products:

Sorry,

there are no posts to show...


Helpful Resources

News:

CMMC CompanionRESTON, Va.—November 24, 2020—CyberSheath Services International has published the 2020 / 2021 CMMC Companion guide to help defense contractors navigate and comply with new rules from the Department of Defense (DoD) to secure the Defense Industrial Base from cyberthreats. This new resource for defense contractors provides a clear, concise primer that summarizes the CMMC, discusses why the rule has been created, and proposes useful tips for its mandatory implementation.

“The defense industry has been clamoring for help as new rules emerge and the risk of losing out on defense contracts and revenue becomes more real,” says Eric Noonan, CEO of CyberSheath. “CyberSheath has been supporting compliance initiatives for defense contractors and other companies since 2012, and they’ve channeled that experience into this new resource. Anyone dealing with CMMC will gain enormous benefits in terms of understanding the history, terminology, approach, and future direction.”

Though the industry has been charged with meeting stringent requirements for years, recent updates with real deadlines have created urgency and angst among prime and subprime contractors. Not only are the prime contractors ensuring their own compliance, but they are also putting pressure on their suppliers to verify compliance. If defense contractors do not comply, they risk the security of the supply chain, national security, the ability to secure DoD contracts, and, thus, their revenue.

New rules under the recent DFARS interim law rule, coupled with requests from prime contractor demands mean suppliers must confirm their NIST 800-171 Assessment Score, provide a Plan of Action and Milestones (POAM) estimated completion date (ECD) for any unimplemented requirements, their status and ECD for an additional 20 CMMC practices, and their status and ECD for the CMMC Level 2 and 3 maturity processes. On top of that, suppliers have to provide updates on their progress until all practices and progress are implemented, as well as their “estimated date for closure of all NIST SP 800-171 POAM items, and the expected closure date for the additional controls.”

The new CMMC Companion guide comes on the heels of the first-ever CMMC Con, a virtual gathering hosted by CyberSheath attended by some 1,000 CMMC partners, including government stakeholders, services providers, and contractors.

For more information or details, please contact info@cybersheath.com.

 

About CyberSheath Services International, LLC
Established in 2008, CyberSheath is one of the most experienced and trusted IT security services partners for the U.S. defense industrial base. From CMMC compliance to strategic security planning to managed security services, CyberSheath offers a comprehensive suite of offerings tailored to clients’ information security and regulatory compliance needs. Learn more at www.cybersheath.com.

CyberSheath is pleased to introduce our distinguished CMMC Con 2020 guest and powerful industry and national resource Richard Wakeman.  Richard Wakeman is the Senior Director of Aerospace & Defense for Azure Global Engineering and is the commercial industry lead for Azure Government, Microsoft’s cloud solution specifically engineered to meet US government compliance and security requirements. He specializes in the Defense Industrial Base adopting cloud services from Microsoft and is the Program Manager for the Microsoft Cybersecurity Maturity Model Certification (CMMC) Acceleration Program. Richard engages with Microsoft partners and customers end-to-end from engineering to drive adoption of Azure Government, Microsoft 365 GCC High and Dynamics 365 GCC High as solutions within the Microsoft US Sovereign Cloud.

Richard joined Microsoft in 2007 as a developer, identity and messaging expert at the dawn of Microsoft Online Services. Shortly after joining, he was engaged by the Exchange Product Group to lead cloud deployments worldwide for Live@edu as part of the Exchange Labs program, the predecessor of Office 365. He led the charge for the integration of MCS and Premier services with cloud offerings, becoming a Senior Architect for the Microsoft Enterprise Services Business Productivity Global Domain Solution Architecture Office. During the decade of tenure in professional services, Richard had an impact on deploying over 100 million seats into the Microsoft cloud.  He deployed the first Microsoft cloud customers, to include the first million seat organization in the public multi-tenant cloud to the first Government Community Cloud customer.

Among Richard’s main roles is to overview what Microsoft is doing with CMMC concepts.

Microsoft and CMMC

Microsoft has a deep and long history of supporting government customers and their unique mission requirements; in fact, about a year ago, Richard Wakeman wrote this blog specific to the Microsoft Cloud Service Offerings. Suffice it to say Microsoft uniquely understands the U.S. Government’s mission in a way that only decades of experience working alongside one another will allow. Microsoft understands the required people, processes, and technologies to support the DoD mission from both a compliance and operational perspective so well that it can often be difficult for anyone to lay it all out in one succinct communication. Microsoft has done more for the United States Government than any other cloud provider. Their decades of successful partnership with DoD have enabled them to provide resources that will enable your journey to CMMC compliance.

Here are three resources to get you started on your journey to CMMC compliance:

1. Shared Responsibility Model

CMMC compliance for many, if not most, companies will undoubtedly rely on the cloud at some point in the journey. When in the cloud, and frankly, on-premises, it is important to understand the concept of shared responsibility. When relying on cloud services, understanding the shared responsibility model is foundational to meeting and maintaining compliance. For an excellent blog on shared responsibility in the cloud start here and as you read think about which CMMC security tasks are handled by your cloud provider and which tasks are handled by you. Now for the many companies that rely on Managed Service Providers, Managed Security Service Providers, or otherwise defined Third-Party Providers, how are you extending the shared responsibility to those entities?

Almost no MSSPs understand CMMC in the context of the shared responsibility model. To my knowledge, CyberSheath is the only one that has built our entire CMMC management platform around Microsoft Azure technology, which is detailed here along with a detailed breakdown of how CMMC has been 13 years in the making.

CMMC compliance isn’t a “go it alone” model and requires an understanding of the shared responsibility model, regardless of your CMMC compliance level. Rare is the company that does everything in-house without exception.

2. Azure Blueprints

Azure blueprints enable customers to easily create, deploy, and update compliant environments and leverage the enormous Microsoft investment in data security and privacy. Microsoft invests more than USD 1 billion annually on cybersecurity research and development, employs more than 3,500 security experts entirely dedicated to your data security and privacy and Azure has more certifications than any other cloud provider. View the comprehensive list.

Blueprints simplify largescale Azure deployments by packaging key environment artifacts, such as Azure Resource Manager templates, role-based access controls, and policies, in a single blueprint definition. Customers can easily apply the blueprint to new subscriptions and environments and fine-tune control and management through versioning. Specific to CMMC, blueprints present a tremendous advantage for customers who want to quickly address the majority of the CMMC Maturity Level 3 requirements.

The NIST SP 800-171 R2 blueprint sample provides governance guard-rails using Azure Policy that help you assess specific NIST SP 800-171 R2 requirements or controls. This blueprint helps customers deploy a core set of policies for any Azure-deployed architecture that must implement NIST SP 800-171 R2 requirements or controls. As many readers know, approximately 85% of the CMMC Maturity Level 3 requirements are essentially the NIST 800-171 security requirements, so this blueprint can be a force for progress in your CMMC compliance efforts.

3. Office 365 GCC High and DoD

As many defense contractors already know, CMMC was, in part, created to address the security of CUI, and Microsoft has long been a partner with DoD working to protect this information.

To meet the unique and evolving requirements of DoD and contractors holding or processing DoD controlled CUI or subject to International Traffic in Arms Regulations (ITAR), Microsoft offers GCC High and DoD environments. Microsoft GCC High and DoD meet the compliance requirements for the following certifications and accreditations:

  • The Federal Risk and Authorization Management Program at FedRAMP High, including those security controls and control enhancements as outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-53.
  • The security controls and control enhancements for the United States Department of Defense Cloud Computing Security Requirements Guide (SRG) for information up to Impact Level 5 (L5).

DoD Office 365 subscribers will receive services provided from the DoD exclusive environment that meets DoD SRG L5. Non-DoD subscribers will receive services from the U.S. Government Defense environment, which is assessed at L5, but uses L4 segmentation.

There is much debate and often confusion on whether CMMC requires GCC high, and it is one of many issues that highlight the need for a Managed Compliance Partner, but the point is that Microsoft has long been the partner of choice for the DoD in addressing this challenge.

For additional information join us at CMMC Con 2020

For additional information on Microsoft’s CMMC acceleration, join Microsoft’s Richard Wakeman, Senior Director of Aerospace & Defense for Azure Global, on November 18th at CMMC Con 2020.  Mr. Wakeman will host a Technology Spotlight session dedicated to discovering how Microsoft solutions are assisting the DIB in government compliance.   Register Now.

RESTON, Va.—October 29, 2020—CyberSheath Services International today announced that it has been selected to join the Microsoft Intelligent Security Association (MISA) as one of the association’s first CMMC-focused managed security service providers.

“MISA members are cybersecurity industry leaders,” said Eric Noonan, CEO at CyberSheath. “They’re unified by the common goal of helping secure our customers by offering unique and valuable customized expertise and making the association more effective as it becomes more diverse.”

CyberSheath has extensive Microsoft expertise, including professional and managed security services for a wide array of U.S. defense contractors, and was nominated for MISA for their managed security service offerings for Azure Sentinel and Microsoft Defender for Endpoint. CyberSheath uses a Microsoft technology stack fueled by Microsoft Azure Sentinel, the cloud-native Security Information and Event Management (SIEM) solution that quickly identifies security threats across hybrid enterprises.

MISA began as an ecosystem of independent software vendors (ISVs) that integrated their security products with Microsoft’s to better defend against a world of increasing threats. Due to increased demand for a closely interwoven security ecosystem, the association is growing and launching an invitation-only pilot program for select managed security service providers.

MISA plays a vital role in reducing the cost and complexity of integrating disparate security tools. Adding managed security service providers promises to increase the ecosystem’s value even more by offering an extra layer of threat protection without requiring day-to-day involvement of in-house security teams,” said Andy Shooman, COO at CyberSheath. “It’s another important step in both strengthening and simplifying security at a time when risk mitigation is one of IT’s highest priorities.”

“The Microsoft Intelligent Security Association has grown into a vibrant ecosystem comprised of the most reliable and trusted security software vendors across the globe,” said Rani Lofstrom, Senior Product Marketing Manager, Microsoft Security. “Our members, like CyberSheath, share Microsoft’s commitment to collaboration within the cybersecurity community to improve our customers’ ability to predict, detect, and respond to security threats faster.”

About CyberSheath Services International, LLC

Established in 2008, CyberSheath is one of the most experienced and trusted IT security services partners for the U.S. defense industrial base. From CMMC compliance to strategic security planning to managed security services, CyberSheath offers a comprehensive suite of offerings tailored to clients’ information security and regulatory compliance needs. Learn more at www.cybersheath.com.

 

 

Press Contact:

Kristen Morales

Kristen.Morales@cybersheath.com

CyberSheath is pleased to introduce CMMC Con 2020 attendees to one of our keynote speakers and CMMC discussion panelists, retired Brigadier General Dr. Robert Spalding. As emphasized by his experience, Dr. Spalding is an expert on national security and highly-qualified to speak on China’s role in the theft of intellectual property across the defense industrial base. Far too often, the conversation on CMMC is mired in legislative workings, never addressing the “why” behind the need for CMMC in the first place. We felt the “why” is an often-overlooked agenda item and could think of no better speaker to address this topic than Dr. Spalding.

Dr. Spalding has served in senior positions of strategy and diplomacy within the Defense and State Departments for more than 26 years, retiring as a brigadier general. The chief architect for the Trump Administration’s widely praised National Security Strategy (NSS), and the Senior Director for Strategy to the President at the National Security Council, Dr. Spalding, is a national security expert, patriot, and entrepreneur. We are thrilled to have him at CMMC Con 2020 as our honored guest.

His work has been published in The Washington Post, The Washington Times, Foreign Affairs, The American Interest, War on the Rocks, FedTech Magazine, Defense One, The Diplomat, and other edited volumes. His Air Power Journal article on America’s Two Air Forces is frequently used in the West Point curriculum.

Dr. Spalding is a Life Member of the Council on Foreign Relations. He has lectured globally, including engagements at the Naval War College, National Defense University, Air War College, Columbia University, S. Rajaratnam School of International Studies in Singapore, Johns Hopkins Applied Physics Laboratory, and other Professional Military Educational institutions. Spalding received his Bachelor of Science and Master of Science degrees in Agricultural Business from California State University, Fresno, and holds a doctorate in economics and mathematics from the University of Missouri, Kansas City. He was a distinguished graduate of the Defense Language Institute in Monterey and is fluent in Chinese Mandarin.

Please join us on November 18th for the LIVE session(s) with Dr. Spalding. Through the liberal use of vignettes and examples, he will eloquently detail the modern threat posed by China to the US Defense Industrial Base. Register Now

Dr. Spalding is the author of an authoritative book on the same topic called “Stealth War,” which is available here.

Lockheed Martin and other prime contractors are contacting their suppliers and requesting a security status update; in many cases requesting a demonstration of compliance before the DoD November 30th deadline.  If you’ve received this request, you’re not alone. We’re helping many of our clients demonstrate that they’re achieving the requirements and submit the requested documentation before the deadline set by primes.

When the new DFARS Interim Rule and Cybersecurity Maturity Model Certification (CMMC) requirements were released at the end of September, we knew it would start to trickle down the supply chain. The primes heard the message loud and clear, and now suppliers do too. Lockheed Martin, for example, is requiring suppliers to complete a survey by November 5th so it can assess risk before the new rules take effect on November 30.

What is Required of Suppliers?

Suppliers must confirm their NIST 800-171 Assessment Score, provide a Plan of Action and Milestones (POA&M) estimated completion date (ECD) for any unimplemented requirements, their status and ECD for an additional 20 CMMC practices, and their status and ECD for the CMMC Level 2 and 3 maturity processes. On top of that, suppliers have to provide updates on their progress until all practices and progress are implemented, as well as their “estimated date for closure of all NIST SP 800-171 POA&M items, and the expected closure date for the additional controls.”

The primes are hard at work getting a sense of where their supply chain stands before the interim rule takes effect and the CMMC requirements start showing up in RFIs, RFPs, and contracts.

Where Should You Go from Here?

Start with this overview of the DFARS interim rule, an FAQ on everything we do, and don’t know at this point, and steps you should take immediately to meet the requirements. We’re here to help and explain the rules in plain English. Don’t hesitate to reach out with any questions or to talk through a project plan or schedule for responding to these requests by the deadline.

Join Us at CMMC Con 2020.  A Virtual Event Designed to Support Stakeholders in the DIB.

If you are a prime or subcontractor looking to better understand how to navigate the rapidly shifting future of cybersecurity compliance – CMMC Con 2020 is the event for you. Join us on November 18th for this one-day event where you will hear an expert line-up engage in conversations focused on DFARS compliance, the threat from China, and a “how-to” session for small & medium-sized businesses struggling with NIST 800-171 and CMMC.

Register Now

 

 

It’s been quite a week.

The DoD released an interim rule to “amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement a DoD Assessment Methodology and Cybersecurity Maturity Model Certification framework in order to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain.”

The DoD requested, and OMB authorized, emergency processing of the collection of information tied to this rule. The emergency justification impacts all DoD contractors in the long term and short term as they will now be required to prove and submit evidence of compliance with DFARS clause 252.204-7012 and NIST 800-171. Additionally, the rule creates the following new solicitation provision and contract clauses:

  • DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements;
  • DFARS clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements; and
  • DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements.

The interim rule, effective 60 days from publication, has triggered a number of questions from contractors. Here are the answers we believe we know, the answers that we aren’t certain about, and the answers that are unclear, but we can surmise based on past experience.

 

DFARS Interim Rule and Emergency Justification FAQ

 

DFARS Interim Rule and Emergency Action: What We Believe We Know

What is the nature of the emergency justification?

The government is finally asking the defense industrial base to submit evidence of compliance with DFARS clause 252.204-7012 and NIST 800-171. In the past, the DoD trusted, with almost no verification, contractors to adhere to the rules and there was no compulsory submission required to prove compliance. The nature of the emergency is “The aggregate loss of sensitive controlled unclassified information and intellectual property from the DIB sector could undermine U.S. technological advantages and increase risk to DoD missions.”

Why did the change occur?

Explicitly, to make sure two things are happening:

  • The supply chain is making strong improvements to security and meeting current contractual commitments
  • To motivate contractors who have ignored the current requirements by forcing information collection

But the interim rule also codifies into the CMMC. The onboarding of the CMMC structure will ramp up over the course of the next five years. The DoD can’t afford to wait that long to ensure American IP is protected so they will move to collect evidence of compliance with DFARS clause 252.204-7012 in parallel to CMMC ramp up.

What immediate steps should a covered entity take after this rule change?

First, reconcile how long it’s been since you’ve self-attested in line with the 2017 DFARS rule and more specifically NIST 800-171. A company that has fully implemented all 110 NIST SP 800-171 security requirements, would have a score of 110 to report in Supplier Performance Risk System (SPRS) for their Basic Assessment. A company that has unimplemented requirements will use the scoring methodology to assign a value to each unimplemented requirement, add up those values, and subcontract the total value from 110 to determine their score. The  NIST SP 800-171 DoD Assessment Methodology is available here.

Your properly scored Basic Assessment and self-attestation should show you have made a habit of improving your environment over the last three years. If you have not shown improvement on your Plan of Actions and Milestones (POA&Ms), you need to take steps to demonstrate what you are doing to make progress. Ideally, you should have at least three self-assessments from the past three years against DFARS 252.204-7012, and more if you’ve made major changes to your environment that would trigger another self-assessment.

Check out our article on the five steps every organization should take to meet the NIST 800-171 requirements.

What role do my Third-Party Providers (TPPs) have in my attestation?

A major role. You have to attest that your TPPs who handle CUI meet the same or higher security standards as you do.

The biggest stumbling block for many contractors is their TPP contract language. Any organization with a DoD contract that’s handling controlled unclassified information (CUI) must have specific contract language for any of their TPPs that handle CUI, requiring them to meet or exceed the same security standards you do. How many MSPs or MSSPs are doing that today…very few.

In fact, the interim DFARs rule has this verbatim clause buried within the latest 89-page update:

2) The Contractor shall not award a subcontract or other contractual instrument, that is subject to the implementation of NIST SP 800-171 security requirements, in accordance with DFARS clause 252.204-7012 of this contract, unless the subcontractor has completed, within the last 3 years, at least a Basic NIST SP 800- 171 DoD Assessment, as described here, for all covered contractor information systems relevant to its offer that are not part of an information technology service or system operated on behalf of the Government. (3) If a subcontractor does not have summary level scores of a current NIST SP 800-171 DoD Assessment (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) posted in SPRS, the subcontractor may conduct and submit a Basic Assessment, in accordance with the NIST SP 800-171 DoD Assessment Methodology, to webptsmh@navy.mil for posting to SPRS along with the information required by paragraph (d) of this clause.

Can the government ask for my managed services contracts to demonstrate compliance with the DFARS verbiage inclusion?

Not only can they — they almost definitely will.

Is this rule retroactive? E.g. does this cover time periods of the previous self-attestation?

The truth is that this behavior and level of compliance were supposed to be in place all along and this action simply asks you to prove you’ve been doing it. This is where some contractors will find themselves between a rock and a hard place if they have self-attested but never really implemented NIST 800-171.

DFARS Interim Rule and Emergency Action: What’s Unclear

Does everyone who previously self-attested now submit documentation?

No, you don’t have to submit documentation today to the government but moving forward all DoD awards will require the submission of, at a minimum, a Basic Assessment.

It’s unclear why documentation has not been required before now. Maybe the government didn’t want to have access to the information or didn’t have a program to evaluate the information, or maybe the risk level wasn’t the same as it is today. It is also possible that lobbyists and industry trade associations fought off this requirement.

What needs to be submitted when to the government and when?

At a minimum, contractors will need to produce their assessment using the standard scoring methodology, which reflects the net effect of NIST SP 800-171 security requirements not yet implemented. There are three assessment levels (Basic, Medium, and High), which reflect the depth of the assessment performed and the associated level of confidence in the score resulting from the assessment. A Basic Assessment is a self-assessment completed by the contractor, while Medium or High Assessments are completed by the Government. The Assessments are completed for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order.

Contractor assessments results are documented in the Supplier Performance Risk System (SPRS) to provide DoD Components with visibility into the scores of Assessments already completed; and verify that an offeror has a current (i.e., not more than three years old, unless a lesser time is specified in the solicitation) Assessment, at any level, on record prior to contract award.

The presumption is that the DoD wants what’s typically asked for in an audit or what prime contractors are asked to provide when they get a subcontractor: A System Security Plan (SSP), any POA&Ms, and attestation for where the program stands against NIST 800-171.

What does Basic / Medium / High mean in the release verbiage?

There are three assessment levels (Basic, Medium, and High), which reflect the depth of the assessment performed and the associated level of confidence in the score resulting from the assessment. A Basic Assessment is a self-assessment completed by the contractor, while Medium or High Assessments are completed by the Government. The Assessments are completed for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order.

How does the interim rule affect CMMC roadmap and compliance?

The rule builds upon the NIST SP 800-171 and DoD Assessment Methodology mandating the CMMC framework which adds a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the Department that a DIB contractor can adequately protect sensitive unclassified information such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.

DoD is implementing a phased rollout of CMMC. Until September 30, 2025, the clause at  52.204-7021, Cybersecurity Maturity Model Certification Requirements, is prescribed for use in solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, excluding acquisitions exclusively for COTS items, if the required document or statement of work requires a contractor to have a specific CMMC level. In order to implement the phased rollout of CMMC, the inclusion of a CMMC requirement in a solicitation during this time period must be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment.

CMMC will apply to all DoD solicitations and contracts, including those for the acquisition of commercial items (except those exclusively COTS items) valued at greater than the micro-purchase threshold, starting on or after October 1, 2025.

If the government finds fault with your self-attestation documentation, what are the ramifications?

Contractors who are not accurate in their assessment reporting could be subject to the False Claims Act (FCA) which imposes civil and potentially criminal liability on anyone who knowingly presents a false or fraudulent claim for payment to the federal government, or knowingly makes, uses, or causes to be made or used, a false record or statement material to a false or fraudulent claim. This is not theoretical, read more on the most visible DoD FCA case for cybersecurity.

Can an outside provider or third-party submit my documentation on my behalf?

This is unclear, but probably not. The government doesn’t want you to have the ability to say your service provider submitted it incorrectly or made material errors.  An outside provider can prepare the materials you can send along yourself, much like a CPA might prepare your taxes, but you sign them.  The exception would likely be the Medium or High Assessments that are completed by the Government in which they would submit the results.

What is the process if you want to dispute your compliance rating under the pre-CMMC assessment process?

We don’t know the answer to this one. There needs to be some sort of arbitration or dispute process to go through judgments against you and revisions to documents, as you might do with taxes, but the process is not obvious right now.

Is there any arbitration or a process of procedural review of negative findings?

Same answer as above — as of right now there is not an obvious process, but there should be one.

 

DFARS Interim Rule and Emergency Action: What We Know

What is the difference between DFARS 252.204-7012 and the new DFARS 252.204-7021?

