
What the Changes to Cyber Security Legislation Mean for Your Business

Rob Wilson, Chief Technology Officer, NeoSystems

Rich Wilkinson, Vice President, Client Services, NeoSystems

NeoSystems: Who We Are

• Proven Deltek Expertise with 300 GCS/CP7 Migrations, Integrations, Implementations

• Trusted Support for 700+ Deltek Customers and over 60,000 End Users

• Upgrade-Ready, Extensibility & Web Services

• CP Workflow, CER, Resource Management

• Managed Accounting, IT, HR, Contracts, FP&A

• World-Class Hosting: SOC 1&2, ITAR, NIST/DFAR, FedRAMP Ready

• Deltek’s First and Only Platinum Partner. Partner for 12+ years

• Most Experienced in Deltek Gov Con Solutions

• Inc 5000’s Fastest Growing Private Companies 7 Years in a Row

©2016 Deltek, Inc. All Rights Reserved 2

Proprietary & Confidential

Road Map

How we got here (and where we are)

The basic requirements of the FAR and DFARS clauses

Safeguarding – Systems vs. Data

The trouble with the term “Federal contract information”

What you REALLY have to do

How this will affect the relationships between Primes and Subs

Exemptions

Where we’re headed next (maybe)

How We Got Here

The ugly “iceberg tip” of data breaches.


The First Government Action

Executive Order 13556 (11/4/10) established a program requiring controls over both classified and “controlled unclassified” information

• 180 day timeline for initial policies and procedures

• Another 180 days for agencies to develop plans and target dates

Eventually gave rise to the FAR clause 52.204-21


Congress Chimes In

FY 2013 NDAA (1/2/13) required DoD to establish criteria for “covered networks” and mandate reporting of breaches

• 90 day timeline to establish procedures

Eventually gave rise to the DFARS clause 252.204-7012


Some of the Notable Events Since Then

Since April 2013, six hacks targeted OPM and its contractors (alone), resulting in the theft of millions of federal workers' personal data

Agency breaches

– First OPM breach (unknown # records, maybe none?) 11/14 – 3/14, made public 7/14

– Second OPM breach (≈ 21.5M records) 5/14 – 5/15, made public 6/15, full extent not disclosed until 7/15

– Third OPM breach (≈ 4.6M records) 10/15 – 4/15, made public 6/15

Contractor breaches

– USIS breach (25K records) probably early ‘13 – 6/14, made public 8/14

– First KeyPoint breach (≈48K records) 12/13 – 9/14, made public 12/14

– Second KeyPoint breach (>390K records) ??/13 – 9/14, made public 6/15


More Notable Events

HHS, 7/15, networks compromised when (probably) a non-state actor inserted malware via the Healthcare.gov web site

The White House, October 2014, site shut down when hackers accessed sensitive non-classified data (considered likely to be a state actor)

NOAA, 9/14, attributed to hackers from China

USPS, 1/14 – 11/14, personnel information of ≈ 800,000 employees compromised

DoS, 10/14 – 11/14, hackers in Russia (possibly working with the Russian government) are suspected in attacks on the DoS e-mail system. Info from this breach may have contributed to the White House breach

FAA, 2/15 – 4/15, malware risked compromise of the National Airspace System and critical ATC systems

DoD, 4/15, Secretary Carter testified to Congress that Russian hackers accessed unclassified files

Federal Reserve Bank St. Louis, 5/15, hackers successfully redirected online communication

Internal Revenue Service, 5/15, hackers accessed personal data of more than 334,000 taxpayers

U.S. Army, 6/15, Army.mil taken offline when hackers accessed the site and posted personal messages.


More Cyber-related Legislation and Standards

FISMA – Federal Information Systems Modernization Act of 2014, PL 113-283 – agency protection of federal information and systems

HIPAA – Health Insurance Portability and Accountability Act of 1996, PL 104-191 – privacy for Protected Health Information (PHI)

GLBA – Gramm-Leach-Bliley Act (Financial Services Modernization Act of 1999), PL 106-102 – consumer privacy in banking, securities and insurance; includes anti-phishing safeguard rules

PCI-DSS – Payment Card Industry Data Security Standard – not federal law, industry standard

FedRAMP – Federal Risk and Authorization Management Program – OMB Memo Dec 8, 2011 – cloud service provider security

Cyber Security Act of 2012 – failed to pass through the Senate

CISA – Cybersecurity Information Sharing Act of 2015 – encourages voluntary sharing between the private sector and the Federal government

The Basics of the FAR and DFARS Clauses

What they say and DON’T say and how they are (very) different.


