DFARS, System Security Plan & POA&M
Michael G. Semmens, P.E., President, Imprimis, Inc. (i2); Chairman, National Cyber Exchange (NCX)
DFARS 204.73 / NIST (SP) 800-171


Page 1

DFARS, System Security Plan & POA&M

Michael G. Semmens, P.E.
President, Imprimis, Inc. (i2)
Chairman, National Cyber Exchange (NCX)

DFARS 204.73
NIST (SP) 800-171

Page 2

Agenda

• Reference Material
• Nature of Threats: Why We Need Strong Cybersecurity
• Quick Review:
  • DFARS 204.73
  • NIST (SP) 800-171
  • Recent DPAP Guidance
• Components of an SSP and How to Develop Them
• What’s in a POA&M
• Summary, Conclusions, & Recommendations
• Q&A

29-May-18

Page 3

IMPRIMIS WEBINARS AND TRAINING

• Resource Repository
• Webinars and Webcasts
• Learning Management System (LMS)

Download from https://www.imprimis-inc.com/training/imprimis-webinars/the-imprimis-insider

Page 4

Why Cybersecurity? The Nature of Cyber Threats

Page 5

The Two Sides of Cyber

HEADS (1): Productive Applications via the Cyber Domain
TAILS (0): Threats via the Cyber Domain

Page 6

Has Anyone Heard of a Cyber Incident Lately?

Top 3 Russian Hacks
1. 2016 Presidential Election
2. Democratic National Committee
3. Yahoo!

Top 3 Chinese Hacks
1. OPM – Office of Personnel Management
2. FDIC
3. Various Industrial Espionage

Top 3 North Korean Hacks
1. Sony Entertainment
2. SWIFT
3. Interpark

Top 3 Criminal Hacks
1. Home Depot
2. Anthem 2015
3. Mirai (Dyn 2016)

Top 3 Terrorist Hacks
1. CENTCOM Twitter
2. Newsweek Twitter
3. Islamic State Hacking Division’s (ISHD) Kill List (a.k.a. Cyber Caliphate, Islamic Cyber Army or ICA)

Doug Olenick, “Cyber Enemies”, SCMagazine, May 2017: 15-17. Print.

Hey, wait a minute – that ain’t nothing – how about …

▪ The F-35
▪ Technology Targeting
▪ Estonia 2007
▪ Georgia 2008
▪ Ukraine & Ukraine Power 2015
▪ Ransomware (all)
▪ Equifax: 143 million!!!

Page 7

E-Mail Attack Vector

77.3% of successful attacks

Email Phishing: a form of social engineering in which a message, typically an email, with a malicious attachment or link is sent to a victim with the intent of tricking the recipient into opening the attachment or following the link.

Ref: Verizon DBIR 2016 Report

Page 8

About Your Vector Radius

VECTOR: In physics and geometry, a vector is used to represent physical quantities that have both magnitude and direction.

ATTACK VECTOR: the particular approach used, or vulnerability exploited, in order to penetrate a computer system's security or propagate malicious software.

RADIUS: A straight line from the center to the circumference.

[Diagram: YOU at the center; Your Connection; Radius; VECTOR; TARGET]

There are no PHYSICAL dimensions in cyberspace: a computer in Beijing or Moscow is as close to you as your officemate’s computer. The concepts of space and separation are gone. The attackers are bad guys in your offices and your homes.

Page 9

CVR™: What is a Cyber Vector Radius™? Who do you do business with?

[Diagram: an individual SMB at the center, connected to Banks, Retail Outlets, Hospitals, Commercial Customers, Government Customers, Prime Contractors, and their Subcontractors (Sub, Sub, Sub, Sub)]

Page 10

From Nuisance to Crime: Cyber Crime Goes Pro With an Effective Underground Economy

Evolution of Cyber Crime

[Timeline: 1980-1990 | 1990-2000 | 2000-2010 | 2010-2020. Milestones: VIRUS, WORM, BOTNET, TOR & THE DARK WEB, BITCOIN; years marked: 1982, 1988, 1990, 2008, 2009]

Page 11

DFARS Review & DPAP Guidance

Page 12

Government Presentation (DPAP)

Navigating Unclassified Cyber/Information (System) Security Protections

Elements that drive appropriate protections: the information system and the information.