7012 is universally applied and 7021 requires a demonstration of maturity based on the risk level of the contract.

7012 involves self-attesting and self-submitting documentation, and 7021 requires third-party assessments, but also self-submitting.

7012 is based on policing and enforcement and 7021 is based on the winning of revenue and contracts.

7012 allows tolerance for not having certain controls in place at the moment so long as you’ve identified those and you have a plan to rectify them, and 7021 is intolerant — you must not only have evident practices in place but also show they’re habitually deployed.

In five years, 7012 will be sunsetting, and 7021 will be sunrising. DFARS 252.204-7021 is the new law of the land.

How many CMMC driven contracts are expected in FY2021? 

 The rule says:

“Based on information from the Federal Procurement Data System (FPDS), the number of unique prime contractors is 212,657 and the number of known unique subcontractors is 8,309. Therefore, the total number of known unique prime contractors and subcontractors is 220,966, of which approximately 163,391 (74 percent) are estimated to be unique small businesses. According to FPDS, the average number of new contracts for unique contractors is 47,905 for any given year.”

The document also includes a chart showing how many contracts to expect at each CMMC level each year:Proposed-CMMC-Contracts-by-Levels+Year

Will my self-disclosures be made public? Is it disclosable in a FOIA request?

 There is no mention of that in DFARS 252.204-7021, but the feeling is that the information will not be generally available to the public, but it might be subject to a FOIA request.

When you are self-attesting and going on record about what you do and don’t do from a security perspective, that invites hackers to open up the database and see where organizations are vulnerable. This information could also materially affect the way companies and investors view mergers and acquisitions, due diligence, and so forth. So, it is unlikely that the self-disclosures will be truly public.

 

The Bottom Line

Time’s up to get compliant or forgo DoD revenue, it is that simple.  The government is getting more aggressive in cracking down on cybersecurity to protect American assets throughout the defense industrial base and has been very specific as to their expectations.

The DoD means business. The time to take action is now.

The experts at CyberSheath understand your challenges – and we can help. Contact us to make sure your assessment gets – and stays – on track.

 

Next Steps

Sprint to compliance in less than 60 days with CyberSheath’s proven methodology based on three core disciplines: Assess, Implement, Manage (AIM™)

DFARS Interim Rule 60 Day Sprint Timeline

Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041) is here. Often referred to as CMMC this long-awaited and hotly debated Interim Rule harmonizes legacy (DFARS clause 252.204-7012) and future (CMMC) requirements with the following statement:

“DoD has developed the following assessment methodology and framework to assess contractor implementation of cybersecurity requirements, both of which are being implemented by this rule: the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 DoD Assessment Methodology and the Cybersecurity Maturity Model Certification (CMMC) Framework.”

Specifically, the rule creates the following new solicitation provision and contract clauses:

  • DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements;
  • DFARS clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements; and
  • DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements.

Assessment Methodology to ensure NIST 800-171 Compliance

DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, included in all solicitations and contracts, requires contractors to apply the security requirements of NIST SP 800-171 to “covered contractor information systems” or those that “are not part of an IT service or system operated on behalf of the Government”, i.e your contractor networks, labs, cloud environments, etc.  This clause has long existed but rarely been enforced by DoD or adhered to by contractors. Rare contractors who have been audited for compliance have been evaluated against the NIST SP 800-171 DoD Assessment Methodology for assessment of a contractor’s implementation of NIST SP 800-171 security requirements. The NIST SP 800-171 DoD Assessment Methodology is available, here.

If you are not familiar with the assessment methodology it is probably because you have not been audited or have done a quick internal assessment that did not adhere to the scoring defined within the methodology. Time to get familiar with it. Again, directly from the interim rule:

“The Assessment uses a standard scoring methodology, which reflects the net effect of NIST SP 800-171 security requirements not yet implemented by a contractor, and three assessment levels (Basic, Medium, and High), which reflect the depth of the assessment performed and the associated level of confidence in the score resulting from the assessment. A Basic Assessment is a self-assessment completed by the contractor, while Medium or High Assessments are completed by the Government. The Assessments are completed for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order.”

The results of Assessments are documented in the Supplier Performance Risk System (SPRS) giving DoD visibility into completed assessment scores and an ability to verify that a contractor has a current (i.e., not more than three years old) assessment on record prior to contract award. This is something that contractors should pay careful attention to. Because of the widely unenforced existing compliance requirements, most contractors have already self-attested to compliance without ever having submitted an assessment or having been audited. This silent majority is now in the position of being required to, at a minimum, submit a self-assessment that will go into SPRS. How will contractors address the fact they have already attested to compliance and now have an assessment that shows, in our experience, on average 70% non-compliance? Squaring this conflict will require some thoughtful planning and time with your general counsel.

New Interim Rule Outlines the Purpose of CMMC

Nearly everyone expected the new rule to force CMMC implementation (it does with a new DFARS subpart (Subpart 204.75, Cybersecurity Maturity Model Certification CMMC) and mandating DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements, for use in all solicitations and contracts or task orders or delivery orders) it also thoughtfully describes a long transition from NIST 800-171 to CMMC.

The purpose of this blog is not to describe CMMC in detail but for those interested in an overview please look here. What contractors really need to know right now about CMMC is that DoD is implementing a phased rollout of CMMC, essentially making it an October 1, 2025 requirement. Up until September 30, 2025 inclusion of a CMMC requirement in a DoD solicitation must be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment. On October 1, 2025, and thereafter CMMC will apply to all DoD solicitations and contracts, except those exclusively COTS items.  After this date, DoD contracting officers will not award, or exercise an option on a contract without a current (i.e. not older than three years) certification for the required CMMC level. Additionally, and as expected, CMMC certification requirements are required to be flowed down to subcontractors at all tiers.

The new CMMC has always been about assurance, giving DoD a way to ensure all of their suppliers are adequately protecting sensitive unclassified information such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) at a level commensurate with the risk and accounting for information flow down to its subcontractors in a multi-tier supply chain. Assurance, essentially third party validation, was and is required because DoD has proven that contractors self-attestation of compliance was optimistic to be generous. Few contractors actually implemented NIST 800-171 and the DoD is no longer going to accept that risk for its supply chain. As the new rule describes the purpose of CMMC:

“CMMC is designed to provide increased assurance to the Department that a DIB contractor can adequately protect sensitive unclassified information such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain. A DIB contractor can achieve a specific CMMC level for its entire enterprise network or particular segment(s) or enclave(s), depending upon where the information to be protected is processed, stored, or transmitted.”

Key Takeaway

DoD has previously accepted a contractor’s self-attestation and contractors have had a statistically low risk of an audit, but now they have to produce evidence of what they’ve been saying all along.  DoD acquisition just changed and they are deadly serious about securing the supply chain, this is a call to action.

Contractors may find themselves between a rock and hard place with this new requirement as they balance previous attestation claims and best intentions against minimal compliance efforts.

Taking steps now, in response to this emergency action, will not only bring you into compliance with existing requirements but prepare you for CMMC as well. By focusing on compliance with NIST 800-171, you’ll be 85% of the way to CMMC ML 3 compliance when it arrives.

So where do you start? We’ve developed a proven, audited tested methodology over hundreds of assessments to enable contractors to meet NIST 800-171 compliance. Download our 5 Step Guide to CMMC preparation that assures compliance with NIST 800-171.

5 Steps to CMMC Preparation

The Department of Defense (DoD) has instituted an emergency action, possibly to confirm what is widely already known on cybersecurity compliance among the defense industrial base (DIB). Self-certification for defense contractors has enabled “barely there” cybersecurity unless you are one of the small number of contractors who took it seriously.

The action, approved by the Office of Information and Regulatory Affairs (OIRA), requires offerors and contractors to assess their compliance with DFARS clause 252.204-7012 and NIST 800-171. All offerors and contractors must submit a basic self-assessment, or a medium or high assessment conducted by DoD assessors. Details are scarce and connection to the Cybersecurity Maturity Model Certification (CMMC) is anyone’s guess, but for contractors who have previously self-certified as compliant but not actually implemented the controls, this could be problematic, to say the least.

The DoD has previously accepted a contractor’s self-attestation and contractors have had a statistically low risk of an audit, but now they have to produce evidence of what they’ve been saying all along.  This emergency rule isn’t just a call to action. It’s the DoD calling the DIB’s bluff. If anyone doubted the seriousness of the DoD’s efforts to avert data loss, this emergency action should be evidence enough that they want the data to confirm or refute claims of compliance.

Contractors may find themselves between a rock and hard place with this new requirement as they balance previous attestation claims and best intentions against minimal compliance efforts. Many contractors kept waiting for the “cyber police” to show up and when they never came it was largely business as usual. The cyber police are here and it’s time to get your house in order.

Taking steps now, in response to this emergency action, will not only bring you into compliance with existing requirements but prepare you for CMMC as well. By focusing on compliance with NIST 800-171, you’ll be 85% of the way to CMMC ML 3 compliance if/when that it arrives. If it never arrives, an unlikely outcome, you will at least have met your current contractual obligations.

 

So where do you start? We’ve developed a proven, audited tested methodology over hundreds of assessments to enable contractors to meet NIST 800-171 compliance.

 

Follow our five-step process for success:

1. Assess current operations for compliance with NIST 800-171.

Start with a gap assessment of your current people, processes, and technology against compliance with NIST 800-171. This assessment will:

  • Directly link to Control 3.12.1 of NIST 800-171, which requires that you “periodically assess the security controls in organizational systems to determine if the controls are effective in their application.”
  • Give you a clear view of your current compliance with the remaining controls.
  • Generate a System Security Plan (SSP) and associated Plan of Actions & Milestones (POA&Ms), both of which are NIST SP 800-171 requirements.

 

2. Write your SSP.

NIST 800-171, Revision 1, requires contractors to develop, document, and periodically update SSPs that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

Initially, your SSP will be an aspirational document. You’ll find that many of the 110 required NIST SP 800-171 controls are not fully implemented in your environment. A common mistake is to write an SSP that doesn’t reflect the reality of control implementation.

 

3. Document your POA&Ms.

Also a requirement of NIST 800-171, Revision 1, your POA&Ms will detail your plans to correct deficiencies, reduce or eliminate vulnerabilities, and achieve compliance.

These plans can be documented in a variety of formats, but at a minimum, they should detail:

  • The deficiency identified
  • The plan to correct the deficiency (people, processes, and/or technology)
  • Dates by which you intend to be compliant against the specific deficiency

Well-documented POA&Ms will enable eventual mapping to CMMC maturity levels.

Note that SSPs and POA&Ms can be documented as separate or combined documents. You should choose a format that integrates with existing business processes and can be easily maintained.

 

4. Implement the required controls.

Execute your POA&Ms and achieve full compliance with NIST 800-171. This is probably going to be a full-time effort and depending on your resources, you can benefit from working with a third party to implement the controls.

If you’re looking for an effective partner, make sure to ask the following questions:

  • Have they implemented the NIST 800-171 controls for similar-sized businesses?
  • Have they solved the unique challenges that come with implementing NIST 800-171 controls in manufacturing, lab, and engineering environments?
  • Can they provide several references?

 

5. Maintain Compliance.

Once you’ve made it this far, it’s time to plan for ongoing compliance. You’ll need to achieve the following:

  • Documented and automated compliance reporting
  • Support Request for Proposal (RFP) and other acquisition-related business development activities
  • Ongoing operational expense related to maintaining compliance

 

For almost two years now, we’ve been telling clients that their focus is and should always have been on NIST 800-171 compliance, as mandated in DFARS clause 252.204-7012. Now the DoD is clamping down on noncompliance. As we look ahead to CMMC, taking action now will put you in a better position when the next action arrives.

Background

In 2019, the Department of Defense (DoD) officially announced the introduction of a Cybersecurity Maturity Model Certification (CMMC). This unique maturity model is designed to improve the cybersecurity regarding Controlled Unclassified Information (CUI) within supply chains, especially as it applies to the Defense Industrial Base (DIB).

Version 1.0 of the CMMC framework was released in January 2020. By June 2020, CMMC requirements have started to be included in DoD and later GSA Stars Contracts Request for Information (RFIs) and Requests for Proposals (RFPs). Think about that for a second, within six months of creating a new model to assess the cybersecurity of defense contractor networks the language has started appearing in official acquisition documents. The CMMC train has left the station, in a hurry.

CMMC is the latest entry in regulations from a decade long process of public/private partnership between the DoD and DIB. Critically, the DoD is moving away from contractor led self-assessment and reporting to compulsory third-party certification pre-contract award. You will need certification, from an independent third party for future DoD contracts. (See graphic below.)

DFARS NIST CMMC Timeline

Who Must Comply?

As of this post, CMMC was still working its way through the rulemaking process for DFARS (Defense Federal Acquisition Regulation Supplement), which is expected to be released in November 2020. That said if your company provides products being sold to the Department of Defense (DoD) you are required to comply with the minimum cybersecurity standards set by the current DFARS clause 252.204-7012. All DoD contractors that process, store, or transmit Controlled Unclassified Information (CUI) must meet DFARS minimum security standards or risk losing their DoD contracts. DFARS provides a set of adequate security controls to safeguard information systems where contractor data resides. Based on NIST Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations,” manufacturers must implement these security controls through all levels of their supply chain. The silver lining is that CMMC builds on NIST 800-171 so when in doubt that is where you should start as it’s the current legal requirement.

If your DoD contracts do not require you to process, store, or transmit CUI, you must still protect Federal Contract Information (FCI) under Federal Acquisition Regulation (FAR) 52.204-21. Examples of FCI include contract documents, schedules, billing information, etc. The new DFARS clause is expected to combine the cybersecurity requirements from DFARS 25.204-7012 and FAR 52.204-21 into a common framework based on the CMMC model.

Government contractors are now being asked to effectively police their supply chains to address, among other risks, cybersecurity.  Supply chain management is now a key element to ensuring a company’s compliance with laws, regulations, and its internal policies, and to identify risks that could impact a company’s ability to perform, as well as its reputation. The fact that supply chains are global, increases the risks and demands on companies.

In fact, they must not simply police their supply chain, but they are legally bound to use specific contract verbiage with providers who may interface with CUI information which is as follows:

DFARS 252.204-7012(m):  “Include this clause, including this paragraph (m), in subcontracts, or similar contractual instruments, for operationally critical support, or for which subcontract performance will involve covered defense information,…”

Keypoints to this law:

  1. All third-party providers (TPPs) and Managed Security Service Providers (MSSPs) must be obligated to DFARS if they house, control, process, or maintain CUI.
  2. You are not in compliance with CMMC if your downstream MSSPs / TPPs are not compliant.
  3. You are not compliant if you don’t have contractually compliant language between you and the TPPs / MSSPs.

Navigating the dizzying world of different CMMC solutions can be a daunting task.  The recommended solutions and vendor mix can be very hard to understand.  Now let’s investigate these key points made above in more detail:

Pivotal question: Does my TPP or MSSP need to be compliant?

All TPPs and MSSPs must be obligated to DFARS if they house, control, process, or maintain CUI.   What exactly is CUI?  Let’s read on:

I want to repost an excerpt from our key business partner Microsoft in which Richard Wakeman provides a blog on CUI as follows:

What is Controlled Unclassified Information?
If you have not read the CUI History from the National Archives and Records Administration (NARA), I highly recommend it.  It’s a short read, and helpful for context. To summarize, before the advent of CUI, there was a myriad of autonomous Federal agencies and departments that had each developed its own practices for protecting sensitive information.  This non-conformity made it extremely difficult to share information with transparency throughout the Federal government and its stakeholders, such as the Defense Industrial Base (DIB). The CUI program is an ever-evolving initiative to standardize the markings and data protection practices across Federal agencies to facilitate sharing of sensitive information, transcending individual agencies.  Ultimately, NARA oversees the CUI Program and is primarily scoped to the Federal executive branch agencies.  Major contributors to the program include the DoD, the Department of Energy (DoE), the Department of Homeland Security (DHS), the Department of State (DoS), etc. NARA defines CUI as: “Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.”Presidential executive orders evolved to a rule published in 2016 called “32 CFR Part 2002 Controlled Unclassified Information”.  You can read about it here in the Federal Register. 32 CFR Part 2002 prescribes the CUI Program markings that span many categories and groupings.  The groupings consist of everything from Financial and Privacy data, all the way up to Export Controlled and Intelligence data.  You can find the list here.
Microsoft Summary CUI Registry

3 Key Questions for your MSSP to indicate CMMC Compliance

Question 1: Is the CUI housed in USA Sovereignty? –  Or – Where are the location of all operations?  Perhaps another way to ask this question is by querying if the vendor has any operations located outside of the US?

A key attribute to the US DoD supply chain is understanding where their supply chain is located, and whether the location may provide some risk to the DoD supply chain.  U.S. companies that do business abroad or handle overseas data will now have to comply with a host of new cybersecurity rules after China became the latest country to impose regulations on firms operating there.

This follows hot on the heels of the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which came into force in the U.S. in March 2018, and the European Union’s (EU) General Data Protection Regulation (GDPR), introduced two months later.

The implementation of these new protocols is driven by the recent surge in cyberattacks and, in the case of China, greater protectionism, exacerbated by the U.S. trade war, as the world becomes more divided.   Regardless, there are many cybersecurity firms that maintain global operations and software maintenance stations in unassuming regions of the world and this must be understood before you select your vendor.

 

Question 2:  Like Amazon Web Services, Microsoft and Google, do you separate out your government CUI customers from the infrastructure of all of your other customers? Does your provider know how to make the infrastructure comply with the various forms of CUI?

Here is the issue with mixed tenants of cloud environments and the protection of CUI which was quoted by Microsoft’s blog:

“Microsoft has prescribed the US Sovereign Cloud with Azure Government and Microsoft 365 GCC High to protect CUI and CDI consistently.  Our rationale is that CUI does include ITAR regulated data, and the DoD requires DFARS 7012 to protect it.  We only accommodate that contractually across Azure, Office 365, and Dynamics 365 in the US Sovereign Cloud.  It’s that simple.  It’s true that you may demonstrate compliance for CUI in our Commercial or GCC cloud offerings, but you will not get a contractual obligation from Microsoft to protect an aggregate of CUI anywhere else other than in the US Sovereign Cloud.  It will be your sole responsibility to prove and maintain compliance for it in other clouds.”

 

Question 3: Have you placed the DFARs compliant verbiage on CUI into the contract with the MSSP / TPP?   Was this a standard offering in verbiage in their contracts or non-standard?

I believe this is self-explanatory however to make this point very poignant let’s look at the prescribing law:

DAU Related Policies Cloud Computing

For many organizations, their technology, and the corresponding data are among their most valued assets. An organization’s CMMC / CUI Cybersecurity Program is an ever-evolving initiative that attempts to standardize the security data protection practices across supply chains including third-party providers and managed security service providers.  If your TPP or MSSP cannot meet the full requirements of CMMC certification, it is unlikely that you will be able to successfully complete a CMMC certification assessment. When choosing TPP’s or MSSP’s, choose wisely, your DoD revenue may depend on it.

Looking for an MSSP to partner with on your journey to CMMC preparation?

Join CyberSheath’s Eric Noonan, CEO, and Carl Herberger, VP of Security Services, dive into CyberSheath’s CMMC Managed Services for Defense Contractors using Microsoft Technology Stack during our upcoming webinar September 30, 2020, at 9:00 am | 12:00 pm EST > Save Your Spot

CMMC Compliance Managed Service Launch - Register Now

The U.S. has to up-level its cybersecurity. That’s the gist of what we’ve been hearing from multiple sources, including congressional commissions and the Department of Defense (DoD). The alarm bells — and the calls for more stringent security practices — will only grow louder.

The Cyberspace Solarium Commission used the U.S. COVID-19 response as an opportunity to assess the nation’s preparedness for a major, debilitating cyberattack. It highlighted the need to implement more than 30 recommendations from a previous report, as well as five more based on its findings around the pandemic.

Eric Noonan, CyberSheath’s CEO, will be speaking about those kinds of preparations for a national cyberattack against the U.S. on a panel at Cybersecurity Forum 2020. He will be joined by Paul Anderson of Port Tampa Bay, and Michael Wee of Northrop Grumman to talk about lessons learned from the pandemic, the state of cybersecurity planning and organization, and where to focus efforts to better prepare for a major attack. Register for the event here and tune in on Wednesday, September 16 at 2:15 pm ET, if you’d like to learn more.

Another ongoing effort to shore up security is the Cybersecurity Maturity Model Certification (CMMC). This is the DoD’s effort to ensure all defense contractors are practicing and maintaining the proper level of security to better protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

As founder and CEO of CyberSheath, the Title Sponsor of Cybersecurity Forum 2020, Eric is well versed in the goals and efforts behind the CMMC. CyberSheath has been delivering audit-ready, compliance-focused managed services for NIST 800-171 requirements for 8+ years, and the CMMC is the next evolution of those standards.

It’s one of the most comprehensive and impactful moves by the DoD to better secure sensitive data that resides on defense contractors’ systems and networks. As a new set of requirements, many defense contractors are still working to understand the complexities and nuances of the standards, what they’re responsible for, and how to implement those changes.

CyberSheath launched our compliance managed services for CMMC to assist DoD contractors through the process. Through our managed services, we’re able to meet contractors where they are, identify gaps in CMMC compliance, implement the changes, and maintain and assure their compliance at the proper level.

We wanted to be the Title Sponsor of Cybersecurity Forum 2020 because it’s advancing important conversations around the state of security and where we can go from here. In particular, we are looking forward to keynote speakers Senator Marco Rubio, who will give an overview of the risks of national cyber breaches; and Katie Arrington, CISO for the Office of the Secretary of Defense for Acquisition and Sustainment, who will speak on what’s needed for CMMC compliance.

While the U.S. faces cyber threats from around the world, we have plenty of lessons to learn from other disaster responses and a new bar for effective cybersecurity. We don’t know what attacks might be coming, but we do know how to prepare. We hope this year’s conference will spur all in attendance to advance the cybersecurity goals that will defend American innovation and infrastructure.

Recently, the National Institute of Standards and Technology (NIST) re-released the Draft Special Publication (SP) 800-171B as Draft SP 800-172. This document is in final draft review with all comments due August 21, 2020.

What is new in NIST 800-172?

The new NIST 800-172 is intended as a supplement to NIST 800-171, the cybersecurity framework required by DFARS 252.204-7012 on all DoD contracts to protect Controlled Unclassified Information (CUI). While NIST 800-171 provides the basic cybersecurity controls required to protect CUI on a majority of DoD programs and suppliers, NIST 800-172 defines enhanced cybersecurity controls intended to protect CUI subject to enhanced threats. In particular, NIST 800-172 aims to protect programs and contractors that might be the target of one or more Advanced Persistent Threats (APT). An APT is a stealthy threat actor, typically a nation-state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. As such, it requires enhanced cybersecurity activities to prevent an APT from accessing a contractor’s network, or even identifying that an APT has already gained unauthorized access to a contractor’s systems or networks.

