DFARS, System Security Plan & POA&M
Michael G. Semmens, P.E.
President, Imprimis, Inc. (i2)
Chairman, National Cyber Exchange (NCX)
DFARS 204.73 / NIST (SP) 800-171
Agenda
• Reference Material
• Nature of Threats: Why We Need Strong Cybersecurity
• Quick Review:
  • DFARS 204.73
  • NIST (SP) 800-171
  • Recent DPAP Guidance
• Components of an SSP and How to Develop Them
• What’s in a POA&M
• Summary, Conclusions, & Recommendations
• Q&A
29-May-18
IMPRIMIS WEBINARS AND TRAINING
• Resource Repository
• Webinars and Webcasts
• Learning Management System (LMS)
Download from https://www.imprimis-inc.com/training/imprimis-webinars/the-imprimis-insider
Why Cybersecurity? The Nature of Cyber Threats
The Two Sides of Cyber
HEADS (1): Productive applications via the cyber domain
TAILS (0): Threats via the cyber domain
Has Anyone Heard of a Cyber Incident Lately?
Top 3 Russian Hacks
1. 2016 Presidential Election
2. Democratic National Committee
3. Yahoo!
Top 3 Chinese Hacks
1. OPM (Office of Personnel Management)
2. FDIC
3. Various Industrial Espionage
Top 3 North Korean Hacks
1. Sony Entertainment
2. SWIFT
3. Interpark
Top 3 Criminal Hacks
1. Home Depot
2. Anthem 2015
3. Mirai (Dyn 2016)
Top 3 Terrorist Hacks
1. CENTCOM Twitter
2. Newsweek Twitter
3. Islamic State Hacking Division’s (ISHD) Kill List (a.k.a. Cyber Caliphate, Islamic Cyber Army or ICA)
Source: Doug Olenick, “Cyber Enemies”, SC Magazine, May 2017: 15-17. Print.
Hey, wait a minute – that ain’t nothing – how about …
▪ The F-35
▪ Technology Targeting
▪ Estonia 2007
▪ Georgia 2008
▪ Ukraine & Ukraine Power 2015
▪ Ransomware - All
▪ Equifax - 143 million!!!
E-Mail Attack Vector: 77.3% of successful attacks
Email phishing: a form of social engineering in which a message, typically an email, with a malicious attachment or link is sent to a victim with the intent of tricking the recipient into opening the attachment or following the link.
Ref: Verizon DBIR 2016 Report
About Your Vector Radius
VECTOR: In physics and geometry, a vector is used to represent physical quantities that have both magnitude and direction.
ATTACK VECTOR: the particular approach used, or vulnerability exploited, in order to penetrate a computer system's security or propagate malicious software.
RADIUS: A straight line from the center to the circumference.
Your Connection (YOU, VECTOR, TARGET): There are no PHYSICAL dimensions in cyberspace – a computer in Beijing or Moscow is as close to you as your officemate’s computer. The concepts of space and separation are gone. The attackers are bad guys in your offices and your homes.
What is a Cyber Vector Radius™ (CVR™)? Who do you do business with?
Parties inside a typical Cyber Vector Radius:
• Individual SMB
• Banks
• Retail Outlets
• Hospitals
• Commercial Customers
• Government Customers
• Prime Contractors
• Subcontractors (multiple tiers)
From Nuisance to Crime: Cyber Crime Goes Pro With an Effective Underground Economy
Evolution of Cyber Crime (1980-1990, 1990-2000, 2000-2010, 2010-2020):
• Virus – 1982
• Worm – 1988
• Tor & the Dark Web – 1990
• Botnet – 2008
• Bitcoin – 2009
DFARS Review & DPAP Guidance
Government Presentation (DPAP): Navigating Unclassified Cyber/Information (System) Security Protections
Elements that drive appropriate protections: the information system and the information.
System type and applicable controls:
• Contractor’s Internal System: NIST SP 800-171
• Contractor’s System Operated on DoD’s Behalf: from CNSSI 1253, based on NIST SP 800-53
• DoD Information System: from CNSSI 1253, based on NIST SP 800-53
• Cloud Service Provider (CSP): FedRAMP (Moderate)
Information types:
• Federal Contract Information
• Controlled Unclassified Information (CUI) (USG-wide)
• Unclassified Controlled Technical Information (UCTI)
• Covered Defense Information (CDI)
CDI (Covered Defense Information)
252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting.
As prescribed in 204.7304(c), use the following clause: (a) Definitions. As used in this clause—
“Covered defense information” means unclassified controlled technical
information or other information, as described in the Controlled Unclassified
Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html,
that requires safeguarding or dissemination controls pursuant to and consistent with
law, regulations, and Governmentwide policies, and is—
(1) Marked or otherwise identified in the contract, task order, or delivery order
and provided to the contractor by or on behalf of DoD in support of the performance
of the contract; or
(2) Collected, developed, received, transmitted, used, or stored by or on
behalf of the contractor in support of the performance of the contract.
DFARS (Defense Federal Acquisition Regulation Supplement)
• 204.73 (subpart) Safeguarding Covered Defense Information and Cyber Incident Reporting
• 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
• 252.204-7008 Compliance with Safeguarding Covered Defense Information Controls
• 252.204-7009 Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information
• 202.1 (subpart) Definitions
• 239.76 (subpart) Cloud Computing
• 252.239-7009 Representation of Use of Cloud Computing
• 252.239-7010 Cloud Computing Services
• 212.301 (f) (clauses & provisions) Solicitation provisions and contract clauses for the acquisition of commercial items
DFARS Summary
• DFARS (Cyber) in effect as of December 31, 2017
• Contractors need to be in compliance with NIST 800-171 and/or have an SSP & POA&M
• They need to report incidents to DoD via DIBNet and to their prime contractor within 72 hours, preserve media, and capture malware
• Must use a CSP (Cloud Service Provider) that meets the FedRAMP (Federal Risk and Authorization Management Program) Moderate Baseline
• Must flow down clauses to subcontractors and suppliers
This solicitation is issued as a request for quotes (RFQ) in accordance with FAR Parts 12 & 13. The provisions and clauses incorporated into this solicitation document are those in effect through Federal Acquisition Circular 2005-97 effective on January 24, 2018. Provisions and clauses incorporated by reference have the same force and effect as if they were given in full text. The full text of the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulations supplement (DFARS) can be accessed on the internet at http://farsite.hill.af.mil/.
2017 DFARS Cyber Compliance Deadline: Modified or Not?
By: Michael G. Semmens, President of Imprimis, Inc.
On December 7, 2017, the Honorable Ellen M. Lord, Under Secretary of Defense for Acquisition, Technology and Logistics (AT&L), provided testimony before the Senate Armed Services Committee (SASC) regarding the implementation of the "Cyber DFARS” (Defense Federal Acquisition Regulations Supplement). In her testimony, she said, “We said that clearly the only requirement for this year [2018] is to lay out what your plan is. That can be a very simple plan. We can help you with that plan. We can give you a template for that plan. Then just report your compliance to it.”
That testimony has caused several articles to be published with headlines such as " Pentagon Delays Deadline for Military Suppliers to Meet Cybersecurity Rules”. In response to such articles, a Pentagon spokesman said that the change should not be considered a delay in the deadline since contractors will still document, by December 31, how they will implement the new rules.
https://www.imprimis-inc.com/training/imprimis-webinars/the-imprimis-insider
Summary and Conclusions
• DPAP OSD is providing guidance to CO/KO
• The deadline did not change – but DoD will accept an SSP & POA&M
• Compliance remains the responsibility of the contractor
• The SSP/POA&M should have been in place by 12/31/2017
• The SSP will be requested in the proposal
• The CO/KO may …
  • Evaluate the risk presented by the SSP/POA&M and assess if acceptable
  • Use the SSP/POA&M as a technical evaluation factor
  • Incorporate the plan (POA&M) as part of the contract performance
• DPAP OSD is planning on modifying existing contracts
  • Planned as a no-cost/no-impact modification
  • Some potential for support if Services/Components support the need
FAR (Federal Acquisition Regulation)
• Subpart 4.19 Basic Safeguarding of Covered Contractor Information Systems
• 52.204-21 Basic Safeguarding of Covered Contractor Information Systems
• Executive Order 13556, Controlled Unclassified Information, November 4, 2010, established the CUI Program and designated the National Archives and Records Administration (NARA) as its Executive Agent (the CUI Executive Agent)
• NARA anticipated NIST 800-171 for all government contractors by mid-2016
• They only published 15 requirements
• A CUI Registry was established
• The NIST 800-171 standard is coming soon to all government contractors
CUI Registry (https://www.archives.gov/cui/registry/category-list)
More Cybersecurity Required …
NARA in 2018: Federal Register Vol. 83 No. 9, Friday, January 12, 2018
Banks starting to require cybersecurity plans before lending to businesses … Business Week in Review, KRDO-ABC January 19, 2018
Important Notice
• This is no longer a ‘hypothetical exercise’
• The horse has left the barn
• The train has left the station
• The rocket has left the pad
• The cyber DFARS AND the cyber FAR are now part of every contractor’s reality!
NIST 800-171 Review
Risk Management Framework
Step 1: CATEGORIZE Information System
Step 2: SELECT Security Controls
Step 3: IMPLEMENT Security Controls
Step 4: ASSESS Security Controls
Step 5: AUTHORIZE Information System
Step 6: MONITOR Security Controls
REPEAT AS NECESSARY
NIST 800-171
NIST 800-171 Security Families (family, section, number of requirements)
AC - Access Control (3.1): 22
AT - Awareness & Training (3.2): 3
AU - Audit & Accountability (3.3): 9
CM - Configuration Management (3.4): 9
IA - Identification & Authentication (3.5): 11
IR - Incident Response (3.6): 3
MA - Maintenance (3.7): 6
MP - Media Protection (3.8): 9
PS - Personnel Security (3.9): 2
PE - Physical Protection (3.10): 6
RA - Risk Assessment (3.11): 3
CA - Security Assessment (3.12): 3 / 4 (Rev 1)
SC - System & Communications Protection (3.13): 16
SI - System & Information Integrity (3.14): 7
TOTAL REQUIREMENTS: 109 / 110 (Rev 1)
REV 1 – NIST 800-171 (Is Final)
▪ Guidance on the use of system security plans (SSPs) and plans of action and milestones (POA&Ms) to demonstrate the implementation or planned implementation of CUI requirements by nonfederal organizations;
▪ Guidance on federal agency use of submitted SSPs and POA&Ms as critical inputs to risk management decisions and decisions on whether or not to pursue agreements or contracts with nonfederal organizations;
Requirement 3.12.4: Develop, document, periodically update, and implement system security plans for organizational information systems that describe the security requirements in place or planned for the systems.
NIST 800-171 … NOW HAS 110 REQUIREMENTS (DECEMBER 2016)
System Security Plan or SSP:
1. System Definition
2. Governance
3. Risk Assessment / Categorization
4. Compliance Assessment + Remediation Plan (POA&M)
The Compliance Process
Components of Cybersecurity: BEHAVIOR, POLICY, TECHNOLOGY
Acronyms:
PAQ - Pre-Assessment Questionnaire
RP - Remediation Plan
V-Scan - Vulnerability Scan
VRP - Vulnerability Remediation Plan
SSP - System Security Plan
PoAM - Plan of Actions & Milestones
IRP - Incident Response Plan
RT - Red Team
Pen Test - Penetration Test
The Assessment-Compliance Process
Maintaining Compliance (annual calendar, Jan through Dec)
• Q1: Configuration Control Meetings, Periodic Scans
• Q2: Configuration Control Meetings, Periodic Scans
• Q3: Configuration Control Meetings, Periodic Scans
• Q4: Configuration Control Meetings, Annual Assessment
• Year-round: Supply Chain Due Diligence, Continuous Monitoring, Training, Continuous Improvements
Supply Chain
▪ Flow down DFARS requirements to subcontractors
▪ Prime performs due diligence to accept cyber-compliant subs and suppliers
  ▪ Questionnaire
  ▪ On-site inspection / audits
  ▪ Sub / Supplier SSP, IRP
▪ Implement supply chain best practices
  ▪ Information & Communications Technology (ICT) Supply Chain Risk Management (SCRM) Practices – NIST 800-161 or equivalent
Elements of a System Security Plan or SSP
Defining the SSP: Sources & Findings
• NIST Special Publication 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems – February 2006
• NIST 800-171A (Draft)
• NIST Handbook 162
• DHS / ICS-CERT / CSET Program
• Imprimis Inc. SSP Template
Key Points:
1. NO required format, but the SSP must contain the information specified
2. Plan of Action for deficiencies
3. SSP & POA&M together OR separate
4. Content consistent across all sources
SSP Content:
1. System Definition: Boundaries, Environment
2. Governance: Roles & Responsibilities
3. Risk Assessment
4. Assessment Status: How requirements are implemented (or not), exceptions
5. Policies & Procedures
6. POA&M
Imprimis Inc. SSP Template
1 Introduction
2 System Description and Characterization
2.1 General Description / Purpose
2.2 System Interconnection / Information Sharing
2.3 System Dependencies / Inheritance
2.4 System Inventory
3 Governance
3.1 Corporate Management (CM)
3.2 Chief Security Officer or CISO
3.3 Security Officer (SO)
3.4 System Owners
3.5 Data Owners
3.6 Configuration Control Board (CCB)
3.7 Information Technology Manager (ITM)
3.8 Security Administrators
3.9 Department Manager (DM)
3.10 Users
4 Categorization and Risk Assessment
4.1 Select Security Controls / Baselines
5 Policies and Procedures
6 Compliance Status
6.1 Compliance Assessment Report
6.2 Remediation Plan of Action & Milestones (POA&M)
7 Summary
Appendix A – Network Diagrams
Appendix B – Interconnection Diagrams
Appendix C – Information Systems Inventory
Appendix D – IT Policies and Procedures
Appendix E – Cybersecurity Assessment
Appendix F – Remediation Plan of Action & Milestones (POA&M)
Network Diagrams
Governance
CCB (Configuration Control Board)
• Stakeholder Representatives (All)
• Senior Management / Decision Makers
• Occurs Regularly (Frequently in the beginning)
• Documentation of all Decisions
• System Documentation
• System
• SSP
• IRP
A recommendation …
POA&M
Developing the SSP and POA&M
SSP inputs: System Definition, Risk Analysis, Management Governance, Policies, Compliance Assessment
Perform Compliance Assessment → Assessment Report → Remediation Tasks and Transition Tasks → POA&M
Transition Tasks:
• Segmentation
• 2FA
• Monitoring
• Scanning
• …
Security Design: Implementing Transitional Elements
NIST 800-171 Requirements (R 3.1.1, R 3.1.2, … R 110) → Transitional Tasks → POA&M OUTPUT
Transitional Tasks:
• Policies & Procedures
• Configuration Settings
• Network Segmentation
• Network Upgrade HW/SW
• Continuous Monitoring
• Vulnerability Scanning
• Configuration Control
• Training
• Continuous Improvement
POA&M MATRIX
POA&M GANTT CHART
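The assessment-to-POA&M step described above, worked as an added example that is not part of the webinar or of Imprimis’ tooling: it takes a per-requirement assessment (IDs in the 800-171 3.1.x … 3.14.x numbering from the families slide), computes the implemented percentage, and emits the POA&M matrix rows, sorted by milestone for a Gantt view and flagged when a milestone has slipped. All records, owners and dates are constructed sample data.

```python
"""POA&M matrix from a NIST SP 800-171 compliance assessment (added example;
not the webinar's or Imprimis' own tooling). Requirement IDs follow the
3.1.x ... 3.14.x numbering on the families slide; all records below are
constructed sample data."""
from datetime import date
# Family numbers and names as listed on the "NIST 800-171 Security Families" slide.
FAMILIES = {1: "Access Control", 2: "Awareness & Training", 3: "Audit & Accountability",
            4: "Configuration Management", 5: "Identification & Authentication",
            6: "Incident Response", 7: "Maintenance", 8: "Media Protection",
            9: "Personnel Security", 10: "Physical Protection", 11: "Risk Assessment",
            12: "Security Assessment", 13: "System & Communications Protection",
            14: "System & Information Integrity"}

def family_of(req_id):
    """Map '3.5.3' to its family name; reject IDs outside the 3.1-3.14 numbering."""
    parts = req_id.split(".")
    if len(parts) != 3 or parts[0] != "3" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not an 800-171 requirement id: {req_id}")
    if int(parts[1]) not in FAMILIES:
        raise ValueError(f"unknown family in {req_id}")
    return FAMILIES[int(parts[1])]

def build_poam(assessment, today):
    """Return (percent_implemented, poam_rows).
    Records are (req_id, status, milestone_date, owner); status is 'implemented',
    'planned' or 'not_applicable'. N/A items are excluded from the percentage.
    Only 'planned' items become POA&M rows; each needs a milestone and an owner,
    and rows whose milestone has already passed are flagged OVERDUE."""
    applicable = [r for r in assessment if r[1] != "not_applicable"]
    done = sum(1 for r in applicable if r[1] == "implemented")
    pct = round(100.0 * done / len(applicable), 1) if applicable else 100.0
    rows = []
    for req_id, status, milestone, owner in assessment:
        if status != "planned":
            continue
        if milestone is None or not owner:
            raise ValueError(f"{req_id}: POA&M item needs a milestone date and an owner")
        rows.append({"req": req_id, "family": family_of(req_id), "owner": owner,
                     "milestone": milestone.isoformat(),
                     "state": "OVERDUE" if milestone < today else "OPEN"})
    rows.sort(key=lambda r: r["milestone"])  # Gantt-style ordering by due date
    return pct, rows
# Constructed sample assessment: a handful of requirements, not the full 110.
SAMPLE = [("3.1.1", "implemented", None, ""),
          ("3.5.3", "planned", date(2018, 3, 31), "ITM"),   # multifactor authentication (the 2FA task)
          ("3.13.5", "planned", date(2018, 9, 30), "ITM"),  # network segmentation task
          ("3.6.1", "implemented", None, ""),
          ("3.10.6", "not_applicable", None, "")]

if __name__ == "__main__":
    pct, rows = build_poam(SAMPLE, date(2018, 5, 29))  # webinar date used as "today"
    print(f"{pct}% of applicable requirements implemented")
    for r in rows:
        print(r["state"], r["milestone"], r["req"], r["family"], r["owner"])
```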
Overview of Available Tools
Tool Discussion
• Spreadsheets
• GRCs (Governance, Risk Management, & Compliance)
• Monitoring Companies
• Specialty Applications
• CSET (DHS Cyber Security Evaluation Tool)
• Imprimis i2ACT
Comparison Matrix: Representative Estimate
Option | Cloud/Prem | Charge Per | Number of Simultaneous Users (Max) | Number of Assessments | Cost Range | Assessment Support | Assessment Report | SSP | POA&M Output
Spreadsheet(s) | Prem | Sheet | 1 | Unlim | $0-$1,700 | No | No | No | No
GRCs | Cloud | User & Assess. | 12-5 | 1-3, Unlim | $2,400-$6,000/yr.; $30,000-$60,000/yr. | No | Yes | Y/N | Y/N
Monitoring Service | Cloud | User & Devices | N/A | 1/yr. | ~$12,000/yr. and up | Y/N | Y/N | Y/N | Y/N
Network Outsource | Cloud / Other | Users | N/A | 1/yr. | ~$12,000/yr. and up | Y/N | Y/N | Y/N | Y/N
CSET | Prem | N/A | 1 | Unlim | $0 | No | Yes | Yes | No
Imprimis i2ACT-800s + Templates | Prem | Computer | 1-10 | Unlim | $1,000-$3,500 yr. 1; ~$295-$1,500/yr. | Yes | Yes | Yes | Yes
Imprimis Assessment Package (SW/Temp./Labor) | Prem | Computer | - | Unlim | $3,000-$10,000; ~$295/yr. | Yes | Yes | Yes | Yes
i2 Support Suite: Empowering Your Team
Audience: Management; CIO / CISO; Data / Network Owners; Program Management; Contracts / Subcontracts
I2ACT-800 Assessment & Compliance Tool: i2ACT-800 PRO; i2ACT-800s (800-171); DSS AAPM; Remediation Plan; POA&M; 50+ Baselines + RMF
Templates for Compliance: Policy & Procedures (P&P); System Security Plan (SSP); Incident Response Plan (IRP)
I2ACT-800 Training and Education: i2 Cyber™ Series; Qualified Training for Compliance Remediation; Webinars and Speaker Series
The Cube: Cyber Compliance Center, Support and Services: Compliance Assessment; Remediation; Scanning; SME / Consulting
Supply Chain: i2ACT-800 Roll Up Tool; Supply Chain Packages
User’s Choice – “DIY or Have it Done”: DIY (Do it Yourself); DIY with Cube Support; Have it Done; Have it Done and Manage Supply Chain
Imprimis Sales and Partners
• Remediation costs vary greatly: schedule, design, HW/SW
• SSP/POA&M satisfy current procurement requirements … lower cost to get started
• This allows remediation to be spread over time
• … on the other hand … ASK:
  • What’s the cost of not being competitive?
  • Of not winning contracts?
  • Of a major breach?
Q&A - Discussion
Michael G. Semmens, (719) 785-0333
www.i2ComplianceTools.com
@ImprimisInc, Imprimis-Inc-