A Difference in Approach

The FAR approach is to establish safeguarding requirements for systems where federal contract information may reside or through which it may flow

– Imposes 15 basic security controls on systems

The DFARS approach is to establish a requirement for “adequate security” for the information (differs based on the type of data)

– Covered Defense Information (CDI)

– Controlled Technical Information

– Critical Information

– Export Control Information

– Other information identified in the contract


A Difference in Consequences

The DFARS clause has very specific requirements for incident reporting with a very short time frame

The DFARS clause has stringent flow-down requirements and requires incident reporting to both the government and the Prime contractor

The DFARS clause grants DoD personnel access to the contractor’s systems to investigate the incident

The FAR clause has no incident reporting requirement at all

It does require flow-down, but still no incident reporting

There is no provision in the FAR clause for access to investigate the incident


A Difference in Implementation

The FAR requirements are immediately effective when a contract is awarded that contains the clause

Under the DFARS provisions, contractors are directed to implement NIST 800-171 standards “as soon as practical, but not later than December 31, 2017.”

– Contractors must notify the DoD CIO, within 30 days of award, of any NIST 800-171 security requirement that has not been implemented at the time of contract award.

– Absent notice, it appears that DoD will presume contractors are meeting all of the NIST 800-171 security requirements.


A Difference in Authority

The FAR clause cites as its authority Executive Order 13556 issued January 4, 2010

The DFARS clause cites as its authority the FY 2013 National Defense Authorization Act signed into law January 2, 2013.

– Required DoD to establish criteria for “covered networks”

– Required DoD to promulgate regulations to mandate reporting of breaches

A proposed change to the DFARS clause (imminent) cites as its authority the FY 2016 National Defense Authorization Act

– Provides liability protections for cleared defense contractors when reporting cyber incidents and network penetrations

– Also provides liability protections for operationally critical contractors for such reporting

A Deeper Dive into the Requirements


Protecting Government and Contractor Data Under DFARS

DFARS 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting – Dec 2015

Protecting Covered Defense Information (CDI)

CDI – Covered Defense Information

– Controlled Technical Information

– Critical Information

– Export Control Information

– Other information identified in the contract

– Subject to controls


More on the DFARS Requirements

DFARS 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting – Dec 2015

Protecting Controlled Unclassified Information (CUI)

CUI – Controlled Unclassified Information

– Critical infrastructure, Personal, Financial

– Business Proprietary Information: “Material and information relating to, or associated with, a company's products, business, or activities, including but not limited to financial information; data or statements; trade secrets; product research and development; existing and future product designs and performance specifications.”


NIST SP 800-171 “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (June 2015)

Describes 109 total controls across 14 control families

Provides mapping to NIST SP 800-53, Revision 4 and ISO 27001 information security controls

14 Control Families:

• ACCESS CONTROL

• AWARENESS AND TRAINING

• AUDIT AND ACCOUNTABILITY

• CONFIGURATION MANAGEMENT

• IDENTIFICATION AND AUTHENTICATION

• INCIDENT RESPONSE

• MAINTENANCE

• MEDIA PROTECTION

• PERSONNEL SECURITY

• PHYSICAL PROTECTION

• RISK ASSESSMENT

• SECURITY ASSESSMENT

• SYSTEM AND COMMUNICATIONS PROTECTION

• SYSTEM AND INFORMATION INTEGRITY


FAR Security Requirements – 15 Basic Safeguards

1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

3. Verify and control/limit connections to and use of external information systems.

4. Control information posted or processed on publicly accessible information systems.

5. Identify information system users, processes acting on behalf of users, or devices.

6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

7. Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.

10. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

12. Identify, report, and correct information and information system flaws in a timely manner.

13. Provide protection from malicious code at appropriate locations within organizational information systems.

14. Update malicious code protection mechanisms when new releases are available.

15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

What’s Up with “Federal Contract Information”

What that term could include and why it could matter a LOT.


Protecting Federal Contract Information (FCI)

• FAR 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems – June 2016

• FCI – Federal Contract Information

– Any information not intended for public release that is provided by or generated by the Government under a contract to develop or deliver a product or service to the Government

– Does not include Government released public information

– Does not include simple transactional information


What You REALLY Have to Do

And, which contracts, contractors and subcontractors are affected (COTS, not COTS & why not COTS) and what happens when the SHTF (things go really, really wrong).