How will NIST SP 800-172 Affect My Contracts?

One question that comes up is, “How will NIST 800-172 affect my contracts?” Currently, the answer is that it does not directly. Unlike NIST 800-171, the required cybersecurity framework imposed on all DoD contracts that handle CUI through DFARS 252.204-7012, no DFARS clause requires NIST 800-172. Once NIST 800-172 has completed the NIST Draft comment phase and been formally released, an individual contract that is considered high risk from an APT may call out part or all of the NIST 800-172 cybersecurity controls as requirements, but this is likely to be very rare. The more likely scenario for these contracts will be adopting the Cybersecurity Maturity Model Certification (CMMC) framework at Maturity Levels 4 or 5. But even this is expected to be a rare situation. Katie Arrington, CISO for Assistant Secretary for Defense Acquisition, estimates that .06% of all contractors will require CMMC Level 4 or 5 certification.

CMMC’s Incorporation of NIST 800-172

The CMMC framework was formally released in January 2020 and is currently positioned as a replacement for NIST 800-171. CMMC defines five (5) cybersecurity maturity levels. Maturity Level 3 corresponds roughly to NIST 800-171, incorporating all 110 security controls from NIST 800-171 plus 20 new controls drawn from other frameworks. CMMC Maturity Levels 4 and 5 provide 41 additional cybersecurity controls specifically targeted at contracts and contractors considered subject to an APT. CMMC Levels 4 and 5 include 15 of the NIST 800-172 (formerly NIST 800-171B) controls.

The DoD is working now to publish a new DFARS clause and contract language to allow DoD agencies to include the new CMMC framework in future requests for proposals (RFPs). Once this has completed the public comment and final release phases, the DoD plans to roll out the CMMC over the next five years, starting with approximately 15 “Pathfinder” programs in FY2021.

How to Prepare for Cybersecurity Maturity Model Certification

Compliance with ever-evolving DoD cybersecurity mandates like DFARS 252.204-7012, NIST 800-171, and CMMC is complicated and confusing. It can be hard to understand the outcomes that you should focus on and how to measure success. What does success even look like? How can I partner with a Managed Services provider to deliver measurable outcomes that ensure compliance?

Access our latest webinar, NIST 800-171 Case Study: Surviving a DoD Audit, to prepare your organization for CMMC. Go behind the scenes through a defense contractor’s journey from 35% compliance to a successful audit and “low-risk rating” by the DoD.

Access Webinar Now.

Current Compliance Landscape

Deputy Defense Secretary Patrick Shanahan spoke at the Armed Forces Communications and Electronics Association (AFCEA) on Feb 6, 2018, and said, “The culture we need to get to [around IT security] is that we’re going to defend ourselves and that we want the bar to be so high that it becomes a condition of doing business.” Fast forward two years later and we are on the cusp of one of the largest changes to DoD acquisition ever with mandatory minimums for cybersecurity across all DoD contracts.

For commercial firms providing services to the U.S. defense industry, the challenge that is cybersecurity has been growing for years but largely without any oversight from the DoD. Defense budgets and the use of contractors have grown in parallel to the storing of important, yet unclassified information on commercial defense contractor networks. This exposure, Controlled Unclassified Information (CUI) resident on unregulated and often under secured contractor networks across the DoD supply chain has become a risk that requires addressing for the DoD.

The Defense Industry has always worried about security around products and services.  However, the business systems and IT infrastructure that supported those defense contractors were not monitored or significantly regulated by the US Government although vulnerable to attack.  The Pentagon has acknowledged an urgent need to tighten cybersecurity across its vast contracting operations and hold contractors accountable for minimum standards of care around cybersecurity.  Indeed, the requirements to protect data have been expanding for more than a decade and the Federal Acquisition Regulation (FAR) and the General Services Acquisition Regulation (GSAR) are expected to add data protection requirements in 2020.  In truth, the new Cybersecurity Maturity Model Certification (CMMC) and the ambitious effort to secure the DoD supply chain has been underway for many years now (see chart below).

DFARS-NIST-CMMC-Timeline-11Aug2020

Overview of CMMC

The Cybersecurity Maturity Model Certification (CMMC) program will serve as a method of verifying that appropriate levels of cybersecurity controls and processes meet a specific standard and are in place to protect controlled unclassified information that may be held on the DoD’s industry partners’ networks.

The CMMC program builds on another US government acquisition regulation called DFARS Clause 252.204-7012 which requires the implementation of NIST SP 800-171, Protecting Unclassified Information in Nonfederal Information Systems, and Organizations, as the standard for defense contractors handling CUI data.  As such, compliance with NIST 800-171 has been essential for winning and sustaining contracts since 2017 but the lack of oversight and auditing has led to many self-certified contractors that might not stand up to the scrutiny of a 3rd party audit. Because CMMC is at its foundation based on DFARS Clause 252.204-7012 and NIST SP 800-171 it’s important to understand these two separate but related requirements.

Understanding DFARS Clause

 

CMMC, when finalized and fully mature, will require independent validation of compliance by a CMMC Third-Party Assessor Organization (C3PAO). This is a significant change from DFARS Clause 252.204-7012 which allowed for self-certification and could upend a largely unprepared supply chain that has taken advantage of lax oversight and enforcement.

CMMC is broken down into five compliance levels which a company will need to be certified to be able to be awarded a DoD contract.  The levels break down (see below) into demonstrable levels of cybersecurity maturity from which a defense contractor can acquire more and more abilities to conduct services with the DoD.

CMMC Level Requirements

Your Current Managed Security Service Provider (MSSP) Probably Isn’t Doing Enough For CMMC

Most small business defense contractors do not separate IT from cybersecurity and often the IT work takes priority, not cybersecurity or compliance. Small businesses with one or two IT staff members who are already oversubscribed have no chance of ingesting CMMC and achieving compliance without the help of a Managed CMMC Service. Maintaining the security and compliance programs required by the government is now a full-time job and failure to do so will prevent your company from doing business with the DoD.  No matter how qualified or knowledgeable, a small team simply does not have time or the breadth of skills to architect, administer, and manage their environments in alignment with CMMC requirements. You cannot do it alone.

Over the last decade, many businesses have outsourced their security and/or compliance requirements through a Managed Security Service Provider (MSSP).  Effectively MSSPs take care of the security requirements and allow a business to focus on their core competencies. Few if any MSSPs have any real skin in the game when it comes to compliance. Read their statement of work and it is lightly mentioned if at all and there are caveats galore around why they are not responsible or accountable in any meaningful way. In many cases, MSSPs introduce their own set of issues, vulnerabilities, and compliance headaches because the MSSP is not properly equipped to manage data and processes in a manner aligned with CMMC requirements.  With the MSSP handling most every piece of security and monitoring but never documenting and attesting compliance with CMMC, the current MSSP model falls short of CMMC requirements.

Investing in CMMC compliance (which includes compliance with DFARS 7012 and NIST 800-171) is a big effort because it now includes line of business systems including finance, personnel, and IT vulnerability information.  While MSSPs are valuable partners who reduce overhead costs and enable businesses to stay focused on their core mission, it is important to remember that MSSPs will have access to documents, CUI, and data including passwords, access codes, and vulnerability information about their IT environment.  Because MSSPs have this kind of sensitive data in their possession, it is critical that they make the same investment in NIST 800-171 to ensure that you stay compliant and properly manage CUI information and the security of your IT environment. Again, most MSSPs have very little if anything in their statements of work regarding compliance so small businesses are left with a false sense of security around achieving CMMC compliance.

Without clear lines of responsibilities between the owner of compliance and the business and IT operations of the host company, the failure of a compliance audit is inevitable.

That is the bad news, now for the good news.

CyberSheath’s Managed CMMC Service

In response to the new federal requirements and an ever-changing landscape, CyberSheath has created a whole new set of Managed Services to allow for any business to achieve any CMMC compliance level they desire. Unlike every other MSSP in the market today our CMMC service offerings are an evolution of our successful legacy NIST 800-171 Managed Services. Said another way, we aren’t new to this space and we have been through dozens of successful third-party audits over the past five-plus years.

We offer 5 different levels of assured compliance for you to choose from based on your business requirements. To date, 100% of our customers are focused on CMMC Maturity Level (ML) 3 as it so closely aligns with the NIST 800-171 requirements.

First Step:

  • We meet your business where it is today. We will gain visibility of your desired CMMC ML and any gaps in processes, documentation, practices, or technology.
  • Gain current and ongoing visibility into NIST 800-171 / CMMC via professional certified assessments and remediation plans.

Second Step – Select Hosted Compliance Level(s):

  • Level 1: Become compliant with CMMC ML1 over your entire infrastructure within weeks.
  • Level 2: Work with a virtual security officer and get assistance with ongoing compliance program oversight and routine reporting.
  • Level 3: Quickly gain the ability to achieve compliance and bid on CMMC ML3 contracts with our cloud-based guaranteed compliance offering.
  • Level 4 or Level 5: Leverage our expertise as we maintain the rigorous program, technology, engineering, and implementation required for the most robust security standards.
  • Beyond:
    • Future-proof your compliance to changes in CMMC policy or implementation approaches by assigning ongoing program maintenance to CyberSheath.
    • High Cloud infrastructure in a hosted compliant process.

Third Step:   We manage your compliance as an outsourced compliance program inclusive of an MSSP.

 

 

CMMC Managed Service - Levels 1-5

CyberSheath’s CMMC Shared Security Model is the Answer to CMMC Compliance for Small Businesses

Whether it be a public, private, or hybrid architecture, businesses must take responsibility for ensuring that their data is secure. With limited resources and no time to become a CMMC expert, the solution to the problem is clearly a shared responsibility model. CyberSheath has successfully implemented and been audited against our shared responsibility model many times over the last five-plus years so our solution is tested and audit-ready. Our tailored responsibility matrix eliminates single points of failure and ensures that all required security requirements have an owner and produce the required documentation and evidence. The shared responsibility model reduces the day-to-day operational demands on your business and ensures documented, repeatable, and audit-ready compliance.

With government revenues on the line, it is crucial to determine who controls the various components of the CMMC compliant infrastructure and operations. CyberSheath defines where and how security measures should be applied, with a special focus on CUI and other sensitive government data.

CyberSheath differentiates itself by taking ownership of assured CMMC compliance and it is a contractual requirement that we put right into our statements of work. This cannot be done in isolation and requires shared and distinct responsibilities on both sides of the partnership which tend to be specific to each company.  CyberSheath offers a ‘single-pane-of-glass’ to gain visibility into CMMC compliance, continuous security monitoring, and various important datasets, analytics, and user interfaces in one place. Our CMMC management platform is built around Microsoft Azure’s FedRAMP GCC High environment which ensures infrastructure capabilities that can detect and remedy security misconfigurations, leveraging services to ensure near-real-time compliance features.

Why CyberSheath?

Cybersheath has leveraged and lived this Shared Responsibility Model for NIST 800-171 successfully for many years now, and expect that it will be a fundamental part of CMMC attestation and MSSP partnerships going forward.  The experts at CyberSheath understand your challenges – and we can help. Contact us to make sure your CMMC readiness gets – and stays – on track.

The US Department of Defense (DoD) has one of the largest supply chains in the world, scaling to hundreds of thousands of different vendors and partners. While valuable, these vital partners in our nation’s defense infrastructure pose a huge cyber risk. Today that risk is largely unchecked and unregulated as contractors can “self-attest” to their ability to protect Controlled Unclassified Information (CUI).

Commercial companies are the lifeblood of any economy and the circulatory system of modern day societies.  They provide needed innovation, new discoveries, critical high-value support as well as materials and quick solutions to a myriad of problems. From the most arcane to the most mundane, the US Defense Department has needs in nearly every aspect of procuring commercial services, but this lifeblood paradoxically may imperil the entire system by leveraging companies with little respect for cybersecurity controls. In fact, in this connected world, no government or company can perfectly protect all its data from hackers and rival states. Even so, it is astonishing that, from January 2016 to February 2018, nearly 6 percent of U.S. military and aerospace contractors reported data breaches (according to Stars & Stripes).

And experts feel this is just the tip of the iceberg – the vast majority of security incidents are never uncovered. The Pentagon needs to tighten cybersecurity across its vast contracting operations and hold contractors accountable for minimum standards of care around cybersecurity. Essentially that is the goal behind the Cybersecurity Maturity Model Certification (CMMC) and the ambitious effort to secure the DoD supply chain. The CMMC effort is not without its critics but who can argue that real change wasn’t urgently needed?  Learn More about CMMC

Let us review some major breaches of national security that hopefully can be prevented in a post CMMC world so that you might be the judge:

Example One – Jan-Feb, 2018:  Comprise of US Navy “Operation SEA DRAGON” – Chinese hackers stole sensitive U.S. Navy submarine plans from Rhode Island DoD contractor

Citing unnamed U.S. officials, the Washington Post reported in June of 2018 about a very disturbing cyberattack of a US DoD contractor.  Evidently Chinese government hackers compromised the computers of a U.S. Navy contractor and stole a large amount (approximately 600+ Gigabits) of highly sensitive data on undersea warfare, including plans for a supersonic anti-ship missile for use on U.S. submarines.

The breaches took place in January and February, the officials told the Post, speaking on condition of anonymity about an ongoing investigation led by the Navy and assisted by the Federal Bureau of Investigation.

The U.S. Navy and an unnamed defense contractor are/were working on a new missile which the Navy says will give its submarines a new, “disruptive offensive capability” to take on enemy ships. The previously unknown weapon, known as Sea Dragon, supposedly combines an existing U.S. Navy platform with an existing capability, is likely a new version of a versatile air defense missile capable of pinch-hitting as an anti-ship missile.

Example Two – March 2019:  US Navy Review Concludes it is “Under Siege” by Chinese Hackers & Attackers

An internal U.S. Navy review concluded that the service and its various industry partners are “under cyber siege” from Chinese hackers who are building Beijing’s military capabilities while eroding the U.S.’s advantage, The Wall Street Journal reported Dec 2018 – Mar 2019. Chinese hackers have repeatedly hit the Navy, defense contractors, and even universities that partner with the service. “We are under siege,” a senior Navy official told The Journal. “People think it’s much like a deadly virus — if we don’t do anything, we could die.”

Three particularly worrisome recent incidents (2018-2020) were the theft by China of highly sensitive information on naval projects left on an unclassified network (2019), last year’s breach of private information on 30,000 Pentagon employees(2018), and the exposure of 60,000 files on a publicly accessible server involving a subcontractor to Booz Allen Hamilton (2018), the firm that employed Edward Snowden. And perhaps most embarrassing was the 2016 theft of sensitive plans for the F-35 fighter — a plane that will cost taxpayers $1.5 trillion over its lifespan. A small Australian subcontractor on the project had reportedly never changed its Windows passwords from the defaults “admin” and “guest.”

Example Three – Sept-Dec 2019:  Compromise of Emails and LinkedIn Accounts of military defense companies

In a report released in June 2020 by Slovakia-headquartered ESET cybersecurity company who said the cyberattacks of mainly European aerospace and military defense firms were launched between September and December 2019. A collaborative investigation with two of the affected European companies allowed them to gain insight into the operation and uncover previously undocumented malware.

To compromise their targets, the attackers used social engineering via LinkedIn, hiding behind the ruse of attractive, but bogus, job offers. Having established an initial foothold, the attackers deployed their custom, multistage malware, along with modified open-source tools. Besides malware, the adversaries made use of living off the land tactics, abusing legitimate tools and OS functions. Several techniques were used to avoid detection, including code signing, regular malware recompilation, and impersonating legitimate software and companies.

According to their investigation, the primary goal of the operation was espionage. However, in one of the cases we investigated, the attackers attempted to monetize access to a victim’s email account through a business email compromise (BEC) attack as the final stage of the operation.

As part of the initial compromise phase, the Operation In(ter)ception attackers had created fake LinkedIn accounts posing as HR representative of well-known companies in the aerospace and defense industries. In our investigation, we’ve seen profiles impersonating Collins Aerospace (formerly Rockwell Collins) and General Dynamics, both major US corporations in the field.

Fake-LinkedIn-Account

With the profiles set up, the attackers sought out employees of the targeted companies and messaged them with fictitious job offers using LinkedIn’s messaging feature, as seen in Figure 1. (Note: The fake LinkedIn accounts no longer exist.)

Once the attackers had the targets’ attention, they snuck malicious files into the conversation, disguised as documents related to the job offer in question.

Example Four – 2017-2020:  The Chinese APT Threat to Cleared Defense Contractors

In a report published in June of 2020, cyber-security firm Lookout said it found evidence connecting Android malware (APT 15) that was used to spy on minorities in China to a large government defense contractor from the city of Xi’an.

Lookout’s 52-page report details a years-long hacking campaign that has primarily targeted the Uyghur ethnic minority, living in western China, but also the Tibetan community, to a lesser degree.

The campaign infected individuals in these communities with malware, allowing government hackers to keep an eye on the activities of minority communities in China’s border regions but also living abroad in at least 14 other countries.

“Activity of these surveillance campaigns has been observed as far back as 2013,” Lookout researchers said. The company attributed this secret surveillance to a hacking group they believe operates on behalf of the Chinese government.

The fact that Lookout linked an APT15 malware sample to a Chinese defense contractor is not a novel discovery. From 2017 to 2019, four other Chinese state-sponsored hacking groups have been linked to contractors hired by Chinese intelligence agencies operating in various regional offices.

This includes:

APT3 – linked to a company named Boyusec operating on behalf of Chinese state security officials in the province of Guangdong

APT10 – linked to several companies operating on behalf of Chinese state security officials in the province of Tianjin

NEW!  APT 10 – Xi’an Tianhe Defense Technology, a large defense contractor in the city of Xi’an, in central China.

APT17 – linked to several companies operating on behalf of Chinese state security officials in the province of Jinan

APT40 – linked to several shell companies operating on behalf of Chinese state security officials in the province of Hainan

Operators behind APT3 and APT10 have eventually been charged by the US Department of Justice in November 2017 and December 2018, respectively.

Based on previous threat intelligence reports published by cyber-security firms Recorded Future and CrowdStrike, the Chinese Ministry of State Security outsources hacking operations to outside contractors, who report directly to, and take orders from intelligence officials.

In an FBI warning in 2018, https://publicintelligence.net/fbi-defense-contractors-apt/, specifically cites examples against “Cleared Defense Contractors” and here is an excerpt of the alert:

“APT actors in the near future likely intend to target US Cleared Defense Contractors (CDC) via spear phishing campaigns or network infrastructure compromises, according to recent intelligence. Common spear phish targets may include individuals featured on internet-facing CDC Web sites and high-ranking CDC executives.

FBI has observed APT actors over the past two years precede spear phishing campaigns with open source research of targeted US company websites, particularly sections containing contact information for company officials which include names, titles, telephone numbers, and email addresses. In one case, an APT actor sent spear phishing emails within one-to-two weeks after researching the targeted US company.

Historically, APT actors have a strong desire to collect US defense and scientific intelligence to further their interests and advance strategic goals. As a result, US CDCs and research facilities may likely be targets for cyber adversaries due to their involvement in national security and their close relationship with the US Government.”

Example Five – Feb-June 2020:  DCSA Bulletin – US Defense Focused

In a report published recently by politico, they suggest they obtained a Defense Counterintelligence and Security Agency (DCSA) bulletin marked “unclassified/for official use only” and warns that DCSA’s cyber division detected nearly 600 “inbound and outbound connections” from “highly likely Electric Panda cyber threat actors” targeting 38 cleared contractor facilities, including those specializing in health care technology.   Moreover, the bulletin goes on to say, “Nearly 40 U.S. contracting facilities with access to classified information have been targeted by a hacking group with suspected ties to the Chinese government since Feb. 1”, according to a bulletin disseminated to contractors by the Defense Counterintelligence and Security Agency.

The so-called Electric Panda group is not new and appears to have been operating since at least 2016, according to one of the indicators listed by DCSA. The bulletin goes on to say that this group has been targeting contractors that specialize in cybersecurity, aerospace, naval, health care, power generation, IT systems, telecommunications, risk analysis, and space systems.

Conclusions: How to Solve the Problem?

Given this, how safe is the US DoD Supply chain from cyberattacks?  From casual, publicly available information, there is strong evidence that the supply chain base of the US DoD system is under dedicated and constant attack, most probably needs dramatic investments in order to stay safe and sound from cyberattacks and to keep the US military safe.

The key to understanding the solution is to understand that the threat is immeasurably more serious as we must concern ourselves with the great possibility of a loss of life scenarios.

Let us hope that the new CMMC regulation is a very important step in accelerating the awareness of the real possibilities of these dangers, then to assemble a well-orchestrated cybersecurity risk and mitigation strategy for each attribute of DoD Supply chain may be placed in harm’s way.

Next Steps

If you have any questions or would like support as you ready your organization for CMMC, contact us.  We also invite you to listen to Eric Noonan, CyberSheath CEO, in a recorded webinar to learn how to start preparing your organization for CMMC by leveraging the steps you have taken to be compliant under DFARS.  Register Now

In this webinar you will learn:

  • Mapping NIST 800-171 to CMMC
  • Levels 1-5: Challenges and complexities to consider at each compliance level
  • Step by step path to attaining CMMC

 

According to a Department of Defense (DoD) official as confirmed to Inside Cybersecurity, DoD is planning to publish the proposed acquisition rule required for the implementation of the Cybersecurity Maturity Model Certification (CMMC) program in the next few weeks.

The proposed rule change, titled “Strategic Assessment and Cybersecurity Certification Requirements” under Defense Federal Acquisition Regulation Supplement (DFARS), is required for the Pentagon to award contracts containing CMMC language. Final timing is a decision for the White House Office of Management and Budget’s Office of Information and Regulatory Affairs, but the proposed timing aligns with the tremendous push forward for CMMC across the DoD.

This news should continue to melt away any doubts that the train has left the station and getting compliant with DFARS 252.204-7012 and NIST 800-171 for current contracts and planning for CMMC implementation for future contracts is a major priority for all DoD suppliers.

How to Prepare for Cybersecurity Maturity Model Certification

Compliance with ever-evolving DoD cybersecurity mandates like DFARS 252.204-7012, NIST 800-171, and CMMC is complicated and confusing. It can be hard to understand the outcomes that you should focus on and how to measure success. What does success even look like? How can I partner with a Managed Services provider to deliver measurable outcomes that ensure compliance?

Access our latest webinar, NIST 800-171 Case Study: Surviving a DoD Audit, to prepare your organization for CMMC. Go behind the scenes through a defense contractor’s journey from 35% compliance to a successful audit and “low-risk rating” by the DoD.

Access Webinar Now.

 

We are in unprecedented times. As we all work to maintain as much normalcy in our personal and professional lives as possible, important projects such as those involving your organization’s cybersecurity might not be top of mind.

