It’s Midnight…. do you know where your Federal Safeguards are? image courtesy Brendan Loy
It’s Midnight on May 11, 2017… do you know where your safeguards were?
What is Cybersecurity? The Department of Homeland Security (DHS) defines cybersecurity as “the protection of computers and computer systems against unauthorized attacks or intrusion.”
It’s Midnight…do you know where your Federal Safeguards are? Moderator: Richard Stump, AIA; Vice President, Stanley Consultants Speakers: Robert E. Jones, CPCM, Fellow; Left Brain Professionals Terry O’Connor, Partner; Berenzweig Leonard, LLP
Topics of Coverage
A Brief Introduction – Safeguarding Data Today
Awareness
Considerations for AECs, Small and Large
Proactive Management Resolution
The Value Proposition-Why Do It?
Discussion and Takeaways
A Brief Introduction – Safeguarding Data Today
DoD Cybersecurity Clauses
FAR (52.204-21, Basic Safeguarding of Covered Contractor Information Systems) and DFARS
DFARS 252.204-7012 Safeguarding Covered Defense Information (CDI) and Cyber Incident Reporting
DFARS Subpart 204.73 Safeguarding CDI and Cyber Incident Reporting
NIST SP 800-171
What is the purpose of DFARS 252.204-7012? DFARS clause 252.204-7012 was structured to ensure that unclassified DoD information residing on a contractor’s internal information system is safeguarded from cyber incidents, and that any consequences associated with the loss of this information are assessed and minimized via the cyber incident reporting and damage assessment processes. In addition, by providing a single DoD-wide approach to safeguarding covered contractor information systems, the clause prevents the proliferation of cyber security clauses and contract language by the various entities across DoD. Source: 27 Jan 17 FAQ, DFARS Case 2013-D018
What is the purpose of DFARS 252.204-7012? Safeguard unclassified DOD information on contractor information storage systems Minimize consequences of a cyber incident Provide a single DOD-wide approach
NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
14 Requirement Families:
Access Control
Awareness and Training
Audit and Accountability
Configuration Management
Identification and Authentication
Incident Response
Maintenance
Media Protection
Personnel Security
Physical Protection
Risk Assessment
Security Assessment
System and Communications Protection
System and Information Integrity
Contractor Compliance Large businesses struggle Time and financial commitment can appear overwhelming How do small businesses have a chance?
Awareness
Awareness. Cyber Awareness Month is in October. The government expects you to be aware (and compliant with its clauses) all year long.
Positive Share
Safety Check
What to Protect?
Corporate networks
Cloud storage (Dropbox, Office 365)
E-mail
Social media
Online accounts (banks, utilities, etc.)
Mobile devices
IoT (phones, printers, other devices)
Physical Security
Control access to building.
Limit access to servers and systems.
Visitor policy.
Related safeguarding requirements:
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)
Limit information system access to the types of transactions and functions that authorized users are permitted to execute
Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals
Escort visitors and monitor visitor activity; maintain audit logs of physical access, and control and manage physical access devices
Update & Virus Protection
Update OS and programs regularly.
Invest in quality virus protection.
Auto-update program and definitions.
Related safeguarding requirements:
Provide protection from malicious code at appropriate locations within organizational information systems
Update malicious code protection mechanisms when new releases are available
Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed
Virus Tools Avast McAfee AVG Eset MalwareBytes
Password Management
Strong passwords are critical!
Examples: California / California2017 / C@l1f0rn!a / C@l1f0rn!a2017
Secret Q&A does not have to be real – only YOU need to know the answer.
Related safeguarding requirements:
Verify and control/limit connections to and use of external information systems
Identify information system users, processes acting on behalf of users, or devices
Password Tools LastPass KeePass Onelogin ManageEngine SplashID
Password Tools
How Secure Is My Password? https://howsecureismypassword.net/
California – Instantly
California2017 – 10 million years
C@l1f0rn!a – 6 years
C@l1f0rn!a2017 – 204 million years
Caveat: these figures model exhaustive brute force over the character set. All four examples are the single word "California" with a year appended or letters swapped for look-alike symbols, and offline cracking tools apply exactly those manglings to every word in their lists, so in practice each falls far sooner than the meter suggests. A long passphrase or a randomly generated password from a manager does not have this weakness.
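The estimates above come from a meter that assumes an attacker tries every combination of characters. The following Python, added here as a worked example and not part of the original presentation, puts that estimate beside what a rule-based cracking attack sees: it undoes case, an appended year and look-alike-symbol substitutions, then checks whether a base word remains. The mini wordlist, the leet mapping, the 10 billion guesses per second rate and the 14-million-word, 1,000-rule attack size are assumptions made for the example.

```python
import re

# Constructed stand-in for a real cracking wordlist (rockyou.txt has ~14 million
# entries); these few words are an assumption made for this example.
WORDLIST = {"password", "california", "welcome", "letmein", "summer", "winter"}

# One common leet mapping; real rule sets (hashcat / John "leet" rules) try many more.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})

SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(pw: str) -> int:
    """Alphabet a naive brute-force attacker must cover, as strength meters count it."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII punctuation
    return size


def brute_force_years(pw: str, guesses_per_second: float = 1e10) -> float:
    """Years to exhaust the whole keyspace at the assumed guess rate (a GPU-class
    rate against a fast, unsalted hash; the rate is an assumption)."""
    return charset_size(pw) ** len(pw) / guesses_per_second / SECONDS_PER_YEAR


def normalize(pw: str) -> str:
    """Undo the mangling a cracking rule applies: case, an appended year or
    digits, and leet substitutions. Digits are stripped before the leet pass
    so a '2017' suffix is not itself turned into letters."""
    base = pw.lower()
    base = re.sub(r"\d{1,4}$", "", base)
    return base.translate(LEET)


def dictionary_hit(pw: str, wordlist=WORDLIST):
    """Return the base word the password was built from, or None if it is not
    a simple mangling of a wordlist entry."""
    base = normalize(pw)
    return base if base in wordlist else None


def dictionary_attack_seconds(wordlist_size: int = 14_000_000, rules: int = 1_000,
                              guesses_per_second: float = 1e10) -> float:
    """Time to try every wordlist entry under every mangling rule (assumed sizes)."""
    return wordlist_size * rules / guesses_per_second


def assess(pw: str) -> dict:
    """Side-by-side view: what the meter says vs. what a rule-based attack sees."""
    hit = dictionary_hit(pw)
    return {
        "password": pw,
        "meter_brute_force_years": round(brute_force_years(pw), 3),
        "dictionary_base_word": hit,
        "rule_attack_seconds": dictionary_attack_seconds() if hit else None,
    }


if __name__ == "__main__":
    for candidate in ("California", "California2017", "C@l1f0rn!a",
                      "C@l1f0rn!a2017", "xK9#pLm2Qw!r"):
        print(assess(candidate))
```

Running it shows the four slide examples all normalize to "california" and fall within the assumed 1.4-second rule-based sweep, while the random string survives the dictionary pass and is left with only the brute-force estimate.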
Wi-fi and Bluetooth
Keep them off until needed.
Separate guest network.
Related safeguarding requirements:
Monitor, control, and protect organizational communications (i.e. information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
Wi-fi Tools SecureLine VPN PureVPN
Mobile Devices Use Passcode/PIN for encryption. Have a method to remote wipe.
Mobile Tools Avast Mobile Avira Lookout
E-mail Keep separate accounts. Use a professional domain for work.
Email Tools Setup multi-factor authentication on every account.
Cloud Storage Use separate storage for work & personal. Don’t cross contaminate!
Cloud Tools Dropbox Google Drive Box iCloud Carbonite
Encryption Look for “https” in websites. (https means the connection is encrypted and the server presented a certificate for that name; it says nothing about whether the site itself is trustworthy.)
Encryption Tools SertintyOne
Multi-Factor Authentication
User name + password + another item:
Text code
Digital certificate
One-time password
Biometric
Related safeguarding requirement:
Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems
Multi-Factor Tools Windows Authenticator Google Authenticator IdenTrust RSA SecurID
Considerations for AECs, Small and Large
Considerations for Business Prime AEC Contracts with Federal Agencies Subcontracts Joint Venture Partners Host Nation Partners and Subconsultants
Prime Contract Considerations
Clause Compliance
31 Dec 17 – NIST SP 800-171 implementation required under DFARS 252.204-7012
Notification to DoD CIO within 30 days of award of any NIST SP 800-171 requirements not yet implemented
Flowdown of clauses to subcontractors
CDI Identification and Management
Subcontractor Considerations Clause Compliance Conformance to Prime AE cybersecurity requirements Need to report your compliance, post-award Costs of compliance vs. benefits of subcontract
Joint Venture Considerations Clause Compliance for all parties All Parties’ Cybersecurity Conformance Incident Management and Reporting Location and Management of Data
Meeting the 31 Dec 17 Deadline DFARS 252.204-7012 Costs and time for compliance vary Larger contractor, greater compliance requirement Upfront costs and recurring costs Smaller firms benefit from smaller footprint Many firms will not be fully compliant by Dec 2017 If you haven’t yet started…you still need to comply!
Proactive Management Resolution
Explaining the Basic Safeguards FAR 52.204-21 requires 15 controls at a minimum on covered contractor information systems
Definitions Covered contractor information systems Federal contract information Information Information system
Definitions The 15 requirements are requirements that “most prudent businesses already follow.”
Access controls Limit access: To authorized users To the transactions/functions authorized users can execute
Access Controls Control: use of external information systems posting of information on publicly accessible information systems
Identification and Authentication Identify users and authenticate their identity before letting them use information system
Media Protection Sanitize or destroy media containing Federal contract information before disposal or release for reuse
Physical Protection Limit physical access Escorts, sign-in logs, door-openers
Systems and Communications Protection Boundary protections Subnetworks
System and Information Integrity Identify, report and fix flaws in a timely manner Protect against malicious code and update the protection mechanisms when new releases are available Scan system periodically and scan downloads in real-time
The Value Proposition-Why Do It?
Value Proposition Slide by Robert
Value Proposition Slide by Rich
Value Proposition Slide by Terry
A Little Bit of Conversation Questions, Comments and Answers
Your Best Way Forward Takeaway 1 Takeaway 2 Takeaway 3 Takeaway 4
Contact Information
Robert E. Jones (614) 556-4415 Robert@leftbrainpro.com
Richard Stump (808) 542-9265 stumprichard@stanleygroup.com
Terry O’Connor 703.760.0402 toconnor@berenzweiglaw.com