DFARS 252 Assessment Session 208: NIST SP 800-171 and Controlled Unclassified Information
Presented by: Miguel (Mike) O. Villegas, CISA, CISSP, CSX|F, PA-QSA, PCI-QSA
Who does this apply to?
• Non-Federal Information System – an information system used or operated by a non-federal organization that stores, processes, or transmits CUI (see NIST SP 800-171r1)
• Non-Federal Organizations – federal contractors; state, local, and tribal governments; and colleges and universities
• Ask your federal contractor, such as Raytheon, Boeing, Lockheed…
Questions:
• Does this apply to me?
• I am being asked to be DFARS compliant, but by my:
  • Partners
  • Customers
  • Federal Contractor (not one of the primes)
• Will the date (12/31/17) change? It is now November 2017.
• I have been asked to complete the Exostar form online. Isn't that all I need to do?
• I'm a university, bank, manufacturer, public utility, etc. I am not a defense contractor. Does this apply to me? Or does it?
• I can't believe they would cut my contract if not compliant. How serious is this?
On September 14, 2016, NIST SP 800-171r1 (Controlled Unclassified Information in Nonfederal Information Systems and Organizations) was formally issued to provide guidance on controlled unclassified information (CUI). Safeguarding or disseminating CUI, consistent with applicable law, regulations, and government-wide policies, is vital, and noncompliance by December 31, 2017, means government contractors will lose their contract. Experience has shown that this order, like others before it, will not be taken seriously—but it should be. If your organization is facing noncompliance, this session will focus on the NIST SP 800-171 control families, requirements, and compliance dates.
What is DFARS?
DFARS – Defense Federal Acquisition Regulation Supplement
DFARS 252.204-7012 – Section pertaining to cybersecurity requirements to protect Controlled Unclassified Information (CUI) and report security incidents
Controlled Unclassified Information (CUI) Registry
https://www.archives.gov/cui/registry/category-list#page-header
• Agriculture
• Controlled Technical Information
• Critical Infrastructure
• Emergency Management
• Export Control
• Financial
• Geodetic Product Information
• Immigration
• Intelligence
• International Agreements
• Law Enforcement
• Legal
• NATO
• Nuclear
• Privacy
• Procurement and Acquisition
• Proprietary Business Information
• SAFETY Act Information
• Statistical
• Tax
• Transportation
What is NIST SP 800-171r1?
The cybersecurity framework specified under DFARS 252.204-7012. Derived from NIST SP 800-53r4 and FIPS 200. Consists of 14 Control Families and 110 Controls:
AC – ACCESS CONTROL
AT – AWARENESS AND TRAINING
AU – AUDIT AND ACCOUNTABILITY
CA – SECURITY ASSESSMENT
CM – CONFIGURATION MANAGEMENT
IA – IDENTIFICATION AND AUTHENTICATION
IR – INCIDENT RESPONSE
MA – MAINTENANCE
MP – MEDIA PROTECTION
PS – PERSONNEL SECURITY
PE – PHYSICAL PROTECTION
RA – RISK ASSESSMENT
SC – SYSTEM & COMMUNICATIONS
SI – SYSTEM & INFORMATION INTEGRITY
• NIST SP 800-171r1 is made up of basic and derived security requirements, obtained from FIPS 200 and NIST SP 800-53 respectively.
• NIST SP 800-171r1 is made up of 14 Families of controls.
CUI Security Requirements
Source: Dr. Ron Ross, NIST
Definitions
• OEM – An original equipment manufacturer (OEM) is a company whose products are used as components in the products of another company, referred to as the value-added reseller (VAR).
• Federal contractors are individuals or employers who enter into a contract with the United States (any department or agency) to perform a specific job, supply labor and materials, or for the sale of products and services.
• Top 100 Contractors – the top 100 contractors in 2015 included Lockheed Martin Corp, The Boeing Company, General Dynamics Corp, Raytheon Company, Northrop Grumman Corporation, McKesson Corporation, United Technologies Corporation, and many more. These are typically the PRIMARY CONTRACTOR with a government agency.
• Government Agency – The top five departments by dollars obligated in 2015 were the Department of Defense ($212.5 billion), Department of Energy ($23 billion), Health and Human Services ($21 billion), Department of Veterans Affairs ($20 billion), and NASA ($13 billion).
• DAA – The Designated Approving Authority (e.g., in the United States Department of Defense) is the official with the authority to formally assume responsibility for operating a system at an acceptable level of risk. The new official term that has replaced DAA is Authorizing Official (AO).
Definitions (continued…)
What are the differences between the accreditation decisions? Once the Designated Approval Authority (DAA) has reviewed the system information and recommendation, there are four possible DAA accreditation decisions that can be made:
• Authorization to Operate (ATO) – full operation approval with a duration of three years;
• Interim Authorization to Operate (IATO) – allows operation to manage IA security weaknesses for a maximum of six months;
• Interim Authorization to Test (IATT) – a special case for authorizing testing, allowing operation for a limited time; or
• Denial of Authorization to Operate (DATO) – issued if a DoD information system has inadequate IA design. If you receive a DATO, please contact your organization's Information Assurance (IA) professional.
NOTE: If an Accreditation Decision has not been issued, a system is considered "unaccredited" and is not allowed to operate.
• NIST Special Publication 800-171r1 – formally issued, completed on December 20, 2016
Definitions (continued…)
• IA – Information assessment
• Federal Information System – an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. (See Federal Information Security Management Act (FISMA) – 40 U.S.C., Sec. 11331)
• Non-Federal Information System – an information system used or operated by a non-federal organization that stores, processes, or transmits CUI (see NIST SP 800-171r1)
• Non-Federal Organizations – federal contractors; state, local, and tribal governments; and colleges and universities
• POAM – plans of action and milestones (POAM) for any planned implementations or mitigations
• SSP – Nonfederal organizations describe in a system security plan (SSP) how the CUI requirements are met or how organizations plan to meet the requirements. The SSP describes the boundary of the information system; the operational environment for the system; how the security requirements are implemented; and the relationships with or connections to other systems.
Road to ATO
Government Agency
• Issues ATO to Primary OEM/FC
↓
OEM/Federal Contractor
• Requires 171r1 IA
• Issues ATO
↓
OEM/Federal Contractor
• Requires 171r1 IA
• Issues ATO
Definitions (continued…)
• NIST Special Publication 800-171r1 – formally issued, completed on December 20, 2016. This publication provides federal agencies with a set of recommended security requirements for protecting the confidentiality of CUI when such information is resident in nonfederal systems and organizations.
• CUI – Controlled Unclassified Information is any information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
• CUI Registry is the online repository for information, guidance, policy, and requirements on handling CUI, including issuances by the CUI Executive Agent.
• Information technology (see 40 U.S.C. 11101(6)) means, in lieu of the definition at FAR 2.1, any equipment, or interconnected system(s) or subsystem(s) of equipment, that is used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency.
Industries Affected by DFARS
https://www.archives.gov/cui/registry/category-list#page-header
• Manufacturing – direct to Primes or Tertiary Contractors
• Universities with Government Grants – Defense Research
• Non-Federal Information System – an information system used or operated by a non-federal organization that stores, processes, or transmits CUI (see NIST SP 800-171r1)
• Non-Federal Organizations – federal contractors; state, local, and tribal governments; and colleges and universities
Approach
PHASE 1 – Risk Assessment – this is a scoping exercise to determine what 171r1 test procedures apply for this assessment; need Pre-Assessment Questionnaire; address only moderate and higher impacts based on FIPS 199
PHASE 2 – Gap Assessment – test each in-scope 171r1 test procedure; state whether compliant or a gap, with recommended remediations
PHASE 3 – deploy or facilitate remediations for open gaps; refer to appropriate managed service providers; develop a POA&M for each major gap and an overall SSP
PHASE 4 – test, validate and verify that remediations have been implemented properly and support compliance to 171r1
PHASE 5 – complete the Final NIST SP 800-171r1 report stating the client is fully compliant
Phase 1 – Risk Assessment
• PHASE 1 – Risk Assessment – this is a scoping exercise to determine what 171r1 test procedures apply for this assessment
• Pre-Assessment Questionnaire
• Create SOW and obtain signed agreement
• Complete FIPS 199
• Address only moderate and higher impacts based on FIPS 199
• NIST SP 800-171r1-PBC.docx
Pre-Assessment Questionnaire
Look at DFARS-Assessment_Questionnaire_2017.docx in the Dropbox folder.
Based on the results of the Pre-Assessment Questionnaire, the primary (MMTV, CMTC, Alvaka, etc.) will put together an RFQ, SOW, or proposal based on what is requested or agreed to with the client.
Each primary needs to run the proposed fee with MMTV (assessor) BEFORE committing to the client. The reason is that the amount of work to perform Phase 1 and Phase 2 needs to be determined by the assessor, not the primary. This is reciprocated when the assessor recommends Alvaka or another remediator to the client to address a gap.
Basic Guideline: The less the client has in place ("No" answers in the Pre-Assessment Questionnaire), the less the effort to develop a Gap Assessment (Phase 1 and 2). The more they have in place, the more testing is required to determine where they are compliant and what remediations will address the gaps. Testing of controls takes place in Phase 2 and Phase 4.
FIPS 199
FIPS 199 defines three levels of potential impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability).
• The potential impact is LOW if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
• The potential impact is MODERATE if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
• The potential impact is HIGH if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
The generalized format for expressing the security category, SC, of an information type is:
SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)},
where the acceptable values for potential impact are LOW, MODERATE, HIGH, or NOT APPLICABLE.
Only those impacts that are moderate and high are in scope of the NIST SP 800-171r1 IA. (See fips_199_security_categorization.docx)
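The following is an added worked example, not part of the session handout: it parses the SC notation shown above, applies the session's scoping rule (only MODERATE and HIGH impacts are in scope), and goes one step beyond the slide by rolling several information types up to a system-level category using the FIPS 199 high-water-mark rule. The two sample categorizations are constructed for illustration and do not come from the session.

```python
import re
from enum import IntEnum
from typing import Dict, Iterable


# FIPS 199 potential-impact values, ordered so that max() yields the high water mark.
class Impact(IntEnum):
    NOT_APPLICABLE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")
SecurityCategory = Dict[str, Impact]

# Matches each "(objective, IMPACT)" pair inside the SC braces.
_PAIR_RE = re.compile(
    r"\(\s*(confidentiality|integrity|availability)\s*,\s*([A-Za-z ]+?)\s*\)", re.I
)


def parse_security_category(expr: str) -> SecurityCategory:
    """Parse 'SC <type> = {(confidentiality, X), (integrity, Y), (availability, Z)}'."""
    sc: SecurityCategory = {}
    for objective, value in _PAIR_RE.findall(expr):
        sc[objective.lower()] = Impact[value.strip().upper().replace(" ", "_")]
    missing = [o for o in OBJECTIVES if o not in sc]
    if missing:
        raise ValueError(f"security category is missing objectives: {missing}")
    # FIPS 199 permits NOT APPLICABLE only for confidentiality of an information type.
    for objective in ("integrity", "availability"):
        if sc[objective] is Impact.NOT_APPLICABLE:
            raise ValueError(f"NOT APPLICABLE is not a valid impact for {objective}")
    return sc


def high_water_mark(sc: SecurityCategory) -> Impact:
    """Overall impact of one category: the highest of its three objectives."""
    return max(sc[o] for o in OBJECTIVES)


def in_scope_for_171(sc: SecurityCategory) -> bool:
    """Scoping rule from the session: only MODERATE and HIGH impacts are in scope."""
    return high_water_mark(sc) >= Impact.MODERATE


def system_category(types: Iterable[SecurityCategory]) -> SecurityCategory:
    """FIPS 199 system categorization: per-objective high water mark across all the
    information types the system handles. A system's floor is LOW, so a NOT APPLICABLE
    confidentiality rating on one type never pulls the system below LOW."""
    system: SecurityCategory = {o: Impact.LOW for o in OBJECTIVES}
    for sc in types:
        for o in OBJECTIVES:
            system[o] = max(system[o], sc[o])
    return system


def format_category(sc: SecurityCategory, name: str) -> str:
    """Render a category back into the SC notation used on the slide."""
    pairs = ", ".join(f"({o}, {sc[o].name.replace('_', ' ')})" for o in OBJECTIVES)
    return f"SC {name} = {{{pairs}}}"


# Constructed sample categorizations (hypothetical information types, not from the session).
CONTRACT_DATA = "SC contract technical data = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)}"
PUBLIC_WEB = "SC public web content = {(confidentiality, NOT APPLICABLE), (integrity, LOW), (availability, LOW)}"

if __name__ == "__main__":
    parsed = []
    for expr in (CONTRACT_DATA, PUBLIC_WEB):
        sc = parse_security_category(expr)
        parsed.append(sc)
        status = "in scope" if in_scope_for_171(sc) else "out of scope"
        print(f"{expr}\n  high water mark: {high_water_mark(sc).name} -> {status}")
    print(format_category(system_category(parsed), "system"))
```

Run as a script it prints each constructed category with its high water mark and scoping result, then the rolled-up system category (MODERATE for confidentiality and integrity, LOW for availability).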
Phase 2 – Gap Assessment
• PHASE 2 – Gap Assessment – test each in-scope 171r1 test procedure; state whether compliant or a gap, with recommended remediations
• CSET 8.0
• NIST SP 800-171r1 Worksheet
• Use NIST SP 800-171r1 Folder Structure for Evidence
• Test, Verify, and Evidence all In-Scope Test Procedures
• Recommend viable, cost-effective, risk-based remediations that satisfy the test procedure and control
• Identify a compensating control (CC) if remediation is too expensive, time consuming, or not feasible; but only if the CC will satisfy the test procedure
• Gap Assessment and Risk Assessment must be QA'd by the primary and assessor management team before being delivered to the client
Network Diagram
This is a simple network diagram that demonstrates a pictorial view of the network topology, components, segmentation, and firewall/router/switch/IDS placements.
This network diagram must coincide with actual layer 3 configurations and rules (ACLs and VLANs).
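One way to check the "diagram must coincide with the layer 3 rules" requirement during the gap assessment, as an added example that is not part of the session material: declare the segments and permitted flows the diagram shows, parse the permit rules out of an ACL, map each rule's subnets back to diagram segments, and report both directions of mismatch. The segments, flows, and ACL lines are constructed for illustration, and the ACL uses a simplified `permit|deny <proto> <src> <dst> [eq <port>]` form rather than any vendor's real syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    name: str
    vlan: int
    subnet: ipaddress.IPv4Network


@dataclass(frozen=True)
class Flow:
    src: str            # source segment name from the diagram
    dst: str            # destination segment name from the diagram
    proto: str
    port: Optional[int]  # None when the rule carries no 'eq <port>'


# Constructed diagram data: hypothetical segments and the flows the diagram permits.
DIAGRAM_SEGMENTS = [
    Segment("Corporate", 10, ipaddress.ip_network("10.10.10.0/24")),
    Segment("CUI enclave", 20, ipaddress.ip_network("10.10.20.0/24")),
    Segment("DMZ", 30, ipaddress.ip_network("10.10.30.0/24")),
]
DIAGRAM_FLOWS = [
    Flow("Corporate", "CUI enclave", "tcp", 443),
    Flow("Corporate", "DMZ", "tcp", 443),
    Flow("DMZ", "CUI enclave", "tcp", 1433),
]

# Constructed ACL in a simplified, vendor-neutral form.
ACL_TEXT = """
permit tcp 10.10.10.0/24 10.10.20.0/24 eq 443
permit tcp 10.10.10.0/24 10.10.30.0/24 eq 443
permit tcp 10.10.30.0/24 10.10.20.0/24 eq 22
deny ip any any
"""


def segment_for(token: str, segments: List[Segment]) -> str:
    """Map an ACL address token to the diagram segment that contains it."""
    if token == "any":
        return "any"
    net = ipaddress.ip_network(token, strict=False)  # hosts become /32 networks
    for seg in segments:
        if net.subnet_of(seg.subnet):
            return seg.name
    return f"unknown({net})"  # address space the diagram does not show at all


def parse_permits(acl_text: str, segments: List[Segment]) -> List[Flow]:
    """Extract permit rules as segment-to-segment flows; denies open no path."""
    flows: List[Flow] = []
    for line in acl_text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "permit":
            continue
        proto, src, dst = tokens[1], tokens[2], tokens[3]
        port = int(tokens[5]) if len(tokens) > 5 and tokens[4] == "eq" else None
        flows.append(Flow(segment_for(src, segments), segment_for(dst, segments), proto, port))
    return flows


def reconcile(acl_text: str, segments: List[Segment],
              diagram_flows: List[Flow]) -> Tuple[List[Flow], List[Flow]]:
    """Return (permitted flows the diagram omits, diagram flows no rule implements)."""
    permitted = parse_permits(acl_text, segments)
    documented = set(diagram_flows)
    implemented = set(permitted)
    undocumented = [f for f in permitted if f not in documented]
    unimplemented = [f for f in diagram_flows if f not in implemented]
    return undocumented, unimplemented


if __name__ == "__main__":
    extra, missing = reconcile(ACL_TEXT, DIAGRAM_SEGMENTS, DIAGRAM_FLOWS)
    for f in extra:
        print(f"ACL permits a flow the diagram does not show: {f}")
    for f in missing:
        print(f"Diagram shows a flow no ACL rule implements: {f}")
```

Both findings matter to the assessor: an undocumented permit (here, DMZ to the CUI enclave on port 22) is segmentation the diagram overstates, while a documented flow with no rule means the diagram describes connectivity that does not exist and the evidence package is out of date either way.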
Compensating Controls
Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Compensating controls must:
1. Meet the intent and rigor of the original control;
2. Provide a similar level of defense as the original control;
3. Be "above and beyond" other control requirements (not simply in compliance with other controls); and
4. Be commensurate with the additional risk imposed by not adhering to the control.
Source: PCI DSS v3.2
• SIEM – Security Incident & Event Monitor
• IPS/IDS – Intrusion Prevention/Detection System
• WAF – Web Application Firewall
• Database Monitoring
• Multi-Factor Authentication
  • Hard Tokens
  • Soft Tokens
• Network Monitoring
• TLS/SSL/EV – Web communication encryption
• Data Loss Prevention (DLP)
Monitoring Tools
Security Information & Event Monitor (SIEM) – COMMERCIAL / OPEN SOURCE
• Cost
• Scalability
• Flexibility
• Skillset requirements
• Current signatures
• Agent and/or Agentless
File Integrity Monitoring – COMMERCIAL / OPEN SOURCE
• Cost
• Scalability
• Flexibility
• Skillset requirements
• Current signatures
TRIPWIRE (For End-User Computing Only)
IDS/IPS – COMMERCIAL / OPEN SOURCE
• Cost
• Scalability
• Flexibility
• Skillset requirements
• Current signatures
Web Application Firewalls – COMMERCIAL / OPEN SOURCE
• Cost
• Scalability
• Flexibility
• Skillset requirements
• Current attack vectors
ESAPI Web Application Firewall (ESAPI WAF)
Database Monitoring – COMMERCIAL / OPEN SOURCE
• Cost
• Scalability
• Flexibility
• Skillset requirements
• Current signatures
• Agent and/or Agentless
Multi-Factor Authentication
• Multi-factor authentication (MFA, or M-FA) is an approach to authentication which requires the presentation of two or more of the three authentication factors:
  • Something I know
  • Something I have
  • Something I am
• RSA SecurID
• PhoneFactor offers instant integration with a wide range of applications, including all leading remote access VPN solutions, single sign-on systems, cloud applications, online banking, and websites as well as custom applications. PhoneFactor also integrates with Active Directory and LDAP servers for centralized user management.
Network Monitoring
• A detailed analysis of vulnerabilities found within your IP addresses or domain, classified by High, Medium or Low severity
• Step-by-step instructions on how to remediate threats, so you can immediately address the most serious vulnerabilities
Data Loss Prevention
• Detect, block or control the usage of (for example, saving, printing or forwarding) specific content based on established rules or policies.
• Monitor network traffic for, at a minimum, e-mail traffic and other channels/protocols (HTTP, IM, FTP) and analyze across multiple channels, in a single product and using a single management interface.
• End-Point / Network / Discovery
Balanced View of Information Security
STRATEGIC BUSINESS OBJECTIVES
RISKS:
• Compliance
• Reputation
• Availability
• Financial
• Security
• Confidentiality
• Fraud
• Insider Threats
• Corporate Espionage
• National Security
CONTROLS:
• Directive
• Preventive
• Detective
• Corrective
PHASE 5 – complete the Final DFARS/NIST SP 800-171r1 report stating the client is fully compliant
Complete the Exostar form and state whether you are compliant or not.
If not, you then need to provide:
• Systems Security Plan (SSP)
• Plan of Action and Milestones (POA&M) for each gap
• Each gap needs a plan
• Each gap needs a timeline and deadline
• Make sure you meet that deadline
NIST SP 800-171r1 IT and OT Considerations
• general purpose information systems;
• industrial and process control systems;
• cyber-physical systems; and
• individual devices that are part of the Internet of Things.
Mike O. Villegas, CISA, CISSP, GSEC, CSX|F, PCI-QSA, PA-QSA
Miguel (Mike) O. Villegas is a Senior Vice President for K3DES LLC. He performs and QA's PCI-DSS and PA-DSS assessments for K3DES clients. He also manages the K3DES ISO/IEC 27002:2013 program. Mike also specializes in DFARS 252/NIST SP 800-171r1 compliance. He was previously Director of Information Security at Newegg, Inc. for five years. Mike currently is a Contributing Writer for SearchSecurity.com – TechTarget with over 150 published articles.
Mike has over 35 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services, responsible for IT Regulatory Compliance, and was previously a partner at Arthur Andersen and Ernst & Young for their information systems security and IS audit groups over a span of nine years. Mike is a CISA, CISSP, GSEC, PCI-QSA and PA-QSA.
Mike was president of the LA ISACA Chapter during 2010-2012 and president of the SF ISACA Chapter during 2005-2006. He was the SF Fall Conference Co-Chair from 2002–2007 and also served for two years as Vice President on the Board of Directors for ISACA International. Mike has taught CISA review courses for over 20 years.
Summary Steps
1. Assess Legal & Contractual Requirements
2. Start with a DFARS Scoping & Readiness Assessment
3. Author Policy and Procedures
4. Implement Technical Remediation Measures as Needed
5. Institute Security Awareness and Training
6. Perform an Annual Risk Assessment
7. Confirm Successful Remediation Efforts
8. Ensure System Security Plan (SSP) and other Related Documents are in Order
9. Have an Independent Party perform an Assessment for DFARS compliance
10. Engage in Continuous Monitoring of your controls
11. Know that Federal Compliance is here to stay
12. Remember you have until December 31, 2017 to be compliant!