You’ve worked hard to secure your company’s valuable information technology resources to guard it against all sorts of cyberattacks. Neglecting IT security now would be a misstep. Here’s why.

Three Reasons Quarantine Shouldn’t Stall Your Cybersecurity Plans

1 – CMMC is moving forward in spite of the current crisis.

In an interview with Government Matters on March 29, Katie Arrington, the chief information security officer in the Office of the Undersecretary for Acquisition and Sustainment, announced the DoD is still moving forward with the newly launched Cybersecurity Maturity Model Certification (CMMC), even with the current challenges companies are facing due to COVID-19.

2 – Protecting controlled unclassified information (CUI) remains important.

It’s worth considering if the scope of your CUI environment has changed now that many or all of your employees are working from home. With that in mind as well as an increase in cyberattacks, including phishing and hacking, it’s possible that your dispersed and remote workforce could be more at risk – potentially exposing your company to nefarious threats.  And, unchanged is the regulatory requirement of protecting CUI under NIST 800-171. Now is not the time to be lax on IT security.

3 – Assessments can be done remotely.

While the present environment might alter some aspects of your approach, it shouldn’t change your CMMC timeline. With all of your organization’s digital capabilities – which undoubtedly have been tested and broadened in recent weeks – collaborating with a skilled provider on your CMMC assessment makes sense.

A skilled partner like CyberSheath will be able to work with you remotely to assess your current IT infrastructure and security posture, helping to get you ready for CMMC. The assessment is the first step to understand the gaps your organization is facing to meet CMMC requirements. To prepare you for the assessment process, to know what to expect, and what is needed to manage a successful engagement, we interviewed a cybersecurity practitioner to share from his years of experience, access the interview now.

As we look to the coming months and plan for an uncertain future, one thing that remains constant is the need to develop, execute, and maintain a robust cybersecurity plan. Delaying your efforts to comply with CMMC could impact your business – and making your IT security a priority is always a good idea – especially now.

The experts at CyberSheath understand your challenges – and we can help. Contact us to make sure your CMMC assessment gets – and stays – on track.

Technology photo created by freepik – www.freepik.com

In today’s security landscape, threats to your IT infrastructure are constantly evolving. As you work to secure your IT systems and processes, penetration testing (pen testing) is an important component of your plan. Pen testing can help your organization gain a fresh perspective with a third party looking at your security from the viewpoint of an attacker.

What is a penetration test?

A pen test is performed by attempting to exploit any of your organization’s identified vulnerabilities or configuration flaws to determine if the protective controls of a given system can be bypassed. Penetration tests can have multiple goal-based scenarios, including PII hunting, database breaches, domain control, and more.

Following the initial compromise of a host or credential set, analysts performing the pen test continue the attack lifecycle by pivoting to other hosts in the network, and then work to show how a compromised host can impact your business.

Why should you run penetration tests?

Pen testing examines the subsystems, components, and security mechanisms comprising your organization’s infrastructure and identifies weaknesses. Penetration tests can help you:

  • Validate the effectiveness of your environment
  • Meet contractual requirements
  • Satisfy compliance objectives (PCI)
  • Test your system from multiple adversary roles including potential employees, external adversaries, and more
  • Adopt an agile methodology and regularly examine your systems

How do you conduct pen testing?

  • Use commercial tools, public domain utilities, and proprietary tools to examine the security posture of a system or application and apply numerous industry frameworks like OWASP.
  • Conduct tests from both the vantage point of an unauthorized and authorized user. Working from both of these perspectives drives a more complete understanding of the threats to your organization’s security.
  • Go beyond automated tools and use manual testing methodology. Manual testing involves verifying vulnerabilities identified by the automated scanners so that any false positives can be eliminated. It also shows the business impact of a reported vulnerability. Automated scanners lack the ability to detect business logic flaws in the application. A combination of automated and manual testing provides a more thorough analysis.
  • Leverage the expertise of licensed, third party analysts holding the appropriate certifications to provide an outside view of those looking to infiltrate your systems. These professionals have no personal ties to the company, thus removing any negative theories.
  • Know when to run pen tests. This can be at defined frequencies like annually for small businesses, twice-annually for mid-size organizations or quarterly for large enterprises. Note that PCI requires pen testing annually. It is also good practice to pen test during the development of new systems, such as applications, services, or platforms, when system components or modules are in a static pre-production state. This can address vulnerabilities before exposing a system. In addition, make sure to pen test after changes to system components that are expected to have an impact on the security of a system, including the launch of new technologies, major infrastructure or application changes, modification to authentication mechanisms, or logging capability adjustments.
  • Document findings and know how to proceed. The results of the pen test should be incorporated into a report reviewing the results to ensure all findings and vulnerabilities are categorized and documented. This report should provide detailed results of the test including a summary of the findings and the technical details for significant findings per project task, in-depth conclusions identifying affected hosts or application identifiers (i.e. Internet Protocol addresses), recommendations for remediation for each significant finding, and other details such as testing limitations, tools used during the test, and any follow-on environment clean up requirements.

Other pen testing tips

  • Ensure that the scope of your pen test is appropriate for what you are protecting such as internet exposed applications and services, internet exposed APIs, access gateways and mechanisms, supporting infrastructure (authentication services and management interfaces), and sensitive data sets existing on applications, databases, and unstructured storage repositories.
  • Know and define your attacker’s perspective. An external internet-based attacker targets applications and network services exposed to the internet, whereas a malicious insider earmarks sensitive internal network applications or known network locations housing important datasets. Both types of attackers may or may not have credentials to your network and both may proceed with either a wide scope discovery or a pinpoint approach. Attackers can also test roles to see the impact of escalating privileges and pivot to other roles within an application.

Penetration testing is an important part of your security plan. Make sure you get it right. If you would like help from experienced security professionals on running penetration tests for your organization, contact us.

It has finally arrived, the Cybersecurity Maturity Model Certification (CMMC) version (v) 1.0. CMMC v1.0 changes the DoD acquisition process with certification becoming a pre-RFP requirement to bid a government contract.  Like you, CyberSheath has been aggressively following the CMMC’s progression to this final version which included 3 previous drafts 0.4, 0.6 and 0.7. Overall not much has changed from draft 0.7; however, version 1.0 does have some noteworthy updates.

 

Overview of CMMC Levels 1-5 per the DoD’s released CMMC v1.0 pdf

Level 1 focuses on the protection of Federal Contract Information (FCI) and the practices under the basic safeguarding requirements detailed in 48 CFR 52.204-21.  Level 1 is the only level where processes will not be assessed.

Level 2 is the step between Levels 1 and 3 and as such begins to include a portion of NIST 800-171 controls, in addition to other frameworks. The subset of frameworks introduced at Level 2 also starts to refer to Controlled Unclassified Information (CUI).  Unlike Level 1, documentation of processes and policies is a requirement in Level 2.

Level 3 requires the implementation of all 110 NIST 800-171 controls. There is also 20 new CMMC practices introduced at Level 3.  In addition to documenting processes, “Level 3 requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation.”

Level 4 concentrates on the “protection of CUI from APTs and encompasses a subset” of practices from the NIST 800-171B draft combined with other cybersecurity models.  Level 4 requires documenting, managing in addition to reviewing processes as well as improving as necessary.

Level 5, like Level 4, Level 5 concentrates on the “protection of CUI from APTs.”  Level 5 requires the continuous optimization of documentation and processes across the organization.

 

Key Differences between NIST 800-171 and CMMC v1.0

CMMC includes security practices in new Domains including Asset Management, Recovery, and Situation Awareness.

Level 2 requires increased standards for Incident Response

Level 2 requires an organization to review logs

Level 3 requires increased standards for Risk Management

Level 3 requires organizations to collect audit logs in one or more central repositories

Level 3 includes new requirements to protect email services

Level 3 includes new requirements to filter access to potentially malicious internet sites (DNS filtering)

Level 3 builds on Levels 1 and 2, requiring 100% compliance with NIST 800-171 plus 20 new CMMC practices (1 less than the previous draft version)

 

Key Differences between CMMC draft v0.7 and CMMC v1.0

Level 4 SOC is now 24/7 instead of “normal business hours”

Levels 3, 4 + 5 the new practice (P1035) requiring organizations to, “Identify, categorize, and label all CUI data” has been removed from all Levels that originally required it in draft versions. However, the original control to mark media is still there, so if you print or put media on a thumb drive, you need to mark it. But identifying and labeling CUI content is not explicitly stated as it was in all previous drafts.

 

If you have any questions or would like support as you ready your organization for CMMC, contact us.  We also invite you to listen to Eric Noonan, CyberSheath CEO, in a recorded webinar to learn how to start preparing your organization for CMMC by leveraging the steps you have taken to be compliant under DFARS.  Register Now

In this webinar you will learn:

  • Mapping NIST 800-171 to CMMC
  • Levels 1-5: Challenges and complexities to consider at each compliance level
  • Step by step path to attaining CMMC

You have completed your NIST 800-171 security controls assessment to see how your company is doing in meeting the requirements of the standard. The evaluation revealed some gaps within your organization’s implementation of the solutions, tools, and processes you have launched. Unsurprisingly, these gaps typically occur in those controls most difficult to rollout. These challenges include those relating to:

Technology – Issues may include trouble identifying the right solution to address problems and the cost to acquire and implement the tools.

Process – There are often organizational matters to navigate as the company deals with changing the way it has always done things. This can extend to the need to adjust attitudes and upgrade the skillsets of members of the IT team as well as executive staff.

People – Impacting how employees perform their day-to-day work can make your whole organization run less smoothly.

 

Based on our work performing hundreds of assessments each year, we have identified consistent implementation gaps regarding the following controls:

 

5 – Training and Awareness, Control 3.2.1

  • Control requirements: This control mandates on-boarding and periodic refresher training of all users with access to sensitive information, as well as specific training for security-related roles.
  • Implementation challenges: Training and awareness impacts everyone and is one of the most effective ways to improve your security. Some employees consider it boring or not directly related or important to their work. The size of your workforce and the technical background of employees will have a direct impact on your implementation. While not the most difficult control to put into action, it can provide the most improvement to your security.
  • 51% of our assessed clients had issues with this control.

 

4 – FIPS-validated Cryptography, Control 3.13.11

  • Control requirements: Using FIPS-validated cryptography is compulsory to protect Controlled Unclassified Information (CUI). This includes deploying it on mobile platforms, including cell phones, tablets, and laptop drives, as well as on removable media and during transmission over unprotected communication channels.
  • Implementation challenges: This technology is complex and integrating it with the rest of your systems can be onerous. The size of your workforce and complexity of your environment also affects your implementation. Conducting the due diligence necessary to determine that all the encryption tools you employ to protect CUI can be challenging. Some of our customers understand that the encryption algorithms employed by their tools are FIPS-validated but are not aware that FIPS-validated cryptography includes other parameters, such as key generation, protection, and management.
  • 52% of our assessed clients had issues with this control.

 

3 – Incident Response, (Controls Class) 3.6.X

  • Control requirements: This control mandates that you establish an incident response capability that includes preparation, detection, analysis, containment, recovery, and user response, as well as the ability to track, document, and report incidents.
  • Implementation challenges: There is a tendency to be reactive rather than proactive, as often people do not like to think about things going wrong, and employees are often not eager to report to management or customers about negative events. Again, the complexity of your environment and size and training of your IT workforce impacts the implementation. Also, effective Incident Response processes go beyond IT and Security, requiring coordination with other organizations such as HR, Legal Consul, Communications, and the Executive Leadership Team.
  • 64% of our assessed clients had issues with this control.

 

2 – Multi-factor Authentication, Control 3.5.3

  • Control requirements: To comply, it is necessary to use multi-factor authentication (MFA) for network and remote access by all users, and in addition, privileged users require MFA for all local access. Authentication factors include “something you know”, such as a password; “something you have”, such as a token or cell phone; and “something you are”, such as a fingerprint. To meet this control, your organization must use two (or more) different factors. For example, using two passwords is not MFA. Using a password and your fingerprint is MFA.
  • Implementation challenges: This control is potentially expensive as it necessitates a new process and affects your service desk, every piece of hardware, and your people, as logging in is different. Implementation is impacted by your current systems and processes, the size of your environment, and the diversity of your platforms.
  • 73% of our assessed clients had issues with this control.

 

1 – Documentation for all Controls

  • Control requirements: NIST SP 800-171 r1 “expects” that nonfederal organizations will have policy, process, and plan documentation covering all the security domains as part of their comprehensive security program.
  • Implementation challenges: Most companies don’t have policy, process, or plans to measure if they are doing the right thing and doing it consistently – and this will be even more important with the introduction of Cybersecurity Maturity Model Certification (CMMC). Also, technical people typically enjoy doing technical work, such as design, implementation, and support and are not as motivated to complete the required paperwork. Implementation of a comprehensive documentation system hinges on your resources and what your company already has in place and on-file.
  • Approaching 100% of our assessed clients had issues with this control.

 

If you need expert help complying with these challenging requirements or any others, you can rely on CyberSheath. Contact us to see how we can help your organization move forward.  We also invite you to join Eric Noonan, CyberSheath CEO, at our upcoming webinar on February 26th, 2020 at 9:00 am (PST) | 12:00 pm (EST) to learn how these difficult NIST 800-171 controls could affect your CMMC efforts.  Register Now

In this webinar you will learn:

  • Mapping NIST 800-171 to CMMC
  • Levels 1-5: Challenges and complexities to consider at each compliance level
  • Step by step path to attaining CMMC

 

Webinar Leveraging NIST 800-171 to Achieve CMMC Registration Link

There is a lot your organization is already doing that you can apply to your preparation for the impending launch of CMMC (Cybersecurity Maturity Model Certification). One important and useful component to consider is a Plan of Action and Milestones  (POA&M or POAM).

Required to achieve compliance with NIST 800-171, a POAM is an extremely useful tool in helping your organization plan for a multitude of security projects, including compliance with standards like CMMC.

How a POAM Helps Realize Project Goals

Providing a structured approach for how to approach any security issue, a POAM delivers many benefits. It:

  • Outlines activities necessary to mitigate security issues.
  • Helps identify the security issue you are having or might have, and the underlying gap in your systems or processes.
  • Assigns resources needed to mitigate issues.
  • Holds your organization accountable with projected completion of milestone activities.
  • Calls out how vulnerabilities were identified.
  • Denotes risk level, labels status, and captures the estimated cost to remediate.

It’s a good idea to be well-versed and able to use a POAM now. Once you factor in the added benefit of helping your organization get ready for proceeding with CMMC compliance, using a POAM just makes sense.

POAM and CMMC Compliance

Preparation  As you ready your organization for tackling CMMC compliance, a POAM will matter more than ever. The plan can be used as a guide to understand what is required of your organization to receive the CMMC level certification your organization needs to bid on a government contract. It will actively manage and guide your project by highlighting the timeframe and resources required to achieve a CMMC level of certification by a specific date.

Maintenance – In the constantly evolving threat and technology landscapes, the tool can also assist in maintaining your certified level. A change to the threat environment could make a security practice no longer, or less, effective. A POAM could be used to reestablish compliance with the security practice if the new threat creates a gap.

Changes to your infrastructure may also create practice or process gaps that require a POAM to remediate. For example, if you are Maturity Level 3 certified at contract bid, which requires you have resources to collect and review your audit logs, and your organization doubles in size during the contract, you could potentially need a POAM to address the resources needed to collect and review audit logs which have now doubled in volume.

Advancement – After you have achieved initial CMMC compliance, a POAM can continue to add value, assisting your organization in leveling up and reaching a new degree of certification (i.e. advancing from CMMC Level 2 to CMMC Level 3). A POAM again becomes a driving force to manage your time around a project completion date as well as the resources required to successfully reach the determined milestones.

Executive Buy-In – As you look for budget and resource approvals to tackle CMMC compliance, a POAM can be a helpful tool in communicating with and getting buy-in from senior management.

Start familiarizing yourself with this valuable tool now by downloading our sample POAM template below.

CMMC Update – Draft Version 0.6

CMMC is being further refined and another update to the standard was recently released (Version 0.7). Draft Version 0.6 includes notable updates such as:
  • Changed from 18 to 17 Domains with the elimination of the Governance domain.
  • Focused more of the Practices on NIST 800-171 Controls.
  • Identified 21 Practices through Practice Level 3 which are not attributed to NIST 800-171 R1. That is, to achieve Practice Level 3, you need to be fully compliant with NIST 800-171 R1 and implement the 21 new CMMC practices.
  • Started referencing international frameworks including those from Australia and the UK.
  • Removed the “redundant” Practices. For example, in Draft Version 0.4 of the standard, Level 1 might have a Practice that is implemented “at least in an ad hoc fashion” and the same control is fully applied in Level 2. These “ad hoc” practices were removed from Level 1.

If you have any questions or would like support as you ready your organization for CMMC, contact us.

 

POAM Template Download

As you are probably aware, there is a new mandatory certification model that will be required to do business with the Department of Defense (DoD). The CMMC (Cybersecurity Maturity Model Certification) builds on best practices established in NIST 800-171 (DFARS), NIST 800-53, ISO 27001, ISO 27032, AIA NAS9933, and others, to create one unified standard for cybersecurity.

CMMC will be a dynamic standard, growing and evolving with the demands of the ever-changing cybersecurity landscape. While the structure of CMMC is set, the details of the new standard are still being vetted, refined, and finalized. The target for launch is early 2020.

How CMMC Compares to NIST 800-171

Similarities

The purpose of both standards is to ensure that DoD contractors employ healthy cybersecurity practices to protect sensitive information. There are several facets of security posture that must be met in order to be in compliance with both standards. Both also require demonstrated compliance to do business with DoD, via self-certification for DFARS and via an audit by certifying organization for CMMC.

Differences

One important distinction touched on above is that CMMC will not allow self-certification. Compliance with the standard will be verified by an outside third-party hired by your company to determine your compliance with the requirements.

The CMMC control framework is (currently) much larger than the 14 control families and 110 controls outlined in NIST 800-171. As of October 31, 2019, CMMC contains 18 domains, 241 practices, and 90 processes at Maturity Level 3.

CMMC Components

The elements of CMMC include:

  • Maturity Levels – These levels range from basic security controls required for level 1 through highly advanced requirements for level 5.
  • Domains – Based on cybersecurity best practices, these are key sets of capabilities for cybersecurity, such as Access Control, Incident Response, Security Assessment, and more.
  • Capabilities – These achievements are the building blocks of each domain, ensuring cybersecurity within each domain.
  • Practices – These are individual cybersecurity activities related to NIST “controls”. They range from Level 1 practices including anti-virus and ad hoc cybersecurity governance to Level 5 practices such as real-time asset tracking and device authentication.
  • Processes – These are documented standards for implementing practices based on the maturity level of your organization.

Below is an example of a cross-reference matrix between NIST and CMMC draft 0.4. It shows some interesting characteristics, such as:

– One NIST Family mapping to multiple CMMC Domains
– One NIST control mapping to multiple CMMC Levels
– One NIST control mapping to multiple CMMC Capabilities
– One NIST control mapping to multiple CMMC Practices
– New CMMC practices not found in the NIST controls

Note, as with most mappings of this kind, they are not always clean, with some aspects of a Control in one framework mapping to elements of a Practice in a different framework.

What You Can Do Now

CMMC specifically calls out the requirement for documentation for all domains in order to achieve compliance. Note that this condition was never explicitly requested in NIST 800-171; rather it is noted in the DFARS appendix that it was assumed you had the appropriate documentation.

While CMMC is continuing to evolve, you can ready your organization to meet the requirements of the new standard. Achieving CMMC compliance will not be a quick endeavor as you will need to define and record your real working processes.

Start now by cataloging your processes and building out the documentation that is called out in NIST as this will surely aid your CMMC compliance activities.

CMMC Maturity Levels 2, 3, 4, and 5 will require Policy, Process, and Plan documents. According to NIST, here are the plans you should have in place:

  • Business Continuity Plans
  • Contingency Plans
  • Continuity of Operations Plans
  • Critical Infrastructure Plans
  • Crisis Communications Plan
  • Disaster Recovery Plans
  • Incident Response Plan
  • Incident Response Testing Plan
  • Occupant Emergency Plan
  • Physical/Environmental Protection Plan
  • Plan of Action
  • Security Assessment Plan
  • Security Plan
  • System Security Plan

And here are the policies and procedure you should have as well:

  • Access Control
  • Audit and Accountability
  • Configuration Management
  • Configuration Planning
  • Incident Response
  • Identification and Authentication
  • Information Flow Control
  • Information Flow Enforcement
  • Information System Maintenance
  • Media Protection
  • Media Sanitation and Disposal
  • Mobile Code Implementation
  • Password
  • Personnel Security
  • Physical and Environmental Protection
  • Portable Media
  • Risk Assessment
  • Security Assessment and Authorization
  • Security Awareness and Training
  • Security Planning
  • Separation of Duties
  • System and Information Integrity
  • System and Services Acquisition
  • System and Communication Protection
  • System Use

Prepare yourself by understanding the latest CMMC updates and, more importantly, how your business should respond to achieve documented, audit-proof evidence of compliance. Listen to Eric Noonan, CyberSheath CEO, in this recorded webinar as he explains how to cut through the noise and jump-start your DFARS compliance efforts.  No matter where you are in your journey towards NIST 800-171 compliance this webinar is guaranteed to better equip you in understanding, implementing, and maintaining compliance!

Register Now to gain your access to the webinar. If you have any questions or would like support as you ready your organization for CMMC, contact us.

Cybersecurity requirements for Department of Defense (DoD) contractors continue to evolve. However, NIST 800-171 compliance is as much required by law today as it was on the December 2017 deadline. In fact, with the introduction of the Cybersecurity Maturity Model Certification (CMMC) we are fast approaching a major change in how government contracts are bid. Recently, Katie Arrington, Chief Information Security Officer for the Assistant Defense Secretary for Acquisition, spoke at the Billington CyberSecurity Summit where it was noted,  “the new Cybersecurity Maturity Model Certification framework, or CMMC, is out in draft form for public comment. It would start appearing as a requirement in pre-solicitation acquisition documents like RFIs in June. ‘In the fall, we will start putting it into [actual bid solicitation documents like] RFPs,’ Arrington said.”  

With the proposed CMMC requirements contractors will be required to demonstrate compliance as referenced in section L and M of a government Request for Proposal (RFP). Demonstration of compliance will require a third-party certification as self-certification will no longer be allowed. This update is critical, noncompliance with a requirement in section L and M means you are not qualified to bid a proposal. The risk of not meeting compliance with NIST 800-171 pre-RFP will mean the loss of existing and potential work with the DoD.  

Prepare yourself by understanding the latest updates and, more importantly, how your business should respond to achieve documented, audit-proof evidence of compliance. Listen to Eric Noonan, CyberSheath CEO, in this recorded webinar as he explains how to cut through the noise and jump-start your DFARS compliance efforts.

