DFARS Cybersecurity Compliance

Presentation on theme: "DFARS Cybersecurity Compliance"— Presentation transcript:

1 DFARS Cybersecurity Compliance
Adam Austin, MSIA, CISM, Sec+ Cybersecurity Lead Haight Bey & Associates (SVOB)

2 Agenda
What is the DFARS requirement?
Who is affected?
What is cybersecurity?
How do I report cyber incidents?
What are the cybersecurity requirements?
What do I need to do to meet the requirement?
How will this affect my business?
What are challenges unique to small businesses?
Questions and answers

3 DoD Federal Acquisition Regulation Supplement (DFARS)
“Covered contractor information system”: an unclassified IT system owned, or operated by or for, a contractor that processes, stores, or transmits covered defense information, e.g. Controlled Unclassified Information (CUI):
Research and engineering data
Engineering drawings and associated lists
Specifications
Standards
Process sheets
Manuals
Technical reports
Technical orders
Catalog-item identifications
Data sets
Studies and analyses and related information
Computer software: executable code and source code
CDRLs

4 Many (most?) DoD contractors are “covered”
If the contract specifies Contract Deliverable Requirements Lists (CDRL), your organization is likely covered
Only the IT systems that process CUI are covered, e.g. CAD systems, MS Office systems used to develop Tech Manuals
Includes “cloud”-based IT systems, which need FedRAMP approval
Example of an IT system not covered: G-suite tools (e.g. Google Drive) used only for corporate communications

5 DFARS clause
Adequate security: The Contractor shall implement NIST SP , as soon as practical, but not later than December 31, 2017. Operational, managerial, and technical cybersecurity requirements for the IT system.
Cyber incident reporting: Rapidly report cyber incidents to DoD at 
Access to the site requires an ECA medium-assurance certificate (purchased by the contractor), or a CAC card

6 Cybersecurity = Risk Management
Business owners do risk management every day: think Profit/Loss
If the Profit/Loss ratio <= 1, then something has to change
Cybersecurity is the same mindset

7 What is common to all three?
Cyber Risk Equation (diagram): Assets (Impact), Vulnerabilities, and Threats combine to give RISK.
Assets (Impact): People; Information (Corporate, Customer); IT systems, facilities; Finances
Threats: Hacking; Disasters; Misuse (Intentional, Unintentional)
Vulnerabilities: People; Insecure configuration; Lack of Ps: Policy, Process, Plans
What is common to all three? PEOPLE!

8 Cyber Risk Equation (2)
Threat + Vulnerability = Probability of compromise
Probability x Impact = Risk
Risk is typically first calculated qualitatively, e.g. High, Medium, Low
However, for meaningful action, we must calculate risk in terms of the value of lost assets ($)
If the Asset/Risk ratio <= 1, something has to change

9 DoD Supply Chain Risk
DoD has (correctly) determined its supply chain is a source of unacceptable risk
Many of the notorious breaches of late were the result of a compromised contractor, e.g. Target (2013), OPM (2014), and ongoing DoD-info exfiltration via contractor breaches
Therefore, the DoD has levied general cybersecurity requirements on its contractors via DFARS

10 Configuration Management is Paramount
If you don’t know who/what’s on your network, how do you know where your weaknesses are?
If you don’t know who/what’s changed on your network, how do you know where to start troubleshooting?
The goal is to securely configure: Processes, Systems, People

11 Cyber Incidents
Incident: a suspected or confirmed cyber-related issue, e.g.:
Ransomware attack
Physical intrusion to facility
DNS queries to strange or newly-registered domains
Unknown device plugged into workstation
Phases of incident response:
Preparation
Detection / Analysis
Containment / Response
Recovery
Follow-up

13 .mil site requires ECA or CAC certificate
DISA ECA information:

14 Cyber Incident Report Elements
US CERT guidelines: 
CMS has an IR report template that can be modified for use with CUI: 

15 311 Assessment Objectives*
SP and A: 14 Families, 110 Controls, 311 Assessment Objectives*
*We refer to Assessment Objectives as “Organizational Actions”

16 Control Families
Access Control
Awareness and Training
Audit and Accountability
Configuration Management
Identification and Authentication
Incident Response
Maintenance
Media Protection
Personnel Security
Physical Protection
Risk Assessment
Security Assessment
System and Communications Protection
System and Information Integrity

17 Example Controls (Control Family, Control ID, Control Text)
Access Control, 3.1.4: Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
Configuration Management, 3.4.3: Track, review, approve/disapprove, and audit changes to information systems.
Personnel Security, 3.9.1: Screen individuals prior to authorizing access to information systems containing CUI.
Security Assessment, 3.12.2: Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems.
Security Assessment, 3.12.4: Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

18 Deep Dive into a 800-171A Control

19 Deep Dive into a 800-171A Control (2)

20 DoD Contractors w/CUI need to implement a cybersecurity program:
Gather existing system security plans (SSP)
Perform gap assessment against 
Modify SSP accordingly; develop new policies/processes, and written documentation for N/A controls
Develop and execute a Plan of Action and Milestones (POA&M) to fix residual gaps
Create and engage a continuous monitoring process
Develop and implement a capability to report cyber incidents

21 DON’T PANIC
DFARS Cybersecurity Compliance means “Implementing” 3 things:
Develop and Approve a based System Security Plan (SSP)
Develop and Execute a Plan of Actions and Milestones (POA&M)
Develop and Implement a Cyber Incident Reporting Capability

22 How does this affect my business?
Cybersecurity is an additional cost: DoD is not going to fund contractors to get healthy
Increased overhead rates
Cybersecurity is a business enabler, not an end in itself; cybersecurity risk is one of many types of risk
Where to start? User training, and a robust configuration management process

23 Small Business Challenges
Smaller overhead absorption ability: how to continue to keep rates competitive
No enterprise IT capability and reach-back: “Here’s Jim, the IT guy”
Employees perform multiple roles: separation of duties?!
Decentralized processes: “The policies exist…in my head”

24 Good News
You create your SSP: create sensible custom policies
Lots of policy resources to draw from: US Gov’t, SANS, ASD
Free and/or open-source tech options: NetMon (Freemium), Security Onion, GoPhish

25 Not sure what to do? We’re happy to talk; we’re in the same boat…
Haight Bey & Associates
1972W 2550S Suite A, West Haven, UT 84401
(888) 
@haightbey
Cybersecurity Empowerment SM

26 Questions?
