURITY FAMILIES (requirement count per family)
AC - Access Control (3.1): 22
AT - Awareness & Training (3.2): 3
AU - Audit & Accountability (3.3): 9
CM - Configuration Management (3.4): 9
IA - Identification & Authentication (3.5): 11
IR - Incident Response (3.6): 3
MA - Maintenance (3.7): 6
MP - Media Protection (3.8): 9
PS - Personnel Security (3.9): 2
PE - Physical Protection (3.10): 6
RA - Risk Assessment (3.11): 3
CA - Security Assessment (3.12): 4
SC - System & Communications Protection (3.13): 16
SI - System & Information Integrity (3.14): 7
TOTAL REQUIREMENTS: 110
REV 1 – NIST 800-171 (IS FINAL)
• Guidance on the use of system security plans (SSPs) and plans of action and milestones (POAMs) to demonstrate the implementation or planned implementation of CUI requirements by nonfederal organizations;
• Guidance on federal agency use of submitted SSPs and POAMs as critical inputs to risk management decisions and decisions on whether or not to pursue agreements or contracts with nonfederal organizations;
• 3.12.4: Develop, document, periodically update, and implement system security plans for organizational information systems that describe the security requirements in place or planned for the systems.

NIST 800-171 … NOW HAS 110 REQUIREMENTS

System Security Plan or SSP:
1. System Definition
2. Governance
3. Risk Assessment / Categorization
4. Compliance Assessment + Remediation Plan (POA&M)
WHEN TO USE NIST 800-171
• NIST 800-171 is intended for use by federal agencies with recommended requirements for protecting the confidentiality of Controlled Unclassified Information (CUI):
  • when the CUI is resident in nonfederal information systems and organizations;
  • where the CUI does not have specific safeguarding requirements prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry (https://www.archives.gov/cui/registry/category-list); and
  • when the information systems where the CUI resides are not operated by organizations on behalf of the federal government.
• The requirements apply only to components of nonfederal information systems that process, store, or transmit CUI, or provide security protection for such components
• Federal agencies will include CUI requirements in appropriate contractual vehicles established between those agencies and nonfederal organizations
• Nonfederal organizations must comply with these requirements to meet contractual requirements
DEFENSE SECURITY SERVICE ASSESSMENT AND AUTHORIZATION PROCESS MANUAL (DSS AAPM)

DSS AAPM
• Required for cleared defense contractors in the National Industrial Security Program
• Provides standardized security policies and procedures for use in safeguarding classified information processed by contractors' information systems
• Part of the DSS transition of the National Industrial Security Program (NISP) certification & accreditation process to RMF
• Based on NIST 800-53 controls
• 256 – 396 controls depending on the overlay selected
• Provides additional guidance/direction on some controls
DFARS (Defense Federal Acquisition Regulation Supplement)
204.73 (subpart) Safeguarding Covered Defense Information and Cyber Incident Reporting
252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
252.204-7008 Compliance with Safeguarding Covered Defense Information Controls
252.204-7009 Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information
202.1 (subpart) Definitions
239.76 (subpart) Cloud Computing
252.239-7009 Representation of Use of Cloud Computing
252.239-7010 Cloud Computing Services
212.301(f) (clauses & provisions) Solicitation provisions and contract clauses for the acquisition of commercial items
DFARS
SUBPART / CLAUSE, TITLE, REQUIREMENTS

204.73 (subpart)
  Title: Safeguarding Covered Defense Information and Cyber Incident Reporting. Revised Oct 2016
  Requirements: Contractors & subcontractors must safeguard 'Covered' defense information that resides in / through contractor 'UNCLASSIFIED' information systems. Must rapidly report incidents … to DoD via www.dibnet.dod.mi. Report will include i) incident report, ii) malicious software, and iii) media.

252.204-7012 (clause)
  Title: Safeguarding Covered Defense Information and Cyber Incident Reporting. Revised Dec 2015
  Requirements:
  • Contractor will implement information systems security protections on all covered contractor 'UNCLASSIFIED' information systems
  • Contractor (Offeror) represents that it will implement security requirements in NIST 800-171 as soon as practical but no later than December 31, 2017
  • Contractor will apply other information system security measures when the contractor reasonably determines that additional security measures are required
  • "Alternative but equal effective" security measures … submitted in writing to an "authorized representative of the DoD CIO," who will "adjudicate" offeror requests
  • If Contractor intends to use an external cloud service provider … security requirements … for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline
  • Contractor will rapidly report incidents within 72 hours to … prime contractor and DoD via http://dibnet.dod.mil; Medium Assurance Certificate required
FAR (Federal Acquisition Regulation)
Subpart 4.19 Basic Safeguarding of Covered Contractor Information Systems
52.204-21 Basic Safeguarding of Covered Contractor Information Systems
THE FAR 15 / NIST 800-171 DIFFERENCES

FAR 52.204-21 specified requirement and the corresponding NIST (SP) 800-171 requirement:
• (vii) Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
  -> 3.8.3 Sanitize or destroy information system media containing CUI before disposal or release for reuse.
• (ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
  -> 3.10.3 Escort visitors and monitor visitor activity. 3.10.4 Maintain audit logs of physical access. 3.10.5 Control and manage physical access devices.

Any federal acquisition will include FAR 52.204-21.
There are 15 FAR requirements that essentially are NIST 800-171 requirements, with the 2 exceptions shown above.
SECURITY FAMILIES IN NIST 800-171 vs FAR 15 'SECURITY FAMILIES'
AC - Access Control (3.1) | AC - Access Control
AT - Awareness & Training (3.2) | (none)
AU - Audit & Accountability (3.3) | (none)
CM - Configuration Management (3.4) | (none)
IA - Identification & Authentication (3.5) | IA - Identification & Authentication
IR - Incident Response (3.6) | (none)
MA - Maintenance (3.7) | (none)
MP - Media Protection (3.8) | MP - Media Protection
PS - Personnel Security (3.9) | (none)
PE - Physical Protection (3.10) | PE - Physical Protection
RA - Risk Assessment (3.11) | (none)
CA - Security Assessment (3.12) | (none)
SC - System & Communications Protection (3.13) | SC - System & Communications Protection
SI - System & Information Integrity (3.14) | SI - System & Information Integrity
DFARS VS FAR FAMILIES
DFARS: NIST 800-171