 In this webinar you will learn:

  • What’s New: Cybersecurity Maturity Model Certification (CMMC), NIST 800-171 Revision 2, and NIST 800-171B
  • What’s Not: Understanding DFARS Clause 252.204-7012 and NIST 800-171
  • What To Do Now and Why: How to stay competitive in the DoD acquisition process and comply with DFARS Clause 252.204-7012 and NIST 800-171

No matter where you are in your journey towards NIST 800-171 compliance this webinar is guaranteed to better equip you in understanding, implementing, and maintaining compliance!

Register Now to gain your access to the webinar.

Have contractors implemented the NIST 800-171 controls? DoD Inspector General (IG) audit suggests not, recommends third-party audits. Are you ready?

A recent audit conducted in response to a request from the Secretary of Defense determined that DoD contractors did not consistently implement DoD‑mandated system security controls for safeguarding Defense information. Specifically, Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 requires contractors that maintain Controlled Unclassified Information (CUI) to implement security controls specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which lists security requirements for safeguarding sensitive information on non-Federal information systems. The requirements include controls for user authentication, user access, media protection, incident response, vulnerability management, and confidentiality of information.

DoD IG Report Findings

The findings across the DoD contractors audited included deficiencies related to:

  • Multifactor authentication;
  • Enforcing the use of strong passwords;
  • Identifying network and system vulnerabilities;
  • Mitigating network and system vulnerabilities;
  • Protecting CUI stored on removable media;
  • Overseeing network and boundary protection services provided by a third-party company;
  • Documenting and tracking cybersecurity incidents;
  • Configuring user accounts to lock automatically after extended periods and unsuccessful login attempts;
  • Implementing physical security controls;
  • Creating and reviewing system activity reports, and granting system access based on the user’s assigned duties.

The audit also found that while DoD requires contractors to protect CUI by complying with NIST 800-171 requirements, DoD contracting offices did not establish processes to:

  • Verify that contractors’ networks and systems met National Institute of Standards and Technology security requirements before contract award;
  • Notify contractors of the specific CUI category related to the contract requirements;
  • Determine whether contractors’ access, maintain, or develop CUI to meet contractual requirements;
  • Mark documents that contained CUI and notify contractors when CUI was exchanged between DoD agencies and the contractor; and
  • Verify that contractors implemented minimum security controls for protecting CUI.

The effect of these findings is that DoD does not know the amount of DoD information managed by contractors and cannot determine whether contractors are protecting unclassified DoD information from unauthorized disclosure.

The results of the audit probably don’t surprise the DoD or its many contractors but the recommendations in the DoD IG report, combined with the proposed Cybersecurity Model Certification (CMMC), should have contractors making plans to immediately implement the NIST 800-171 security requirements. All signs point to a game-changing, pre-RFP validation of compliance making cybersecurity a “go/no-go” factor for DoD contract awards.

DoD IG Report Recommendations

Recommendations out of the DoD IG report included:

  • Revise its current policy related to assessing a contractor’s ability to protect DoD information to require DoD Component contracting offices, as part of the Request for Proposal and source selection processes, and requiring activities, during the contract performance, to validate, at least annually, that contractors comply with security requirements for protecting CUI before contract award and throughout the contract’s period of performance.
  • Develop and implement a policy requiring DoD Component contracting offices and requiring activities to maintain an accurate accounting of contractors that access, maintain, or develop controlled unclassified information as part of their contractual obligations.
  • Revise its current policy to include language that would require DoD Component contracting offices to validate contractor compliance with minimum security requirements. We also recommend that the DoD Component contracting offices, in coordination with requiring activities, implement a plan to verify that the internal control weaknesses for the contractors discussed in this report are addressed.

All these recommendations are in alignment with the proposed CMMC efforts led by Katie Arrington, and DoD contractors who have delayed NIST 800-171 implementation should take notice and act now. Mandatory third-party validation of security requirements is coming in 2020 and failing to act will likely result in exclusion from contracting with the DoD. Both the recommendations from the DoD IG audit and CMMC are proposing third-party validation of control implementation as part of the Request for Proposal and source selection processes – self-certification and implementation after you win the work are going away. Contractors will need to demonstrate compliance before responding to an RFP and that means taking the necessary steps now before these inevitable changes are implemented in 2020.

Prepare for CMMC and NIST 800-171 Third-Party Verification

CMMC proposes that all companies conducting business with the DoD must be certified. The level of certification required depends upon the Controlled Unclassified Information (CUI) a company handles or processes and the intent of CMMC is to combine various cybersecurity control standards such as NIST SP 800-171 into one unified standard for cybersecurity. Given NIST 800-171 security requirements are at the core of CMMC, and NIST 800-171 implementation has been mandated for nearly two years now, that’s where DoD contractors should focus their efforts. Under CMMC the DoD is building on and strengthening, not abandoning NIST 800-171. Implementing the NIST 800-171 security requirements now is the best way to prepare for CMMC and meet your existing contractual requirements around DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting and NIST 800-171.

Implementing the NIST 800-171 requirements includes writing a System Security Plan (SSP) and with 110 security requirements, you can expect to be out of compliance with some number of those individual requirements. For requirements not yet implemented you will need to also document Plans of Action & Milestones (POA&Ms). The heavy lifting is in implementing the security requirements as you prepare for CMMC and controls like Multi-Factor Authentication and Incident Response which require time to fully implement. With 2020 less than six months away implementing all 110 security requirements will be a challenge and DoD contractors, subcontractors and vendors taking a wait and see approach to CMMC are ignoring the last decade of clear warning signs that security has become the foundation of acquisition. The DoD IG audit and recommendations are simply the most recent in a flurry of activity that should have contractors taking immediate action to comply.

5 Steps to CMMC Preparation

Download our 5 Step Guide to CMMC Preparation to plan and enable certification as a documented, automated outcome of day-to-day operations. This easy to follow guide presents a plan to prepare for CMMC in a way that fits your business and budget. Third-party certification is coming in 2020, get the compliance and control implementation expertise you need to stay competitive!

5 Steps to CMMC Preparation

CyberSheath has attended multiple listening sessions and events with DoD leadership revealing more information regarding the DoD Cybersecurity Maturity Model Certification (CMMC).  I want to expand on our previous blog with the additional details and actionable plans on what DoD contractors need to do to prepare for the changes.

What We Understand about CMMC so Far

CMMC stands for “Cybersecurity Maturity Model Certification” and will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to identify the required CMMC level in Request for Proposals (RFP) sections L and M to be used as a “go / no go decision.” This means that instead of the ability to bid and win a contract and then comply post-award with cybersecurity requirements, DoD contractors will have to be certified to the CMMC level required in advance, pre-bid, to even be eligible to bid. DoD will determine the appropriate tier (i.e. not everything requires the highest level) for contracts they administer and the required CMMC level will be contained in sections L & M of the RFP making cybersecurity an “allowable cost” in DoD contracts. CMMC level requirements will begin appearing in DoD RFP’s as soon fall 2020 and Version 1.0 of the CMMC framework will be available January 2020 to support training requirements. In June 2020, the industry should begin to see the CMMC requirements as part of Requests for Information. DoD contractors are expected to begin achieving certification sometime after June 2020. That is less than 12 months away so if you have not started implementing the NIST 800-171 security requirements, you had better get moving.

How to Best Prepare for CMMC and Stay Eligible for DoD Contracts

All companies conducting business with the DoD must be certified. The level of certification required depends upon the Controlled Unclassified Information (CUI) a company handles or processes. The intent of the CMMC is to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes. If you have worked to implement NIST 800-171, your hard work will not go to waste. Unlike NIST SP 800-171, CMMC will implement multiple levels of cybersecurity and does not allow for self-certification. There will be no CMMC self-certification, instead, DoD contractors will coordinate directly with an accredited and independent third-party commercial certification organization to request and schedule your CMMC assessment.

Everything You Should Do to Effectively Prepare for Certification

All the information shared to date on CMMC maturity levels aligns with the implementation of the 110 security requirements of NIST 800-171. The DoD is building on and strengthening not abandoning NIST 800-171. While the specific maturity levels for individual contracts have not been determined it’s understood that implementing the NIST 800-171 security requirements is the best way to prepare for CMMC. Meeting your existing contractual requirements around DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting and NIST 800-171 implementation is how you prepare for CMMC.

Implementing the NIST 800-171 requirements includes writing a System Security Plan (SSP) and with 110 security requirements, you can expect to be out of compliance with some number of those individual requirements. For requirements not yet implemented you will need to also document Plans of Action & Milestones (POA&Ms). The heavy lifting is in implementing the security requirements as you prepare for CMMC and controls like Multi-Factor Authentication and Incident Response which require time to fully implement. DoD contractors, subcontractors and vendors taking a wait and see approach to CMMC are ignoring the last decade of clear warning signs that security has become the foundation of acquisition. Act now!

5 Steps to CMMC Preparation

Download our 5 Step Guide to CMMC Preparation to plan and enable certification as a documented, automated outcome of day-to-day operations. This easy to follow guide presents a plan you can follow to prepare for CMMC in a way that fits your business and budget.

5 Steps to CMMC Preparation

When shopping for a Managed Security Services Provider (MSSP), there are plenty of checklists that you can download to help funnel you right to that vendor’s particular product. This isn’t that blog post, although at some point I am sure we have published one too. While checklists are helpful in narrowing down the capabilities and tools that you want to add to your probably already too big portfolio of tools, the focus should really be on the services that you will be adding to your existing team.

Candidly, the capabilities are generally similar across MSSP’s and cover some kind of SIEM platform, monitoring, incident response (IR), vulnerability management (VM) and a number of other competencies that are bundled into a managed service offering. They are bundled in part because these are what the vast majority of business lack and need, but also because the bundling enables sales, at scale, for product vendors and MSSP’s. It’s been our experience that the material difference from one product vendor or MSSP to the next, in your favorite version of a Magic Quadrant, covers features and capabilities that don’t ultimately make your business more secure or compliant. Often, it’s a distinction without a difference, especially for a security program that is still struggling with the blocking and tackling of cybersecurity-related patching, asset management, and incident response. So, beyond checklists, “threat hunting” and “advanced intelligence platforms”, where should your business focus when trying to make a mid to long term commitment with your first or a new MSSP?

Where Should Your Business Focus When Deciding on an MSSP?

Start with service, as in the service your business specifically needs to extract value from the MSSP relationship. The service your business needs are, in fact, unique to your business. If it wasn’t, you could pick the first Google Ads result that comes up (which isn’t the best MSSP for your business, just the best MSSP at creating Google Adword campaigns on any given day). Instead of analysis that is overly focused on the most advanced capabilities and toolsets, it will pay dividends to meet with a potential MSSP and align their offering with your business requirements. Selecting an MSSP is a business decision, even if the vendor marketing is geared towards making it a technology decision. For example, if you are in a highly regulated industry like Defense Contracting, and NIST 800-171 compliance is fundamental to your ability to win business, your MSSP should have core expertise in delivering on these security requirements. The technology, SIEM, VM, IR, etc. are a given but the ability of your MSSP to enable documented, automated and auditable compliance with your customer requirements isn’t. Ultimately, the MSSP you choose in this scenario should make compliance a natural outcome of day-to-day security operations so that over time you can focus more resources on actual defense. What does this look like in practice?

Achieving Compliance as a Natural Outcome of Day-to-Day Security Operations

For most businesses, it doesn’t look like a laundry list of acronyms and industry jargon about threat intelligence and advanced threat hunting capabilities. It looks like an integrated team, your internal staff (to the extent you have one) and that of your MSSP, working together on a weekly basis to deliver measurable outcomes over time. The tools leveraged by your MSSP can produce beautiful charts and endless trends but the critical questions to answer relate to outcomes achieved. It’s nice that an MSSP can tell you the top 10 vulnerabilities in your environment, but the outcome you should be focused on is remediating those vulnerabilities. If your team is too busy to patch or otherwise remediate the “top 10 vulnerabilities”, you just end up with a pretty graphic that doesn’t make you more secure or compliant.

To drive outcomes, instead of charts and trendlines, you must have a regular cadence of meetings with your MSSP focused on the things that matter most at any given point in time to your business. Ideally, these meetings are weekly and are more aligned with the initiatives underway within IT and Security and not just focused on the tools that the MSSP brought to the party. In our experience, the MSSP relationship is a combination of managed services and staff augmentation. Staying with the same example of NIST 800-171 compliance, if you are struggling to implement all 110 security requirements then drive your MSSP to help at a minimum, but ideally lead the efforts. Eliminate redundant meetings for your already oversubscribed team by incorporating your compliance and operational project management meetings into your weekly MSSP meetings. Create an integrated project plan with specific accountabilities for your team and the MSSP. Your MSSP should be working on your agenda and not driving theirs. If implementing Multi-Factor Authentication or Privileged Account Management is an internal priority for your business, a great MSSP will make it a priority for their business.

Partnering with the Right MSSP for Your Business

None of this is easy, but nothing worth doing ever is. Contractually it’s hard to create this kind of defined yet flexible arrangement and it generally requires an acceptance that outside of the core service offerings there will be a shifting list of priorities that you are going to rely on your MSSP to tackle. Not every MSSP is going to have the staff or program management skills to partner this way. If you have had a series of successful engagements and measurable outcomes with a professional services partner that knows your people, processes, and technologies but doesn’t show up on the “Top MSSP” list of the day, weight your personal experience over the pay to play marketing that dominates our industry.

To better understand what it means to contract for Managed Security Services that matter and what that experience can look like for your business, schedule a 30-minute introductory call with CyberSheath today and start your journey by focusing on outcomes instead of checklists.

Schedule-One-on-One-Session-Link

A recently released 10-month review consisting of 10 years’ worth of inspector general’s (IG) reports across eight federal agencies by the Permanent Subcommittee on Investigations of the Senate Homeland Security Committee found that “Agencies currently fail to comply with basic cybersecurity standards.” The full report can be found here and the major themes identified in the report highlighted yet again the fundamental work that isn’t being done to comply with basic cybersecurity standards. So why isn’t the work being done? Is it a lack of money, tools, people, all the above? Buried on page 46 of the report then-DHS CIO Richard Staropoli is quoted in a 2017 interview with the Subcommittee on the state of the OCIO saying, “You can write this down and quote me, the problem is piss-poor management.”

That blunt assessment, it’s a management problem, is worth considering. Better outcomes can be achieved, across the Federal government and industry, with a disciplined, framework-based approach to cybersecurity. This approach and the guaranteed better outcomes that will follow require a recognition that many of the management disciplines inherent in other business supporting functions like finance and engineering are missing in cybersecurity. The problems in cybersecurity are different but the principles required to improve them are not. Said another way by the late W. Edwards Deming:

“A common disease that afflicts management and government administration the world over is the impression that “Our problems are different.” They are different, to be sure, but the principles that will help to improve quality of product and of service are universal in nature.” W. Edwards Deming

Many of the failures identified in the Subcommittee review focused on people and processes, management, rather than the need to buy more vendor tools and products. Too often the answer to a cybersecurity failure is a procurement activity. Instead of focusing on the root cause, a breakdown in process, lack of auditable process or some other management issue.

The Audit Results

The agencies reviewed included the Department of Homeland Security and seven other agencies cited by OMB as having the lowest ratings regarding cybersecurity practices based on NIST’s cybersecurity framework in the fiscal year 2017.  The IGs identified several common, repeat historical failures at the eight agencies reviewed by the Subcommittee including:

Protection of PII. Agencies failing to properly protect the PII entrusted to their care included State, DOT, HUD, Education, and SSA. The HUD IG has noted this issue in nine of the last eleven audits.

Comprehensive list of IT assets. A persistent, recurring issue with agencies failing to maintain an accurate and comprehensive inventory of its IT assets is a recurrent problem for State, DOT, HUD, HHS, and SSA.

Remediation of cyber vulnerabilities. Over the past decade, IGs for all eight agencies reviewed by the Subcommittee found each agency failed to timely remediate cyber vulnerabilities and apply security patches. HUD and State IGs identified the failure to patch security vulnerabilities seven of the last ten annual audits. HHS and Education cybersecurity audits highlighted failures to apply security patches eight out of ten years. For the last nine years, USDA failed to timely apply patches. Both DHS and DOT failed to properly apply security patches for the last ten consecutive years.

Authority to operate. Failure to ensure systems had valid authorities to operate were observed at DHS, DOT, HUD, USDA, HHS, and Education. Again, a recurring issue, HHS systems lacked valid authorities to operate for the last nine consecutive audits and DHS operated systems without valid authorities in seven of the last ten audits.

Overreliance on legacy systems. All eight agencies examined by the Subcommittee relied on legacy systems. The DHS IG noted the use of unsupported operating systems for at least the last four years, including Windows XP and Windows 2003.

If these findings sound all too familiar what is the solution?

The issues above will look familiar to almost any cybersecurity professional and the problems generally lend themselves to the same solution. The principles required, both in the private sector and across the Federal government, truly are universal in nature.

The solution, choose a Cybersecurity Framework.  There are many to pick from and we recommend one that best aligns with your existing regulatory requirements. There are many frameworks and standards and if you can’t decide which one best fits your business ask for help. Regardless of your industry, there is a suitable framework and the time wasted debating best fit is time that should be spent remediating issues. When all else fails the NIST Cybersecurity Framework is flexible and detailed enough to meet just about any business requirements that you might have and should easily map to all your regulatory and compliance requirements.

Assess Yourself Against the Framework

The assessment is not an audit so don’t describe it that way; socialize it appropriately with your management and your team. How? Every culture and set of circumstances is different but something along the lines of, “We’ve got a good understanding of what we need to do in security to better align with the business and we are using this assessment to validate that thinking and create a multi-year investment strategy that will drive measurable improvement as opposed to the one-off point solution improvements.”  If this assessment is going to be transformative you need to build support before it starts and ultimately you will have a burning platform off which you can launch your strategy. The assessment is a tactic that will enable the execution of your strategy.

Don’t do the assessment yourself; you won’t have the time to do it justice and somehow having a third party conduct the assessment is always more effective. When you select a third party make sure they invest the time to know what you want to get out of this assessment. Many mediocre companies can produce assessments that follow a boilerplate template and answer all your obvious questions leaving you no better off than where you started and a little poorer. Take the time up front to write a statement of work that forces your provider to deliver real value and not just a 100-page report. Define the value for your business in doing the assessment and the expected outcomes. Need help? CyberSheath has delivered hundreds of framework-based assessments that deliver compliance and improved operational security, find out how here.

Create a Project Plan, Remediate Assessment Findings, and Track Progress

Once you have the assessment completed you can prioritize the findings and give management a detailed, multi-year plan for how you are going to transform security into a transparent, measurable business supporting function. Your assessment results should change security conversations from procurement driven discussions around products to strategic discussions around compliance and enabling more resources to be spent on actual defense. You will have objective, fact-based data to articulate risk and prioritize resources.

Remediation efforts should be actively managed in a project plan and briefed to business stakeholders on a recurring basis. Take this opportunity to transform the security discussion from event-driven fire drills to documented, measurable progress against a prioritized list of cybersecurity improvements. Depending on the size and culture of your business the project plan related to remediation can be part of a company-wide strategy that the security function can be measured against.

Obviously, none of this is simple but it is critical if you want to transform from a reactive event-driven cybersecurity organization into a strategic business partner. Don’t Fight Phishing Attacks Alone.

With the federal agencies and commercial companies facing many of the same cybersecurity problems year in and year out, it’s time to try a better approach. Get hands-on professional and managed security services from CyberSheath and apply the universal principles that will improve the quality and effectiveness of your cybersecurity efforts. Contact us now to find out how we can help.

 

NIST 800-171 Revision 2 and 800-171B drafts were released for comment last week, and as expected there have been no major changes proposed to the controls in NIST 800-171 Revision 2. For DoD contractors waiting to implement the required security requirements of NIST 800-171 Revision 1 pending the latest updates, the proposed updates won’t buy you any time. The fact is enforcement is underway and compliance with DoD cybersecurity requirements is a go/no go decision if you are serious about being eligible to do business with the DoD.

The 800-171B draft enhanced security controls are in addition to 800-171 controls, in cases where the information held by the contractor is determined to be a high-value target. The enhanced requirements are to be applied to nonfederal systems and organizations processing, storing, or transmitting controlled unclassified information (CUI), when such information is contained in a critical program or designated high-value asset. The enhanced security requirements of the 800-171B draft were designed to address advanced persistent threats (APTs) and are mapped to the security controls in NIST 800-53. The implied maturity level required and associated costs with implementing the 800-171B draft enhanced security controls is significant.

The enhanced security requirements include three, mutually supportive and reinforcing components:

(1) penetration resistant architecture;

(2) damage limiting operations; and

(3) designing for cyber resiliency and survivability.

The Path Forward for DoD Contractors

With a tremendous amount of activity related to The Cybersecurity Maturity Model Certification (CMMC), DCMA audits of NIST 800-171 compliance, False Claims Act litigation, and the 800-171 revisions and supplements, the path forward for DoD contractors is clear:

Fund and execute compliance with NIST 800-171 now. Despite all of the proposed changes, the fact remains that the DFARS 252.204-7012 clause in ANY of your contracts requires the implementation of NIST 800-171. That is your contractual requirement and all changes proposed so far rely on NIST 800-171 as a foundation of compliance.

There has been a level of paralysis by analysis across industry caused by the questions of cost reimbursement, proposed changes and uneven auditing of compliance. This is the kind of noise that has caused many DoD contractors across the supply chain to delay their DFARS compliance efforts but that high-risk approach invites legal and competitive pain that should be avoided. While there are many changes to be aware of CyberSheath advises focusing on what you are required to do today as the best approach to current and future compliance requirements. Nothing that has been proposed eliminates the requirement to implement NIST 800-171.

Compliance with the DFARS and NIST 800-171 requirements involves much more than writing a System Security Plan (SSP) and vendors selling you a tool to get compliant are misleading you. There are 110 security requirements in NIST 800-171 and you have to actually implement them, there isn’t a single product to solve this problem.

5 Steps To DFARS Compliance

Download our 5 Steps to DFARS Compliance Guide to plan and enable compliance as a documented, automated outcome of day-to-day operations. This easy to follow guide presents a plan you can follow to achieve compliance in a way that fits your business and budget. DoD contractors, subcontractors and vendors taking a wait and see approach before achieving compliance are ignoring the last decade of clear warning signs that security has become the foundation of acquisition. Act now!

5 Steps to DFARS Compliance

 

The recently announced Cybersecurity Maturity Model Certification (CMMC) scheduled for completion by January 2020 has many DoD contractors scrambling to anticipate how to prepare (learn more about the CMMC announcement here). While there are many unknowns regarding what the CMMC will ultimately look like, DoD contractors should focus on what is already known and currently mandatory with DFARS 252.204-7012, which requires the implementation of NIST 800-171. Stop trying to read the tea leaves and doing the bare minimum by writing System Security Plans (SSP’s) and start implementing the 110 security requirements of NIST 800-171. Demonstrable action, that is NIST 800-171 control implementation, is the best way to prepare for the CMMC.

