CYBERSECURITY COMPLIANCE: TOOLS FOR ASSESSMENT (RMF, DSS-AAPM, DFARS, FAR, & NIST 800)
AMY VERMILLION, IMPRIMIS, INC.


Page 1:

CYBERSECURITY COMPLIANCE: TOOLS FOR ASSESSMENT

(RMF, DSS-AAPM, DFARS, FAR, & NIST 800)

AMY VERMILLION, IMPRIMIS, INC.

Page 2:

ASSESSMENT OPTIONS

Tools:
• Spreadsheet
• CSET (Cyber Security Evaluation Tool)
• i2ACT-800

Page 3:

OPTION #1: SPREADSHEET WITH WORD & FILE-SHARING

Page 4:

• The Cyber Security Evaluation Tool (CSET®) provides a systematic, disciplined, and repeatable approach for evaluating an organization's security posture
• Desktop software tool that guides asset owners and operators through a step-by-step process to evaluate:
  • Their industrial control system (ICS)
  • Their information technology (IT) network security
• Developed by the Department of Homeland Security's (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which offers it at no cost to end users

Page 5:

ADVISORY: CYBER SECURITY EVALUATION TOOL

The Cyber Security Evaluation Tool (CSET)® is only one component of the overall cyber security picture and should be complemented with a robust cyber security program within the organization. A self-assessment with CSET® cannot reveal all types of security weaknesses, and should not be the sole means of determining an organization's security posture.

The tool will not provide a detailed architectural analysis of the network or a detailed network hardware/software configuration review. It is not a risk analysis tool, so it will not generate a complex risk assessment. CSET® is not intended as a substitute for in-depth analysis of control system vulnerabilities as performed by trained professionals.

Periodic onsite reviews and inspections must still be conducted using a holistic approach including facility walk-downs, interviews, and observation and examination of facility practices. Consideration should also be given to additional steps including scanning, penetration testing, and exercises on surrogate, training, or non-production systems, or systems where failures, unexpected faults, or other unexpected results will not compromise production or safety.

CSET® assessments cannot be completed effectively by any one individual. A cross-functional team consisting of representatives from operational, maintenance, information technology, business, and security areas is essential. The representatives must be subject matter experts with significant expertise in their respective areas. No one individual has the span of responsibility or knowledge to effectively answer all the questions.

Data and reports generated by the tool should be managed securely and marked, stored, and distributed in a manner appropriate to their sensitivity.

Page 6:

30-Jun-17

Page 7:

Page 8:

https://ics-cert.us-cert.gov/Downloading-and-Installing-CSET

Page 9:

IMPRIMIS ACT - ASSESSMENT & COMPLIANCE TOOL

Page 10:

DESIGNED FOR TEAM COLLABORATION

Up to 20 people may work simultaneously without worry of data corruption

Page 11:

i2ACT-800 PRO:
• Supports all of the Risk Management Framework (RMF); contains all 970 NIST 800-53 controls and enhancements
• Contains over two dozen baselines including DSS AAPM, DFARS, FIPS, ICS, and all of CNSSI 1253
• Allows the user to tailor their own baseline, add it to the library of baselines, and share the baseline with satellite locations or subcontractors

i2ACT-800s: "lite" version, specifically for 800-171
• Addresses all 110 requirements and the 125 referenced controls from NIST 800-53
• Ideal for small businesses and subcontractors only concerned with DFARS / NIST 800-171

i2ACT-ROLLUP:
• Imports multiple databases (backend) to allow central review of subcontractors, multiple networks, or trend analysis

Page 12:

i2ACT-800 DEMO HERE

Page 13:

i2ACT-800 PRO MAIN MENU

Page 14:

i2ACT-800s (800-171 ONLY)

Page 15:

CHOOSE BASELINE

Page 16:

MANAGE BASELINES

Page 17:

i2ACT - TAILOR BASELINE

Page 18:

REVIEW 800-53

Page 19:

i2ACT - ASSESSMENT

Page 20:

i2ACT - REPORTS

Page 21:

Page 22:

POA&M and Remediation Report: Gantt Chart in Microsoft Project™

Page 23:

THE i2ACT SUPPORT SUITE

i2ACT-800 PRO, i2ACT-800s, i2ACT-800 Roll Up

Policies & Procedures

Incident Response Plan

System Security Plan (SSP)

Page 24:

QUESTIONS & DISCUSSION

Amy Vermillion
(719) 785-0320 (W)
(719) 331-9863 (M)
[email protected]

www.i2ComplianceTools.com

Page 25:

CYBERSECURITY COMPLIANCE: TOOLS FOR ASSESSMENT

AMY VERMILLION

719-785-0320

www.i2ComplianceTools.com

Page 26:

ASSESSMENT RESOURCES

• Government Resources
• DIB ISAC
• ACT Support Suite
• i2 Cyber Compliance Center: C3 or 'The Cube'

Page 27:

GOVERNMENT PROVIDED RESOURCES

• ICS-CERT
  • Assessment Teams
  • Training
  • CSET Training
• DHS
  • Training
  • Education & Career Programs
  • Information Sharing
• SBA, GSA
• ... and many more: good references, good training

Page 28:

SUMMARY

Page 29:

DIB ISAC

Assists DIB companies with DFARS compliance

Cyber Verify™ is the DIB ISAC process for verifying and certifying compliance

The DIB ISAC selected and uses the Imprimis Compliance Tool

Steve [email protected]

Chad [email protected]

256-489-0550 Office
www.dibisac.net

Page 30:

e tan, e epi tan
Confidential Information of Imprimis, Inc.

June 30, 2017

i2 CYBER COMPLIANCE CENTER: C3 OR 'THE CUBE'
A center in Colorado Springs providing compliance support nationally

SERVICES
• System Definition
• Compliance Assessment
• Vulnerability Assessment
• Remediation Support
• Blue Team Preparation
• Support Through Red Team Audit

FACILITIES & RESOURCES
• VTC/Telephonic/Remote Access
• Training & How-to Videos
• Policy & Plans Templates
• Vulnerability Scanning Tools
• Penetration Testing
• Monitoring Services/Tools
• Support During Incident Response

CONTACT INFORMATION
[email protected] (Support)

Page 31:

COMPONENTS OF CYBERSECURITY

BEHAVIOR

POLICY

TECHNOLOGY

Page 32:

(CYBER) DOGS THAT WON'T HUNT

• I'm a small company, no one is interested in what we do ...
• I've got plenty of time, I'll do it next year ...
• No one is going to check, so I'll just fake it ...
• I'm a small business, I don't need to be smart on cybersecurity ...
• I went to the cloud, so they do my cybersecurity ...
• If the government gets hacked, they should not hold me to a standard ...
• I am a small business, I can't afford cybersecurity ...

Page 33:

SUMMARY

• The threat from the cyber domain is very, very real, and it is our responsibility to combat this threat and manage the risk
• The need for cyber compliance is here now, today, and the Government requirements are only going to grow, e.g. DFARS, FAR, CUI, etc.
• If a company has not started, it is already behind
• The lack of provable cyber security compliance represents a real and present danger to small businesses
• Resources and tools exist to support the compliance process, and these tools will get better with time and with use
• ... This is doable. You can make this happen!

Page 34:

LIFECYCLE OF A CYBERATTACK (diagram)

Diagram labels: Bad Guy; Motivation (Hate, Espionage, IP); Known Target / Objective; Selection; Snooping, Port Scanning; Access; Execution; Back Door; Command & Control (C2); Compromised Network

Page 35:

NIST 800-53 VERSUS 800-171

NIST 800-171 SECURITY REQUIREMENT FAMILIES

3.1 Access Control
3.2 Awareness and Training
3.3 Audit and Accountability
3.4 Configuration Management
3.5 Identification and Authentication
3.6 Incident Response
3.7 Maintenance
3.8 Media Protection
3.9 Personnel Security
3.10 Physical Protection
3.11 Risk Assessment
3.12 Security Assessment
3.13 System and Communications Protection
3.14 System and Information Integrity

VS

NIST 800-53 SECURITY CONTROL FAMILIES

AC Access Control
AT Awareness & Training
AU Audit and Accountability
CA Security Assessment & Authorization
CM Configuration Management
CP Contingency Planning
IA Identification & Authentication
IR Incident Response
MA Maintenance
MP Media Protection
PE Physical & Environmental Protection
PL Planning
PS Personnel Security
RA Risk Assessment
SA System & Services Acquisition
SC System & Communications Protection
SI System & Information Integrity

Additional NIST 800-53 families (no NIST 800-171 equivalents)

Personally Identifiable Information (PII) privacy controls:
AP Authority & Purpose
AR Accountability, Audit, & Risk Management
DI Data Quality & Integrity
DM Data Minimization & Retention
IP Individual Participation & Redress
SE Security
TR Transparency
UL Use Limitation

Program Management:
PM-1 Information Security Program Plan
PM-2 Senior Information Security Officer
PM-3 Information Security Resources
PM-4 Plan of Action & Milestones Process
PM-5 Information System Inventory
PM-6 Information Security Measures of Performance
PM-7 Enterprise Architecture
PM-8 Critical Infrastructure Plan
PM-9 Risk Management Strategy
PM-10 Security Authorization Process
PM-11 Mission/Business Process Definition
PM-12 Insider Threat Program
PM-13 Information Security Workforce
PM-14 Testing, Training, & Monitoring
PM-15 Contacts with Security Groups & Associations
PM-16 Threat Awareness Program

Page 36:

MORE REQUIREMENTS?

• DFARS 252.204-7012: Contractor (Offeror) represents that it will implement the security requirements in NIST 800-171 as soon as practical but no later than December 31, 2017.
  Contractor will apply other information system security measures when the contractor reasonably determines that [additional] security measures are required
• There are 65 NFO controls drawn from nearly all security families
• Revision 1 to NIST 800-171 added one back
• The Implementation Guides at DPAP make it clear that breaches and incidents will be investigated and the contractor will cooperate
• A solid plan with a rationale that can be defended is needed

Do What is Right ... and Do It Right!

Page 37:

GOVERNMENT PRESENTATION (DPAP)

Navigating Unclassified Cyber/Information (System) Security Protections
Elements that drive appropriate protections: the information system and the information

Where the information resides, and the applicable controls:
• Contractor's Internal System: NIST SP 800-171
• Contractor's System Operated on DoD's Behalf: from CNSSI 1253, based on NIST SP 800-53
• DoD Information System: from CNSSI 1253, based on NIST SP 800-53
• Cloud Service Provider: from the SRG

Information types:
• Federal Contract Information
• Controlled Unclassified Information (USG-wide)
• Unclassified Controlled Technical Information
• Covered Defense Information

Page 38:

NARA REQUIRES CUI IN 2016

NARA, CUI Requirements, and the FAR Clause

Executive Order 13556, Controlled Unclassified Information, November 4, 2010, established the CUI Program and designated the National Archives and Records Administration (NARA) as its Executive Agent to implement the Order and to oversee agency actions to ensure compliance with the Order. Regarding contractors, the CUI Executive Agent anticipates establishing a single Federal Acquisition Regulation (FAR) clause in 2016 to apply the requirements of NIST Special Publication 800-171 to the contractor environment as well as to determine oversight responsibilities and requirements.

-- NIST Special Publication 800-171, page 15.

Page 39:

https://ics-cert.us-cert.gov/Downloading-and-Installing-CSET

Page 40:

i2ACT ARCHITECTURE & CONFIGURATION

BACK END DATABASE
• User Data

FRONT END DATABASE
• User Interface
• Standards Database
• Queries
• Reports
• Baselines
• TAB: Supplemental Guidance (NIST)
• TAB: Questionnaires
• TAB: Intent & Evidence
• TAB: How to Assess & Comply
• TAB: Remediation Plan & POA&M

Page 41:

DFARS

Subpart / Clause: 204.73 (subpart)
Title: Safeguarding Covered Defense Information and Cyber Incident Reporting. Revised Oct 21, 2016
Requirements:
• Contractors and subcontractors must safeguard 'covered' defense information that resides in or transits through contractor UNCLASSIFIED information systems.
• Must rapidly report incidents involving possible loss of covered data to DoD via Dibnet.dod.mil
• Report will include i) incident report, ii) malicious software, and iii) media
• Prescribes: 252.204-7008, -7009, -7012, 252.227-7013

Subpart / Clause: 202.1 (subpart)
Title: Definitions. Revised Oct 21, 2016
Requirements:
• Designated subpart as location for definitions

Subpart / Clause: 239.76 (subpart)
Title: Cloud Computing. New addition Aug 26, 2015; revised Oct 21, 2016
Requirements:
• For contractor systems, FedRAMP qualified cloud providers will be used
• For Federal systems, contracts will be awarded to cloud service providers that are granted provisional authorization by DISA
• Prescribes 252.239-7009 & -7010

Subpart / Clause: 212.301(f) (clauses & provisions)
Title: Solicitation provisions and contract clauses for the acquisition of commercial items. Revised August 2, 2016
Requirements:
• Identifies solicitation clauses and provisions to be included in the acquisition of commercial items
• Includes cybersecurity and safeguards identified in the above clauses
• Supply chain risk evaluation required (239.73)

Page 42:

EXECUTIVE RESPONSIBILITY

• Cybersecurity and compliance programs are needed within a corporation for the purpose of:
  • Managing risk and liabilities
  • Meeting minimum requirements to access markets
  • Achieving and maintaining competitive advantage

Cybersecurity is a fiduciary responsibility of the organization's Board of Directors, officers, senior leadership and management

Page 43:

NIST 800-12 ELEMENTS OF INFORMATION SECURITY

1. Information security supports the mission of the organization
2. Information security is an integral element of sound management
3. Information security protections should be commensurate with risk
4. Information security responsibilities and accountability are explicit
5. System owners share security responsibilities with other systems
6. Information security requires a comprehensive and integrated approach
7. Information security is assessed regularly
8. Information security is constrained by societal factors

Page 44:

EXECUTIVE MANAGEMENT (diagram): Organizational Cybersecurity Risk Management & Compliance

Diagram labels: C-Suite & BoD (CEO, COO, CIO, CFO, Board of Directors); Executive Awareness, Policy, Appointments, Monitoring; Training & Education; Cyber Risk Management; Principles & Elements of Cybersecurity; Governance, Responsibility, Accountability; Cyber Authority (CIO, Other Key Executives); Assurance (Assessments, Audits, Reviews); System Security Plan (SSP)

Page 45:

IT MANAGEMENT & EXECUTION (diagram): SSP Implementation

Diagram labels: IT Management (CIO, CISO/SISO, IT Management); Implementation, Personnel Assignments, Monitoring; Categorization; Controls Selection; Controls Implementation; Assess & Confirm; Operate; CISO/SISO, IT Manager(s), System Owners; Assurance (Assessments, Audits, Reviews)

Page 46:

NATIONAL CYBER EXCHANGE (NCX): THREAT INTELLIGENCE & TRAINING

NCX, formerly WCX (Western Cyber Exchange), is a non-profit member organization dedicated to improving cybersecurity and protecting critical infrastructure by sharing cyber threat information, providing education and workforce development, technology development, and supporting member cybersecurity needs.

• NCX is designated as an Information Sharing and Analysis Organization (ISAO) and collaborates with DHS, industry Information Sharing and Analysis Centers (ISACs), and other ISAOs

Page 47:

HAS ANYONE HEARD OF A CYBER INCIDENT LATELY?

• Target
• Home Depot
• Sony
• OPM
• Anthem
• ... The major incidents are becoming too many to list, and smaller incidents are ubiquitous.

Page 48:

WHY SHOULD ALL COMPANIES CARE?

• "Hey, I'm just a small business. No one cares enough about what we do to bother with a cyber attack. What would they get?"
  • PII (Personally Identifiable Information)
  • PHI (Protected Health Information)
  • IP (Intellectual Property)
  • Money
  • Spectrum of Sensitive Information

Page 49:

CYBER THREAT PLAYERS AND ACTIVITIES

APT (Advanced Persistent Threat)
• Actors: Nation States, Major Crime Org's
• Objective: Espionage, Dis-Enable, Destroy, Defeat
• TTP (Tactics, Techniques, Procedures): Social Eng., Phishing, Advanced TTPs, Implant 'Low & Slow'
• Major Known Sources: China, Russia, Iran, North Korea

CYBER CRIME
• Actors: Amateurs to Nations
• Objective: Theft of Valued Data
• TTP: Social Eng., Phishing, Escalate Privileges, Exfil. Data
• Major Known Sources: Russia, China, "Riders of the Dark Net"

HACKTIVIST
• Actors: Amateurs to Major Org's
• Objective: Discredit, Disrupt, Cause Havoc
• TTP: Social Eng., Phishing, DOS/DDOS (Distributed Denial of Service)
• Major Known Sources: Political, Ethnical, Religious Org's or Individuals

INSIDER THREAT
• Actors: Authorized User / Admin.
• Objective: Sensitive Information, Revenge, Profit
• TTP: Use Authorized Access to Steal, Sabotage, Damage
• Major Known Sources: Throughout

TERRORIST
• Actors: Individual, Non-State, Nation State
• Objective: Disrupt, Destroy, Kill
• TTP: Social Eng. to Advanced TTP
• Major Known Sources: North Korea, Al Qaeda, ISIS/ISIL, ... many

NUISANCE
• Actors: Unskilled or Less Able Actors
• Objective: Financial, Recognition
• TTP: SPAM, Scanning, Crawlers, Worms, Viruses
• Major Known Sources: Ubiquitous

Page 50:

E-MAIL ATTACK VECTOR

Ref: Verizon DBIR 2016 Report

Email Phishing: A form of social engineering in which a message, typically an email, with a malicious attachment or link is sent to a victim with the intent of tricking the recipient into opening the attachment

77.3% of successful attacks

Page 51:

NCX TIMELINE, 2010 TO 2016 (diagram)

4/1/2010 CIAT (Center for Information Transformation)
4/29/2011 WCX (Western Cyber Exchange) Established
4/27/2012 Operational Threat Center with CRITs Software
8/29/2014 Successful Threat Message Transfer WCX --> ACSC
9/1/2015
4/20/2016 Added AIS (Automated Indicator Sharing) to WCX ISAO
5/27/2016 Continued N2SI Program
10/1/2016 NCC Collaboration
10/1/2016 NCX Becomes National Organization

Page 52:

WHAT ARE CYBERSECURITY STANDARDS?

• Represent the accumulated knowledge, experience, and wisdom of many who have traveled the road before us
• Are documents typically produced after great collaborative efforts of experts
• Are meant to establish normal requirements, guidelines or best practices for an item, system, or process to ensure the appropriate outcome in terms of performance, quality, and cost
• Use is sometimes mandated, sometimes best practice

Page 53:

KEY CYBERSECURITY STANDARD FAMILIES

Commercial:
• ISO 27000
• COBIT
• CIS/SANS Top 20

Sector Specific:
• PCI DSS
• NERC-CIP
• HIPAA
• HITRUST

Federally-Oriented or Federally-Mandated:
• Cybersecurity Framework
• Risk Management Framework (RMF)
• Federal Information Processing Standards (FIPS)
• National Institute of Standards and Technology (NIST) 800-53
• NIST 800-82
• NIST 800-171
• NISPOM and DSS AAPM
• DFARS
• FAR

Page 54:

FISMA AND FIPS

• Federal Information Security Management Act (FISMA) of 2002 established the responsibilities for Federal Agencies
• Federal Information Processing Standards (FIPS) provide guidance for Federal Agencies
  • FIPS PUB 199 - Standards for Security Categorization of Federal Information and Information Systems
  • FIPS PUB 200 - Minimum Security Requirements for Federal Information and Information Systems

Page 55:

RISK MATRIX: FIPS 199 RISK CATEGORIZATION

Confidentiality (C): Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [44 U.S.C., SEC. 3542]
• LOW IMPACT: The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
• MODERATE IMPACT: The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
• HIGH IMPACT: The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Integrity (I): Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. [44 U.S.C., SEC. 3542]
• LOW IMPACT: The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
• MODERATE IMPACT: The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
• HIGH IMPACT: The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Availability (A): Ensuring timely and reliable access to and use of information. [44 U.S.C., SEC. 3542]
• LOW IMPACT: The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
• MODERATE IMPACT: The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
• HIGH IMPACT: The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Federal Information Processing Standards Publication, FIPS PUB 199, February 2004, National Institute of Standards and Technology

Page 56: CYBERSECURITY OMPLIANCE TOOLS FOR …...Report will include i) incident report, ii) malicious software, and iii) media Prescribes: 252.204‐7008, ‐7009, ‐7012 , 252.227‐7013

NIST (SP) 800-53R4, SECURITY AND PRIVACY CONTROLS FOR FEDERAL INFORMATION SYSTEMS AND ORGANIZATIONS


Page 57

RISK MANAGEMENT FRAMEWORK


Step 1 CATEGORIZE Information System

Step 2 SELECT Security Controls

Step 3 IMPLEMENT Security Controls

Step 4 ASSESS Security Controls

Step 5 AUTHORIZE Information System

Step 6 MONITOR Security Controls

REPEAT AS NECESSARY

Page 58

NIST SP 800-53 SECURITY AND PRIVACY CONTROLS FOR FEDERAL INFORMATION

SECURITY CONTROL CATALOG (Appendix F): SECURITY CONTROLS, ENHANCEMENTS, AND SUPPLEMENTAL GUIDANCE
• AC‐1 ACCESS CONTROL POLICY AND PROCEDURES through SI‐17 FAIL‐SAFE PROCEDURES

INFORMATION SECURITY PROGRAMS (Appendix G): ORGANIZATION‐WIDE INFORMATION SECURITY PROGRAM MANAGEMENT CONTROLS
• PM‐1 INFORMATION SECURITY PROGRAM PLAN through PM‐16 THREAT AWARENESS PROGRAM

PRIVACY CONTROL CATALOG (Appendix J): PRIVACY CONTROLS, ENHANCEMENTS, AND SUPPLEMENTAL GUIDANCE
• AP‐1 AUTHORITY TO COLLECT through UL‐2 INFORMATION SHARING WITH THIRD PARTIES

Each entry in all three catalogs has the same layout: Control, Supplemental Guidance, [Enhancement] [Enhancement], References


Page 59

EXAMPLE CONTROL ENTRY FROM 800-53

CP-3 CONTINGENCY TRAINING

Control: The organization provides contingency training to information system users consistent with assigned roles and responsibilities:

a. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility;

b. When required by information system changes; and

c. [Assignment: organization-defined frequency] thereafter.

Supplemental Guidance: Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to set up information systems at alternate processing and storage sites; and managers/senior leaders may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles/responsibilities reflects the specific continuity requirements in the contingency plan. Related controls: AT-2, AT-3, CP-2, IR-2.

Control Enhancements:

(1) CONTINGENCY TRAINING | SIMULATED EVENTS The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations.

(2) CONTINGENCY TRAINING | AUTOMATED TRAINING ENVIRONMENTS The organization employs automated mechanisms to provide a more thorough and realistic contingency training environment.

References: Federal Continuity Directive 1; NIST Special Publications 800-16, 800-50.

Priority and Baseline Allocation: P2 LOW CP-3 MOD CP-3 HIGH CP-3 (1)

How to read the entry:
• Family, Number (1‐44) & Name
• The Control Text
• Supplemental Guidance, if any
• Control Enhancements, with Name, if any (0‐24); may contain Supplemental Guidance (here CP‐3(1), CP‐3(2))
• References
• Priority & Baseline: P1, P2, P3 give the order of implementation; Low, Mod, High show which controls/enhancements are required per IS Category
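As an added example (not part of the original slides): Python that carries RMF Step 1 into Step 2 using the FIPS 199 table and the CP-3 entry above. It categorizes a system by the FIPS 199 high-water mark over the information types it handles (the rule in FIPS 199 Section 3) and parses a "Priority and Baseline Allocation" line of the form shown for CP-3 to list which controls and enhancements the resulting baseline requires. Function names such as `categorize` and `parse_allocation`, and the sample information types, are constructed for this example.

```python
"""Added example (not from the original deck): RMF Step 1, FIPS 199 categorization,
feeding RMF Step 2, 800-53 baseline selection. The high-water-mark rule is FIPS 199
Section 3; the allocation-line format is the CP-3 entry above; samples are constructed."""
import re

LEVELS = ("LOW", "MODERATE", "HIGH")  # FIPS 199 impact levels, ascending
ALLOC_RE = re.compile(r"^(P[0-3])\s+LOW\s+(.+?)\s+MOD\s+(.+?)\s+HIGH\s+(.+)$")

def high_water_mark(levels):
    """Highest FIPS 199 impact level among the given levels."""
    return max(levels, key=LEVELS.index)

def categorize(info_types):
    """info_types maps each information type to its (C, I, A) impact levels.
    Returns per-objective system impact and the overall level that selects the
    800-53 baseline: the high-water mark across all types and objectives."""
    sc = {obj: high_water_mark([t[i] for t in info_types.values()])
          for i, obj in enumerate(("C", "I", "A"))}
    sc["overall"] = high_water_mark([sc["C"], sc["I"], sc["A"]])
    return sc

def _expand(cell):
    """'CP-3 (1) (2)' -> ['CP-3', 'CP-3(1)', 'CP-3(2)']; 'Not Selected' -> []."""
    if cell.startswith("Not Selected"):
        return []
    base = cell.split()[0]
    return [base] + [f"{base}({n})" for n in re.findall(r"\((\d+)\)", cell)]

def parse_allocation(line):
    """Parse an 800-53 'Priority and Baseline Allocation' line such as
    'P2 LOW CP-3 MOD CP-3 HIGH CP-3 (1)' into what each baseline requires."""
    m = ALLOC_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised allocation line: {line!r}")
    priority, low, mod, high = m.groups()
    return {"priority": priority, "LOW": _expand(low),
            "MODERATE": _expand(mod), "HIGH": _expand(high)}

def required_controls(info_types, allocation_lines):
    """Overall impact level and the controls/enhancements its baseline requires."""
    level = categorize(info_types)["overall"]
    needed = {c for line in allocation_lines for c in parse_allocation(line)[level]}
    return level, sorted(needed)

# Constructed sample: a system holding CUI (moderate confidentiality) plus public data.
SAMPLE_SYSTEM = {"CUI": ("MODERATE", "MODERATE", "LOW"), "public web": ("LOW", "LOW", "LOW")}
```

With the sample system the overall level is MODERATE, so CP-3 is required but the CP-3(1) enhancement is not; raising any single objective to HIGH pulls in CP-3(1).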


Page 60

NIST (SP) 800-171, PROTECTING CONTROLLED UNCLASSIFIED INFORMATION IN NONFEDERAL INFORMATION SYSTEMS AND ORGANIZATIONS


Page 61

NIST 800-171

• The Government started with the FIPS Moderate Baseline, a set of 260+ controls from NIST 800‐53
• They removed controls that …
• Pertained only to the government (FED)
• Did not support “C” or Confidentiality (NCO)
• Were expected to be routinely satisfied by the non‐federal organization (NFO)


TAILORING SYMBOL | TAILORING CRITERIA

NCO | NOT DIRECTLY RELATED TO PROTECTING THE CONFIDENTIALITY OF CUI.

FED | UNIQUELY FEDERAL, PRIMARILY THE RESPONSIBILITY OF THE FEDERAL GOVERNMENT.

NFO | EXPECTED TO BE ROUTINELY SATISFIED BY NON‐FEDERAL ORGANIZATIONS WITHOUT SPECIFICATION.

CUI | THE CUI BASIC OR DERIVED SECURITY REQUIREMENT IS REFLECTED IN AND IS TRACEABLE TO THE SECURITY CONTROL, CONTROL ENHANCEMENT, OR SPECIFIC ELEMENTS OF THE CONTROL/ENHANCEMENT.

APPENDIX E: NIST SPECIAL PUBLICATION 800‐171

Page 62

NIST 800-171


NIST 800-171 Security Families (number of requirements in each):
• AC ‐ Access Control (3.1): 22
• AT ‐ Awareness & Training (3.2): 3
• AU ‐ Audit & Accountability (3.3): 9
• CM ‐ Configuration Management (3.4): 9
• IA ‐ Identification & Authentication (3.5): 11
• IR ‐ Incident Response (3.6): 3
• MA ‐ Maintenance (3.7): 6
• MP ‐ Media Protection (3.8): 9
• PS ‐ Personnel Security (3.9): 2
• PE ‐ Physical Protection (3.10): 6
• RA ‐ Risk Assessment (3.11): 3
• CA ‐ Security Assessment (3.12): 4
• SC ‐ System & Communications Protection (3.13): 16
• SI ‐ System & Information Integrity (3.14): 7

TOTAL REQUIREMENTS: 110

REV 1 – NIST 800-171 (Is Final)

Guidance on the use of system security plans (SSPs) and plans of action and milestones (POAMs) to demonstrate the implementation or planned implementation of CUI requirements by nonfederal organizations;

Guidance on federal agency use of submitted SSPs and POAMs as critical inputs to risk management decisions and decisions on whether or not to pursue agreements or contracts with nonfederal organizations;

3.12.4 Develop, document, periodically update, and implement system security plans for organizational information systems that describe the security requirements in place or planned for the systems.

NIST 800-171… NOW HAS 110 REQUIREMENTS

System Security Plan or SSP:
1. System Definition
2. Governance
3. Risk Assessment / Categorization
4. Compliance Assessment + Remediation Plan (POA&M)

Page 63

WHEN TO USE NIST 800-171

• NIST 800‐171 is intended for use by federal agencies with recommended requirements for protecting the confidentiality of Controlled Unclassified Information (CUI):
• when the CUI is resident in nonfederal information systems and organizations;
• where the CUI does not have specific safeguarding requirements prescribed by the authorizing law, regulation, or government wide policy for the CUI category or subcategory listed in the CUI Registry (https://www.archives.gov/cui/registry/category‐list); and

• when the information systems where the CUI resides are not operated by organizations on behalf of the federal government.

• The requirements apply only to components of nonfederal information systems that process, store, or transmit CUI, or provide security protection for such components

• Federal agencies will include CUI requirements in appropriate contractual vehicles established between those agencies and nonfederal organizations

• Nonfederal organizations must comply with these requirements to meet contractual requirements


Page 64

DEFENSE SECURITY SERVICE ASSESSMENT AND AUTHORIZATION PROCESS MANUAL (DSS AAPM)


Page 65

DSS AAPM

• Required for Cleared Defense Contractors in the National Industrial Security Program

• Provides standardized security policies and procedures for use in safeguarding classified information processed by contractors’ information systems

• Part of DSS transition of the National Industrial Security Program (NISP) certification & accreditation process to RMF

• Based on NIST 800‐53 controls
• 256 – 396 controls depending on the overlay selected
• Provides additional guidance/direction on some controls


Page 66


DFARS (Defense Federal Acquisition Regulation Supplement)

204.73 (subpart) Safeguarding Covered Defense Information and Cyber Incident Reporting
252.204‐7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
252.204‐7008 Compliance with Safeguarding Covered Defense Information Controls
252.204‐7009 Limitations on the Use or Disclosure of Third‐Party Contractor Reported Cyber Incident Information

202.1 (subpart) Definitions

239.76 (subpart) Cloud Computing
252.239‐7009 Representation of Use of Cloud Computing
252.239‐7010 Cloud Computing Services

212.301 (f) (clauses & provisions) Solicitation provisions and contract clauses for the acquisition of commercial items 

Page 67

DFARS


SUBPART / CLAUSE | TITLE | REQUIREMENTS

204.73 (subpart) | Safeguarding Covered Defense Information and Cyber Incident Reporting. Revised – Oct 2016
• Contractors & Subcontractors must safeguard ‘Covered’ defense information that resides in / through contractor ‘UNCLASSIFIED’ information systems
• Must rapidly report incidents … to DoD via www.dibnet.dod.mi; report will include i) incident report, ii) malicious software, and iii) media

252.204‐7012 (clause) | Safeguarding Covered Defense Information and Cyber Incident Reporting. Revised ‐ Dec 2015
• Contractor will implement information systems security protections on all covered contractor ‘UNCLASSIFIED’ information systems
• Contractor (Offeror) represents that it will implement security requirements in NIST 800‐171 as soon as practical but no later than December 31, 2017
• Contractor will apply other information system security measures when the contractor reasonably determines that additional security measures are required
• “Alternative but equally effective” security measures … submitted in writing to an “authorized representative of the DoD CIO,” who will “adjudicate” offeror requests
• If Contractor intends to use an external cloud service provider … security requirements … for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline
• Contractor will rapidly report incidents within 72 hours to … prime contractor and DoD via http://dibnet.dod.mil; Medium Assurance Certificate required

Page 68


FAR (Federal Acquisition Regulation)

Subpart 4.19 Basic Safeguarding of Covered Contractor Information Systems
52.204‐21 Basic Safeguarding of Covered Contractor Information Systems

Page 69

THE FAR 15/NIST 800-171 DIFFERENCES


Any Federal Acquisition will include FAR 52.204-21.

There are 15 FAR requirements that essentially are NIST 800-171 requirements with 2 exceptions:

FAR 52.204‐21 Specified Requirements | Corresponding NIST (SP) 800‐171 Requirements

• (vii) Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse. | 3.8.3 Sanitize or destroy information system media containing CUI before disposal or release for reuse.

• (ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices. | 3.10.3 Escort visitors and monitor visitor activity. 3.10.4 Maintain audit logs of physical access. 3.10.5 Control and manage physical access devices.

Page 70


DFARS VS FAR FAMILIES

Security Families in NIST 800‐171 | FAR 15 ‘Security Families’
AC ‐ Access Control (3.1) | AC ‐ Access Control
AT ‐ Awareness & Training (3.2) | (none)
AU ‐ Audit & Accountability (3.3) | (none)
CM ‐ Configuration Management (3.4) | (none)
IA ‐ Identification & Authentication (3.5) | IA ‐ Identification & Authentication
IR ‐ Incident Response (3.6) | (none)
MA ‐ Maintenance (3.7) | (none)
MP ‐ Media Protection (3.8) | MP ‐ Media Protection
PS ‐ Personnel Security (3.9) | (none)
PE ‐ Physical Protection (3.10) | PE ‐ Physical Protection
RA ‐ Risk Assessment (3.11) | (none)
CA ‐ Security Assessment (3.12) | (none)
SC ‐ System & Communications Protection (3.13) | SC ‐ System & Communications Protection
SI ‐ System & Information Integrity (3.14) | SI ‐ System & Information Integrity

Page 71


DFARS NIST 800-171