Cybersecurity: Secure Today To flourish tomorrow


Post on 10-Feb-2016





New Cybersecurity Requirements for Government Contractors and What They Mean For Your Organization (PowerPoint presentation)

Ryan C. Bradel, Associate, Greenberg Traurig

The Need for Cybersecurity


Cyber Attacks

"This is a very major security compromise that has possibly put at risk numerous sensitive government sites and private industry as well." - Former U.S. National Security Advisor Richard Clarke

In 2011, a major online attack was launched against the networks of Lockheed Martin, the country's largest defense contractor. Hackers reportedly exploited Lockheed's VPN access system, which allows employees to log in remotely by using their RSA SecurID hardware tokens. Attackers apparently possessed the seeds (factory-encoded random keys) used by at least some of Lockheed's SecurID hardware fobs, as well as serial numbers and the underlying algorithm used to secure the devices.

Anonymous Hacks ManTech, an FBI Cybersecurity Contractor

Anonymous acquired and released to the public a list of approximately 90,000 military emails and Base64 password hashes, after hacking into systems from Booz Allen Hamilton, the large government contractor that works closely with many defense, intelligence, and civil sectors on cybersecurity.

Heady times in Cybersecurity

The last couple of years have seen a flurry of activity, primarily from the Obama Administration, but also from Congress, working to stay ahead of the cybersecurity curve.

Today we will be focusing on two items that are likely to have the most impact for government contractors:
- The NIST Draft of the Preliminary Cybersecurity Framework.
- The Proposed FAR Rule: Basic Safeguarding of Contractor Information Systems.

Both of these items are in draft/proposed form so the situation is very fluid.

The $64,000 Question(s):

Will the Government establish mandatory, uniform cybersecurity standards for government contractors across agencies and industries?

If so, what are they likely to look like? How will it be accomplished?

Roadmap

Brief history of the cybersecurity regime:
- FISMA
- NIST Special Publications 800-37 / 800-53

Recently enacted laws affecting government contractors:
- DOD Instruction 8582.01
- GSAR Case 2011-G503
- Executive Order 13636 / Presidential Policy Directive 21

The latest NIST guidelines:
- Draft NIST Cybersecurity Framework (direct response to EO 13636)

The future: implications for government contractors:
- Proposed changes to the FAR
- General Services Administration RFI
- More changes to the FAR?

Roadmap

The focus of today's conversation will be on cybersecurity requirements for government contractors.

Many of the laws and guidelines that we discuss today are also or primarily applicable to government agencies or commercial companies. But we are going to focus in on the elements that are applicable to government contractors.

Roadmap

Approaching the issue from a legal perspective: focusing on the institutions and entities that have been involved and the work they have done, as well as complying with the legal requirements.

Relevant Laws/Guidelines

In place:
- FISMA
- NIST Special Publications 800-37, 800-53
- GSA Cybersecurity Regulation GSAR 552.239-71
- DoD Instruction 8582.01
- Executive Order 13636
- Presidential Policy Directive 21

Pending:
- NIST Draft Cybersecurity Framework
- Proposed FAR Rule, 77 Fed. Reg. 51496

Proposed:
- GSA RFI, 78 Fed. Reg. 27966
- CISPA

The cybersecurity regime for contractors has been

The state of the cybersecurity regime for contractors

If the past has been haphazard, ad hoc and piecemeal, the present has been characterized by a move, somewhat, towards uniformity and clearer standards.

For example, Executive Order 13636 sought to harmonize and make consistent existing procurement requirements related to cybersecurity.

Federal Information Security Management Act of 2002 (FISMA): Stated purposes

Provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets.

Provide for the development and maintenance of minimum controls required to protect Federal information and information systems.

Recognize that selection of specific technical hardware and software information security solutions should be left to individual agencies from among commercially developed products.

Federal Information Security Management Act of 2002 (FISMA) Basic Requirements

FISMA requires each agency's program officials, chief information officers and inspectors general to conduct annual reviews of the agency's information security program and report the results to the Office of Management and Budget.

Federal Information Security Management Act of 2002 (FISMA) Basic Requirements

FISMA requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information systems that support the operations and assets of the agency, including those provided or managed by contractors.

Federal Information Security Management Act of 2002 (FISMA) FISMA for Government Contractors

FISMA really only has direct application to the agencies themselves; it puts the onus on the agency to ensure compliance.

Agencies can and will conduct FISMA audits of government contractors.

However, once again, the standards under which a FISMA audit is conducted will often be very agency specific and, for a contractor undergoing a FISMA audit for the first time, it can be difficult to figure out what the standards will be.

Federal Information Security Management Act of 2002 (FISMA)

Roadmap that we recommend contractors should follow to comply with FISMA:
- Categorize the information to be protected.
- Select minimum baseline controls.
- Refine controls using a risk assessment procedure.
- Document the controls in the system security plan.
- Implement security controls in appropriate information systems.
- Assess the effectiveness of the security controls once they have been implemented.
- Determine agency-level risk to the mission or business case.
- Authorize the information system for processing.
- Monitor the security controls on a continuous basis.

The Role of the National Institute of Standards and Technology (NIST)

Founded in 1901 and now part of the U.S. Department of Commerce, NIST is one of the nation's oldest physical science laboratories. Congress established the agency to improve the U.S.'s industrial competitiveness globally.

FISMA tasked NIST with developing the basic standards for cybersecurity.

The result, as is most relevant here, is NIST Special Publication 800-53, the Federal Government's foundational cybersecurity document. It has been evolving ever since its inception, with the most recent iteration published in May 2013. The standards are designed to have broad applicability and be useful for agencies, government contractors and commercial businesses.

NIST Special Publication 800-37

The Guide for Applying the Risk Management Framework to Federal Information Systems.

A structured process that integrates information security risk and risk management activities into a system development life-cycle.

NIST Special Publication 800-37

Six Risk Management Framework steps:

Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.

Select an initial set of baseline security controls for the information system based on the security categorization, tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions.

Implement the security controls and describe how the controls are employed within the information system and its environment of operation.

NIST Special Publication 800-37

Six Risk Management Framework steps (cont'd):

Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.

Monitor the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.
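The RMF "Categorize" and "Select" steps above, together with the "refine controls" and "document the controls in the system security plan" steps of the FISMA roadmap earlier in the deck, as an added worked example in Python (this is not code from the presentation). It assumes the FIPS 199 high-water-mark rule (each security objective takes the highest impact level of any information type the system handles, and the highest objective picks the low, moderate or high baseline) and uses a small constructed control catalog whose baseline membership is illustrative, not the real SP 800-53 tables.

```python
"""Added example, not from the presentation: SP 800-37 RMF steps 1-2
(categorize, select) plus tailoring recorded for the system security plan.
Assumes the FIPS 199 high-water-mark rule; the catalog is a constructed sample."""

# Impact levels ordered so that max() picks the high-water mark.
LEVELS = {"low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize(info_types):
    """Step 1: the system's security category is, per objective, the highest
    impact level of any information type it processes, stores or transmits."""
    return {obj: max((t[obj] for t in info_types), key=LEVELS.__getitem__)
            for obj in OBJECTIVES}


def overall_impact(category):
    """The highest of the three objectives picks the low/moderate/high baseline."""
    return max(category.values(), key=LEVELS.__getitem__)


# Constructed sample: control -> lowest baseline that includes it (ids are real
# SP 800-53 controls, but baseline membership here is illustrative only).
SAMPLE_CATALOG = {
    "AC-2 Account Management": "low",
    "AC-2(1) Automated System Account Management": "moderate",
    "IR-4 Incident Handling": "low",
    "IR-4(4) Information Correlation": "high",
    "CP-9 System Backup": "low",
    "CP-9(1) Testing for Reliability/Integrity": "moderate",
}


def select_baseline(impact, catalog=SAMPLE_CATALOG):
    """Step 2: every control whose baseline is at or below the system's impact."""
    return sorted(c for c, lvl in catalog.items() if LEVELS[lvl] <= LEVELS[impact])


def tailor(baseline, remove=None, add=None):
    """Refine the baseline from the risk assessment; every removal or addition
    needs a written rationale, since the SSP must document the final controls."""
    remove, add = remove or {}, add or {}
    for control, why in list(remove.items()) + list(add.items()):
        if not why.strip():
            raise ValueError(f"tailoring {control!r} without a documented rationale")
    selected = sorted((set(baseline) - set(remove)) | set(add))
    rationale = {c: f"removed: {w}" for c, w in remove.items()}
    rationale.update({c: f"added: {w}" for c, w in add.items()})
    return selected, rationale
```

Feed `categorize` a list of dicts keyed by `name` and the three objectives; a single high-availability information type pulls the whole system to the high baseline, which is exactly the effect the high-water mark is meant to have.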

NIST Special Publication 800-53

NIST Special Publication 800-53 is the meat on the bones of the FISMA cybersecurity regime.

It is effectively a menu of cybersecurity control guidelines and a process for selecting an initial set of baseline security controls, tailoring the baseline security controls, and supplementing the security controls based on an organizational assessment of risk.

The security rules cover 17 areas including access control, incident response, business continuity, and disaster recoverability.

NIST Special Publication 800-53

Recent revisions to 800-53 addressed:
- Additional security controls and enhancements for advanced cyber threats;
- Recommendations for prioritizing security controls during implementation or deployment;
- Guidance on using the risk management framework for legacy information systems and for external information system services providers;
- Updates to security control baselines based on current threat information and cyber attacks;
- Guidance on the management of common controls within organizations;
- Strategy for harmonizing FISMA security standards and guidelines with international security standard ISO/IEC 27001;
- Dealing with insider threats;
- Software application security (including web applications);
- Social networking/mobile devices, cloud computing;
- Advanced persistent threats;
- Supply chain security; and
- Privacy/civil liberties concerns.

The FISMA Regime: Criticisms of FISMA

Some have criticized FISMA as a well-intentioned but fundamentally flawed tool because it measures security planning rather than actually measuring the security of the information.

In other words, it assigns tasks and responsibilities for oversight and recommends processes but doesn't establish clear benchmarks that organizations must meet.

Some have said that the FISMA enforcement regime doesn't do a realistic analysis of actual threats and effective responses but merely encourages box checking to please agency auditors.

The FISMA Regime: Examples of Agency-Specific Rules Under FISMA

Two very recently enacted regulations are prime examples of how the FISMA regime can be very agency-specific and very different from agency to agency:

Department of Defense Instruction 8582.01

General Services Administration GSAR 552.239-71

DOD Instruction 8582.01

Designed primarily to apply to contractors:

Establishes policy for managing the security of unclassified DOD information on non-DOD information systems.

Applies to all unclassified DOD information in the possession or control of non-DOD entities on non-DOD information systems.

Appropriate requirements shall be incorporated into all contracts with non-DOD entities.

DOD Instruction 8582.01: Information Safeguards

Do not process unclassified DOD information on publically available computers (e.g., those available for use by the general public in kiosks or hotel business centers).

Protect unclassified DOD information by at least one physical or electronic barrier (e.g., locked container or room, logical authentication or logon procedure) when not under direct individual control of an authorized user.

At a minimum, overwrite media that have been used to process unclassified DOD information before external release or disposal.

DOD Instruction 8582.01: Information Safeguards (cont'd)

Encrypt all information that has been identified as controlled unclassified information (CUI) when it is stored on mobile computing devices such as laptops and personal digital assistants, compact disks, or authorized removable storage media such as thumb drives and compact disks, using the best encryption technology available to the contractor or teaming partner.

Limit transfer of unclassified DOD information to subcontractors or teaming partners with a need to know and obtain a commitment from them to protect the information they receive to at least the same level of protection as that specified in the contract or other written agreement.

DOD Instruction 8582.01: Information Safeguards (cont'd)

Transmit e-mail, text messages, and similar communications containing unclassified DOD information using technology and processes that provide the best level of privacy available, given facilities, conditions, and environment. Examples of recommended technologies or processes include closed networks, virtual private networks, public key-enabled encryption, and transport layer security (TLS).

Encrypt organizational wireless connections and use encrypted wireless connections where available when traveling. If encrypted wireless is not available, encrypt document files (e.g., spreadsheet and word processing files), using at least application-provided password protected level encryption.

Transmit voice and fax transmissions only when there is a reasonable assurance that access is limited to authorized recipients.

DOD Instruction 8582.01: Information Safeguards (cont'd)

Do not post unclassified DOD information to website pages that are publically available or have access limited only by domain or Internet protocol restriction. Such information may be posted to website pages that control access by user identification and password, user certificates, or other technical means and provide protection via use of TLS or other equivalent technologies during transmission. Access control may be provided by the intranet (via the website itself or the application it hosts).

Provide protection against computer network intrusions and data exfiltration, minimally including:
- Current and regularly updated malware protection services, e.g., anti-virus, anti-spyware.
- Monitoring and control of both inbound and outbound network traffic (e.g., at the external boundary, sub-networks, individual hosts), including blocking unauthorized ingress, egress, and exfiltration through technologies such as firewalls and router policies, intrusion prevention or detection services, and host-based security services.
- Prompt application of security-relevant software patches, service packs, and hot fixes.

DOD Instruction 8582.01: Information Safeguards (cont'd)

Comply with other current Federal and DOD inf...