Katie Arrington, the special assistant to the Assistant Secretary of Defense for Acquisition for Cyber in the Office of the Under Secretary of Acquisition and Sustainment in DoD, recently said that only 1% of the Defense Industrial Base has implemented the required controls.  “If we were doing all the necessary security controls, we wouldn’t be getting exfiltrated to the level that we are. We need to level set because a good portion of our defense industrial base doesn’t have robust cyber hygiene. Only 1% of [Defense Industrial Base] companies have implemented all 110 controls from the National Institute of Standards and Technology. We need to get to scale where the vast majority of DIB partners can defend themselves from nation state attacks.”

Why are Contractors Delaying NIST 800-171 Implementation?

Across hundreds of NIST 800-171 implementations, CyberSheath has found the most common reason for delay by DoD contractors has come down to, “Who is going to pay for this?”

Arrington clearly spoke to that concern last week at an event sponsored by the Professional Services Council in Arlington, Virginia, saying “I need you all now to get out your pens and you better write this down and tell your teams: Hear it from Katie Arrington, who got permission to say it from Mr. [Kevin] Fahey [the assistant secretary of Defense for Acquisition in the Office of the Under Secretary of Acquisition and Sustainment] security is an allowable cost. Amen, right?”

After more than a decade of policy, law, memorandums and continued momentum towards enforcement businesses who continue to delay actual implementation of the 110 security requirements will be in a far worse position come January 2020 when the CMMC rolls out. Don’t wait, implement the NIST 800-171 security requirements in a way that is actionable, measurable and audit ready.

Beyond Your SSP’s and POA&Ms

Compliance with the DFARS and NIST requirements involves much more than writing a SSP’s and vendors selling you a tool to get compliant are misleading you. There are 110 security requirements in NIST 800-171 and you have to actually implement them, there isn’t a single product to solve this problem. Implementing security requirements like multifactor authentication, incident response, encryption and more require thoughtful decisions leveraging what you already own. For the gaps identified in your existing people, processes, and technologies a product purchase, if required, needs to be part of the larger plan to achieve compliance. Too often businesses are over-sold on silver bullet product purchases that aren’t thoughtfully integrated into a system of documented and repeatable control implementation.

5 Steps to DFARS Compliance

To enable compliance as a documented, automated outcome of day-to-day operations download our 5 Steps to DFARS Compliance Guide. This easy to follow guide presents a plan you can follow to achieve compliance in a way that fits your business and budget. Act now to move from thinking about implementation to taking action towards full compliance.

 

 

The window of opportunity for achieving compliance with DFARS 252.204-7012, which requires the implementation of NIST 800-171 across the DoD supply chain, continues to get smaller as the ability to self-certify is set to expire.

CyberSheath attended the Professional Service Council’s 2019 Federal Acquisition Conference where Special Assistant to DoD’s Assistant Secretary of Defense Acquisition for Cyber Katie Arrington stated clearly that “…cost, schedule, and performance cannot be traded for security.” Security is the foundation of defense acquisition.

Much has been written about The Defense Department (DoD) Office of the Under Secretary Acquisition of Sustainment creation of a new certification model to enforce compliance, but the fact is compliance is already required. So, while it is important to understand where the DoD is headed in enforcing compliance, it’s more important to stop delaying and act now. The DoD has been working with industry for more than a decade to address the cybersecurity problem across the supply chain and contractors who continue to self-certify with Plans of Action & Milestones (POA&Ms) that never actually get implemented will be frozen out of acquisition as DoD makes cybersecurity a “go/no-go” part of procurement.

Cybersecurity Maturity Model Certification (CMMC) and the New Certification

The Cybersecurity Maturity Model Certification (CMMC) and the new certification will have required CMMC levels once the certification is released, with levels ranging between one and five –from basic cyber hygiene requirements through “state-of-the-art” cybersecurity capabilities.

Arrington is moving quickly to complete the CMMC by January 2020, and contractors can expect to start seeing the certification in contract requests for information by June 2020.

Within CMMC, a third-party cybersecurity certifier will also conduct audits, collect metrics, and information risk mitigation for the entire supply chain.

“With 70 percent of my data living in your environment, I’m home, so we need to work together to secure it,” Arrington said. “Who is the government? You are when you’re the taxpayer. That’s your money. That’s your data that you have paid for that our adversaries are taking and using it against us. We should be infuriated as a nation about our data. With $600 billion a year being expelled by our adversaries; this room should be irate.”

All of these developments, coupled with the May 8, 2019, California court Civil False Claims Act decision as the first reported FCA decision involving allegations of non-compliance with DFARS 252.204-7012 should spur action towards immediate compliance. Checklist compliance and continued delays of actual control implementation will absolutely cost you more in the long run so get started now, make a plan and execute.

5 Steps To DFARS Compliance

Compliance with the DFARS and NIST requirements involves much more than writing a System Security Plan (SSP) and vendors selling you a tool to get compliant are misleading you. There are 110 security requirements in NIST 800-171 and you have to actually implement them, there isn’t a single product to solve this problem.

Download our 5 Steps to DFARS Compliance Guide to plan and enable compliance as a documented, automated outcome of day-to-day operations. This easy to follow guide presents a plan you can follow to achieve compliance in a way that fits your business and budget. DoD contractors, subcontractors and vendors taking a wait and see approach before achieving compliance are ignoring the last decade of clear warning signs that security has become the foundation of acquisition. Act now!

 

With the Department of Defense (DoD) promising the release of an update to NIST Special Publication 800-171, it is imperative defense contractors understand what DFARS 252.204-7012 and NIST SP 800-171 Clause is and how noncompliance with the Clause will impact their business.  Compliance is mandatory for contractors doing business with the DoD and the incentives to act now are many and include:

  • Compliance was mandatory as of December 2017; regardless of when you found out about the requirement, it’s been on the books for several years now
  • Noncompliance penalties for failure to meet the requirements can lead to criminal, civil, administrative, or contract penalties that include:
    • Breach of Contract Damages
    • False Claims Act Damages
    • Liquidated Damages
    • Termination for Default
    • Termination for Convenience
    • Poor Past Performance
    • Suspension/Debarment

Ultimately the DoD has been preparing the contractor community for more than a decade and with audits underway there is little doubt that cybersecurity compliance is becoming a competitive discriminator.

Read more about DoD audits of cybersecurity compliance here.

Understanding DFARS 252.204-7012 and NIST SP 800-171

The Defense Federal Acquisition Regulation Supplement, or DFARS, has been working to encourage DoD contractors to proactively comply with certain frameworks in order to achieve this goal. Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is the latest mandatory addition.

Under the Clause, all contractors must comply with the National Institute of Standards and Technology’s Special Publication 800-171 (NIST SP 800-171), a framework that lays out how contractors must protect sensitive defense information and report cybersecurity incidents.

The NIST framework requires you, as a defense contractor, to document how you have met the following requirements in particular:

  • Security requirement 3.12.4 requires the contractor to develop, document, and periodically update System Security Plans (SSPs) that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
  • Security Requirement 3.12.2 requires the contractor to develop and implement Plans of Action designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems.

Read more about implementing SSPs and POAs.

Under the Clause, DoD contractors are obliged to submit evidence of their compliance with NIST SP 800-171 to the U.S. Government. However, the Clause goes beyond NIST compliance and sets out additional rules for the protection of Covered Defense Information (CDI).

Supply Chain Management

DFARS Clause 252.204-7012 aims to encourage you, as a contractor, to take a proactive role in the protection of CDI. Not only are you required to demonstrate compliance within your own business, but in order to strengthen the entire supply chain, you must take steps to ensure that your subcontractors comply, too.

It is the responsibility of your subcontractors to inform you if their practices deviate in any way from the DFARS and NIST 800-171 guidelines, and it is your responsibility to demonstrate that an equally secure alternative practice is in place before you share CDI with that subcontractor.

Reporting Cybersecurity Incidents

A cybersecurity incident is defined as a breach of security protocols that negatively impacts, compromises, or endangers CDI held on your systems or networks, or those of your subcontractors.

In the event of a cybersecurity incident, your responsibility under DFARS Clause 252.204-7012 is to report the incident to the DoD within 72 hours. You must present the affected data and all related data covering the 90 days prior to the date of the report, along with any infected software. You must also conduct a thorough systems review and identify ways in which you will prevent future breaches.

If a subcontractor experiences a cybersecurity incident, they must report it to you, or to the next highest tier of subcontractor, and present the evidence as required. As the prime contractor, you’re then required to report the incident to the DoD and submit the evidence, as detailed above.

Cloud Service Provision

If you offer your own cloud services as part of your DoD contract, then DFARS states that you must enact the safeguards set forth in the Cloud Computing Security Requirements Guide (SRG), unless waived by the Chief Information Officer of the DoD. If you use a third-party cloud service, then you’re required to ensure that your cloud service provider follows the security provisions therein.

Not DFARS Compliant?

A quick look at documents like the above and it’s clear to see why some contractors are still struggling with compliance long after the December 31st, 2017 deadline has passed. Bringing your business in line with these extensive regulations is required and the stakes are so high.

Download our 5 Steps to DFARS Compliance Guide to avoid penalties and make compliance a documented, automated outcome of day-to-day operations. This easy to follow guide presents a plan you can follow to achieve compliance in a way that fits your business and budget.

5 Steps to DFARS Compliance

 

The management of organizational risk is a key element in any organization’s information security program, particularly those like Department of Defense (DoD) contractors that process highly sensitive, critical data.

With this in mind, the National Institute of Standards and Technology (NIST) has developed the Risk Management Framework (RMF), a set of processes for federal bodies to integrate information security and risk management into their systems development life cycles.

The Six Steps of the Risk Management Framework (RMF)

The RMF consists of six steps to help an organization select the appropriate security controls to protect against resource, asset, and operational risk. They are:

Step 1: Categorize the system and the information that is processed, stored and transmitted by the system.

Step 2: Select an initial set of baseline security controls for the system based on the categorization, tailoring and supplementing as needed.

Step 3: Implement the security controls and document how they are deployed.

Step 4: Assess the security controls to determine the extent to which they are meeting the security requirements for the system.

Step 5: Authorize system operation based upon a determination that the level of risk is acceptable.

Step 6: Monitor and assess selected security controls in the system on an ongoing basis and reporting the security state of the system to appropriate organizational officials.

Who Needs to Implement the RMF and Why?

Industries with critical or highly sensitive data needs are increasingly adopting the RMF in an effort to cope with growing risk and comply with their strict legislation— think defense (DFARS), healthcare (HIPAA), and retail/payment (PCI).

However, it’s our professional opinion that every organization that handles sensitive data can benefit from adopting the RMF. Why?

First, the RMF functions as a very effective security planning tool that gives you a comprehensive picture of your organizational risk. This helps to inform a solid risk management strategy and focus your attention on the areas that matter most to your organizational security.

Second, the RMF is not specific to any one agency or body, which gives it the flexibility to be adopted and applied by organizations of all shapes, sizes, and industries — including yours.

Finally, the RMF is seen as the gold standard on which many risk management approaches are modeled. For that reason, it wouldn’t be surprising to see it mandated in some form in the near future, particularly for high-risk industries, but possibly across the board.

This happened recently with the EU’s General Data Protection Regulation (GDPR), which mandated that any and every company handling sensitive data comply with the regulations, regardless of industry.

By adopting RMF in your own organization, you’ll be automatically compliant if and when any similar legislation comes into force on our own shores, while your competitors will likely be scrambling to catch up.

RMF and Defense Contractors

Contractors of the DoD have a set of legal obligations under the Defense Federal Acquisition Regulation Supplement, or DFARS. This legislation requires such contractors to demonstrate proactive compliance with, among other frameworks, the NIST Special Publication 800-171 (NIST 800-171), which lays out how they must protect sensitive defense information and report cybersecurity incidents.

So, if a contractor is already DFARS-compliant, and they’re already implementing the security controls set out in NIST 800-171, why do they need to adopt the RMF too? (Not DFARS Compliant? Download our 5 Steps to DFARS Compliance Guide to avoid penalties and make compliance a documented, automated outcome of day-to-day operation.)

In working with our defense clients on securing their acquisitions processes, we’ve consistently observed the need for security controls above and beyond what NIST 800-171 requires. That’s exactly what the RMF provides, paying attention to areas such as resilience enhancements and tailoring requirements.

It’s our opinion, then, that the RMF can help defense contractors to plan risk-based security control implementation in a much more broad, holistic manner than DFARS and NIST 800-171 compliance alone.

Limitations of RMF

Because it’s a framework, the NIST RMF doesn’t tell you how to achieve the recommended steps. That means that for small and medium organizations without significant information security experience, or the resources to obtain it, implementing the framework can be a challenge.

That’s Where CyberSheath Comes In

Our cybersecurity experts can help you to minimize your organizational risk with comprehensive risk management planning, including the implementation of the NIST Risk Management Framework. Contact us now to find out how we can help protect your organization.

Who’s Been Playing Solitaire on the Domain Controller?

It’s a classic scene. You’re sorting through the attic and you end up browsing through old memories: photos from a forgotten road trip, souvenirs, and trinkets from your world travels, old board games you bought in a flash of excitement and only played once. Things you once loved, but that now sit unused, gathering dust and taking up space.

In the workplace, computer systems often end up cluttered in the same way. We end up with stacks of unnecessary software sitting around in files and folders where we’ve long stopped looking. But unlike the charming, nostalgic relics laying around the attic, that unused software sitting on your computer might be leaving you open to danger in the form of vicious cyberattacks.

Cybercriminals are constantly looking for ways into your system. Software like browsers (Firefox, Chrome, Edge), plug-ins (Java, Adobe Flash, Silverlight) and random applications (games, messaging apps, etc.) are well-known to be extremely vulnerable to malware and other forms of data hacking, particularly if they’re out of date.

This begs the question: how many useless apps are lying around on your system right now, putting your business at unnecessary risk? Here’s how to find out, and what to do about it…

Inventory Your Software Assets

The first step is to dig through your systems and figure out what’s absolutely necessary — and what’s not. If you have a contract that requires compliance with DFARS 252.204-7012, a software inventory is required, but further, it’s just common sense: You have to know what you have before you can protect it.

Nowadays, there’s an app for everything. Chances are that you and your employees have loaded up on them in an attempt to find more efficient ways to manage time, stay connected, or even have more fun at work.

That schedule management software you downloaded may have seemed useful at the time, but if it’s no longer in use then it’s time to send it to the trash.

Any piece of software not essential to your business should be considered potentially harmful and promptly cleared from your system. Delete software installers, remove unnecessary browser add-ons and extensions, and of course, make sure to update any apps that will be sticking around.

Eliminate Redundant Apps

There are so many solutions available for every problem that you’ll often discover you have several applications doing the same job. Figuring out what pieces of software are currently being used to solve the same problem can help you see where you need to cut the fat.

Do you need three browsers, or would one be sufficient? If you’re using Google Hangouts for video conferencing, do you need to have Skype on your system as well?

It’s also a good idea to take a look at the software that was already installed on your device when you took it out of the box. Known as bloatware, many new computers, tablets, and mobile devices come pre-packaged with lots of this third-party software to increase revenue for the vendor.

If you have bloatware on your systems, you might find that many of these extra apps have sat unused since day one. And some bloatware behaves like spyware, sending information about you and your system to outside agents without your knowledge. If they’re not currently in use, or they’re performing simple functions you can do through more essential applications, consider getting them off of your systems ASAP.

Limit Access

Sometimes system clutter grows out of control simply because we’ve given too many people the green light to do whatever they please. For this reason, it’s probably best to adopt a tougher approach to access privileges.

Keeping your systems clean and organized is undoubtedly easier if you allow fewer people to access and install software. Consider using special permissions to allow only top-level decision-makers to install new software. Carefully monitor who is adding new applications and require that they justify why these programs are needed. And finally, terminate dormant accounts so that hackers can’t use them to infiltrate your system and install harmful malware.

Get Superior Protection Today

If cleaning house feels like a major job, it’s time to call in reinforcements! CyberSheath’s comprehensive managed cybersecurity services can help you to conduct a professional software risk assessment, simplify your systems, and save you from putting your business at unnecessary risk. Contact Us now to find out how.

Companies are becoming increasingly enamored with the advantages offered by cloud computing. However, many mistakenly assume that once you upload your data, it’s up to the cloud service provider (CSP) to keep it all safe and sound. In reality, most CSPs use what’s known as a shared responsibility model for security, meaning that only certain aspects of your cybersecurity plan are their responsibility. Ultimately, YOU are responsible for the security of YOUR data.

With cybercriminals attacking from every direction, it’s your responsibility to prevent misunderstandings that might lead to damaging data breaches. For this reason, having a full picture of the risks associated with your chosen CSP, along with a clear agreement on roles and responsibilities, is paramount if you hope to keep your sensitive data protected.

Review Your Security Documentation

In the excitement of exploring the capabilities of the cloud, it’s easy to be less than thorough in your assessment of your CSP’s security practices.

However, you need to be sure that your CSP is employing industry-leading incident response tools, consistently auditing its security systems, rigorously testing for weaknesses, and protecting against emerging threats. You can do this by taking a look at your provider’s System Security Plan (SSP).

Reviewing an SSP is the most accurate way to assess the security controls your CSP is implementing. As the main document in a security package, an SSP gives you a detailed report on security protocols and highlights any gaps that may need to be addressed.

If you have a contract that requires compliance with DFARS 252.204-7012, then your CSP must meet the standards set by the FedRAMP moderate level of protection, and support government incident response efforts.

Doing your due diligence and insisting on rigorous compliance certifications, such as SOC Type II or PCI DSS, will give you peace of mind that your CSP is following the latest regulatory measures and maintaining the highest levels of data security.

Treat the Cloud like It’s Your Home

Some businesses are under the illusion that, since the cloud is not an on-site system, it doesn’t need to be treated in the same way they’d treat their personal systems. If you’ve made that mistake, then it’s imperative that you start viewing the cloud like the extension of your business it truly is.

It’s critical to be proactive in this regard, as opposed to waiting for a problem to occur and then addressing your security gaps. In the same way that you don’t allow every employee unrestricted access to your in-house systems, it’s essential to manage and control access to the cloud within your company.

Create written guidelines that specify who can use which cloud services, what data can be stored there, and for which purposes the cloud is to be used. Train your staff on the risks of cloud use and make sure they are aware of the latest trends in cybercrime that affect cloud users.

Encrypting the data you move to and from the cloud is also an absolute must. You want to take particular care to ensure that data is encrypted during transit when it is most open to attacks. Also, verify that your CSP encrypts your data at rest and on backup media to prevent data leaks.

In short, make sure you’re treating the cloud-like you would your own home. Lock the doors, turn on the alarms, and train yourself on how to respond to emergencies, so you can sleep easy knowing you’re adequately protected.

Stay Alert About Your Cloud Vendor

The world of cybersecurity moves quickly and, in the event that there’s a breach or a threat concerning your specific vendor, it’s best that you know as soon as possible. If your cloud provider has security alerts, make sure you have notifications enabled, and check resources such as the US-CERT for announcements about threats that have been reported.

Looking for Secure Cloud Solutions?

If you want to stay ahead of developing cyber threats and you’re wondering how to implement strong security measures for your cloud services, let the cloud experts help you. CyberSheath’s cloud solutions are second to none, so contact us now and let us give you a helping hand to keep your business secure.

In today’s digital world, no matter what type of sensitive data you handle, attackers are hard at work developing ways to access it. The rash of high-profile security breaches making headlines every day is clear evidence of the struggle businesses face in trying to stay ahead of these sophisticated cyber attacks.

In response to these threats, local and federal governments around the world have begun to impose increasingly stringent regulations to force companies to re-examine their internal cybersecurity standards.

DFARS clause 252.204-7012, HIPAA, PCI DSS, and GDPR are just some of the many compliance mandates that companies are currently juggling. And considering the disastrous fallout of even the smallest breach, not to mention the heavy penalties associated with non-compliance, there’s no time to waste in getting up to date.

The Risks of Non-compliance

As early as 2005, former U.S. President Barack Obama voiced his concern about cyberattacks, calling them a “national emergency.” In the years following this call to action, Federal agencies continually increased the regulatory mandates for private contractors, and over half of the state governments in the U.S. passed laws to put in place punitive measures for companies that fail to sufficiently protect sensitive data.

These include hefty fines and in some cases, jail time. Of course, these punishments are minuscule when compared to the consequences of actually being hacked. The costs of penalties, legal fees, and possible compensation for damages pile up quickly and can completely change the financial outlook of your company. Most damaging, however, is the subsequent destruction of your company’s reputation and the irreparable loss of confidence from your customer base.

Entities with the proper vision and intelligence work exceptionally hard to avoid these outcomes at all cost by prioritizing day-to-day operational security. Not only does this protect the company as a whole, but it ensures that the satisfaction of government or contractual requirements is a natural outcome of day-to-day security practices.

An Industry Leader in Cyber Protection

The unfortunate truth is that, even though compliance is absolutely essential, it’s not easy. Combing through the myriad of regulatory requirements to assess which apply to your business, coupled with the complex processes of then actually meeting these standards, leaves many companies lost.

With the right support, businesses can dramatically simplify this process. An industry leader in cybersecurity, CyberSheath has developed the one-of-a-kind systematic Measure Once, Comply Many ® approach to cybersecurity, enabling companies to reach compliance by implementing a specifically tailored security strategy.

CyberSheath starts by expertly identifying the vulnerabilities in your network and then uses this information to plan and build a strategic security organization that optimizes your personnel, security processes, and technology. We then monitor your systems in real-time, providing you early threat recognition and proactive prevention that helps eliminate the risk of attacks.

By using this proven and patented method, CyberSheath paves the way towards both reaching regulatory milestones and achieving optimal operational cybersecurity.

Measure Once, Comply Many ® utilizes the following services to provide a full-service comprehensive security platform, keep your data safe and secure, and assure across-the-board compliance:

• Centralized 24/7/365 Security Operations Center (SOC) capabilities.
• SIEM, network IDS, host IDS, file integrity monitoring, vulnerability reporting and management, and more.
• Real-time security intelligence, including correlation directives, IDS signatures, NIDS signatures, and asset fingerprints.
• Full suite of compliance reporting, including DFARS clause 252.204-7012, NIST 800-171, HIPAA, PCI DSS, GDPR, and state data breach laws.
• Instant detection and notification of ransomware and other malware variants.
• Managed Privilege Account Management Services to stop security breaches involving privileged accounts.

With these advantages in place, you’ll never be caught off-guard, regardless of the current regulatory measures. Your business will not only take the necessary steps towards compliance, but you’ll also be able to continually read and react to the latest state-of-the-art threats. It’s all part of our patented system designed to achieve compliance as a result of committing to optimal operational security.