Information system and applicable controls:
• Contractor’s Internal System: NIST SP 800-171
• Contractor’s System Operated on DoD’s Behalf: From CNSSI 1253, based on NIST SP 800-53
• DoD Information System: From CNSSI 1253, based on NIST SP 800-53
• Cloud Service Provider (CSP): FedRAMP (Mod)

Information types:
• Federal Contract Information
• Controlled Unclassified Information (CUI) (USG-wide)
• Unclassified Controlled Technical Information (UCTI)
• Covered Defense Information (CDI)

Page 13

CDI (Covered Defense Information)

252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting.

As prescribed in 204.7304(c), use the following clause:

(a) Definitions. As used in this clause—

“Covered defense information” means unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is—

(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or

(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

Page 14

DFARS (Defense Federal Acquisition Regulation Supplement)

204.73 (subpart) Safeguarding Covered Defense Information and Cyber Incident Reporting
252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
252.204-7008 Compliance with Safeguarding Covered Defense Information Controls
252.204-7009 Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information

202.1 (subpart) Definitions
239.76 (subpart) Cloud Computing
252.239-7009 Representation of Use of Cloud Computing
252.239-7010 Cloud Computing Services

212.301 (f) (clauses & provisions) Solicitation provisions and contract clauses for the acquisition of commercial items

Page 15

DFARS Summary

• DFARS (Cyber) in effect as of December 31, 2017
• Contractors need to be in compliance with NIST 800-171 and/or have an SSP & POA&M
• They need to report incidents to DoD via DIBNet and to their prime contractor within 72 hours, preserve media, and capture malware
• Must use a CSP (Cloud Service Provider) that meets the FedRAMP (Federal Risk and Authorization Management Program) Moderate Baseline
• Must flow down clauses to subcontractors and suppliers

Page 16

This solicitation is issued as a request for quotes (RFQ) in accordance with FAR Parts 12 & 13. The provisions and clauses incorporated into this solicitation document are those in effect through Federal Acquisition Circular 2005-97 effective on January 24, 2018. Provisions and clauses incorporated by reference have the same force and effect as if they were given in full text. The full text of the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulations supplement (DFARS) can be accessed on the internet at http://farsite.hill.af.mil/.

Page 17

2017 DFARS Cyber Compliance Deadline: Modified or Not?

By: Michael G. Semmens, President of Imprimis, Inc.

On December 7, 2017, the Honorable Ellen M. Lord, Under Secretary of Defense for Acquisition, Technology and Logistics (AT&L), provided testimony before the Senate Armed Services Committee (SASC) regarding the implementation of the "Cyber DFARS” (Defense Federal Acquisition Regulations Supplement). In her testimony, she said, “We said that clearly the only requirement for this year [2018] is to lay out what your plan is. That can be a very simple plan. We can help you with that plan. We can give you a template for that plan. Then just report your compliance to it.”

That testimony has caused several articles to be published with headlines such as "Pentagon Delays Deadline for Military Suppliers to Meet Cybersecurity Rules”. In response to such articles, a Pentagon spokesman said that the change should not be considered a delay in the deadline since contractors will still document, by December 31, how they will implement the new rules.

https://www.imprimis-inc.com/training/imprimis-webinars/the-imprimis-insider

Page 18

Summary and Conclusions

• DPAP OSD is providing guidance to CO/KO
• The deadline did not change – but DoD will accept an SSP & POA&M
• Compliance remains the responsibility of the contractor
• The SSP/POA&M should have been in place by 12/31/2017
• The SSP will be requested in the proposal
• The CO/KO may …
  • Evaluate the risk presented by the SSP/POA&M and assess if acceptable
  • Use the SSP/POA&M as a technical evaluation factor
  • Incorporate the plan (POA&M) as part of the contract performance
• DPAP OSD is planning on modifying existing contracts
  • Planned as a no-cost/no-impact modification
  • Some potential for support if Services/Components support the need

