UNCLASSIFIED

Cybersecurity Interaction Between DoD and Private Sector

June 6, 2019

Vicki Michetti, Office of the DCIO-Cybersecurity, Director, Policy, Strategy, International, and Defense Industrial Base




Cybersecurity Environment

• 53% of attacks result in damages of $500,000 or more (Cisco Annual Cybersecurity Report 2018)

• Cybercrime will cost businesses over $2 trillion by 2019 (Juniper Research)

• The U.S. was the most targeted country in the past three years, accounting for 27% of all targeted attack activity (Internet Security Threat Report, Symantec 2018)

• 49% of customers with at least one significant attack were successfully attacked again within one year (M-Trends 2018, FireEye)

• 53,308 security incidents, 2,216 data breaches, 65 countries, 67 contributors; 68% of breaches took months or longer to discover (2018 Data Breach Investigations Report, Verizon)

Cyber threats targeting unclassified information have dramatically increased


Cyber Threat

• U.S. is engaged in a continuous competition against strategic adversaries, rogue states, terrorist organizations, and criminal networks

• Russia, China, Iran, and North Korea all use cyberspace to challenge the U.S.:
  • Use tools in cyberspace to undermine our economy and democracy
  • Steal our intellectual property
  • Sow discord in our democratic processes

• Our adversaries are continually developing new and more effective cyber weapons

• Risk is growing that these countries will conduct cyber-attacks against the United States during a crisis short of war


National Cyber Strategy: Four Pillars

I. Defend the homeland by protecting networks, systems, functions and data

II. Promote American prosperity by nurturing a thriving digital economy and fostering strong domestic innovation

III. Preserve peace and security by strengthening the ability of the United States, in concert with allies and partners, to deter and, if necessary, punish those who use cyber tools for malicious purposes; and

IV. Expand American influence abroad to extend the key tenets of an open, interoperable, reliable, and secure internet


Defense Cyber Strategy

• Strategic competitors are conducting cyber-enabled campaigns to erode U.S. military advantages, threaten our infrastructure, and reduce our economic prosperity

• The Department must defend its own networks from malicious activity and be prepared to defend, when directed, those operated by entities of the nation’s critical infrastructure

• DoD will also collaborate with our various partners to strengthen the cybersecurity and resilience of both the DoD and the DIB

• The Department will also seek to preempt, defeat, or deter malicious activity targeting U.S. critical infrastructure entities that could cause a significant cyber event


The Cyber Landscape


What DoD Is Doing

• DoD has a range of activities, including both regulatory and voluntary programs, to improve the cybersecurity of the DIB and protect DoD programs and information

• Secure DoD’s information systems and networks

• Codify cybersecurity responsibilities and procedures for the acquisition workforce in defense acquisition policy

• Implement contractual requirements through the Defense Federal Acquisition Regulation Supplement (DFARS)

• Leverage security standards such as National Institute of Standards and Technology (NIST) Special Publication 800-171 “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (Revision 1 published Dec 2016)

• Engage industry through DoD’s voluntary Defense Industrial Base Cybersecurity Program for cyber threat information sharing


Voluntary DIB Cybersecurity Program

The DIB CS Program is a public-private cybersecurity partnership that:

• Provides a collaborative environment for sharing unclassified and classified cyber threat information

• Offers analyst-to-analyst exchanges, mitigation and remediation strategies

• Provides companies analytic support and forensic malware analysis

• Increases U.S. Government and industry understanding of cyber threat

• Enables companies to better protect unclassified defense information on company networks or information systems

• Protects confidentiality of shared information

Mission: Enhance and supplement DIB participants’ capabilities to safeguard DoD information that resides on, or transits, DIB unclassified information systems

[Figure: DIB CS Construct. Elements: Framework Agreement; Information Sharing; Reporting and Response (dibnet.dod.mil); Damage Assessment]


DoD Cyber Crime Center

• DC3 Cyber Forensics Laboratory - CFL

• DC3 Cyber Training Academy - CTA

• DC3 Technical Solutions Development - TSD

• DC3 Analytical Group - AG

• DC3 Defense Industrial Base (DIB) Collaborative Information Sharing Environment - DCISE

• DC3 Vulnerability Disclosure Program - VDP

DC3 is a DoD technical center for digital and multimedia forensics, cyber training, technical solutions development, and cyber analytics supporting DoD and National requirements.