Incident Reporting (DFARS)

• Prime contractors are required to “rapidly report … cyber incidents” to DoD.

– The rule defines rapid reporting as within 72 hours of the contractor’s discovery of the cyber incident, but does not mandate the contents of such a report.

– Reporting is to be done via http://dibnet.dod.mil (requires a DoD-approved medium assurance certificate)

• Subcontractors are required to “rapidly” report (72 hours) cyber incidents directly to the DoD (also via http://dibnet.dod.mil) and to the prime contractor by providing the incident report number assigned automatically when the report is made


Incident Reporting (FAR)

• None required under the current FAR clause


The Effect on Primes/Subs Relationships

The reporting issue, breaches and responsibility for compliance.


Not just for the Primes - FAR

Primes performing a contract with the clause are required to flow it down to subs performing on that contract when the subcontractor “may have Federal contract information residing in or transiting through its information system”

Subs are specifically required to further flow the clause down to lower tier subs by a provision of the clause which states, in part, “Contractor shall include the substance of this clause, including this paragraph in subcontracts under this contract”

Flow down is required for subcontracts for commercial items except for commercially available off-the-shelf items


Not just for the Primes - DFARS

Prime contractors are required to flow down the DFARS 252.204-7012 clause to subcontracts, “or similar contractual instruments,”

1. for operationally critical support or

2. that involve a covered contractor information system.

Subcontractors are similarly required to flow the clause down to lower tier subcontractors

Exemptions

There aren’t any.

Next section.


Where We’re Headed Next (Maybe)

A peek into the crystal ball and what the landscape might look like after the next tranche of breaches and the next set of clauses.


Pending FAR Cases on Cyber Provisions

None

Most commenters comparing the FAR and DFARS clauses are puzzled by the absence of any incident reporting requirement

Many have commented that a change to the FAR clause is expected to add that requirement

– There is NO open FAR case to make such a change.

– Such changes typically take from 18 to 36 months (sometimes more)


Pending DFARS Cases on Cyber Provisions

Case 2013-D018, Network Penetration Reporting and Contracting for Cloud Services

– Implements section 941 of 2013 NDAA, section 1632 of 2015 NDAA, and cloud computing policy.

– Section 941 requires cleared defense contractors to report penetrations, allows DoD access to equipment and information to assess the impact of reported penetrations

– Section 1632 requires reporting of cyber incidents on information systems of operationally critical contractors.

– Also develops policies for acquisition of cloud computing services.


Pending DFARS Cases on Cyber Provisions

Case 2013-D018 (Continued)

– Affects DFARS 201.101, 204.73, 212.301, 239, 239.76, 252.204, 252.204-7012, 252.239

– On 10/04/2016 OIRA cleared the final DFARS rule. The DAR editor is preparing the rule for publication. Final action will be to confirm any required systems changes


Pending DFARS Cases on Cyber Provisions

Case 2016-D025, Liability Protections when Reporting Cyber Incidents

– Implements section 1641 of the FY16 NDAA to specify liability protections for cleared defense contractors and operationally critical contractors when reporting cyber incidents and network penetrations

– Affects DFARS 204, 252

– On 04/20/2016, the DARC Director tasked an Ad Hoc Committee to draft a proposed DFARS rule. Report due 10/26/2016

NeoSystems Special Events at Insight

• Expo Hall Booth #5: Win a kayak! Everyone who stops by wins a prize.

• Breakfast Events (Potomac 1, 7:45 AM – 8:45 AM)

• November 15: Celebrating GCS to Costpoint Success

• November 16: New DFAR/FAR Regulations for Primes and Subs

• Lunch Events (Potomac 1, 12:30 PM – 1:30 PM)

• November 15: Transform Raw Data into Useful Information (PwC and NeoSystems)

• November 16: Federal Workflow for Costpoint (Deloitte Federal and NeoSystems)

• Meet the Expert Happy Hours (Potomac 1, 3:00 PM – 4:00 PM)

• November 15 and 16: hosted by PwC and NeoSystems


Questions & Contacts

Rob Wilson

– Email: [email protected]

– Office: (571) 234-4942

– Web: www.NeoSystemsCorp.com

Rich Wilkinson

– Email: [email protected]

– Office: (571) 748-3786

– Web: www.NeoSystemsCorp.com