Page 19

FAR (Federal Acquisition Regulation)

Subpart 4.19 Basic Safeguarding of Covered Contractor Information Systems
52.204-21 Basic Safeguarding of Covered Contractor Information Systems

• Executive Order 13556, Controlled Unclassified Information, November 4, 2010, established the CUI Program and designated the National Archives and Records Administration (NARA) as its Executive Agent (the CUI Executive Agent)
• NARA anticipated NIST 800-171 for all government contractors by mid-2016
• They only published 15 requirements
• A CUI Registry was established
• The NIST 800-171 standard is coming soon to all government contractors

CUI Registry (https://www.archives.gov/cui/registry/category-list)

Page 20

More Cybersecurity Required …

NARA in 2018: Federal Register Vol. 83 No. 9, Friday, January 12, 2018

Banks starting to require cybersecurity plans before lending to businesses … Business Week in Review, KRDO-ABC January 19, 2018

Page 21

Important Notice

• This is no longer a ‘hypothetical exercise’
• The horse has left the barn
• The train has left the station
• The rocket has left the pad
• The cyber DFARS AND the cyber FAR are now part of every contractor’s reality!

Page 22

NIST 800-171 Review

Page 23

Risk Management Framework

Step 1: CATEGORIZE Information System
Step 2: SELECT Security Controls
Step 3: IMPLEMENT Security Controls
Step 4: ASSESS Security Controls
Step 5: AUTHORIZE Information System
Step 6: MONITOR Security Controls
REPEAT AS NECESSARY

Page 24

NIST 800-171

NIST 800-171 Security Families (number of requirements per family):

AC - Access Control (3.1) 22
AT - Awareness & Training (3.2) 3
AU - Audit & Accountability (3.3) 9
CM - Configuration Management (3.4) 9
IA - Identification & Authentication (3.5) 11
IR - Incident Response (3.6) 3
MA - Maintenance (3.7) 6
MP - Media Protection (3.8) 9
PS - Personnel Security (3.9) 2
PE - Physical Protection (3.10) 6
RA - Risk Assessment (3.11) 3
CA - Security Assessment (3.12) 3 / 4 (3.12.4 added in Rev 1)
SC - System & Communications Protection (3.13) 16
SI - System & Information Integrity (3.14) 7

TOTAL REQUIREMENTS: 109 / 110

REV 1 – NIST 800-171 (Is Final)

▪ Guidance on the use of system security plans (SSPs) and plans of action and milestones (POA&Ms) to demonstrate the implementation or planned implementation of CUI requirements by nonfederal organizations;
▪ Guidance on federal agency use of submitted SSPs and POA&Ms as critical inputs to risk management decisions and decisions on whether or not to pursue agreements or contracts with nonfederal organizations;

3.12.4: Develop, document, periodically update, and implement system security plans for organizational information systems that describe the security requirements in place or planned for the systems.

NIST 800-171 … NOW HAS 110 REQUIREMENTS (DECEMBER 2016)

System Security Plan or SSP:
1. System Definition
2. Governance
3. Risk Assessment / Categorization
4. Compliance Assessment + Remediation Plan (POA&M)

Page 25

Page 26

Page 27

The Compliance Process

Page 28

Components of Cybersecurity

• BEHAVIOR
• POLICY
• TECHNOLOGY

Page 29

The Assessment-Compliance Process

ACRONYM: DEFINITION
PAQ: Pre-Assessment Questionnaire
RP: Remediation Plan
V-Scan: Vulnerability Scan
VRP: Vulnerability Remediation Plan
SSP: System Security Plan
PoAM: Plan of Actions & Milestones
IRP: Incident Response Plan
RT: Red Team
Pen Test: Penetration Test