Most Successful DIB Attack Vectors

Attack Vector / Mitigation

Phishing emails
• Disable web links inside e-mails
• Strip attachments from external e-mails for separate scanning

Harvested/Stolen Credentials
• Enable two-factor authentication

Commonly Available Web Exploits
• Aggressive system patching
• Secure application development

Watering Hole Attacks
• Host-based intrusion detection
• Deploy secure browser configurations

Social Media
• Restrict sensitive information posted in public profiles
• Scrutinize requests and attachments from unknown or questionable sources

Source: DoD Cyber Crime Center


Basic Safeguarding of Contractor Information Systems

FAR Clause 52.204-21, “Basic Safeguarding of Contractor Information Systems,” Final Rule, effective June 2016

• Used in solicitations and contracts when the contractor or subcontractor may have Federal contract information residing in or transiting through its information system

• Requires the contractor/subcontractor to safeguard Federal contract information on the contractor’s internal information system by implementing 17 of the 110 requirements in NIST SP 800-171

Federal Contract Information — “Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Websites) or simple transactional information, such as necessary to process payments.”


DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting

Defense Federal Acquisition Regulation Supplement Clause 252.204-7012 requires contractors/subcontractors to:

1. Provide adequate security to safeguard covered defense information that resides on or is transiting through a contractor’s internal information system or network

2. Report cyber incidents that affect a covered contractor information system or the covered defense information residing therein, or that affect the contractor’s ability to perform requirements designated as operationally critical support

3. Submit malicious software discovered and isolated in connection with a reported cyber incident to the DoD Cyber Crime Center

4. If requested, submit media and additional information to support damage assessment

5. Flow down the clause in subcontracts for operationally critical support, or for which subcontract performance will involve covered defense information


NIST SP 800-171, Protecting CUI in Nonfederal Information Systems and Organizations

NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

• Developed for use on contractor and other nonfederal information systems to protect CUI at confidentiality impact level “moderate”, in accordance with FIPS 199 (32 CFR 2002.12)

• Requirements are performance-based and significantly reduce unnecessary specificity
  — Enables contractors to comply using systems and practices likely already in place
  — More easily applied to existing systems

• Provides a standardized/uniform set of requirements for all CUI security needs
  — Allows nonfederal organizations to consistently implement safeguards for the protection of CUI (i.e., one CUI solution for all customers)
  — Allows the contractor to implement alternative, but equally effective, security measures to satisfy CUI security requirements


Implementing NIST SP 800-171 Requirements


Resources

• NIST Manufacturing Extension Partnership (MEP): public-private partnership with Centers in all 50 states and Puerto Rico dedicated to serving small and medium-sized manufacturers. NIST Handbook 162, "NIST MEP Cybersecurity Self-Assessment Handbook for Assessing NIST SP 800-171 Security Requirements” (free publication downloaded over 29,000 times; provides a step-by-step guide to assessing a small manufacturer’s information systems against the security requirements in NIST SP 800-171)
  https://nvlpubs.nist.gov/nistpubs/hb/2017/NIST.HB.162.pdf

• Procurement Technical Assistance Program (PTAP) and Procurement Technical Assistance Centers (PTACs): nationwide network of centers/counselors experienced in government contracting, many of which are affiliated with Small Business Development Centers and other small business programs
  http://www.dla.mil/HQ/SmallBusiness/PTAP.aspx

• Cybersecurity Evaluation Tool (CSET): no-cost application, developed by DHS, that provides a step-by-step process to evaluate information technology network security practices
  https://ics-cert.us-cert.gov/Downloading-and-Installing-CSET


Resources

• Cybersecurity in DoD Acquisition Regulations (http://dodprocurementtoolbox.com/) for Related Regulations, Policy, Frequently Asked Questions, and Resources, June 26, 2017

• DoD Website for DFARS, Procedures, Guidance and Information (PGI), and Frequently Asked Questions (http://www.acq.osd.mil/dpap/dars/dfarspgi/current/index.html) and (https://www.acq.osd.mil/dpap/pdi/cyber/guidance_for_assessing_compliance_and_enhancing_protections.html)

• NIST SP 800-171 Revision 1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf)

• NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171a.pdf)

• DoDI 5230.24, Distribution Statements on Technical Documents (www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/523024p.pdf)

• DoD’s Defense Industrial Base Cybersecurity Program (DIB CS Program) (https://dibnet.dod.mil)


Summary

• Strategic competitors are conducting cyber-enabled campaigns to erode U.S. military advantages, threaten our infrastructure, and reduce our economic prosperity.

• Magnitude of the cyber threat continues to grow

• National Cyber Strategy and Defense Cyber Strategy highlight steps the U.S. Government and DoD are taking to enhance our national cybersecurity

• Interaction between DoD and the private sector is critical to countering the threat

• To better secure DoD information, DoD is engaging the DIB with both mandatory and voluntary activities

• DoD collaboration with the DIB strengthens their cybersecurity and resilience from malicious activity


Contact Information: DIB CS Program

E-mail: [email protected]
Phone: 703-604-3167
Toll Free Number: 1-855-363-4227
FAX: 571-372-5434
https://dibnet.dod.mil