TRANSCRIPT
What the Changes to Cyber Security Legislation Mean for Your Business
Rob Wilson, Chief Technology Officer, NeoSystems
Rich Wilkinson, Vice President, Client Services, NeoSystems
NeoSystems: Who We Are
• Proven Deltek Expertise with 300 GCS/CP7 Migrations, Integrations, Implementations
• Trusted Support for 700+ Deltek Customers and over 60,000 End Users
• Upgrade-Ready, Extensibility & Web Services
• CP Workflow, CER, Resource Management
• Managed Accounting, IT, HR, Contracts, FP&A
• World-Class Hosting: SOC 1&2, ITAR, NIST/DFAR, FedRAMP Ready
• Deltek’s First and Only Platinum Partner. Partner for 12+ years
• Most Experienced in Deltek Gov Con Solutions
• Inc 5000’s Fastest Growing Private Companies 7 Years in a Row
©2016 Deltek, Inc. All Rights Reserved
Proprietary & Confidential
Road Map
How we got here (and where we are)
The basic requirements of the FAR and DFARS clauses
Safeguarding – Systems vs. Data
The trouble with the term “Federal contract information”
What you REALLY have to do
How this will affect the relationships between Primes and Subs
Exemptions
Where we’re headed next (maybe)
The First Government Action
Executive Order 13556 (11/4/10) established a program requiring controls over both classified and “controlled unclassified” information
• 180 day timeline for initial policies and procedures
• Another 180 days for agencies to develop plans and target dates
Eventually gave rise to the FAR clause 52.204-21
Congress Chimes In
FY 2013 NDAA (1/2/13) required DoD to establish criteria for “covered networks” and mandate reporting of breaches
• 90 day timeline to establish procedures
Eventually gave rise to the DFARS clause 252.204-7012
Some of the Notable Events Since Then
Since April 2013, six hacks targeted OPM and its contractors (alone), resulting in the theft of millions of federal workers' personal data
Agency breaches
– First OPM breach (unknown # records, maybe none?) 11/14 – 3/14, made public 7/14
– Second OPM breach (≈ 21.5M records) 5/14 – 5/15, made public 6/15, full extent not disclosed until 7/15
– Third OPM breach (≈ 4.6M records) 10/15 – 4/15, made public 6/15
Contractor breaches
– USIS breach (25K records) probably early ‘13 – 6/14, made public 8/14
– First KeyPoint breach (≈48K records) 12/13 – 9/14, made public 12/14
– Second KeyPoint breach (>390K records) ??/13 – 9/14, made public 6/15
More Notable Events
HHS, 7/15, networks compromised when (probably) a non-state actor inserted malware via the Healthcare.gov web site
The White House, 10/14, site shut down when hackers accessed sensitive non-classified data (considered likely to be a state actor)
NOAA, 9/14, attributed to hackers from China
USPS, 1/14 – 11/14, personnel information of ≈ 800,000 employees compromised
DoS, 10/14 – 11/14, hackers in Russia (possibly working with the Russian government) are suspected in attacks on the DoS e-mail system; info from this breach may have contributed to the White House breach
FAA, 2/15 – 4/15, malware risked compromise of the National Airspace System and critical ATC systems
DoD, 4/15, Secretary Carter testified to Congress that Russian hackers accessed unclassified files
Federal Reserve Bank St. Louis, 5/15, hackers successfully redirected online communication
Internal Revenue Service, 5/15, hackers accessed personal data of more than 334,000 taxpayers
U.S. Army, 6/15, Army.mil taken offline when hackers accessed the site and posted personal messages
More Cyber-related Legislation and Standards
FISMA – Federal Information Systems Modernization Act of 2014, PL 113-283 – agency protection of federal information and systems
HIPAA – Health Insurance Portability and Accountability Act of 1996, PL 104-191 – privacy for Protected Health Information (PHI)
GLBA – Gramm-Leach-Bliley Act – Financial Services Modernization Act of 1999, PL 106-102 – consumer privacy in banking, securities and insurance; includes anti-phishing safeguard rules
PCI-DSS – Payment Card Industry Data Security Standard – not federal law, an industry standard
FedRAMP – Federal Risk and Authorization Management Program – OMB Memo Dec 8, 2011 – cloud service provider security
Cyber Security Act of 2012 – failed to pass through the Senate
CISA – Cybersecurity Information Sharing Act of 2015 – encourages voluntary sharing between the private sector and the Federal government
The Basics of the FAR and DFARS Clauses
What they say and DON’T say and how they are (very) different.