Page 30

Maintaining Compliance

Annual calendar (Jan through Dec):
• Configuration Control Meetings: Q1, Q2, Q3, Q4
• Periodic Scans: Q1, Q2, Q3
• Annual Assessment
• Supply Chain Due Diligence
• Continuous Monitoring
• Training
• Continuous Improvements

Page 31

Supply Chain

▪ Flow down DFARS requirements to subcontractors
▪ Prime performs due diligence to accept cyber-compliant subs and suppliers
  ▪ Questionnaire
  ▪ On-site inspection / audits
  ▪ Sub / Supplier SSP, IRP
▪ Implement supply chain best practices
  ▪ Information & Communications Technology (ICT) Supply Chain Risk Management (SCRM) Practices – NIST 800-161 or equivalent

Page 32

Elements of a System Security Plan or SSP

Page 33

Defining the SSP: Sources & Findings

• NIST Special Publication 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems – February 2006
• NIST 800-171A (Draft)
• NIST Handbook 162
• DHS / ICS-CERT / CSET Program
• Imprimis Inc. SSP Template

Key Points:
1. NO required format, but must contain the information specified
2. Plan of Action for deficiencies
3. SSP & POA&M together OR separate
4. Content consistent across all sources

SSP Content:
1. System Definition: Boundaries, Environment
2. Governance: Roles & Responsibilities
3. Risk Assessment
4. Assessment Status: How requirements are implemented (or not), exceptions
5. Policies & Procedures
6. POA&M

Page 34

Imprimis Inc. SSP Template

1 Introduction

2 System Description and Characterization

2.1 General Description / Purpose

2.2 System Interconnection / Information Sharing

2.3 System Dependencies / Inheritance

2.4 System Inventory

3 Governance

3.1 Corporate Management (CM)

3.2 Chief Security Officer or CISO

3.3 Security Officer (SO)

3.4 System Owners

3.5 Data Owners

3.6 Configuration Control Board (CCB)

3.7 Information Technology Manager (ITM)

3.8 Security Administrators

3.9 Department Manager (DM)

3.10 Users

4 Categorization and Risk Assessment

4.1 Select Security Controls / Baselines

5 Policies and Procedures

6 Compliance Status

6.1 Compliance Assessment Report

6.2 Remediation Plan of Action & Milestones (POA&M)

7 Summary

Appendix A – Network Diagrams

Appendix B – Interconnection Diagrams

Appendix C – Information Systems Inventory

Appendix D – IT Policies and Procedures

Appendix E – Cybersecurity Assessment

Appendix F – Remediation Plan of Action & Milestones (POA&M)

Page 35

Network Diagrams

Page 36

Governance

3 Governance
3.1 Corporate Management (CM)
3.2 Chief Security Officer or CISO
3.3 Security Officer (SO)
3.4 System Owners
3.5 Data Owners
3.6 Configuration Control Board (CCB)
3.7 Information Technology Manager (ITM)
3.8 Security Administrators
3.9 Department Manager (DM)
3.10 Users

CCB (Configuration Control Board)

• Stakeholder Representatives (All)
• Senior Management / Decision Makers
• Occurs Regularly (Frequently in the beginning)
• Documentation of all Decisions
• System Documentation
  • System
  • SSP
  • IRP

A recommendation …

Page 37

POA&M

Page 38

Developing the SSP and POA&M

[Diagram. SSP: System Definition, Risk Analysis, Management Governance, Policies, POA&M. Compliance Assessment: Perform Compliance Assessment → Assessment Report → Remediation Tasks → POA&M. Transition Tasks: Segmentation, 2FA, Monitoring, Scanning, …]

Page 39

Security Design: Implementing Transitional Elements

[Diagram: NIST 800-171 Requirements (R 3.1.1, R 3.1.2, R 110) mapped to Transitional Tasks]

