STRATEGIC PLANNING FOR CYBER RISK: PROTECTING DATA AND MEETING REGULATORY
REQUIREMENTS WITH NIST SP 800-171
Heather Engel
Chief Strategy Officer
757-828-0342
AGENDA
1. Why You Need to Know NIST
2. Federal and State Regulations
3. Information Classification
4. Practical Steps to Implementation
WHY YOU NEED TO KNOW NIST
• NIST provides a huge catalog of best practices
• 800-171 is:
  • A risk management tool; can be used to show maturity levels and to map to other mandates
  • Designed for non-federal information systems
  • 110 controls in fourteen categories
  • Protects CONFIDENTIALITY of data
  • Easy to tailor to individual risk profiles
FEDERAL REGULATIONS
• Defense Federal Acquisition Regulation Supplement (DFARS)
  • 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
  • Requires implementation of NIST SP 800-171; other standards may apply
• Federal Acquisition Regulation (FAR):
  • 52.204-21
  • Limited set of requirements
  • Eventual intention for NIST 800-171…not there yet
• Other relevant clauses include DFARS 252.204-7008 and 252.239-7009
AND WHAT ABOUT…
• Those FAQs?
  • Address implementation of DFARS, but provide insight into 800-171 interpretation
• The SSP review guidance?
  • Provides risk values to controls that feed risk assessments
  • Can be used during source selection
• The CSF update?
  • Version 1.1 released in April 2018
  • Includes supply chain management
OTHER REGULATIONS
• 23 NYCRR 500
• PCI DSS
• GDPR
• FERPA
• NIST 800-53, 800-161, 800-30, 800-39…
INFORMATION CLASSIFICATION: WHAT IS CUI?
• Controlled Unclassified Information Registry maintained by NARA
• 18 categories including Critical Infrastructure, Export Control, Privacy, and Intelligence (recently updated)
• What about corporate confidential or other protected classes?
PRACTICAL STEPS TO IMPLEMENTATION
FOUR PHASES TO COMPLIANCE
Phase 1: Scoping and Risk Assessment
Phase 2: IRP / Respond and Report
Phase 3: Protect/Detect
Phase 4: Reassess
PHASE 1: SCOPING
• Determine where protected data lives and how it flows – don’t forget cloud services!
• Also applies to devices that provide security protection for components (workstations, servers, OS, virtual machines, applications, network devices)
• Evaluate existing segmentation and potential for other physical or logical means of separation
• Assign a system owner
PHASE 1: RISK ASSESSMENT
• Why perform a risk assessment?
• What’s the method?
• Who should perform?
• What is the expected outcome?
DATA DRIVES LAYERED DEFENSE
• Compliance requirements and security strategy will determine:
  • Risk tolerance
  • Supply chain management
  • Tools, processes
• Categorize data and protect accordingly
PHASE 2: INCIDENT RESPONSE
• You must be prepared to report within 72 hours if you are implementing 800-171 to comply with DFARS
• Forensic preservation may be required (tools, talent?)
• 800-171 requires an IRP and an exercise
• Keep plans simple and identify specific roles
• Exercise can be a TTX
PHASE 3: PROTECT AND DETECT
• Address gaps
• Change or add processes and SOPs if needed
• Identify residual risk
• Determine risk transfer (cyber insurance, third-party assessor)
• Not everything requires technology
REQUIREMENT CHALLENGES
• AC – Encrypt CUI on mobile devices
• AT – Security awareness training
• AU – Maintain audit records; user actions must be uniquely traceable; could be automated
• CM – Baseline; monitor user-installed software
• IA – MFA
• MP – Control removable media; prohibit portable storage that does not have an owner
• PS – Protect CUI during personnel termination/transfers
• PE – Enforce safeguarding at alternate work sites (telework)
• RA/CA – Periodically assess risk and security controls
• SC – Deny by default; no simultaneous remote connections; protect CUI at rest
THEN WRITE IT ALL DOWN…
• SSP and POAM are required with 800-171 r1
• SSP covers the control and how it is implemented
• POAM covers:
  • Controls not met and shortfalls
  • Who is responsible for implementing it and when
  • Risk assignment (prioritization)
PHASE 4: REASSESS AND MAINTAIN
• Document changes from initial assessment
• Update POA&M regularly
• Create and stick to a schedule for scanning, assessments, policy updates, technical reviews
QUESTIONS?
LINKS
• 800-171 and templates: https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final
• FAQ/Procurement Toolbox: https://dodprocurementtoolbox.com/cms/sites/default/files/resources/2018-04/Revision to Cyber DFARS FAQs - April 2 2018.pdf
• Assessing the State - Review Guidance: https://www.regulations.gov/document?D=DARS-2018-0023-0002
• 800-171 Implementation Strategy: http://business.defense.gov/Portals/57/Documents/Cybersecurity.pdf
• CUI Registry: https://www.archives.gov/cui/registry