Post on 03-Jun-2020
CI Security
Mike Hamilton, Founder and CISO
Our stuff keeps your stuff from becoming their stuff

The Cyber Maturity Model Certification: Time To Get Serious
Critical Infrastructure Risk Management
March 5, 2019
Your Presenter
• Founder, CI Security
• Policy Advisor, Washington State
• CISO, City of Seattle
• Managing Consultant, VeriSign
• Senior Principal Consultant, Guardent
• Independent Security Consultant
• Founder, Network Commerce, Inc.
• Ocean Scientist, NASA/JPL
About CI Security
Professional Services, Continuous Vulnerability Identification (CVI), and Log Management

• IR Plan Top Table Exercise
• Incident Response Plan
• Policy, Process & Procedure Development
• Internal & External Vulnerability Assessment
• Focused Security Assessment

• Continuous Vulnerability Identification
• Managed Detection & Response
• Penetration Testing
• Log Management

Ongoing / Periodic:
• Focused Security Assessment

Periodic/Annual Information Security Maintenance Activities:
• Annual Policy Review
• Annual Penetration Testing
• Regular IR Plan TTEs
• Firewall Rule Review
Why Are We Here?
Report: Hackers target defense contractors, telecoms

"Hacking groups with ties to Iran spent much of their time targeting the defense and government sectors in the U.S. and elsewhere, and the firm said it tracked a noticeable shift in emphasis to the United States in the latter half of 2019. This targeting of U.S. entities began picking up around the same time as the 2019 Gulf of Oman incident, when three oil tankers and a bunkering ship were damaged with explosives, with U.S. officials blaming Iran."

https://defensesystems.com/articles/2020/03/04/crowdstrike-report-cyber-johnson.aspx?m=1
Outcomes to Avoid, Financial Impacts
- Records Disclosure: ~$150/record
- Theft: $75K-$1.2M in our region, millions elsewhere (and rising)
- Disruption: Loss of business continuity or operating capacity, loss of life for certain critical service outages
The Third Party Microscope
And NOW – You’re a Threat to Business Partners

Saw This One Coming
• Market forces versus regulatory requirements to address security – long, ongoing discussion
• The show-your-papers business climate was predictable
• Differentiate your business and get more business based on your security – there’s an actual ROI there
What is a Capability Maturity Model? And What is the CMMC?
• The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats.
• The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.
• The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.
• The intent is for certified independent 3rd party organizations to conduct audits and inform risk.
History
• Intended to protect Controlled Unclassified Information (CUI)
• Still in its development stages
• DFARS regulation required assessment against NIST 800-171
• No one did that
• New capability maturity model adopted, with certification requirement
• Now at version 0.7
• Practices measure technical activities and processes measure the maturity of processes.
What Are Those Practices? The Moving Parts of NIST 800-171
• Access Control (3.1)
• Awareness & Training (3.2)
• Audit & Accountability (3.3)
• Configuration Management (3.4)
• Identification & Authentication (3.5)
• Incident Response (3.6)
• Maintenance (3.7)
• Media Protection (3.8)
• Personnel Security (3.9)
• Physical Protection (3.10)
• Risk Assessment (3.11)
• Security Assessment (3.12)
• System & Communications Protection (3.13)
• System & Information Integrity (3.14)

Standards of Practice: The ingredients are the same… …But the packaging is a little different
• ISO 27001/2
• Payment Card Industry Data Security Standard
• NIST Cybersecurity Framework
• Information Security Forum Standard of Good Practice
• Criminal Justice Information Standard
• HIPAA Security Rule
• FFIEC Audit Handbook
• NERC CIPs
CMMC Levels

