DFARS Cybersecurity Compliance
Adam Austin, MSIA, CISM, Sec+
Cybersecurity Lead, Haight Bey & Associates (SVOB)
www.VIBNetwork.org
Agenda
- What is the DFARS requirement?
- Who is affected?
- What is cybersecurity?
- How do I report cyber incidents?
- What are the cybersecurity requirements?
- What do I need to do to meet the requirement?
- How will this affect my business?
- What are challenges unique to small businesses?
- Questions and answers
DoD Federal Acquisition Regulation Supplement (DFARS)
“Covered contractor information system”: an unclassified IT system owned, or operated by or for, a contractor that processes, stores, or transmits covered defense information, e.g. Controlled Unclassified Information (CUI):
- research and engineering data
- engineering drawings, and associated lists
- specifications
- standards
- process sheets
- manuals
- technical reports
- technical orders
- catalog-item identifications
- data sets
- studies and analyses and related information
- computer software executable code and source code
- CDRLs
Many (most?) DoD contractors are “covered”
- If the contract specifies Contract Deliverable Requirements Lists (CDRL), your organization is likely covered
- Only the IT systems that process CUI are covered, e.g. CAD systems, MS Office systems used to develop Tech Manuals
- Includes “cloud”-based IT systems, which need FedRAMP approval
- Example of an IT system not covered: G-suite tools (e.g. Google Drive) used only for corporate communications
DFARS clause 252.204-7012
- Adequate security: “The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017.”
  - Operational, managerial, and technical cybersecurity requirements for the IT system
- Cyber incident reporting: rapidly report cyber incidents to DoD at https://dibnet.dod.mil
  - Access to the site requires an ECA medium-assurance certificate (purchased by the contractor) or a CAC card
Cybersecurity = Risk Management
- Business owners do risk management every day
- Think Profit/Loss: if the Profit/Loss ratio <= 1, then something has to change
- Cybersecurity is the same mindset
Cyber Risk Equation
- Assets (Impact):
  - People
  - Information (corporate, customer)
  - IT systems, facilities
  - Finances
- Threats:
  - Hacking
  - Disasters
  - Misuse (intentional, unintentional)
  - People
- Vulnerabilities:
  - People
  - Insecure configuration
  - Lack of Ps: Policy, Process, Plans
- Assets + Threats + Vulnerabilities = RISK
- What is common to all three? PEOPLE!
Cyber Risk Equation (2)
- Threat + vulnerability = probability of compromise
- Probability x Impact = Risk
- Risk is typically first calculated qualitatively, e.g. High / Medium / Low
- However, for meaningful action, we must calculate risk in terms of the value of lost assets ($)
- If the Asset/Risk ratio <= 1, something has to change
DoD Supply Chain Risk
- DoD has (correctly) determined its supply chain is a source of unacceptable risk
- Many of the notorious breaches of late were the result of a compromised contractor, e.g. Target (2013), OPM (2014), and ongoing DoD-information exfiltration via contractor breaches
- Therefore, the DoD has levied general cybersecurity requirements on its contractors via DFARS
Configuration Management is Paramount
- If you don’t know who/what’s on your network, how do you know where your weaknesses are?
- If you don’t know who/what’s changed on your network, how do you know where to start troubleshooting?
- The goal is to securely configure:
  - Processes
  - Systems
  - People
Cyber Incidents
- Incident: suspected or confirmed cyber-related issue, e.g.:
  - Ransomware attack
  - Physical intrusion to facility
  - DNS queries to strange or newly-registered domains
  - Unknown device plugged into workstation
- Phases of incident response:
  - Preparation
  - Detection / Analysis
  - Containment / Response
  - Recovery
  - Follow-up
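The Configuration Management and Cyber Incidents slides both turn on knowing what is on the network. The following is an added example, not part of the presentation or Haight Bey's own tooling: it compares an approved device baseline (assumed to be the inventory recorded in the SSP) against a snapshot of what is actually connected, flagging unknown devices as a detection trigger and unapproved changes for review under control 3.4.3. All device data is constructed for illustration.

```python
# Added example (not from the presentation): baseline-vs-snapshot inventory check.
# Unknown devices are an incident indicator (Cyber Incidents slide); changed
# devices need review/approval under 800-171 control 3.4.3. Data is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    mac: str
    ip: str
    hostname: str
    owner: str


# Approved baseline, assumed to come from the SSP inventory (constructed here).
BASELINE = {
    "AA:BB:CC:00:00:01": Device("AA:BB:CC:00:00:01", "10.0.1.10", "cad-ws01", "engineering"),
    "AA:BB:CC:00:00:02": Device("AA:BB:CC:00:00:02", "10.0.1.11", "techpubs-ws02", "techpubs"),
    "AA:BB:CC:00:00:03": Device("AA:BB:CC:00:00:03", "10.0.1.20", "fileserver", "it"),
}

# Constructed snapshot, as it might be parsed from DHCP leases or an ARP table.
SNAPSHOT = [
    ("AA:BB:CC:00:00:01", "10.0.1.10", "cad-ws01"),
    ("AA:BB:CC:00:00:03", "10.0.1.25", "fileserver"),      # IP differs from baseline
    ("de:ad:be:ef:00:99", "10.0.1.77", "unknown-laptop"),  # not in baseline at all
]


def review_snapshot(baseline, snapshot):
    """Return findings: unknown devices, changed devices, and devices not seen."""
    findings = {"unknown": [], "changed": [], "missing": []}
    seen = set()
    for mac, ip, hostname in snapshot:
        mac = mac.upper()  # normalise so case differences never hide a match
        seen.add(mac)
        known = baseline.get(mac)
        if known is None:
            findings["unknown"].append(mac)
        elif (known.ip, known.hostname) != (ip, hostname):
            findings["changed"].append(
                (mac, f"{known.ip}/{known.hostname}", f"{ip}/{hostname}")
            )
    # Baseline devices absent from the snapshot may be off, or may have been removed.
    findings["missing"] = sorted(set(baseline) - seen)
    return findings


if __name__ == "__main__":
    for kind, items in review_snapshot(BASELINE, SNAPSHOT).items():
        print(kind, items)
```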
https://dibnet.dod.mil
- .mil site requires an ECA or CAC certificate
- DISA ECA information: https://iase.disa.mil/pki/eca/Pages/index.aspx
Cyber Incident Report Elements
- US-CERT guidelines: https://www.us-cert.gov/incident-notification-guidelines
- CMS has an IR report template that can be modified for use with CUI: https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Info-Security-Library-Items/RMH-Chapter-08-Incident-Response-Appendix-K-Incident-Report-Template.html
SP 800-171 and 800-171A
- 14 Families
- 110 Controls
- 311 Assessment Objectives*
*We refer to Assessment Objectives as “Organizational Actions”
Control Families
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Example Controls (Control Family / Control ID / Control Text)
- Access Control / 3.1.4: Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
- Configuration Management / 3.4.3: Track, review, approve/disapprove, and audit changes to information systems.
- Personnel Security / 3.9.1: Screen individuals prior to authorizing access to information systems containing CUI.
- Security Assessment / 3.12.2: Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems.
- Security Assessment / 3.12.4: Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
Deep Dive into a 800-171A Control
Deep Dive into a 800-171A Control (2)
DoD Contractors w/CUI need to implement a cybersecurity program:
- Gather existing system security plans (SSP)
- Perform a gap assessment against 800-171
- Modify the SSP accordingly; develop new policies/processes and written documentation for N/A controls
- Develop and execute a Plan of Action and Milestones (POA&M) to fix residual gaps
- Create and engage a continuous monitoring process
- Develop and implement a capability to report cyber incidents
DON’T PANIC
DFARS Cybersecurity Compliance means “implementing” 3 things:
- Develop and approve an 800-171-based System Security Plan (SSP)
- Develop and execute a Plan of Actions and Milestones (POA&M)
- Develop and implement a Cyber Incident Reporting Capability
How does this affect my business?
- Cybersecurity is an additional cost
  - Increased overhead rates
  - DoD is not going to fund contractors to get healthy
- Cybersecurity is a business enabler, not an end in itself
  - Cybersecurity risk is one of many types of risk
- Where to start?
  - User training
  - Robust configuration management process
Small Business Challenges
- Smaller overhead absorption ability: how to continue to keep rates competitive
- No enterprise IT capability and reach-back: “Here’s Jim, the IT guy”
- Employees perform multiple roles: separation of duties?!
- Decentralized processes: “The policies exist…in my head”
Good News
- You create your SSP
- Create sensible custom policies
- Lots of policy resources to draw from: US Gov’t, SANS, ASD
- Free and/or open-source tech options: NetMon (Freemium), Security Onion, GoPhish
Not sure what to do? We’re happy to talk; we’re in the same boat…
Haight Bey & Associates
1972 W 2550 S, Suite A, West Haven, UT 84401
(888) 379-0509
https://haightbey.com
@haightbey
https://www.linkedin.com/company/haight-bey-&-associates/
Cybersecurity Empowerment SM
Questions?