A Difference in Approach
The FAR approach is to establish safeguarding requirements for systems where federal contract information may reside or through which it may flow
– Imposes 15 basic security controls on systems
The DFARS approach is to establish a requirement for “adequate security” for the information (differs based on the type of data)
– Covered Defense Information (CDI)
– Controlled Technical Information
– Critical Information
– Export Control Information
– Other information identified in the contract
A Difference in Consequences
The DFARS clause has very specific requirements for incident reporting with a very short time frame
The DFARS clause has stringent flow-down requirements and requires incident reporting to both the government and the Prime contractor
The DFARS clause grants DoD personnel access to the contractor’s systems to investigate the incident
The FAR clause has no incident reporting requirement at all
It does require flow-down, but still no incident reporting
There is no provision in the FAR clause for access to investigate the incident
A Difference in Implementation
The FAR requirements are immediately effective when a contract is awarded that contains the clause
Under the DFARS provisions, contractors are directed to implement NIST 800-171 standards “as soon as practical, but not later than December 31, 2017.”
– Contractors must notify the DoD CIO, within 30 days of award, of any NIST 800-171 security requirement that has not been implemented at the time of contract award.
– Absent notice, it appears that DoD will presume contractors are meeting all of the NIST 800-171 security requirements.
A Difference in Authority
The FAR clause cites as its authority Executive Order 13556 issued January 4, 2010
The DFARS clause cites as its authority the FY 2013 National Defense Authorization Act signed into law January 2, 2013.
– Required DoD to establish criteria for “covered networks”
– Required DoD to promulgate regulations to mandate reporting of breaches
A proposed change to the DFARS clause (imminent) cites as its authority the FY 2016 National Defense Authorization Act
– Provides liability protections for cleared defense contractors when reporting cyber incidents and network penetrations
– Also provides liability protections for operationally critical contractors for such reporting
Protecting Government and Contractor Data Under DFARS
DFARS 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting – Dec 2015
Protecting Covered Defense Information (CDI)
CDI – Covered Defense Information
– Controlled Technical Information
– Critical Information
– Export Control Information
– Other information identified in the contract
– subject to controls
More on the DFARS Requirements
DFARS 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting – Dec 2015
Protecting Controlled Unclassified Information (CUI)
CUI – Controlled Unclassified Information
– Critical infrastructure, Personal, Financial
– Business Proprietary Information: “Material and information relating to, or associated with, a company's products, business, or activities, including but not limited to financial information; data or statements; trade secrets; product research and development; existing and future product designs and performance specifications.”
NIST SP 800-171 “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (June 2015)
Describes 109 total controls across 14 control families
Provides mapping to NIST SP 800-53, Revision 4 and ISO 27001 information security controls
14 Control Families:
• ACCESS CONTROL
• AWARENESS AND TRAINING
• AUDIT AND ACCOUNTABILITY
• CONFIGURATION MANAGEMENT
• IDENTIFICATION AND AUTHENTICATION
• INCIDENT RESPONSE
• MAINTENANCE
• MEDIA PROTECTION
• PERSONNEL SECURITY
• PHYSICAL PROTECTION
• RISK ASSESSMENT
• SECURITY ASSESSMENT
• SYSTEM AND COMMUNICATIONS PROTECTION
• SYSTEM AND INFORMATION INTEGRITY
FAR Security Requirements – 15 Basic Safeguards
1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
3. Verify and control/limit connections to and use of external information systems.
4. Control information posted or processed on publicly accessible information systems.
5. Identify information system users, processes acting on behalf of users, or devices.
6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
7. Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
10. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
12. Identify, report, and correct information and information system flaws in a timely manner.
13. Provide protection from malicious code at appropriate locations within organizational information systems.
14. Update malicious code protection mechanisms when new releases are available.
15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
What’s Up with “Federal Contract Information”
What that term could include and why it could matter a LOT.
Protecting Federal Contract Information (FCI)
• FAR 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems – June 2016
• FCI – Federal Contract Information
– Any information not intended for public release that is provided by or generated by the Government under a contract to develop or deliver a product or service to the Government
– Does not include Government released public information
– Does not include simple transactional information
What You REALLY Have to Do
And, which contracts, contractors and subcontractors are affected (COTS, not COTS & why not COTS) and what happens when the SHTF (things go really, really wrong).
