
DFARS 252 Assessment Session 208: NIST SP 800 - 171 and Controlled Unclassified Information Presented by: Miguel (Mike) O. Villegas, CISA, CISSP, CSX|F, PA QSA, PCI QSA 734 - 546 - 9605 [email protected]

Post on 01-Sep-2018


TRANSCRIPT

DFARS 252 Assessment Session 208: NIST SP 800-171 and Controlled Unclassified Information

Presented by: Miguel (Mike) O. Villegas, CISA, CISSP, CSX|F, PA QSA, PCI QSA

[email protected]

Who does this apply to?

• Non-Federal Information System – an information system operated by a non-federal organization that stores, processes, or transmits CUI (see NIST SP 800-171r1)
• Non-Federal Organizations – federal contractors; state, local, and tribal governments; and colleges and universities
• Ask your federal contractor, such as Raytheon, Boeing, Lockheed…

Questions:
• Does this apply to me?
• I am being asked to be DFARS compliant, but by my:
  • Partners
  • Customers
  • Federal Contractor (not one of the primes)
• Will the date (12/31/17) change? It is now November 2017.
• I have been asked to complete the Exostar form online. Isn’t that all I need to do?
• I’m a university, bank, manufacturer, public utility, etc. I am not a defense contractor. Does this apply to me? Or does it?
• I can’t believe they would cut my contract if not compliant. How serious is this?

On September 14, 2016, NIST SP 800-171r1 (Controlled Unclassified Information in Nonfederal Information Systems and Organizations) was formally issued to provide guidance on controlled unclassified information (CUI). Safeguarding or disseminating CUI, consistent with applicable law, regulations, and government-wide policies, is vital, and noncompliance by December 31, 2017, means government contractors will lose their contract. Experience has shown that this order, like others before it, will not be taken seriously—but it should be. If your organization is facing noncompliance, this session will focus on the NIST SP 800-171 control families, requirements, and compliance dates.

Chief Information Security Officer (CISO)

What is DFARS?

DFARS - Defense Federal Acquisition Regulation Supplement

DFARS 252.204-7012 - Section pertaining to cybersecurity requirements to protect Controlled Unclassified Information (CUI) and report security incidents

Controlled Unclassified Information (CUI) Registry

https://www.archives.gov/cui/registry/category-list#page-header

• Agriculture
• Controlled Technical Information
• Critical Infrastructure
• Emergency Management
• Export Control
• Financial
• Geodetic Product Information
• Immigration
• Intelligence
• International Agreements
• Law Enforcement
• Legal
• NATO
• Nuclear
• Privacy
• Procurement and Acquisition
• Proprietary Business Information
• SAFETY Act Information
• Statistical
• Tax
• Transportation

What is NIST SP 800-171r1?

The cybersecurity framework specified under DFARS 252.204-7012. Derived from NIST SP 800-53r4 and FIPS 200. Consists of 14 Control Families and 110 Controls:

• AC – Access Control
• AT – Awareness and Training
• AU – Audit and Accountability
• CA – Security Assessment
• CM – Configuration Management
• IA – Identification and Authentication
• IR – Incident Response
• MA – Maintenance
• MP – Media Protection
• PS – Personnel Security
• PE – Physical Protection
• RA – Risk Assessment
• SC – System & Communications
• SI – System & Information Integrity

• NIST SP 800-171r1 is made up of basic and derived security requirements, which are obtained from FIPS 200 and NIST SP 800-53, respectively.
• NIST SP 800-171r1 is made up of 14 Families of controls.

CUI Security Requirements

Source: Dr. Ron Ross, NIST

Definitions
• OEM - An original equipment manufacturer (OEM) is a company whose products are used as components in the products of another company, referred to as the value-added reseller (VAR).
• Federal contractors are individuals or employers who enter into a contract with the United States (any department or agency) to perform a specific job, supply labor and materials, or for the sale of products and services.
• Top 100 Contractors – the top 100 contractors in 2015 included Lockheed Martin Corp, The Boeing Company, General Dynamics Corp, Raytheon Company, Northrop Grumman Corporation, McKesson Corporation, United Technologies Corporation, and many more. These are typically the PRIMARY CONTRACTOR with a government agency.
• Government Agency – The top five departments by dollars obligated in 2015 were the Department of Defense ($212.5 billion), Department of Energy ($23 billion), Health and Human Services ($21 billion), Department of Veteran Affairs ($20 billion), and NASA ($13 billion).
• DAA - The Designated Approving Authority (e.g., in the United States Department of Defense) is the official with the authority to formally assume responsibility for operating a system at an acceptable level of risk. The new official term that has replaced DAA is Authorizing Official (AO).

Definitions (continued…)

What are the differences between the accreditation decisions? Once the Designated Approving Authority (DAA) has reviewed the system information and recommendation, there are four possible DAA accreditation decisions that can be made:

• Authorization to Operate (ATO) – full operation approval with a duration of three years;
• Interim Authorization to Operate (IATO) – allows operation to manage IA security weaknesses for a maximum of six months;
• Interim Authorization to Test (IATT) – a special case for authorizing testing, allowing operation for a limited time; or
• Denial of Authorization to Operate (DATO) – issued if a DoD information system has inadequate IA design. If you receive a DATO, please contact your organization’s Information Assurance (IA) professional.

NOTE: If an Accreditation Decision has not been issued, a system is considered “unaccredited” and is not allowed to operate.

• NIST Special Publication 800-171r1 – formally issued, completed on December 20, 2016

Definitions (continued…)

• IA – Information assessment
• Federal Information System – an information system operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. (See Federal Information Security Management Act (FISMA) – 40 U.S.C., Sec. 11331)
• Non-Federal Information System – an information system operated by a non-federal organization that stores, processes, or transmits CUI (see NIST SP 800-171r1)
• Non-Federal Organizations – federal contractors; state, local, and tribal governments; and colleges and universities
• POAM - plans of action and milestones (POAM) for any planned implementations or mitigations
• SSP - Nonfederal organizations describe in a system security plan (SSP) how the CUI requirements are met or how the organization plans to meet the requirements. The SSP describes the boundary of the information system; the operational environment for the system; how the security requirements are implemented; and the relationships with or connections to other systems.

Road to ATO

Government Agency
• Issues ATO to Primary OEM/FC

OEM/Federal Contractor
• Requires 171r1 IA
• Issues ATO

OEM/Federal Contractor
• Requires 171r1 IA
• Issues ATO

Definitions (continued…)

• NIST Special Publication 800-171r1 – formally issued, completed on December 20, 2016. This publication provides federal agencies with a set of recommended security requirements for protecting the confidentiality of CUI when such information is resident in nonfederal systems and organizations.
• CUI – Controlled Unclassified Information - is any information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
• CUI Registry - is the online repository for information, guidance, policy, and requirements on handling CUI, including issuances by the CUI Executive Agent.
• Information technology - (see 40 U.S.C. 11101(6)) means, in lieu of the definition at FAR 2.1, any equipment, or interconnected system(s) or subsystem(s) of equipment, that is used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency.

Why does any of this matter?

Which supply chains are affected?

Industries Affected by DFARS

https://www.archives.gov/cui/registry/category-list#page-header

• Manufacturing – direct to Primes or Tertiary Contractors
• Universities with Government Grants – Defense Research
• Non-Federal Information System – an information system operated by a non-federal organization that stores, processes, or transmits CUI (see NIST SP 800-171r1)
• Non-Federal Organizations – federal contractors; state, local, and tribal governments; and colleges and universities

Why do so many of these firms have so few cybersecurity measures in place?

No ROI

Approach

PHASE 1 – Risk Assessment – this is a scoping exercise to determine which 171r1 test procedures apply for this assessment; needs the Pre-Assessment Questionnaire; address only moderate and higher impacts based on FIPS 199

PHASE 2 – Gap Assessment – test each in-scope 171r1 test procedure; state whether it is compliant or is a gap, with recommended remediations

PHASE 3 – deploy or facilitate remediations for open gaps; refer to appropriate managed service providers; develop a POA&M for each major gap and an overall SSP

PHASE 4 – test, validate and verify that remediations have been implemented properly and support compliance with 171r1

PHASE 5 – complete the Final NIST SP 800-171r1 report stating the client is fully compliant

Phase 1 – Risk Assessment

• PHASE 1 – Risk Assessment – this is a scoping exercise to determine which 171r1 test procedures apply for this assessment
• Pre-Assessment Questionnaire
• Create SOW and obtain signed agreement
• Complete FIPS 199
• Address only moderate and higher impacts based on FIPS 199
• NIST SP 800-171r1-PBC.docx

Pre-Assessment Questionnaire

Look at DFARS-Assessment_Questionnaire_2017.docx in the Dropbox folder.

Based on the results of the Pre-Assessment Questionnaire, the primary (MMTV, CMTC, Alvaka, etc.) will put together an RFQ, SOW, or proposal based on what is requested or agreed to with the client.

Each primary needs to run the proposed fee by MMTV (assessor) BEFORE committing to the client. The reason is that the amount of work to perform Phase 1 and Phase 2 needs to be determined by the assessor, not the primary. This is reciprocated when the assessor recommends Alvaka or another remediator to the client to address a gap.

Basic Guideline: The less the client has in place (“No” answers in the Pre-Assessment Questionnaire), the less the effort to develop a Gap Assessment (Phase 1 and 2). The more they have in place, the more testing is required to determine where they are compliant and what remediations will address the gaps. Testing of controls takes place in Phase 2 and Phase 4.

FIPS 199 defines three levels of potential impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability).

• The potential impact is LOW if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
• The potential impact is MODERATE if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
• The potential impact is HIGH if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

The generalized format for expressing the security category, SC, of an information type is:

SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}

where the acceptable values for potential impact are LOW, MODERATE, HIGH, or NOT APPLICABLE.

Only those impacts that are moderate and high are in scope of the NIST SP 800-171r1 IA. (See fips_199_security_categorization.docx)
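The scoping rule above (only MODERATE and HIGH impacts are in scope) can be applied mechanically once each information type is expressed in the FIPS 199 SC format. The following is an added example, not code from the presentation or from K3DES: it parses SC expressions in the slide's format, rolls several information types up to a system-level category using the FIPS 199 high water mark (the per-objective maximum), and lists the objectives that fall into assessment scope. The information type names in the sample expressions are constructed for illustration.

```python
"""FIPS 199 security categorization helper (added example, not from the deck)."""
import re
from typing import Dict, List

# Ordering used for the high water mark; NOT APPLICABLE never raises the mark.
IMPACT_RANK = {"NOT APPLICABLE": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Matches one "(objective, IMPACT)" pair inside the SC expression.
PAIR_RE = re.compile(
    r"\(\s*(confidentiality|integrity|availability)\s*,\s*([A-Z ]+?)\s*\)", re.IGNORECASE
)


def parse_sc(expr: str) -> Dict[str, str]:
    """Parse 'SC <type> = {(confidentiality, X), (integrity, Y), (availability, Z)}'."""
    found: Dict[str, str] = {}
    for objective, impact in PAIR_RE.findall(expr):
        impact = impact.strip().upper()
        if impact not in IMPACT_RANK:
            raise ValueError(f"unknown impact level {impact!r} in {expr!r}")
        found[objective.lower()] = impact
    missing = [o for o in OBJECTIVES if o not in found]
    if missing:
        raise ValueError(f"missing objectives {missing} in {expr!r}")
    return found


def high_water_mark(categories: List[Dict[str, str]]) -> Dict[str, str]:
    """System SC = per-objective maximum over all information types it handles."""
    result = {o: "NOT APPLICABLE" for o in OBJECTIVES}
    for cat in categories:
        for o in OBJECTIVES:
            if IMPACT_RANK[cat[o]] > IMPACT_RANK[result[o]]:
                result[o] = cat[o]
    return result


def in_scope_objectives(system_sc: Dict[str, str]) -> List[str]:
    """Per the slide, only MODERATE and HIGH impacts are in scope of the 171r1 assessment."""
    threshold = IMPACT_RANK["MODERATE"]
    return [o for o in OBJECTIVES if IMPACT_RANK[system_sc[o]] >= threshold]


# Constructed sample expressions in the slide's format (hypothetical information types).
SAMPLE = [
    "SC contract drawings = {(confidentiality, MODERATE), (integrity, LOW), (availability, LOW)}",
    "SC public web content = {(confidentiality, NOT APPLICABLE), (integrity, MODERATE), (availability, LOW)}",
]

if __name__ == "__main__":
    system = high_water_mark([parse_sc(e) for e in SAMPLE])
    print("system SC:", system)
    print("in scope:", in_scope_objectives(system))
```

For the two constructed types, the system category is MODERATE for confidentiality and integrity and LOW for availability, so only the first two objectives drive the in-scope test procedures.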

FIPS 199

Phase 2 – Gap Assessment

• PHASE 2 – Gap Assessment – test each in-scope 171r1 test procedure; state whether it is compliant or is a gap, with recommended remediations
• CSET 8.0
• NIST SP 800-171r1 Worksheet
• Use NIST SP 800-171r1 Folder Structure for Evidence
• Test, Verify, and Evidence all In-Scope Test Procedures
• Recommend viable, cost-effective, risk-based remediations that satisfy the test procedure and control
• Identify a compensating control (CC) if remediation is too expensive, time consuming, or not feasible; but only if the CC will satisfy the test procedure
• Gap Assessment and Risk Assessment must be QA’d by the primary and assessor management team before being delivered to the client

Network Diagram

This is a simple network diagram that demonstrates a pictorial view of the network topology, components, segmentation, and firewall/router/switch/IDS placements.

This network diagram must coincide with actual layer 3 configurations and rules (ACLs and VLANs).

Network Diagram With Segmentation

Network Diagram Sample (Redacted)

Compensating Controls

Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Compensating controls must:

1. Meet the intent and rigor of the original control;
2. Provide a similar level of defense as the original control;
3. Be “above and beyond” other control requirements (not simply in compliance with other controls); and
4. Be commensurate with the additional risk imposed by not adhering to the control.

Source: PCI DSS v3.2

Phase 3 - Remediations

Phase 4 – Validation and Verification

• SIEM – Security Incident & Event Monitor
• IPS/IDS – Intrusion Prevention/Detection System
• WAF – Web Application Firewall
• Database Monitoring
• Multi-Factor Authentication
  • Hard Tokens
  • Soft Tokens
• Network Monitoring
• TLS/SSL/EV – Web communication encryption
• Data Loss Prevention (DLP)

Monitoring Tools

Magic Quadrant

A GOOD START

• Gartner Magic Quadrant
• Forrester Wave

Security Information & Event Monitor (SIEM): COMMERCIAL / OPEN SOURCE

• Cost
• Scalability
• Flexibility
• Skillset requirements
• Current signatures
• Agent and/or Agentless

File Integrity Monitoring: COMMERCIAL / OPEN SOURCE

• Cost
• Scalability
• Flexibility
• Skillset requirements
• Current signatures

TRIPWIRE

(For End-User Computing Only)

IDS/IPS: COMMERCIAL / OPEN SOURCE

• Cost
• Scalability
• Flexibility
• Skillset requirements
• Current signatures

Web Application Firewalls: COMMERCIAL / OPEN SOURCE

• Cost
• Scalability
• Flexibility
• Skillset requirements
• Current attack vectors

ESAPI Web Application Firewall (ESAPI WAF)

Database Monitoring: COMMERCIAL / OPEN SOURCE

• Cost
• Scalability
• Flexibility
• Skillset requirements
• Current signatures
• Agent and/or Agentless

Multi-Factor Authentication

• Multi-factor authentication (also MFA or M-FA) is an approach to authentication which requires the presentation of two or more of the three authentication factors:
  • Something I know
  • Something I have
  • Something I am

- RSA SecurID

PhoneFactor offers instant integration with a wide range of applications, including all leading remote access VPN solutions, single sign-on systems, cloud applications, online banking, and websites as well as custom applications. PhoneFactor also integrates with Active Directory and LDAP servers for centralized user management.

Network Monitoring

• A detailed analysis of vulnerabilities found within your IP addresses or domain, classified by High, Medium or Low severity
• Step-by-step instructions on how to remediate threats, so you can immediately address the most serious vulnerabilities

Data Loss Prevention

• Detect, block or control the usage of (for example, saving, printing or forwarding) specific content based on established rules or policies.
• Monitor network traffic for, at a minimum, e-mail traffic and other channels/protocols (HTTP, IM, FTP) and analyze across multiple channels, in a single product and using a single management interface.
• End-Point / Network / Discovery

Balanced View of Information Security

CONTROLS versus RISKS, framed by STRATEGIC BUSINESS OBJECTIVES

Risks:
• Compliance
• Reputation
• Availability
• Financial
• Security
• Confidentiality
• Fraud
• Insider Threats
• Corporate Espionage
• National Security

Controls:
• Directive
• Preventive
• Detective
• Corrective

PHASE 5 – complete the Final DFARS/NIST SP 800-171r1 report stating the client is fully compliant

Complete the Exostar form and state whether you are compliant or not.

If not, you then need to provide:
• Systems Security Plan (SSP)
• Plan of Action and Milestones (POA&M) for each gap
• Each gap needs a plan
• Each gap needs a timeline and deadline
• Make sure you meet that deadline

Caveats?

GAP Assessment prior to Risk Assessment will miss the target

• general purpose information systems;
• industrial and process control systems;
• cyber-physical systems; and
• individual devices that are part of the Internet of Things.

NIST SP 800-171r1 IT and OT Considerations

Shop Floor & SCADA systems are in scope

Mike O. Villegas, CISA, CISSP, GSEC, CSX|F, PCI-QSA, PA-QSA

Miguel (Mike) O. Villegas is a Senior Vice President for K3DES LLC. He performs and QA’s PCI-DSS and PA-DSS assessments for K3DES clients. He also manages the K3DES ISO/IEC 27002:2013 program. Mike also specializes in DFARS 252/NIST SP 800-171r1 compliance. He was previously Director of Information Security at Newegg, Inc. for five years. Mike currently is a Contributing Writer for SearchSecurity.com – TechTarget with over 150 published articles.

Mike has over 35 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services, responsible for IT Regulatory Compliance, and was previously a partner at Arthur Andersen and Ernst & Young for their information systems security and IS audit groups over a span of nine years. Mike is a CISA, CISSP, GSEC, PCI-QSA and PA-QSA.

Mike was president of the LA ISACA Chapter during 2010-2012 and president of the SF ISACA Chapter during 2005-2006. He was the SF Fall Conference Co-Chair from 2002–2007 and also served for two years as Vice President on the Board of Directors for ISACA International. Mike has taught CISA review courses for over 20 years.

Summary Steps

1. Assess Legal & Contractual Requirements
2. Start with a DFARS Scoping & Readiness Assessment
3. Author Policy and Procedures
4. Implement Technical Remediation Measures as Needed
5. Institute Security Awareness and Training
6. Perform an Annual Risk Assessment
7. Confirm Successful Remediation Efforts
8. Ensure System Security Plan (SSP) and other Related Documents are in Order
9. Have an Independent Party perform an Assessment for DFARS compliance
10. Engage in Continuous Monitoring of your controls
11. Know that Federal Compliance is here to stay
12. Remember you have until December 31, 2017 to be compliant!