Got DoD Contracts in Your Supply Chain

Presentation transcript:

Got DoD Contracts in Your Supply Chain? Get Cybersecurity Compliant and Meet DoD's Year-End Deadline for Competitive Advantage
Elizabeth Adams, Vermont Procurement Technical Assistance Center
Patricia Giavara, Vermont Manufacturing Extension Center
Jon Bates, Vermont Manufacturing Extension Center

Today’s Objective: Create awareness about DoD’s cybersecurity requirements and provide information and resources on compliance and implementation.

Cybersecurity is Good Business

What is Information Security?

Information Security: the information your business uses / stores
- Includes customers, suppliers, IP, etc.
- Has several components you're probably aware of already
- Includes the following interrelated disciplines: Physical Security, Personnel Security, Contingency Planning & Disaster Recovery, Operational Security, Privacy, Cybersecurity

Physical Security
- Protection of life and property
- An essential element of information access control

Personnel Security
- Background checks (including educational checks) as appropriate
- Behavioral monitoring

Contingency Planning and Disaster Recovery (also Business Continuity Planning)
- Includes planning for not being able to use your computer
- Includes planning for when your critical IT person leaves/resigns
- Well understood, but not always implemented and tested

Operational Security
- Protection of your private business intentions
- Protecting processes
- Dealing with the media and external organizations

Privacy
- Protecting personally identifiable information, especially of customers and employees

Cybersecurity
- Protecting electronic devices
- Protecting electronically stored data / information

Lacking any one piece (physical, personnel, etc.) diminishes the effectiveness of the other pieces of the security puzzle.

Presentation Notes: Explain that all these aspects of security are interrelated and interdependent.

DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
- Contractor information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations"
- The Contractor shall implement NIST SP 800-171 not later than December 31, 2017.
- The Contractor shall submit requests to vary from NIST SP 800-171 in writing to the Contracting Officer, for consideration by the DoD CIO.
- The Contractor need not implement any security requirement adjudicated by an authorized representative of the DoD CIO to be not applicable, or to have an alternative, but equally effective, security measure that may be implemented in its place.
- Rapidly report cyber incidents to DoD at http://dibnet.dod.mil
- Flow down the clause in subcontracts

Let's break down the DFARS requirements:
- What is Covered Defense Information and Controlled Unclassified Information?
- What is NIST SP 800-171?
- What does "implemented by December 31, 2017" mean?
- What are options for meeting the requirements?
- What if a requirement doesn't apply to my business, or can't be implemented as described?
- What is required for reporting cyber incidents?

What is CDI, CTI, CUI . . . ?

The CUI Registry www.archives.gov/cui/registry/category-list.html
- Online repository for information, guidance, policy, and requirements on handling CUI, including issuances by the CUI Executive Agent.
- Identifies approved CUI categories and subcategories (with descriptions of each) and the basis for controls.
- Sets out procedures for the use of CUI, including but not limited to marking, safeguarding, transporting, disseminating, re-using, and disposing of the information.

CUI Registry: Manufacturing
Category-Subcategory: Proprietary Business Information - Manufacturer
Category Description: Material and information relating to, or associated with, a company's products, business, or activities, including but not limited to financial information; data or statements; trade secrets; product research and development; existing and future product designs and performance specifications.
Subcategory Description: Relating to the production of a consumer product to include that of a private labeler.
Marking: MFC

NIST Special Publication 800-171 Rev 1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, December 2016
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf

Security Requirements: 14 Families
- Access Control
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical Protection
- Personnel Security
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Obtained from FIPS 200 and NIST Special Publication 800-53.

Assumptions: Nonfederal organizations
- Have information technology infrastructures in place. Not developing or acquiring systems specifically for the purpose of processing, storing, or transmitting CUI.
- Have safeguarding measures in place to protect their information. May also be sufficient to satisfy the CUI requirements.
- May not have the necessary organizational structure or resources to satisfy every CUI security requirement. Can implement alternative, but equally effective, security measures.
- Can implement a variety of potential security solutions. Directly or through the use of managed services.

Structure of Security Requirements
Security requirements have a well-defined structure that consists of the following components:
- Basic security requirements section.
- Derived security requirements section.

Security Requirement: Awareness and Training Example
Basic Security Requirements:
- 3.2.1 Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those organizational information systems.
- 3.2.2 Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
Derived Security Requirements:
- 3.2.3 Provide security awareness training on recognizing and reporting potential indicators of insider threat.

Security Requirement: Awareness and Training Example 3.2.2
Basic Security Requirement:
- 3.2.2 Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
Meeting the Requirement:
- Basic security awareness training to new employees.
- Security awareness training to users when the information system changes.
- Annual security awareness refresher training.

Security Requirement: Access Control Example
Basic Security Requirements:
- 3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, or devices (including other systems).
- 3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute.
Derived Security Requirements:
- 3.1.3 Control the flow of CUI in accordance with approved authorizations.
- 3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
- 3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
- 3.1.6 Use non-privileged accounts or roles when accessing non-security functions.
- 3.1.7 Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
- 3.1.8 Limit unsuccessful logon attempts.

Security Requirement: Access Control Example 3.1.8
Derived Security Requirement:
- 3.1.8 Limit unsuccessful logon attempts.
Meeting the Requirement:
- Limit the number of consecutive invalid logon attempts allowed during a time period.
- Account lockout time period automatically enforced by the information system when the maximum number of unsuccessful logon attempts is exceeded.
- Locks the account/node until released by an administrator.
- Delays the next logon prompt according to the organization-defined delay algorithm.
- Access control policy and procedures addressing unsuccessful logon attempts.
- Personnel with information security responsibilities; system developers; system/network administrators.
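A reference implementation of the lockout mechanics listed for 3.1.8, added here as an example and not part of the original presentation or of NIST SP 800-171: it counts consecutive failed logons within a sliding time window, locks the account until an administrator releases it, and applies a doubling delay before the next prompt. The thresholds (5 attempts, 15 minutes, 2-second base delay) are assumed organization-defined values, not figures from the slides.

```python
"""Account lockout logic for NIST SP 800-171 requirement 3.1.8.

Added example, not code from the presentation. MAX_ATTEMPTS, WINDOW_SECONDS
and BASE_DELAY_SECONDS are assumed organization-defined values.
"""
from collections import defaultdict, deque

MAX_ATTEMPTS = 5          # assumed: consecutive failures allowed in the window
WINDOW_SECONDS = 15 * 60  # assumed: time period over which failures are counted
BASE_DELAY_SECONDS = 2    # assumed: base of the delay algorithm (doubles per failure)


class LogonGuard:
    """Tracks failed logons per account and enforces lockout and prompt delay."""

    def __init__(self):
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked = set()                 # accounts locked pending admin release

    def next_prompt_delay(self, account):
        """Seconds to wait before the next logon prompt: 0, 2, 4, 8, ... per failure."""
        n = len(self._failures[account])
        return 0 if n == 0 else BASE_DELAY_SECONDS * 2 ** (n - 1)

    def attempt(self, account, password_ok, now):
        """Record one logon attempt at time `now` (seconds).

        Returns 'locked', 'rejected' or 'accepted'. A locked account is refused
        even with the correct password until an administrator releases it.
        """
        if account in self._locked:
            return "locked"
        fails = self._failures[account]
        # Failures older than the window no longer count toward the limit.
        while fails and now - fails[0] > WINDOW_SECONDS:
            fails.popleft()
        if password_ok:
            fails.clear()  # a success ends the run of consecutive failures
            return "accepted"
        fails.append(now)
        if len(fails) >= MAX_ATTEMPTS:
            self._locked.add(account)  # lock the account until released
            fails.clear()
            return "locked"
        return "rejected"

    def admin_release(self, account):
        """Administrator action that unlocks the account and resets its counters."""
        self._locked.discard(account)
        self._failures[account].clear()

    def is_locked(self, account):
        return account in self._locked
```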

What does "implement SP 800-171 by 12/31/2017" really mean?
A company demonstrates compliance and implementation of all 110 security controls in 800-171 through:
- Developing a System Security Plan (SSP)
- Performing an assessment and producing an assessment report
- Addressing the deficiencies found during the assessment in a Plan of Action and Milestones (PoAM)
These three steps provide evidence that the company has implemented the 800-171 security controls. It is not enough for a company simply to state that it has implemented the security controls in 800-171; it must be able to provide evidence of the implementation. There may be other approaches to developing and providing the evidence, but the three-step approach listed above is what NIST and DoD are recommending.

DFARS 252.204-7008
"If the Offeror proposes to vary from any of the security requirements specified by NIST SP 800-171 that are in effect at the time the solicitation is issued or as authorized by the Contracting Officer, the Offeror shall submit to the Contracting Officer, for consideration by the DoD Chief Information Officer (CIO), a written explanation of— (A) Why a particular security requirement is not applicable; or (B) How an alternative but equally effective, security measure is used to compensate for the inability to satisfy a particular requirement and achieve equivalent protection."

Meeting SP 800-171
- Some security controls may not be applicable to your environment.
- Build off what you are currently doing.
- Consider other ways to meet the requirements.
- Isolate CUI into its own security domain by applying architectural design concepts.
- Mapping to NIST SP 800-53 and ISO/IEC 27001 is provided in SP 800-171.

NIST 800-171 Guidebook – Coming Soon. https://www. nist

Free Online Assessment Tool CAUTION: Requires an IT savvy user.

Using CSET
To be effective it should be completed by a cross-functional team of subject matter experts (SME):
- Operational (work day-to-day with the systems)
- Maintenance (fix, update, modify, etc. the systems)
- Information Technology (configure, create accounts, troubleshoot, etc. the systems)
- Business
- Security
This tool will help create these two reports:
- System Security Plan (SSP)
- Plan of Action and Milestones (PoAM)

Cyber Incident Reporting
Rapidly report cyber incidents to DoD at http://dibnet.dod.mil
NOTE: Vermont law requires reporting security breaches involving personal information: http://ago.vermont.gov/assets/files/Security%20Breach%20Guidance%20updated.pdf

Resources:
- NIST SP 800-171 Rev1: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf
- DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting: http://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012
- Small Business Information Security: The Fundamentals: http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf
- DoD Industry Information Day - Cybersecurity, June 23, 2017: http://dodprocurementtoolbox.com/cms/sites/default/files/resources/2017-06/Public%20Meeting%20-%20Jun%2023%202017%20Final.pdf
- Cybersecurity Resources for Small Manufacturers: https://www.nist.gov/mep/cybersecurity-resources-manufacturers
- VMEC Website Cybersecurity Links: https://www.vmec.org/resources/white-papers/

Resources for 800-171 Implementation:
- NIST MEP 800-171 Guidebook
- CSET Tool: http://www.raytheon.com/suppliers/rtnwcm/groups/iis/documents/content/cset-instructions-help.pdf
- Cybersecurity services companies
- Contact PTAC or VMEC

Contact Information:
- Elizabeth Adams, Vermont Procurement Technical Assistance Center, elizabeth.adams@vermont.gov, 802-272-1587, http://accd.vermont.gov/economic-development/programs/ptac
- Patricia Giavara, Vermont Manufacturing Extension Center, pgiavara@vmec.org, 802-279-6103
- Jon Bates, Vermont Manufacturing Extension Center, jbates@vmec.org, 802-345-2062, https://www.vmec.org