Incident Reporting (DFARS)
• Prime contractors are required to “rapidly report … cyber incidents” to DoD.
– The rule defines rapid reporting as within 72 hours of the contractor’s discovery of the cyber incident, but does not mandate the contents of such a report.
– Reporting is to be done via http://dibnet.dod.mil (requires a DoD-approved medium assurance certificate)
• Subcontractors are required to “rapidly” report (72 hours) cyber incidents directly to the DoD (also via http://dibnet.dod.mil) and to the prime contractor by providing the incident report number assigned automatically when the report is made
The Effect on Primes/Subs Relationships
The reporting issue, breaches and responsibility for compliance.
Not just for the Primes - FAR
Primes performing a contract with the clause are required to flow it down to subs performing on that contract when the subcontractor “may have Federal contract information residing in or transiting through its information system”
Subs are specifically required to further flow the clause down to lower tier subs by a provision of the clause which states, in part, “Contractor shall include the substance of this clause, including this paragraph in subcontracts under this contract”
Flow down is required for subcontracts for commercial items except for commercially available off-the-shelf items
Not just for the Primes - DFARS
Prime contractors are required to flow down the DFARS 252.204-7012 clause to subcontracts, “or similar contractual instruments,”
1. for operationally critical support or
2. that involve a covered contractor information system.
Subcontractors are similarly required to flow the clause down to lower tier subcontractors
Where We’re Headed Next (Maybe)
A peek into the crystal ball and what the landscape might look like after the next tranche of breaches and the next set of clauses.
Pending FAR Cases on Cyber Provisions
None
Most commenters comparing the FAR and DFARS clauses are puzzled by the absence of any incident reporting requirement
Many have commented that a change to the FAR clause is expected to add that requirement
– There is NO open FAR case to make such a change.
– Such changes typically take from 18 to 36 months (sometimes more)
Pending DFARS Cases on Cyber Provisions
Case 2013-D018, Network Penetration Reporting and Contracting for Cloud Services
– Implements section 941 of 2013 NDAA, section 1632 of 2015 NDAA, and cloud computing policy.
– Section 941 requires cleared defense contractors to report penetrations, allows DoD access to equipment and information to assess the impact of reported penetrations
– Section 1632 requires reporting of cyber incidents on information systems of operationally critical contractors.
– Also develops policies for acquisition of cloud computing services.
Pending DFARS Cases on Cyber Provisions
Case 2013-D018 (Continued)
– Affects DFARS 201.101, 204.73, 212.301, 239, 239.76, 252.204, 252.204-7012, 252.239
– On 10/04/2016 OIRA cleared the final DFARS rule. The DAR editor is preparing the rule for publication. Final action will be to confirm any required systems changes
Pending DFARS Cases on Cyber Provisions
Case 2016-D025, Liability Protections when Reporting Cyber Incidents
– Implements section 1641 of the FY16 NDAA to specify liability protections for cleared defense contractors and operationally critical contractors when reporting cyber incidents and network penetrations
– Affects DFARS 204, 252
– On 04/20/2016, the DARC Director tasked an Ad Hoc Committee to draft a proposed DFARS rule. Report due 10/26/2016
NeoSystems Special Events at Insight
• Expo Hall Booth #5: Win a kayak! Everyone who stops by wins a prize.
• Breakfast Events (Potomac 1, 7:45 AM – 8:45 AM)
• November 15: Celebrating GCS to Costpoint Success
• November 16: New DFAR/FAR Regulations for Primes and Subs
• Lunch Events (Potomac 1, 12:30 PM – 1:30 PM)
• November 15: Transform Raw Data into Useful Information (PwC and NeoSystems)
• November 16: Federal Workflow for Costpoint (Deloitte Federal and NeoSystems)
• Meet the Expert Happy Hours (Potomac 1, 3:00 PM – 4:00 PM)
• November 15 and 16: hosted by PwC and NeoSystems
Questions & Contacts
Rob Wilson
– Email: [email protected]
– Office: (571) 234-4942
– Web: www.NeoSystemsCorp.com
Rich Wilkinson
– Email: [email protected]
– Office: (571) 748-3786
– Web: www.NeoSystemsCorp.com