transforming the profession - ncmahq.org · transforming the profession: ... providing standardized...


Page 1: Transforming the Profession - ncmahq.org · Transforming the Profession: ... providing standardized approach to cloud computing ... no reference to NIST 800-53/800-171: • access

Transforming the Profession: Anticipating and Adapting to Change

Lexington Park, MD - www.ncmachesa.org


Cybercompliance in Government Contracting: 2016 and Beyond
Breakout Session #: C13

Gunjan R. Talati, Kilpatrick Townsend & Stockton, LLP
Christian Henel, Thompson Hine LLP
Aria Mansuri, Principal Product Manager, Distributed Solutions, Inc.

Date: Monday, July 25, Time: 4:00pm–5:15pm


Why We’re Here

• Need for cybersecurity safeguards and reporting has become a leading priority in today’s government contracting environment

• Agencies are revamping their own cybersecurity policies and procedures, shifting more responsibility to contractors. This is cybercompliance.

• Regulatory landscape remains unclear – no FAR provision, divergent approaches

• Cybercompliance can be costly and burdensome

• Contractors need to strike some balance


The Battlefield

Staggering 2015 Statistics / Scary Lessons From 2015:

– 38 percent more security incidents detected than in 2014. – “The Global State of Information Security Survey 2016” (PWC)

– 169 million personal records exposed in 2015, stemming from 781 publicized breaches across the financial, business, education, government and healthcare sectors. – “ITRC Data Breach Reports – 2015 Year-End Totals”

– Over 200: median number of days that attackers stay dormant within a network before detection. – “Microsoft Advanced Threat Analytics”

– 38 percent of global organizations claim they are prepared to handle a sophisticated cyberattack. – “2015 Global Cybersecurity Status Report” | ISACA International

Compilation – www.swimlane.com


The Battlefield

Cybersecurity in the Headlines:

• “FDIC reports five ‘major incidents’ of cybersecurity breaches since fall [2015]” – www.washingtonpost.com
• “OPM announces more than 21 million affected by second data breach” – www.nationaljournal.com
• “OPM says 5.6 million fingerprints stolen in cyberattack, five times as many as previously thought” – www.washingtonpost.com
• “Contractor breach gave hackers keys to OPM data” – www.federaltimes.com
• “IRS hack far larger than first thought” – www.usatoday.com
• GAO: As of 2015, “19 of 24 major federal agencies reported that either a material weakness or significant deficiency in internal controls over their financial reporting” and “inspectors general at 23 of these agencies cited information security as a major management challenge for their agency.” http://www.gao.gov/products/GAO15-573T?source=ra


The Battlefield

• Common types/methods of cyber-crime:
  – Advanced persistent threat (APT): unauthorized access to infiltrate a system undetected
  – Denial of Service: disrupt normal system operations
  – Malware: infiltrate and destroy/inhibit system service
  – Phishing/Spear-phishing: access through e-mail
  – Social Engineering: access leveraging human vulnerabilities (the “human factor”)
  – Other bots, hacks, forced entry: the “brute force” approach


Overview of Federal Laws and Regulations

• What is a cyber incident/cyber attack?
  – No uniform definition
  – DOD: Actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein. DOD Interim Rule 252.204-7012


Overview of Federal Laws and Regulations

• FIPS = Federal Information Processing Standards
• NIST = National Institute of Standards and Technology
• FIPS and NIST work together:
  – FIPS 199: Creates three “impact” categories (low, medium, high) for each of three FISMA security objectives (“confidentiality, integrity, availability”)
  – Agencies apply the FIPS 199 criteria to determine what minimum standards apply (found in NIST 800-53/800-171)


Overview of Federal Laws and Regulations – FISMA

• Policies
  – Provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets
  – Promote development of key cybersecurity “minimum controls”
  – Promote risk-based information security programs
  – No rigid set of rules:
    • Specific solutions left to agencies
    • Recognizes the need for private industry market solutions

• Actions
  – Instructs agencies to protect information/systems and provide security protections
  – Requires agencies to have and implement an “information security program”
  – Requires agencies to report to Congress; subjects agencies to independent audit
  – Tasks National Institute of Standards and Technology (NIST) with creating minimum standards and guidelines


Overview of Federal Laws and Regulations – FISMA

Compliance Based on Three Information Security Objectives:

• Integrity: guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity
• Confidentiality: preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information
• Availability: ensuring timely and reliable access to and use of information


Overview of Federal Laws and Regulations – NIST/FIPS

• FISMA-created standards/minimum required practices
• “Risk-based” compliance based on FISMA’s three security objectives (mapping exercise)
• FIPS 199: Establishes three “impact levels” for each FISMA objective – e.g.: “Confidentiality: Low, Integrity: Moderate, Availability: High”
• FIPS 200: Divides security requirements into 14 “families”
• NIST 800-53 and 800-171: Requirements


Overview of Federal Laws and Regulations FIPS 199:


Overview of Federal Laws and Regulations FIPS 200


Overview of Federal Laws and Regulations – NIST 800-53 & 800-171

NIST 800-53:
• Foundational reference for minimum standards
• Adopts “basic security requirements” from FIPS 200 and adds “derived security requirements”
• Government-facing – focus on the agency’s minimum security standards
• Until recently, passed on to contractors through contract clauses (i.e., substitute “contractor” for “agency”)

NIST 800-171:
– Recently added June 2015
– Contractor facing: applies to components of nonfederal information systems that process, store, or transmit controlled unclassified information (CUI), or that provide security protection for such components
– Contractor obligations “map” to NIST 800-53 standards
– NEW DFARS 252.204-7012 requires compliance with NIST 800-171
– Policy Note – demonstrates the Government’s risk-shift to contractors


Overview of Federal Laws and Regulations – Using NIST and FIPS

How do we determine our compliance obligations?

• Review and apply clauses in your contract
  – These may supplement, modify or supersede NIST/FIPS/FedRAMP
  – May have “special” provisions governing PII or PHI, encryption requirements (FIPS 140-2)
• Determine the FIPS 199 Impact Level
• Map and identify security controls
  – If cloud product: FedRAMP
  – If NIST 800-53 rev. 4 applies, map to the applicable FIPS 199 impact level
  – If NIST 800-171 applies, map to both 800-53 and the applicable FIPS 199 impact level


Look up this item in NIST 800-171, Table D to find the correlated 800-53 minimum requirements


AC-7 referenced in 800-171, Table D

Enhancements – may or may not be required depending on FIPS 199 risk level


Note – Priority and Baseline Allocation come from the FIPS 199 Agency Risk Assessment. In this example, AC-7 applies to all risk categories. Other examples differ:

Note the higher-risk categories sometimes call for enhancements

NIST 800-53 & 800-171
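As an added example (not part of the slide deck), the Python below walks through the mapping exercise from the “Using NIST and FIPS” steps and the baseline-allocation note above: parse a FIPS 199 categorization written in the slides’ notation, derive the system’s overall impact level by the FIPS 200 high-water mark, then check whether a control or enhancement sits in the baseline for that level and list what is still missing. The BASELINES table is constructed for illustration: AC-7 is placed in every baseline as the slide states, while XX-1 and XX-1(1) are hypothetical placeholders, not real NIST 800-53 identifiers.

```python
"""FIPS 199 categorization, FIPS 200 high-water mark, NIST 800-53 baseline lookup.

Added example, not from the slide deck. The BASELINES table is constructed:
AC-7 appears in every baseline (as the slides note); "XX-1" and its
enhancement "XX-1(1)" are hypothetical placeholders. Real allocations must be
looked up in NIST 800-53 Appendix D / 800-171 Table D.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set

LEVELS = ("LOW", "MODERATE", "HIGH")                           # FIPS 199, ascending
OBJECTIVES = ("confidentiality", "integrity", "availability")  # FISMA objectives

# Constructed baseline allocation: control id -> impact levels that require it.
BASELINES: Dict[str, FrozenSet[str]] = {
    "AC-7":    frozenset(LEVELS),                # slides: applies to all categories
    "XX-1":    frozenset({"MODERATE", "HIGH"}),  # hypothetical base control
    "XX-1(1)": frozenset({"HIGH"}),              # hypothetical enhancement, HIGH only
}


@dataclass(frozen=True)
class SecurityCategorization:
    """One FIPS 199 impact level per FISMA security objective."""
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        for name in OBJECTIVES:
            level = getattr(self, name)
            if level not in LEVELS:
                raise ValueError(f"{name}: unknown impact level {level!r}")

    @classmethod
    def parse(cls, text: str) -> "SecurityCategorization":
        """Parse the slides' notation, e.g.
        'Confidentiality: Low, Integrity: Moderate, Availability: High'."""
        found: Dict[str, str] = {}
        for part in text.split(","):
            m = re.fullmatch(r"\s*(\w+)\s*:\s*(\w+)\s*", part)
            if not m:
                raise ValueError(f"cannot parse {part!r}")
            found[m.group(1).lower()] = m.group(2).upper()
        missing = set(OBJECTIVES) - set(found)
        if missing:
            raise ValueError(f"missing objectives: {sorted(missing)}")
        return cls(**{k: found[k] for k in OBJECTIVES})

    def high_water_mark(self) -> str:
        """FIPS 200 high-water mark: the system's overall impact level is the
        highest level assigned to any of the three objectives."""
        return max((getattr(self, n) for n in OBJECTIVES), key=LEVELS.index)


def baseline_controls(level: str) -> Set[str]:
    """All controls and enhancements allocated to the baseline for `level`."""
    if level not in LEVELS:
        raise ValueError(f"unknown impact level {level!r}")
    return {cid for cid, levels in BASELINES.items() if level in levels}


def is_required(control_id: str, level: str) -> bool:
    """The question from the compliance exercise: is this control or
    enhancement part of the baseline we must meet to be considered compliant?"""
    return control_id in baseline_controls(level)


def gap_analysis(sc: SecurityCategorization, implemented: Set[str]) -> Set[str]:
    """Baseline controls at the system's high-water mark not yet implemented."""
    return baseline_controls(sc.high_water_mark()) - implemented


if __name__ == "__main__":
    sc = SecurityCategorization.parse(
        "Confidentiality: Low, Integrity: Moderate, Availability: High")
    level = sc.high_water_mark()
    print("overall impact level:", level)                        # HIGH
    print("XX-1(1) required:", is_required("XX-1(1)", level))    # True
    print("gap:", sorted(gap_analysis(sc, {"AC-7", "XX-1"})))   # ['XX-1(1)']
```

Because the overall level is the high-water mark, a system that is Low for confidentiality but High for availability still inherits the High baseline, which is why an enhancement dismissed as a “small deal” can still be required.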


Overview of Federal Laws and Regulations – FedRAMP:

• Government-wide program (GSA-administered) providing a standardized approach to cloud computing
• Provides minimum standards for data security, continuous monitoring, and incident response based on NIST 800-53 rev. 4.
  – FedRAMP requires the same minimum security requirements as NIST 800-53 plus additional controls suited to protect data in cloud environments
• Contractors apply for provisional or agency-specific authorization to operate (“ATO”)
• Contractors obtain ATO following intensive assessment by a third party assessment organization (3PAO)


Overview of Federal Laws and Regulations – How do agencies implement FISMA, FIPS, NIST, FedRAMP?

• FAR:
  – Prior to May 2016, no FAR clause
  – New Rule provides for “Basic Safeguarding of Contractor Information Systems”
    • Does not address CUI.
• Agency specific clauses
  – Typically incorporate NIST standards for CUI, secured information (NISPOM) for classified information
  – Rapid reporting requirements; some can broadly shift risk to contractors


Overview of Federal Laws and Regulations – May 2016 FAR Revision:

• Follows a near four-year comment period
• Adds Subpart 4.19, “Basic Safeguarding of Contractor Information Systems”
• Applies to “all acquisitions, including acquisitions of commercial items other than commercially available off-the-shelf items, when a contractor's information system may contain Federal contract information”


Overview of Federal Laws and Regulations – Key Definitions:

• Covered contractor information system means an information system that is owned or operated by a contractor that processes, stores, or transmits Federal contract information.

• Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public Web sites) or simple transactional information, such as that necessary to process payments.


Overview of Federal Laws and Regulations

• New clause (FAR 52.204-21), Basic Safeguarding of Covered Contractor Information Systems
  – No reference to specific standards (NIST, FIPS, FedRAMP)
  – 15 requirements, no reference to NIST 800-53/800-171:
    • access control
    • media sanitization
    • network segregation
    • monitoring and risk assessment
    • incident handling and response


Overview of Federal Laws and Regulations

• Warns that clause “does not relieve the Contractor of any other specific safeguarding requirements specified by Federal agencies and departments relating to covered contractor information systems generally or other Federal safeguarding requirements for controlled unclassified information (CUI) as established by Executive Order 13556.”

• Flow-down requirement: Contractor “shall include the substance of this clause, including this paragraph (c), in subcontracts under this contract (including subcontracts for the acquisition of commercial items, other than commercially available off-the-shelf items), in which the subcontractor may have Federal contract information residing in or transiting through its information system.”


Overview of Federal Laws and Regulations – New FAR Clause – Takeaways

• “Basic” requirements are just that – the bare minimum
• Agencies continue to make their own rules – no uniformity
• Contractors continue to shoulder compliance cost, burden, risk of data breach/loss
• Lack of any reference to NIST/FIPS can lead to ambiguity


Overview of Federal Laws and Regulations – DoD Clause – the “New Normal”?

• Contractors must:
  – Provide “adequate security” for “all covered defense information”
  – In accordance with NIST 800-171 (NIST 800-53 rev. 4)
  – Perform specific actions in response to a breach
  – Rapidly report breaches to the agency
  – Engage in forensic preservation (media and malware)


Overview of Federal Laws and Regulations

• DoD: Broad definition of “covered defense information” includes:
  – unclassified information that is (A) Provided to the contractor by or on behalf of DoD in connection with the performance of the contract; or (B) collected, developed, received or transmitted, used, or stored by or on behalf of the contractor; and falls into any of the following categories:
    • Critical information (operations security)
    • Export control
    • Any other information marked or otherwise identified in the contract, that requires safeguarding . . .

NOTE: UCTI not limited to marked information – contractors/subcontractors need to exercise caution



Overview of Federal Laws and Regulations – DoD Cyber Incident Reporting:

• “Rapid” (within 72 hours) of “discovery of any cyber incident”
• Centralized website: http://dibnet.dod.mil
• Forensic mindset: preserve affected data and media


http://dibnet.dod.mil



Overview of Federal Laws and Regulations – Additional DoD Requirements:

When the Contractor discovers a cyber incident that affects covered information or a system, the Contractor “shall” –
a) Conduct a review for evidence of compromise of covered defense information . . .
b) Submit identified malicious software in accordance with instructions provided by the Contracting Officer
c) Preserve and protect images of all known affected information systems identified in paragraph (c)(1)(i) of this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest
d) Provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis


Overview of Federal Laws and Regulations – Your mileage may vary:

• No uniform rule, standard or procedure
• Clauses, procedures differ among agencies
• Common issues with agency clauses:
  – Vaguely written
  – Lack reference to applicable impact levels
  – Antiquated
  – Overly broad (e.g. “contractor shall comply with FISMA . . .”)
  – Extremely short reporting periods (e.g., 30 minutes from discovery of a breach involving CMS PHI data)
  – Liquidated damages to cover credit monitoring, litigation


Policies and Procedures Our perception of cyber crime:


Policies and Procedures The reality:


Policies and Procedures

Compliance v. Security is not an easy balance

• Compliant systems are not necessarily secure
• Secure systems are not necessarily compliant
• Consider the disproportionate costs on mid-sized and small businesses:
  – Non-compliance is not an option
  – Full compliance is costly and burdensome
  – Vendors/products are costly, require additional gap analyses
    • E.g., we purchased an encryption product that uses FIPS 140-2 validated modules, but does our operating system meet the minimum FIPS requirements?


Policies and Procedures

Establishing a Culture of Compliance (There are five “I”s in this team):

• Incorporate data security into the enterprise mission statement and employee handbook
• Identify and equip a Chief Information Security Officer (CISO)
• Instill a culture of security at every level of the organization
• Implement training and best practices into the organization’s processes
  – On-boarding
  – Regular refreshers
  – Alerts, newsletters, e-mail reminders
• Inscribe it in writing – written policies and procedures work best from both an implementation and risk management standpoint


Policies and Procedures

Understanding what data security requirements apply to your organization.

• Typical Government contract follows a uniform format
  – Section H – special clauses
  – Section I – clauses incorporated by reference
  – Appendices (referenced in Section H, if at all)
  – Layers of obligations – clauses, standards incorporate additional clauses, standards by reference


Policies and Procedures

Developing a System Security Plan (SSP):

• A proactive system security plan takes steps to avoid, monitor, detect and contain a breach:
  – access control
  – network segregation
  – continuous/periodic monitoring
  – containment and shutdown
  – training, testing and exercises – remember the human factor!!
• Reference: NIST 800-18


Policies and Procedures

The Security Plan

• Living document
• Maps to enterprise mission, objectives, goals, and required security controls (compliance)
• Role-based:
  – Information owner
  – System owner
  – CISO/SAISO(s)
  – Individuals responsible for discrete aspects of system security
• Requires periodic review, modification, plans of action, milestones for security controls implementation



Policies and Procedures

• Management Controls: focus on the management of the information system and the management of risk for a system. They are techniques and concerns that are normally addressed by management.

• Operational Controls: Address security methods focusing on mechanisms primarily implemented and executed by people (as opposed to systems). They often require technical or specialized expertise and often rely on management activities as well as technical controls.

• Technical Controls: Focus on security controls that the computer system executes. The controls can provide automated protection for unauthorized access or misuse, facilitate detection of security violations and support security requirements for applications and data.


Policies and Procedures

Keys to successful security controls:

• Involve management and operations staff with specialized knowledge
• Have an effective communication plan
• Account for contingency operations (redundancy)
• Test technical controls in a realistic environment
  – Role or identity-based access control
  – Multi-factor authentication
  – Encryption
  – Continuous monitoring
• Remember systems outside your control
  – Government
  – Supply chain
  – Request the vendor’s security capabilities and security plan
• And never forget the HUMAN FACTOR


Policies and Procedures

THE HUMAN FACTOR

• IBM’s 2014 Cyber Security Intelligence Index: 95 percent of all security incidents involve human error.
• Even the most secure organizations have employees who:
  – Don’t walk to the shredder
  – Pick up and use flash drives they find in the lobby
  – Leave media storage devices in their cars
  – Give access credentials out over the phone
  – Rotate the same password over and over again
  – Click links in suspicious (and not-so-suspicious) e-mails


Technical Considerations



Policies and Procedures

Training, Testing and Exercises (TT&E)

• Training
  – Inform personnel of their roles and responsibilities within a particular IT plan
  – Tech skills related to roles and responsibilities
  – Goal is to equip personnel with skills needed to handle exercises and actual security incidents
  – Performed shortly before exercises
  – Reference: NIST 800-84


Policies and Procedures

The Incident Response Plan

• Part of your organization’s SSP
  – Identifying the response team
  – Communicating effectively
  – Implementing controls
  – Mitigating harm
    • Preventing/limiting damage
    • Cooperating with external security capabilities
    • Coordinating with supply chain
  – Preserving evidence
  – Complying with federal, state, government contracts notice requirements
    • Reporting within required timeframes
    • Disclosing relevant information
    • Supporting Government activity


Implementing Controls

Consider practical ways to implement the following cybersecurity controls



Avoiding and Mitigating Incidents



Training Exercise – Breach

At 2:17 am on September 29, Cathy Contract, CISO for Productline, Inc., receives a call from an employee in the company’s IT department, who had just informed Tom that a virus had infected a large directory of files on PP’s main server, including several files containing sensitive-but-unclassified information related to a State Department supply contract.

• What questions should Cathy be asking next?
• What next steps should Cathy take?
• What kinds of measures might have avoided or minimized the impact?


Training Exercise – Compliance

As the new proposal manager for SuperServices, LLC, Donny Doright needs to consider whether SS is capable of complying with applicable regulations on cybersecurity. He knows that the work will involve storing government data on company laptops and mobile devices backed up to the cloud.

• Where does he look to find the standards?
• How does he know which standards apply?


Training Exercise – Compliance

Just before submitting the proposal, Donny notices an access control enhancement that applies to mobile devices. He knows the company does not have the capabilities for the enhancement and won’t spend the money on it. “It’s a small deal, though, and we have other safeguards that make it unnecessary,” he says as he seals the envelope.

• Is the enhancement required to be considered compliant?


2016 Takeaways: Best Practices in Cybercompliance

• Gap analysis – are you compliant?
• Goal check – are you compliant and is the Government’s data “secure”? Is there room for improvement?
• Coordinate with agencies – are agencies really prioritizing security or are they mitigating (proactive/reactive)?
• Set proactive policies
  – Top down culture of cybercompliance
  – Training for IT and contracting staff
• Invest in smart solutions


QUESTIONS?


Thank you.

Gunjan R. Talati, Kilpatrick Townsend & Stockton, LLP, 202.481.9941, [email protected]
Christian Henel, Thompson Hine LLP, 202.263.4127, [email protected]
Aria Mansuri, Principal Product Manager, Distributed Solutions, Inc., 703.471.7530, [email protected]