                                                                    New (Additional)       Total (Cumulative)
Level  Description                                                  Practices  Processes   Practices  Processes*
1      Basic Cyber Hygiene with Performed Processes                 17         0           17         0
2      Intermediate Cyber Hygiene with Documented Processes         55         51          72         51
3      Good Cyber Hygiene with Managed Processes                    59         34          131        85
4      Proactive Cybersecurity Program with Reviewed Processes      26         34          157        119
5      Advanced / Progressive Cybersecurity Program with
       Optimized Processes                                          16         34          173        153
CMMC Levels
• Level 1 – “Basic Cyber Hygiene” – In order to pass an audit for this level, the DoD contractor will need to implement 17 controls of NIST 800-171 rev1.
• Level 2 – “Intermediate Cyber Hygiene” – In order to pass an audit for this level, the DoD contractor will need to implement another 48 controls of NIST 800-171 rev1 plus 7 new “Other” controls.
• Level 3 – “Good Cyber Hygiene” – In order to pass an audit for this level, the DoD contractor will need to implement the final 45 controls of NIST 800-171 rev1 plus 14 new “Other” controls.
• Level 4 – “Proactive” – In order to pass an audit for this level, the DoD contractor will need to implement 13 controls of NIST 800-171 RevB plus 13 new “Other” controls.
• Level 5 – “Advanced / Progressive” – In order to pass an audit for this level, the DoD contractor will need to implement the final 5 controls in NIST 800-171 RevB plus 11 new “Other” controls.
Getting Ready
• Self-Assess, using the NIST Handbook – OR hire a qualified assessor
• Work down your corrective action plan
• When certification firms become accredited, hire one
Status Today
• October 3rd 2019 DoD issued an RFI to solicit accreditation bodies for CMMC
• By end of year, certification will become a no-nonsense requirement
• The contracts you may bid on are dependent on your certification level.
• Must meet certification requirements at the time of award
• Phase 1 only applies to contractor networks, and not products
• CMMC validation by a third party is expected to be requested in RFIs starting in June of 2020 and in RFPs starting in the fall of 2020
The Value of Managed Security Services
• The upper levels will be extremely hard to meet for any but the largest companies
• Requirements for documented and repeatable processes are expensive and time-consuming to put in place
• Monitoring, detection of aberrational network events, investigation, response and recovery
• Continuing compliance responsibilities are best handled by point-in-time consulting engagements
• A Virtual CISO is an economical alternative to hiring
Detection & Response is a Gap
Most organizations suffer, and deal with the fallout

Figures shown on the slide: 205 / 89% / 69%
• average days until compromised asset detected
• of victims are notified by a third party such as the FBI
• of victims were not compliant with regulatory requirements

www.criticalinformatics.com March 10, 2020
Ongoing Compliance Responsibilities
Key Performance Requirements – Information Security Officer

Weekly:
• Weekly Report
• Incident Management
• Recordkeeping (e.g. security testing results for products)
• Corrective action board; infosec ritual
• Meetings (change control, infosec, governance, etc.)
• Consulting project management
• Ad-hoc service requests (access changes, e.g.)
• Planning for upcoming monthly, quarterly, or annual requirements

Monthly:
• Conduct vulnerability Assessment
• Review vulnerability assessment results, assign disposition and delegate
• Firewall rules review

Quarterly:
• Access authorization management reviews
• Conduct Risk Governance Committee meeting
• Perform 2 of the annual requirements

Annually:
• Penetration test
• Risk Assessment
• Security Awareness Training / Attestation
• Tabletop or functional security exercise
• Policy review
• Service audits
• Participate in annual planning and budget development
Summary
• CMMC Certification will be a prerequisite to bidding on DOD project work
• Start now – assess, understand your gaps, work down your corrective action plan
• Be ready to engage an accredited assessor in Q3
• Security consulting and managed detection and response services will boost you to higher levels of contract availability
CONTACT US
Mike Hamilton
mkh@ci.security
Info@ci.security
@detectrespond – Company Tweets
@seattlemkh – Unvarnished Opinions (Buckle Up)
Sign up for the IT Security News Blast
https://ci.security/resources/daily-news

CI Security
Our stuff keeps your stuff from becoming their stuff