STRATEGIC PLANNING FOR CYBER RISK: PROTECTING DATA AND MEETING REGULATORY REQUIREMENTS WITH NIST SP 800-171

Heather Engel, Chief Strategy Officer
757-828-0342
[email protected]

  • AGENDA

    1. Why You Need to Know NIST

    2. Federal and State Regulations

    3. Information Classification

    4. Practical Steps to Implementation

  • WHY YOU NEED TO KNOW NIST

    • NIST provides a huge catalog of best practices

    • 800-171 is:

      • A risk management tool; can be used to show maturity levels and to map to other mandates

      • Designed for non-federal information systems

      • 110 controls in fourteen categories

      • Protects CONFIDENTIALITY of data

      • Easy to tailor to individual risk profiles

  • FEDERAL REGULATIONS

    • Defense Federal Acquisition Regulation Supplement (DFARS)

      • 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting

      • Requires implementation of NIST SP 800-171; other standards may apply

    • Federal Acquisition Regulation (FAR):

      • 52.204-21

      • Limited set of requirements

      • Eventual intention for NIST 800-171…not there yet

    • Other relevant clauses include DFARS 252.204-7008 and 252.239-7009

  • AND WHAT ABOUT…

    • Those FAQs?

      • Written for DFARS implementation, but they provide insight into 800-171 interpretation

    • The SSP review guidance?

      • Assigns risk values to controls that feed risk assessments

      • Can be used during source selection

    • The CSF update?

      • Version 1.1 released in April 2018

      • Includes supply chain management

  • OTHER REGULATIONS

    • 23 NYCRR 500

    • PCI DSS

    • GDPR

    • FERPA

    • NIST 800-53, 800-161, 800-30, 800-39…

  • INFORMATION CLASSIFICATION: WHAT IS CUI?

    • Controlled Unclassified Information Registry maintained by NARA

    • 18 categories including Critical Infrastructure, Export Control, Privacy, and Intelligence (recently updated)

    • What about corporate confidential or other protected classes?

  • PRACTICAL STEPS TO IMPLEMENTATION

  • FOUR PHASES TO COMPLIANCE

    Phase 1: Scoping and Risk Assessment

    Phase 2: IRP / Respond and Report

    Phase 3: Protect/Detect

    Phase 4: Reassess

  • PHASE 1: SCOPING

    • Determine where protected data lives and how it flows – don’t forget cloud services!

    • Also applies to devices that provide security protection for components (workstations, servers, OS, virtual machines, applications, network devices)

    • Evaluate existing segmentation and potential for other physical or logical means of separation

    • Assign a system owner

  • PHASE 1: RISK ASSESSMENT

    • Why perform a risk assessment?

    • What’s the method?

    • Who should perform?

    • What is the expected outcome?

  • DATA DRIVES LAYERED DEFENSE

    • Compliance requirements and security strategy will determine:

      • Risk tolerance

      • Supply chain management

      • Tools, processes

    • Categorize data and protect accordingly

  • PHASE 2: INCIDENT RESPONSE

    • You must be prepared to report within 72 hours if you are implementing 800-171 to comply with DFARS

    • Forensic preservation may be required (tools, talent?)

    • 800-171 requires an IRP and an exercise

    • Keep plans simple and identify specific roles

    • Exercise can be a TTX

  • PHASE 3: PROTECT AND DETECT

    • Address gaps

    • Change or add processes and SOPs if needed

    • Identify residual risk

    • Determine risk transfer (cyber insurance, third-party assessor)

    • Not everything requires technology

  • REQUIREMENT CHALLENGES

    • AC – Encrypt CUI on mobile devices

    • AT – Security awareness training

    • AU – Maintain audit records; user actions must be uniquely traceable, could be automated

    • CM – Baseline, monitor user-installed software

    • IA – MFA

    • MP – Control removable media, prohibit portable storage that does not have an owner

    • PS – Protect CUI during personnel termination/transfers

    • PE – Enforce safeguarding at alternate work sites (telework)

    • RA/CA – Periodically assess risk and security controls

    • SC – Deny by default, no simultaneous remote connections, protect CUI at rest

  • THEN WRITE IT ALL DOWN…

    • SSP and POAM are required with 800-171 r1

    • SSP covers the control and how it is implemented

    • POAM covers:

      • Controls not met and shortfalls

      • Who is responsible for implementing it and when

      • Risk assignment (prioritization)

  • PHASE 4: REASSESS AND MAINTAIN

    • Document changes from initial assessment

    • Update POA&M regularly

    • Create and stick to a schedule for scanning, assessments, policy updates, technical reviews

  • QUESTIONS?

  • LINKS

    • 800-171 and templates: https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final

    • FAQ/Procurement Toolbox: https://dodprocurementtoolbox.com/cms/sites/default/files/resources/2018-04/Revision to Cyber DFARS FAQs - April 2 2018.pdf

    • Assessing the State - Review Guidance: https://www.regulations.gov/document?D=DARS-2018-0023-0002

    • 800-171 Implementation Strategy: http://business.defense.gov/Portals/57/Documents/Cybersecurity.pdf

    • CUI Registry: https://www.archives.gov/cui/registry