Assure Your Cybersecurity Now

Staying on top of your cybersecurity requirements can be overwhelming, but being hacked is undoubtedly even worse. Partnering with CyberSheath can help you gain peace of mind by putting a proactive plan in place to ensure your business is not just compliant, but also efficient and thorough in every aspect of cybersecurity. Contact us today to learn more about Measure Once, Comply Many ®.

 

 

On December 31, 2017, the deadline passed for defense suppliers to comply with NIST 800-171, a requirement specified in Defense Federal Acquisition Regulation Supplement 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting.

This mandate attempted to ensure a higher standard of security controls surrounding the processes and procedures for protecting controlled unclassified information (CUI). As defined by the National Archives, CUI is “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.”

Confused? You’re not alone! Assessing what is and what isn’t CUI, as well as navigating the complex and potentially costly road to compliance, has left many contractors struggling to stay on schedule. Although the deadline has passed, a large number of companies are still standing around scratching their heads, wondering how to proceed.

Consequences of Non-compliance

Non-compliance is not going to be acceptable for much longer. Clause 3.12.4 of NIST 800-171 allows for the submission of a Security System Plan (SSP) and a Plan of Actions and Milestones (POA&M) to help companies define how they will bridge the gap, but it is also reasonable to expect that the U.S. Government will soon begin to terminate contracts that fail to meet the accepted requirements. Defense prime contractors will also begin to terminate non-compliant subcontractors and suppliers to avoid having to report themselves as non-compliant.

Because so many companies have fallen behind, those that have achieved this rare milestone will have positioned themselves to receive the lion’s share of future defense contracts. Simply put, if companies want to remain competitive, they must move as quickly as they can to get on track or risk falling behind their competition.

Becoming Compliant

If your company has fallen behind, don’t get discouraged. The path to compliance is a confusing one, but it’s possible to find your way. Start by taking the following steps…

1. Define CUI

CUI is situation-specific and can be tricky to assess. In some cases, the information that needs to be protected are specified in the awarded contract. However, most of the time the definition is unclear.

In their own definition, DFARS has included CUI that is “collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.” Information that has been created or received by contractors, but not marked, may also need to be appropriately safeguarded. Identifying what needs to be protected is the first step.

2. Identify where it lives

The next step is to figure out exactly where the CUI is being stored, processed, or transmitted from so that you know which systems need to be secured.

Creating a Data Flow Diagram (DFD) is a helpful way to begin figuring out how CUI is traveling through your network. It could also be useful to create a network diagram to identify what controls you already have in place that are effectively safeguarding your CUI. Together, these tools can help you identify the weak points you’ll need to address to close the gaps in your systems.

3. Document your progress

Having identified CUI and where it lives, you should now begin the process of referring back to NIST 800-171 to figure out the controls you will need to put into place.

As you forge ahead in making these updates, it’s critical to document what you’ve changed, how it will improve security, what controls are not applicable to your current situation, and why they won’t be needed.

This process will create a record demonstrating your ability to assess and safeguard sensitive information, moving you closer to your ultimate goal of declaring full compliance with the DFARS/NIST 800-171 mandate.

Your Competitors are Working on Compliance — Are You?

If you’re not currently working towards meeting the DFARS/NIST requirements, rest assured your competitors are! The window for implementing this essential security update is closing rapidly, so don’t lose your competitive edge — contact us now for a free consultation on achieving your compliance goals.

On December 31, 2017, the deadline for compliance with the NIST 800-171, a mandate for contractors serving local and federal governments, came and went.

This Special Publication provided guidance on the processes and procedures needed to adequately safeguard controlled unclassified information (CUI), defined as any information created by the government or entities on behalf of the government that is unclassified, but still must be appropriately safeguarded.

While some companies were quick to adapt to these new regulatory measures, many companies fell behind because of a lack of resources, confusion over the head-spinning compliance process, or just downright procrastination.

With the deadline long gone and the Department of Defense (DoD) making it crystal-clear that NIST 800-171 is here to stay, becoming compliant is an absolute must for those looking to remain competitive in the industry.

A Common Problem

Unlike previous security mandates, this is the first that impacts sub-contractors working further down the federal supply chain. This means that for many companies, it’s the first time they’re having to figure out compliance.

If this describes your company, you’re by no means alone. Because these standards must be met by anyone who stores, processes, or transmits CUI for the DoD, General Services Administration (GSA), NASA, or other federal or state agencies, many contractors are struggling to wrap their heads around the complex process ahead.

As it’s critical to a supplier’s ability to win new business and keep current defense contracts, both prime and sub-contractors will want to confirm that they are, at the very least, on the path to compliance with NIST 800-171.

Achieving Compliance

Of course, becoming compliant is easier said than done. The fact that there is no certification process for NIST means contractors work on the honor system, attesting that they have reviewed and heeded the applicable requirements specified in the regulation.

This also means that becoming compliant is not a one-time achievement. Rather, it’s an ongoing process of continuous evaluation. Here are the three key actions you can take to get started…

Assess Your Compliance Level

First, you’ll need to do due diligence in identifying CUI as it applies to you. Check with your contracting officers or look through your contract to see if CUI has been clearly defined. In many cases, it may not be, and you’ll have to review the CUI registry to find similar examples of CUI.

Once you’ve clearly defined what you need to protect, you can begin to figure out if it’s actually being protected sufficiently. You’ll have to carefully review your critical systems, including servers, laptops, storage devices, network devices, end-user workstations. You’ll also need to assess the physical security of those devices that contain CUI to make sure they are properly safeguarded.

Design a Plan of Action

Chances are there will be a gap between where you are now and where you need to be. This is common so don’t worry!

Fortunately, clause 3.12.4 allows for the submission of a Security System Plan (SSP) and a Plan of Actions and Milestones (POA&M) to buy yourself some time as you work towards your compliance goal. Since many contractors are not yet compliant, these documents are required to show procurement officials you are heading in the right direction.

An SSP will provide an overview of the security requirements needed for every system you use, describe the curent controls you have in place, and outline the expected behaviors of all who access them. Your POA&M will show a clearly defined corrective strategy for exactly when and how you plan to resolve any security weaknesses. 

Begin Implementation  

All this planning and assessing means nothing if you don’t step up and deliver! Once you’ve put milestones in place, you’ll need to train your staff and ensure they adhere rigorously to these deadlines. You’ll also need to document critical advancements in your quest for compliance, properly maintaining your records as you go.

Still Nowhere Near Compliance? Don’t Panic!

If you missed the December 2017 deadline and you’re starting to feel the pressure, don’t panic. CyberSheath’s Managed Security Services can help you to define your CUI obligations, create a plan of action, and move step-by-step towards full compliance. Contact us today for a free consultation.

 

 

Cybersecurity at small and mid-sized businesses are often under-resourced with an “Army of One” approach to compliance and risk management. Compliance with regulatory requirements like DFARs 252.204-7012, HIPAA, PCI DSS, NERC CIP, Sarbanes Oxley (SOX) and more compete with actual cyber defense efforts to monitor, detect and respond to threats. Doing what you have always done, buying more products and surviving audits, isn’t effective and doesn’t scale. There is a better way and its effectiveness can be measured with contractual Service Level Agreements (SLA’s) that enable cybersecurity to be a force multiplier for your business.

Instead of hiring FTE’s and deploying one-off, point solution products that don’t integrate with existing investments, consider Managed Security Services that deliver:

  • Cloud-based security monitoring platform in one unified solution
  • Integrated security information and event management (SIEM) and log management
  • Asset discovery
  • Vulnerability assessment
  • Intrusion detection
  • Behavioral monitoring
  • Threat intelligence
  • Privileged account management
  • Automated and simplified regulatory compliance management

Just think about your infrastructure today. How many tools and products do you have spread across too few engineers without enough time to deploy, monitor and manage them? Do you feel like a SIEM solution is a luxury that a business your size can’t afford? Small and mid-sized businesses often have to make tough choices between resource allocation, and a SIEM solution rarely makes the cut because of cost and complexity. The irony is that a SIEM solution is a foundational investment that improves your ability to allocate resources, meet compliance requirements and defend your infrastructure. Coupled with Managed Security Services, the return on investment (ROI) for your business is measurable in a variety of ways.

Our partner, AlienVault, commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study that detailed the potential ROI organizations can realize by deploying the AlienVault Unified Security Management ® (USM) platform. The results aligned with our experience delivering managed services in the defense, financial, healthcare, technology and manufacturing industries. Here is what Forrester Consulting found:

Simplified compliance reporting for companies, resulting in nearly 6,000 hours of time-savings each year. Prior to adopting AlienVault USM Anywhere, key pieces of information had to be pulled from many different systems and consolidated into reports for the auditor. This process took nearly four months, but with AlienVault, onsite audits could be completed in one week as the compliance information and reports were readily available in real-time. This resulted in approximately 2,000 hours of time savings per audit and, on average, three audits were being held each year.

AlienVault USM Anywhere reduces the cost of incidents by improving threat detection and incident response time by 80%. Based on a 2017 study conducted by the Ponemon Institute, the probability that an organization will experience a breach greater than 1,000 records is 14%. However, with the deployment of USM Anywhere, the time to detect incidents was dramatically reduced, helping organizations identify and respond to attacks much faster. With 80% faster detection and response time, the impact and probability of a breach could be reduced.

An 80% security operations staff productivity improvement. Prior to adopting AlienVault solutions, organizations didn’t dedicate much time to daily monitoring tasks. On average, two to three investigations arose each week, which took the combined effort of two dedicated resources. After the deployment of AlienVault’s USM Anywhere platform, the security operations team was able to monitor and detect issues in real-time. This reduced the manual effort involved in investigative activities by 80% and allowed the resources to focus their time on more value-added tasks. “We are still responsible for monitoring alerts and logging, but it’s gone from hours per day to minutes. It allows us to focus on things like serving our customers, writing new code, and ultimately bringing more business in the door.”

Threat intelligence saves time and money. With AlienVault Labs threat intelligence, organizations no longer have to dedicate resources to sifting through multiple sources of information and bulletins to keep up with the latest intelligence. Now they can rely on the AlienVault Labs Security Research Team for continuous updates to threat correlation rules and directives. With the added benefit of not having to pay for an alternative threat intelligence subscription, the overall annual cost savings for the composite organization resulted in more than $40,000 per year.

The data from the study was clear, managed services save time and money by enabling more effective regulatory compliance and risk management. You’re probably already intuitively know that managed security services will be a game-changer for your organization and the data from the study only further strengthened your opinion. That said there are often at least two challenges to moving forward that businesses struggle with:

  1. Senior management doesn’t want to spend the money, I don’t care what your fancy study says.
  2. Managed Security Services Providers are like gas stations, there’s one on every corner and they all sell the same thing.

Getting past these barriers to realizing the benefits of managed services requires the same solution, selecting a Managed Security Services Provider that can push past them before you have spent any money. You will know when you have selected the right partner when they invest the time upfront to specifically show you how their services benefit your business. Candidly, management is right. Nobody cares what a vendor study says might happen at your business based on possibility. Your potential MSSP should be spending time documenting and demonstrating how their services will reduce risk and simplify compliance at your business. You will quickly be able to differentiate MSSP’s offering canned reporting and push-button threat detection from those with teams that span CISO through operations analyst level experience. You are buying a service and that service should have real people that can document and articulate the MSSP value specific to your business before you spend any money. Regardless of whether that takes two weeks or six months, you will know you have the right MSSP when they invest the time pre-sales to detail the value to your business.

Managed security services are the answer to your small and mid-sized business cybersecurity needs and selecting the right partner will be a force multiplier for your business.

Contact us today to learn how to save time and money with CyberSheath Managed Security Services.

Thanks to the increasingly sophisticated and aggressive cybersecurity threats facing the U.S., there has been much focus recently on reinforcing the nation’s cybersecurity. Much of this effort has revolved around strengthening the Department of Defense (DoD) supply chain.

The Defense Federal Acquisition Regulation Supplement, or DFARS, has been working to encourage DoD contractors to proactively comply with certain frameworks in order to achieve this goal. Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is the latest mandatory addition.

Under the Clause, all contractors must comply with the National Institute of Standards and Technology’s Special Publication 800-171 (NIST SP 800-171), a framework that lays out how contractors must protect sensitive defense information and report cybersecurity incidents.

The NIST framework requires you, as a defense contractor, to document how you have met the following requirements in particular:

• Security requirement 3.12.4 requires the contractor to develop, document, and periodically update System Security Plans (SSPs) that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
Security Requirement 3.12.2 requires the contractor to develop and implement Plans of Action designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems.

Read more about implementing SSPs and POAs.

Under the Clause, DoD contractors are obliged to submit evidence of their compliance with NIST SP 800-171 to the U.S. Government. However, the Clause goes beyond NIST compliance and sets out additional rules for the protection of Covered Defense Information (CDI).

Supply Chain Management

DFARS Clause 252.204-7012 aims to encourage you, as a contractor, to take a proactive role in the protection of CDI. Not only are you required to demonstrate compliance within your own business, but in order to strengthen the entire supply chain, you must take steps to ensure that your subcontractors comply, too.

It is the responsibility of your subcontractors to inform you if their practices deviate in any way from the DFARS and NIST 800-171 guidelines, and it is your responsibility to demonstrate that an equally secure alternative practice is in place before you share CDI with that subcontractor.

Reporting Cybersecurity Incidents

A cybersecurity incident is defined as a breach of security protocols that negatively impacts, compromises, or endangers CDI held on your systems or networks, or those of your subcontractors.

In the event of a cybersecurity incident, your responsibility under DFARS Clause 252.204-7012 is to report the incident to the DoD within 72 hours. You must present the affected data and all related data covering the 90 days prior to the date of the report, along with any infected software. You must also conduct a thorough systems review and identify ways in which you will prevent future breaches.

In the event that a subcontractor experiences a cybersecurity incident, they must report it to you, or to the next highest tier of subcontractor, and present the evidence as required. As the prime contractor, you’re then required to report the incident to the DoD and submit the evidence, as detailed above.

Cloud Service Provision

If you offer your own cloud services as part of your DoD contract, then DFARS states that you must enact the safeguards set forth in the Cloud Computing Security Requirements Guide (SRG), unless waived by the Chief Information Officer of the DoD. If you use a third-party cloud service, then you’re required to ensure that your cloud service provider follows the security provisions therein.

Don’t Know Where to Start?

A quick look at documents like the above and it’s clear to see why some contractors are still struggling with compliance long after the December 31st, 2017 deadline has passed. It truly is a daunting task bringing your business into line with these extensive regulations, especially when the stakes are so high.

That’s where a Managed Services expert like CyberSheath comes in. We’ve helped defense contractors large and small to achieve comprehensive DFARS and NIST compliance.

Put Your Cybersecurity Compliance in Expert Hands

We’ll take the stress and the guesswork out of compliance by handling every step of the journey, from assessment and gap identification to the development of robust System Security Plans and Plans of Action. And because we’re always monitoring the evolution of DoD frameworks, we’ll continue to update your plans in line with regulatory changes to guarantee ongoing compliance.

Let CyberSheath help you to protect your valuable DoD contracts and remain competitive in the defense supply chain. Contact us now for a no-obligation discussion to find out how.

 

5 Steps to DFARS Compliance

In the last decade, the way in which nation-states have targeted the U.S. has changed dramatically. Where warfare was once predictably physical in nature, more and more of today’s threats come via virtual and digital channels.

After more than a decade of massive intellectual property theft including the theft of massive amounts of highly sensitive data from a U.S. Navy contractor’s computer systems, allegedly by Chinese hackers, the Department of Defense (DoD) has sought new guidance on how to secure its $100bn supply chain in the face of modern threats.

In the recent report Deliver Uncompromised, researchers Mitre Corp. discuss how the Department of Defense (DoD) and intelligence agencies can adapt to meet the growing threat of cyber warfare. They identify a number of ways in which national security can be compromised remotely, including the virtual hijacking and sabotage of military equipment; the infiltration of software for espionage purposes; and the data theft to which the Navy contractor fell victim.

Beyond Compliance

Up until now, the focus has been on encouraging contractor compliance. A recent example is the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, a framework that lays out how contractors must safeguard sensitive defense information and report cyber security incidents. By December 2017, prime contractors were required to demonstrate exactly how they’d implemented mandatory policies and achieved full compliance.

However, the Deliver Uncompromised report argues for a full cultural shift in the way in which the issue of cybersecurity is framed, with an emphasis on the role of the contractor. Instead of simply requesting or even mandating co-operation in support of their security objectives — a reactive role — the report recommends that defense and intelligence agencies encourage contractors to share ownership of the problem itself and proactively develop solutions.

At present, the DoD chooses suppliers based on cost, schedule, and performance, but the report notes that this can actually encourage suppliers to cut corners on their security provision. Factoring in the price of implementing enhanced security measures makes the supplier less attractive to the DoD in terms of cost, but when the alternative is to eat the cost themselves, most businesses will choose to simply do the bare minimum in order to achieve compliance.

In order to avoid the ‘compliance effect’ and incentivize suppliers to go above and beyond, DoD is attempting to elevate security to a key metric in the procurement process, on par with cost, schedule, and performance. In making enhanced security a competitive advantage and not just a ‘checkbox’, the DoD is essentially leveraging its position as the primary source of revenue for many of its contractors in order to shape their behavior.

That’s not to say compliance is moving down the agenda; quite the opposite, in fact. Deliver Uncompromised identifies a number of major holes in current compliance legislation, noting that they undermine any ‘softer’ attempts by the DoD to influence suppliers.

Financial Liability

First, the report says, it’s unclear what tangible consequences a contractor will face in the event that their non-compliance with DoD mandates leads to a security breach. Because there are so few financial repercussions, the very real risk is that some suppliers will fail to commit the necessary resources to implement their contractual obligations, while others will ignore them altogether.

To address this risk, Deliver Uncompromised recommends that DoD re-examines financial liability processes for suppliers that fail to take reasonable or timely assurance measures to protect the DoD from a threat. It also implores the DoD to consider seeking the legislative authority to hold suppliers liable for gross negligence in circumstances where cybersecurity obligations have not been met.

Software Practices

Software was identified as a major area of vulnerability for the DoD supply chain, especially given the widespread use of open-source software components with uncertain origins. And yet, the report says, the current practice is to absolve users, operators, and even developers from responsibility for security threats arising from software failure.

Deliver Uncompromised calls for an overhaul of this policy and suggests that the DoD demand much higher standards of security throughout the life cycle of mission-critical software. It also recommends placing much greater accountability on users, operators, and developers, which may be achieved by soliciting the help of Congress to change laws surrounding software immunity.

What Does this Mean for You as a Defense Supplier?

If a significant proportion of your revenue depends on government contracts, it’s likely you already know that compliance is becoming an increasingly important deciding factor in the awarding of contracts. However, it’s no longer enough to simply comply.

Deliver Uncompromised is a crystal-clear statement of the DoD’s intent to reward suppliers that go above and beyond in terms of security. In fact, the cultural shift is already happening, with the 2017 case of IPKeys Technologies serving as a prime example.

IPKeys protested to the U.S. Government Accountability Office (GOA) when they lost out on a defense contract to a higher-priced competitor. While both companies met the mandatory cybersecurity compliance requirements, the awardee had demonstrated a proactive commitment to non-mandatory security frameworks, too. Despite their higher cost, the awardee went above and beyond compliance and received a higher value rating — and won the contract — as a direct result.

The GAO denied the protest, strengthening the notion that minimum security compliance is no longer enough to remain competitive. Should the DoD implement the recommendations outlined in Deliver Uncompromised — and they likely will, given the current concerns about foreign interference and cyberattacks — enhanced security will become a legal matter as well as a commercial one.

For you, that means getting ahead of the game and fortifying your cybersecurity now. While other suppliers continue to do the bare minimum in order to check off compliance boxes, your focus should be on strengthening security procedures and adding value wherever possible. Take these measures now, and when the legislative environment inevitably moves forward, you’ll be leading the way — not scrambling to keep up.

Want to Remain a Competitive Defense Supplier?

Then now is the time to start enhancing your security practices with a comprehensive, free cybersecurity evaluation from CyberSheath. Let us help you to make sense of the changing security environment and make sure your business stays one step ahead. Contact us now to arrange your free evaluation.

 

As cyber-attacks become more frequent and sophisticated, addressing tighter security needs has become a priority for the federal government. Enforcement of “Controlled Unclassified Information” (CUI) protection continues to intensify as private contractors and organizations are now required to upgrade their cybersecurity systems and overall procedures to keep up with these increasing threats. On April 24, 2018, the Department of Defense (DoD) issued draft guidance for assessing contractors’ System Security Plans (SSPs) and the implementation of security controls in NIST Special Publication (SP) 800-171.  If you’re a defense contractor, you’re required to comply with these regulations and provide “adequate security” for networks where covered defense information (CDI) is processed, stored, or transmitted. DoD issued two draft guidance documents. The first, “Assessing the State of a Contractor’s Information System,” provides guidance on four different objectives.  They include what must be in an RFP, how the source selection authority would evaluate the requirement, what resources are available for that evaluation, and the contract provisions that will be needed to implement the requirement during performance. The second draft guidance document, “DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented,” was developed by DoD to determine the risks that an unimplemented security control has on an information system, and which of the unmet controls need to be prioritized. What does “adequate security” mean? At a minimum, defense contractors must implement the requirements in NIST SP 800-171 to become compliant. Contractors need to provide an SSP to prove the implementation of the security requirements, and also develop plans of action and milestones (POA&M) that describe how any unimplemented security requirements will be met.

Unimplemented Controls Receive a Value Rating

NIST 800-171 is comprised of 110 technical controls to ensure the best security policies and procedures.  DoD has decided to assess the risk of unimplemented controls by assigning a “DoD Value” for each security requirement ranging from 5 (highest impact on the cybersecurity system) to 1 (lowest impact on the cybersecurity system). These priority codes are used for priority rankings that NIST assigns to the NIST SP 800-53 Revision 4 security controls that are used for government information systems and which form the basis for NIST SP 800-171.

Non-Compliance is Not an Option 

In 2018, proposed DOD guidance is already moving to full enforcement of compliance. Compliance failures can lead to more serious consequences than a data breach.  Failure to comply with DFARS can lead contractors to incur penalties either by the United States Government (civil, criminal, contractual actions in law and administrative), or by individuals and private organizations that were damaged by lack of compliance (actions for damages).