Transitional Tasks:
• Policies & Procedures
• Configuration Settings
• Network Segmentation
• Network Upgrade HW/SW
• Continuous Monitoring
• Vulnerability Scanning
• Configuration Control
• Training
• Continuous Improvement

Page 40

POA&M OUTPUT

[Figures: POA&M MATRIX; POA&M GANTT CHART]

Page 41

Overview of Available Tools

Page 42

Tool Discussion

• Spreadsheets
• GRCs (Governance, Risk Management, & Compliance)
• Monitoring Companies
• Specialty Applications
• CSET (DHS Cyber Security Evaluation Tool)
• Imprimis i2ACT

Page 43

Comparison Matrix: Representative Estimate

OPTION | CLOUD / PREM | CHARGE PER | Simultaneous USERS (Max) | NUMBER OF ASSESSMENTS | COST RANGE | ASSESSMENT SUPPORT | ASSESSMENT REPORT | SSP | POA&M OUTPUT
Spreadsheet(s) | Prem | Sheet | 1 | Unlim | $0-$1,700 | No | No | No | No
GRCs | Cloud | User & Assess. | 1 / 2-5 | 1-3 / Unlim | $2,400-$6,000/yr. / $30,000-$60,000/yr. | No | Yes | Y/N | Y/N
Monitoring Service | Cloud | User & Devices | N/A | 1/yr. | ~$12,000/yr. and up | Y/N | Y/N | Y/N | Y/N
Network Outsource | Cloud / Other | Users | N/A | 1/yr. | ~$12,000/yr. and up | Y/N | Y/N | Y/N | Y/N
CSET | Prem | N/A | 1 | Unlim | $0 | No | Yes | Yes | No
Imprimis i2ACT-800s + Templates | Prem | Computer | 1-10 | Unlim | $1,000-$3,500 yr. 1; ~$295-$1,500/yr. | Yes | Yes | Yes | Yes
Imprimis Assessment Package (SW/Temp./Labor) | Prem | Computer | - | Unlim | $3,000-$10,000; ~$295/yr. | Yes | Yes | Yes | Yes

Page 44

i2 Support Suite: Empowering Your Team

▪ Management
▪ CIO / CISO
▪ Data / Network Owners
▪ Program Management
▪ Contracts / Subcontracts

Templates for Compliance:
▪ Policy & Procedures (P&P)
▪ System Security Plan (SSP)
▪ Incident Response Plan (IRP)

Supply Chain / i2ACT-800 Roll-up Tool:
▪ Supply Chain Packages
▪ Roll Up Tool

Support and Services:
▪ Compliance Assessment
▪ Remediation
▪ Scanning
▪ SME / Consulting

The Cube: Cyber Compliance Center

i2ACT-800 Assessment & Compliance Tool:
▪ i2ACT-800 PRO
▪ i2ACT-800s (800-171)
▪ DSS AAPM
▪ Remediation Plan
▪ POA&M
▪ 50+ Baselines + RMF

i2ACT-800 Training and Education:
▪ i2 Cyber™ Series
▪ Qualified Training for Compliance Remediation
▪ Webinars and Speaker Series

Page 45

User’s Choice: “DIY or Have it Done”

• DIY - Do it Yourself
• DIY with Cube Support
• Have it Done
• Have it Done and Manage Supply Chain

Page 46

Imprimis Sales and Partners

Page 47

• Remediation costs vary greatly: schedule, design, HW/SW

• SSP/POA&M satisfy current procurement requirements … lower cost to get started

• This allows remediation to be spread over time

• … on the other hand … ASK:

• What’s the cost of not being competitive?

• Of not winning contracts?

• Of a major breach?

Page 48

Q&A - Discussion

Page 49

Michael G. Semmens
(719) 785-0333
[email protected]
www.i2ComplianceTools.com
@ImprimisInc Imprimis-Inc-