cybersecurity: secure today to flourish tomorrow


Posted on 10-Feb-2016










Cybersecurity: Secure Today To Flourish Tomorrow

New Cybersecurity Requirements for Government Contractors and What They Mean For Your Organization

Ryan C. Bradel, Associate, Greenberg Traurig

The Need for Cybersecurity


Cyber Attacks

This is a very major security compromise that has possibly put at risk numerous sensitive government sites and private industry as well. - Former U.S. National Security Advisor Richard Clarke

In 2011, a major online attack was launched against the networks of Lockheed Martin, the country's largest defense contractor. Hackers reportedly exploited Lockheed's VPN access system, which allows employees to log in remotely using their RSA SecurID hardware tokens. Attackers apparently possessed the seeds (the factory-encoded random keys) used by at least some of Lockheed's SecurID hardware fobs, as well as the serial numbers and the underlying algorithm used to secure the devices. The seed data is widely reported to have come from the March 2011 breach of RSA itself, which is why a compromise at the token vendor translated directly into compromised remote access at a customer.

Anonymous Hacks ManTech, an FBI Cybersecurity Contractor

Anonymous acquired and released to the public a list of approximately 90,000 military emails and Base64-encoded password hashes after hacking into systems of Booz Allen Hamilton, the large government contractor that works closely with many defense, intelligence and civil sector organizations on cybersecurity.

Heady Times in Cybersecurity

The last couple of years have seen a flurry of activity, primarily from the Obama Administration but also from Congress, working to stay ahead of the cybersecurity curve.

Today we will be focusing on two items that are likely to have the most impact for government contractors:
- The NIST Draft of the Preliminary Cybersecurity Framework.
- The Proposed FAR Rule, Basic Safeguarding of Contractor Information Systems.

Both of these items are in draft/proposed form so the situation is very fluid.

The $64,000 Question(s):
- Will the Government establish mandatory, uniform cybersecurity standards for government contractors across agencies and industries?
- If so, what are they likely to look like? How will it be accomplished?

Roadmap

Brief history of the cybersecurity regime:
- FISMA
- NIST Special Publications 800-37 / 800-53

Recently enacted laws affecting government contractors:
- DoD Instruction 8582.01
- GSAR Case 2011-G503
- Executive Order 13636 / Presidential Policy Directive 21

The latest NIST guidelines:
- Draft NIST Cybersecurity Framework (a direct response to EO 13636)

The future: implications for government contractors:
- Proposed changes to the FAR
- General Services Administration RFI
- More changes to the FAR?

Roadmap

The focus of today's conversation will be on cybersecurity requirements for government contractors.

Many of the laws and guidelines that we discuss today are also or primarily applicable to government agencies or commercial companies. But we are going to focus in on the elements that are applicable to government contractors.

Roadmap

We approach the issue from a legal perspective: focusing on the institutions and entities that have been involved and the work they have done, as well as on complying with the legal requirements.

Relevant Laws/Guidelines

In place:
- FISMA
- NIST Special Publications 800-37, 800-53
- GSA Cybersecurity Regulation GSAR 552.239-71
- DoD Instruction 8582.01
- Executive Order 13636
- Presidential Policy Directive 21

Pending:
- NIST Draft Cybersecurity Framework
- Proposed FAR Rule, 77 Fed. Reg. 51496

Proposed:
- GSA RFI, 78 Fed. Reg. 27966
- CISPA

The cybersecurity regime for contractors has been

The state of the cybersecurity regime for contractors

If the past has been haphazard, ad hoc and piecemeal, the present has been characterized by a move, somewhat, towards uniformity and clearer standards.

For example, Executive Order 13636 sought to harmonize and make consistent existing procurement requirements related to cybersecurity.

Federal Information Security Management Act of 2002 (FISMA) Stated Purposes

Provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets.

Provide for the development and maintenance of minimum controls required to protect Federal information and information systems.

Recognize that selection of specific technical hardware and software information security solutions should be left to individual agencies from among commercially developed products.

Federal Information Security Management Act of 2002 (FISMA) Basic Requirements

FISMA requires each agency's program officials, chief information officers and inspectors general to conduct annual reviews of the agency's information security program and report the results to the Office of Management and Budget.


FISMA requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information systems that support the operations and assets of the agency, including those provided or managed by contractors.

Federal Information Security Management Act of 2002 (FISMA) FISMA for Government Contractors

FISMA really only has direct application to the agencies themselves; it puts the onus on the agency to ensure compliance, including for the systems its contractors provide or manage on its behalf.

Agencies can and will conduct FISMA audits of government contractors.

However, once again, the standards under which a FISMA audit is conducted will often be very agency specific, and for a contractor undergoing a FISMA audit for the first time it can be difficult to figure out what the standards will be.

Federal Information Security Management Act of 2002 (FISMA)

Roadmap that we recommend contractors follow to comply with FISMA (it tracks the steps of the NIST Risk Management Framework described below):
1. Categorize the information to be protected.
2. Select minimum baseline controls.
3. Refine controls using a risk assessment procedure.
4. Document the controls in the system security plan.
5. Implement security controls in appropriate information systems.
6. Assess the effectiveness of the security controls once they have been implemented.
7. Determine agency-level risk to the mission or business case.
8. Authorize the information system for processing.
9. Monitor the security controls on a continuous basis.

The Role of the National Institute of Standards and Technology (NIST)

Founded in 1901 and now part of the U.S. Department of Commerce, NIST is one of the nation's oldest physical science laboratories. Congress established the agency to improve the global industrial competitiveness of the U.S.

FISMA tasked NIST with developing the basic standards for cybersecurity.

The result, as is most relevant here, is NIST Special Publication 800-53, the Federal Government's foundational cybersecurity document. It has been evolving ever since its inception, with the most recent iteration published in May 2013. The standards are designed to have broad applicability and be useful for agencies, government contractors and commercial businesses.

NIST Special Publication 800-37

The Guide for Applying the Risk Management Framework to Federal Information Systems.

A structured process that integrates information security risk and risk management activities into a system development life-cycle.


NIST Special Publication 800-37

Six Risk Management Framework steps:

1. Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.

2. Select an initial set of baseline security controls for the information system based on the security categorization, tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions.

3. Implement the security controls and describe how the controls are employed within the information system and its environment of operation.

4. Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

5. Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system, and the decision that this risk is acceptable.

6. Monitor the security controls in the information system on an ongoing basis, including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.

NIST Special Publication 800-53

NIST Special Publication 800-53 is the meat on the bones of the FISMA cybersecurity regime.

It is effectively a menu of cybersecurity control guidelines and a process for selecting an initial set of baseline security controls, tailoring the baseline security controls, and supplementing the security controls based on an organizational assessment of risk.

The security rules cover 17 areas, including access control, incident response, business continuity and disaster recovery.

Recent revisions to 800-53 addressed:
- Additional security controls and enhancements for advanced cyber threats;
- Recommendations for prioritizing security controls during implementation or deployment;
- Guidance on using the risk management framework for legacy information systems and for external information system servic