  • Bid Protests: While SSPs and POA&Ms are important for determining “adequate security,” it’s still unclear the exact part they’ll play in bid protests and the implementation of NIST SP 800-171. After reviewing the implementation status during the pre-award stage, the DoD can make an unacceptable or acceptable determination, and ultimately decide if the contract should be rewarded. Another option is to evaluate implementation as a “separate technical evaluation factor.” During the pre-award process, contractors may choose to protest terms where a solicitation’s treatment of NIST SP 800-171 implementation fails to be consistent with DoD’s guidance. On the other hand, if a contract was rewarded to another contractor, disappointed offerors may consider challenging the award to another offeror where the assessment of the protester’s or awardee’s implementation of NIST SP 800-171 is inconsistent with the guidance documents. If the DoD notices inconsistencies between the implementation of NIST SP 800-171 and your SSP and POA&M, they could award the contract to another contractor. During 2018, contract protests awarded to higher-priced bidders were based in part on compliance with cybersecurity and employing more than the minimum security requirements in NIST SP-800-171.
  • Termination Risk: The accuracy of your SSP and POA&M, along with providing proof that you’re moving toward full compliance, is crucial. For the most accurate evaluation, the draft guidance states that solicitations and contracts must include contract data requirements (CDRLs) to “require delivery of System Security Plan and any Plans of action after contract award.” Now that both SSPs and POA&Ms are a contractual obligation, failure to be in compliance may provide a basis for termination if compliance isn’t completed. Or, if the SSP does not accurately state the implementation status of the contractor’s cybersecurity.
  • DCMA Audits: DoD has recently stated that as part of its audit function, DCMA will pull out all the stops to confirm all contractors have an SSP and POA&M.  However, DCMA will not be providing an analysis if the SSP fully complies with the NIST 800-171 security requirements. It’s unknown at this point if the DCMA would leverage any of DoD’s guidance in its review.
  • False Claims Act: If a contractor is audited by DoD and found not to have implemented DFARS/NIST 800-171, the contractor can be on the receiving end of numerous penalties. For example, if your SSP misrepresents your actual cybersecurity status, DoD can bring an action based on fraud, which is a False Claims Act violation. DoD may also be able to prove that the original SSP was key to the Department’s award decision. If DoD’s argument is successful, your earnings under the original contract are at risk, along with the reputation of your organization.

Make Compliance a Priority Before it’s Too Late!

At CyberSheath, we know that implementing these new security controls can seem like a daunting undertaking. We’ve successfully assessed and implemented the required NIST 800-171 controls for leading organizations in the defense industrial base supply chain.

Last week the Washington Post reported that in January and February of this year Chinese government hackers stole 614 gigabytes of material relating to a closely held project known as Sea Dragon from a Navy contractor’s unclassified network. Stolen data included signals and sensor data, information relating to cryptographic systems, and the Navy submarine development unit’s electronic warfare library.  Officials said the material, when aggregated, could be considered classified and this should come as no surprise to anyone familiar with unclassified defense contractor networks.

Unclassified contractor networks often contain a wealth of important information related to the important work they do in support of the Department of Defense DoD and other government entities. This reality is one of the many reasons that the DoD made compliance with DFARs clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting and implementation of NIST 800-171 mandatory no later than December 31, 2017. Unfortunately, many companies are still struggling with implementing the NIST 800-171 requirements or worse, writing the required System Security Plans (SSP) and Program of Action and Milestones (POA&M) and never getting around to implementing the security requirements.

The delay in implementing the NIST 800-171 requirements is likely in part why on April 24th, 2018 the DoD released its draft “Guidance for Reviewing System Security Plans and the NIST SP-800-171 Security Requirements Not Yet Implemented.” The extensive document contains more stringent guidelines on exactly how the DOD will enforce and assess the implementation of security controls for awarding contracts and evaluating proposals. It also provides detailed recommendations for properly assessing System Security Plans (SSPs) and Plans of Action and Milestones (POA&M).

The DoD Guidance provides additional information on how they might penalize business partners who fail to adhere to new security rules, including penalties and not being awarded new contracts. Aside from the obvious competitive business reasons to immediately implement the NIST 800-171 security requirements this latest theft of project Sea Dragon data is a reminder of the implications to national security. Most of NIST 800-171 is just good cybersecurity hygiene that at a minimum will make contractors harder targets for hostile nation-states.

In February, Director of National Intelligence Daniel Coats testified that most of the detected Chinese cyberoperations against U.S. industry focus on defense contractors or tech firms supporting government networks. During his April nomination hearing to lead U.S. Indo-Pacific Command, Adm. Philip S. Davidson, told the Senate Armed Services Committee “One of the main concerns that we have, is cyber and penetration of the dot-com networks, exploiting technology from our defense contractors, in some instances.”  These comments along with the new DoD guidance are a clear indication that compliance isn’t going away.

Attention and focus on contractor networks started in earnest at least ten years ago when industry and the DoD started working together, voluntarily, to select NIST 800-53 base security requirements for implementation and defining cyber incident and information sharing processes. That effort has now evolved into the mandatory implementation of DFARs clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting and implementation of NIST 800-171. The deadline for achieving compliance has come and gone.

At CyberSheath, we know that successfully implementing these new security controls can be a daunting undertaking for your organization. We’ve successfully assessed and implemented the required NIST 800-171 controls for organizations large and small in the defense industrial base supply chain. We’ll ensure your System Security Plan (SSP) and associated Plans of Action & Milestones (POA&M) are documented and fully implemented. Our cybersecurity experts will take care of all identified gaps in your information systems, schedule implementation of any outstanding items and ensure your organization is compliant with all of the latest requirements. We follow all DOD guidance to ensure review of SSPs and POA&Ms and “assist in prioritizing the implementation of security requirements not yet implemented.” After we have delivered a fully compliant solution we offer managed services to maintain your compliance and incorporate any updates from the DoD.

Contact CyberSheath today for a no-obligation phone consultation, and learn how we can ensure compliance with NIST SP 800-171 in five steps sales@cybersheath.com

 

 

These days, it’s not easy to be in charge of your organization’s IT security. With cyberattacks increasing in frequency, severity, and reach, it’s more important than ever to develop a plan for achieving, managing, and documenting the security of all of your systems.

It’s Not Only Good Practice to Have a System Security Plan, but It’s Also a Requirement

NIST SP 800-17, Revision 1 recently added requirement 3.12.4 to the Security Assessment control family stating that organizations must “Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.”

This one-sentence requirement is based on NIST SP 800-18 – Guide for Developing Security Plans for Federal Information Systems.

Identify What Systems Need a System Security Plan

Now it’s time to figure out which systems in your organization require a System Security Plan (SSP). Each SSP should be focused on an information system, which is defined as “a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.” An application, information or technology service, platform, and infrastructure are all considered systems, and their security must be formally planned according to the NIST SP 800-171 requirement for in-scope systems.

Compile your list of systems needing an SSP and start uncovering all the information you will need to write them. Each SSP will need two types of information, both of which can be a challenge to compile. These include:

  1. System details documenting how the system operates
  2. Details about how the NIST SP 800-171 Revision 1 controls requirements are met for that particular system. Note that the control statement responses are a granular system-specific response to the 110 control requirements.

Once you have your inventory of systems that store, process, or transmit Controlled Defense Information (CDI) or Controlled Unclassified Information (CUI), it’s time to start planning.

First, create a system security planning template. The appendix to NIST SP 800-18 – Guide for Developing Security Plans for Federal Information Systems has a template, which provides a great starting point for creating your organization’s SSPs.

Next, assemble your team for the planning process, making sure to include these roles:

  • System Owner – This role is critical to the system security planning process as this person has deep knowledge about the systems and understands what the system does, how it works, and how it is controlled. The system owner owns the security plan for the system and is responsible for providing diagrams and explanations that articulate where the sensitive data is stored at rest, where and how it is transmitted, and what system interfaces exist, especially those interfacing systems that transmit the sensitive (CDI and CUI) data.
  • IT/Security Support Staff – Depending on the size of your organization, your support team may provide a set of core IT services that provide control to the broader network and computing environment. Inheritable controls could include authentication services, firewalls, network segmentation, secure system baselining, access management, and change management. A system owner will work hand-in-hand with the support team to understand how and if the controls apply to his or her particular system.
  • Administrative/Business Operations Support Staff – Some controls that apply to systems may not be technical. Administrative and/or business operations staff will need to provide input into how non-technical controls, such as background screening processes, facility security mechanisms, training and awareness programs, and staff management controls, are addressed. The people who have ownership of these functional business capabilities will need to weigh in on the security planning effort so that controls are adequately defined.

Once you have the right people involved, it’s time to get to work and write the plan. It’s a laborious process, but the intent is to provide defensible information and responses as to how a system works and how security controls are applied. An auditor or contracting official will want to know how you safeguard their sensitive data, and the information you document along with control responses should provide assurance of that protection.

Create a Master SSP

Every system used for the storage, processing, and transmission of CDI/CUI should have a security plan. Think about the roles above and the functional areas they represent. If these roles exist as a core, corporate function that is applied consistently across the organization, then consider creating a master system security plan that documents a core set of controls meeting the NIST 800-171 requirements.

A Master SSP helps you define a standard across the enterprise for inheritable controls, which provides guidance to the system owners about how they may be consuming controls that are broadly applied to the organization. The effectiveness of using the master system security planning concept depends on how effective those broad controls are applied by mandate.

  • For those organizations who strictly apply their standards, the master system security planned controls would be thoroughly applied and relied on.
  • For those organizations looser about applying standards and mandates, a master system security plan makes a good reference, but system owners should pay close attention to whether they actually inherit the standard control offering, or if a system-specific control response is required.

Build Proactive Measures into Your SSPs

Developing your System Security Plan(s) will provide a systems-focused macro-view of how your security controls are being applied. The process also helps identify non-compliance and uncover insecure practices, alerting you and helping you create a plan to resolve issues.

Consider building your Plan of Actions & Milestones (POAM) into your SSPs, and track compliance deficiencies to resolution. This helps you be proactive in your remediation and corrective action planning and moves you closer to a mature state in managing security controls.

The CyberSheath team is experienced at helping organizations like yours create System Security Plans. Contact us to learn how we can help you.

As a contractor, you need to safeguard covered defense information that is processed or stored on your internal information system or network.

To stay in the running for work from your primes, you need to comply with DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which requires contractors to implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”. You have until December 31, 20 I 7 to implement NIST SP 800-171.

How will non-compliance with NIST SP 800-171 impact contractors’ future acquisition?

On September 21, 2017, The Director, Defense Pricing/Defense Procurement and Acquisition Policy issued guidance for acquisition personnel in anticipation of the December 31, 2017 deadline, which:

  • Outlines how contractors might implement NIST SP 800-171.
  • Addresses how a contractor may use a system security plan to document the implementation of the NIST SP 800-171 security requirements.
  • Describes how DoD organizations might choose to leverage the contractor’s system security plan (SSP), and any associated plans of action, in the contract formation, administration, and source selection processes.

To not jeopardize future opportunities, contractors should focus on developing a well-written SSP and associated Plan of Action and Milestones (POA&M) to achieve compliance.

What are the SSP and POA&M requirements?

NIST SP 800-171 was revised (Revision 1) in December 2016 to require a “system security plan” and associated “plans of action.” Specifically:

  • Security requirement 3.12.4 (System Security Plan, added by NIST SP 800-171, Revision 1), requires the contractor to develop, document, and periodically update, system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
  • Security Requirement 3.12.2 (Plans of Action), requires the contractor to develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems.

How do you write an SSP and POA&M?

Documenting implementation of the NIST SP 800-171 security requirements by the December 31, 2017, implementation deadline requires an SSP and associated plans of action which describe how and when you will meet unimplemented security requirements, how you will implement planned mitigations, and how and when you will correct deficiencies and reduce or eliminate vulnerabilities in the systems. System security plans and plans of action can be documented as separate or combined documents. You should choose a format that integrates with existing business processes and can be easily maintained year-over-year. Governance, Risk, and Compliance platforms can provide a technical, somewhat automated capability to meet this objective.

There is no prescribed methodology for contractors to implement the requirements of NIST SP 800-171, or even to assess your current compliance with the requirements -nor is there a prescribed format for SSPs or POA&Ms. A reasonable first step in creating an SSP and POA&M is to use company personnel or a qualified third party to execute a gap assessment against current operations compared to the NIST SP 800-171 requirements. The gap assessment will detail changes to policy and highlight areas where additional hardware or software are required to achieve compliance. A well-executed gap assessment will determine:

  1. Requirements that can be met using in-house IT personnel.
  2. Requirements that can be met using outside assistance.
  3. Plan of Action and Milestones for achieving compliance.

Which version of NIST 800-171 applies?

DFARS Clause 252.204-7012 requires the contractor to implement the version of the NIST SP 800-171 that is in effect at the time of the solicitation, or such other version that is authorized by the contracting officer.

How do you inform the Government of compliance with NIST SP 800-171 requirements?

You can inform the Government of your implementation of the NIST SP 800-171 requirements in a number of ways.

  • The solicitation provision DFARS 252.204-7008, “Compliance with Safeguarding Covered Defense Information Controls,” provides that by submitting the offer, the contractor is representing its compliance (and provides a procedure for the contractor to request the DoD Chief Information Officer (CIO) to authorize a variance from any of those requirements as being non-applicable, or because the contractor has a different but equally effective security measure).
  • Paragraph (c)(2)(ii)(A) of DFARS Clause 252.204-7012 requires the contractor that is performing a contract awarded prior to October 1, 2017, to notify the DoD CIO of any requirements of NIST SP 800-171 that are not implemented at the time of contract award.

Keep in mind, the solicitation may require or allow elements of the system security plan, which documents the implementation of NIST SP 800-171, to be included with your technical proposal, and may be incorporated as part of the contract (e.g., via a Section H special contract requirement).

What is the role of the SSP and POA&M in contract formulation, administration, and source selection?

Chapter 3 of NIST SP 800-171, Revision 1, states that Federal agencies may consider the contractor’s system security plan and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization, and whether or not it is advisable to pursue an agreement or contract with the nonfederal organization.

DFARS Clause 252.204-7012 is not structured to require contractor implementation of NIST SP 800-171 as a mandatory evaluation factor in the source selection process, but the requiring activity is not precluded from using a company’s SSP and associated POA&Ms to evaluate the overall risk introduced by the state of the contractor’s internal information system or network.

The Director, Defense Pricing/Defense Procurement and Acquisition Policy guidance for acquisition personnel provide the following examples of how the government may utilize the system security plan and associated plans of action:

  • Using proposal instructions and corresponding evaluation specifics (detailed in sections L and M of the solicitation as well as the Source Selection Plan) regarding how implementation of NIST SP 800-171 (and other applicable security measures) will be used by DoD to determine whether it is an acceptable or unacceptable risk to process, store, or transmit covered defense information on a system hosted by the offeror. The solicitation must notify the offeror whether and how its approach to protecting covered defense information and providing adequate security in accordance with DFARS 252.204-7012 will be evaluated in the solicitation.
  • Establishing compliance with DFARS 252.204-7012 as a separate technical evaluation factor and notifying the offeror that its approach to providing adequate security will be evaluated in the source selection process. The specifics of how the offeror’s implementation of NIST SP 800-171 will be evaluated must be detailed in Sections L and M of the solicitation as well as the Source Selection Plan.  If you are behind in implementing the required controls of NIST SP 800-171, are unsure of how to write your SSP and POA&M’s, or need expert help complying with the requirements, Contact CyberSheath at NIST800171@cybersheath.com for immediate assistance.

As a small- or medium-sized business, you are faced with many challenges. How do you stay focused on your company’s core mission while scaling your organization’s infrastructure to accommodate growth and investing in the right technologies and solutions?

That’s where managed services come in. Instead of investing in the headcount, you can outsource key services to IT professionals focused on critical areas. Advantages of this approach include:

  • Consistent, known, and manageable costs with a good return on investment
  • Ability to leverage innovations and stay at the front of the technology curve
  • Improved security and peace of mind knowing experts are proactively handling issues
  • Internal team members can focus on strategic projects, furthering your company’s cause

How CyberSheath Can Help

You can rely on CyberSheath for your Managed Security Services or Governance, Risk, and Compliance needs. Partnering with other managed service providers while carving out our area of expertise means that you see no additional spend for licensing costs.

You need:CyberSheath offers:
A DFARS-compliant security management platform that monitors your cloud, hybrid cloud, and on-premises infrastructure to provide a unified approach to threat detection and compliance management

Needs to satisfy: NIST 800-171 Rev. 1 Requirements defined in sections 3.3.1, 3.3.4, 3.3.5, 3.3.6, and 3.3.8

Security Management Platform

  • Security Information and Event Management (SIEM) | Gathers and analyzes logs and event data from disparate security controls and devices across the network, and correlates them to identify related security events.
  • Vulnerability Management & Asset Discovery | Provides visibility into assets and user activity and identifies vulnerabilities across the environment.
  • Intrusion Detection System | Detects intrusions and monitors behavior to track events and establish a benchmark for normal conduct.
  • Threat Intelligence | Implements correlation rules, IDS signatures, vulnerability detection rules, and IP reputation updates to ensure the security management platform is appropriately maintained and detecting current threats.
A DFARS compliant incident response monitoring program that will continuously monitor your environment for malicious outsider threats as well as malicious and non-malicious insider threats.

Needs to satisfy: NIST 800-171 Rev. 1 Requirements defined in sections 3.3.3, 3.6.1, 3.6.2, 3.14.3, 3.14.6, and 3.14.7

Incident Response Monitoring Managed Service

  • Comprehensively monitors and analyzes correlated alerts derived from log feeds of selected devices feeding into the SIEM solution. Monitoring will be provided by security experts to identify and respond to security threats.
  • Provides detailed notification and recommendation for containment, eradication, and recovery from security incidents as dictated in the organizational Incident Response Plan (IRP).
  • Creates, edits, and manages all details of the incident in a tracking solution until incident closure.
  • Tracks metrics for incident occurrences, time to resolution, and other critical measurements of the IRP.
  • Provides updates and improvements to the IRP based on after-action reports and lessons learned.
An identification and authentication service that complies with the DFARS security requirements for multi-factor authentication

Needs to satisfy: NIST 800-171 Rev. 1 Requirements defined in sections 3.5.3, 3.5.5, and 3.7.5

Multifactor Authentication (MFA) Managed Service

  • Secures access to accounts by offering a layered approach to security for your VPN, privileged accounts, and Covered Defense Information (CDI) systems.
  • Work with stakeholders and end-users to test the validity of MFA solutions against the in-scope systems and defined use-cases.
  • Deployment of the capability to the in-scope users and systems.
  • Develop and deliver training material for all in-scope users who will be required to use the MFA solution.
  • Work to resolve any system irregularities or issues with the MFA solution.
A mobile device management service for mobile devices that complies with the DFARS security requirements for systems which store, process, or transmit CDI.

Needs to satisfy: NIST 800-171 Rev. 1 Requirements defined in sections 3.1.1, 3.1.8, 3.1.10, 3.1.18, 3.1.19, 3.8.6, 3.13.11, and 3.13.16

Mobile Device Management (MDM) Managed Service

  • Enforces security configuration and encryption for bring-your-own-device (BYOD) or company-provided mobile phones or tablets.
  • Work with stakeholders and end-users to test the capabilities of the mobile device management solution against the in-scope systems and defined use-cases.
  • Deployment of the capability to the in-scope users and systems.
  • Develop and deliver training material for all in-scope users.
  • Work with the organizations to administer the MDM solution as it relates to the provisioning and de-provisioning of mobile devices and users within the scoped environment.
An endpoint protection solution that complies with the DFARS security requirements for the protection of endpoints (client systems and servers) and removable media which store, process, or transmit CDI.

Needs to satisfy: NIST 800-171 Rev. 1 Requirements defined in sections 3.1.19, 3.8.6, 3.8.7, 3.13.11, 3.13.16, 3.14.2, 3.14.4, 3.14.5

Endpoint Protection Managed Service

  • Centralize management of anti-virus, anti-malware, and full disk encryption of the laptops, work stations, and servers.
  • Work with stakeholders and end-users to test the capabilities of the endpoint protection and encryption solutions against the in-scope systems.
  • Deployment of the capability to the in-scope users and systems.
  • Develop and deliver training material for all in-scope users who will be required to use the encryption solutions.
  • Work with the organization to administer the endpoint protection suite as it relates to the configuration and troubleshooting of systems within the scope environment.
A GRC program that enables the organization to track and maintain DFARS compliance after all remediation efforts have been completed

Needs to satisfy: NIST 800-171 Rev. 1 Requirements defined in sections 3.2.1, 3.2.2, 3.2.3, 3.4.1, 3.6.2, 3.12.3, 3.12.1, 3.12.3

Governance, Risk, and Compliance (GRC) Managed Service

  • Provides and maintains a repository of assets, threats, and pre-mapped controls, and assigns controls based on role throughout the organization.
  • Manages policy based on your organization’s unique risk profile, regulatory requirements, and best practice needs.
  • Inventories, tracks and manages of all vendor and service provider assessment activities.
  • Manages training with web-based information security awareness training in-line with DFARS security requirements.
  • Provides audit management with a streamlined verification process of IT security controls through defined audit workflows.
  • Identifies, tracks, and manages regulatory changes to ensure your organization maintains a state of compliance.

You can rely on CyberSheath to provide quality managed services for your IT security needs. Contact us to learn more about how we can help your organization.

There are less than 100 days left until the mandatory compliance deadline for implementing the DFARS required controls of NIST 800-171. Is your organization ready?

If you have been focusing on other strategic business initiatives and have not yet dedicated resources to NIST 800-171 compliance, you still have time. It will take a lot of work, but your organization can have a documented plan in place to guide your efforts and make material gains towards compliance this quarter.


Month-by-Month DFARS Compliance Guide

To remain competitive in your pursuit of new contracts with the Department of Defense, you should:

  1. Assess your current state and create an implementation plan for your needed controls.
  2. Formulate a DFARS-required System Security Plan (SSP).
  3. Achieve DFARS compliance.

Here’s how to accomplish that by the end of 2017.

October

  • Conduct security assessment – You might be tempted to save time and skip this step – but don’t assume that you already know what work needs to be done. Execute an internally or externally-led gap assessment against the fourteen families of controls in NIST 800-171. Document your compliance with each family of controls. Be sure to record the people, processes, technologies, and related artifacts involved and demonstrate that your security program is implementing the required controls as a part of your day-to-day operations.
  • Unsure of how to proceed? Work with a vendor – If you are struggling with the interpretation of the controls, enlist the help of a skilled outside party to execute the gap assessment.
    • Find a vendor – Look for a services provider with specific NIST 800-171 experience, both assessing compliance and implementing remediation programs to achieve compliance. Get references and make the vendor provide proof of past success in helping defense contractors achieve compliance. Query the vendor about the deliverable from the assessment and be clear that you are looking for more than best practice recommendations – you require information specific to your internal operations.
    • Leverage the third-party vendor to engage your executive team – Have your vendor work with your executives and get answers to the inevitable questions around DFARS compliance. You probably have already had a talented team that has been briefing NIST 800-171 internally for some time. Often the same message from a trusted third party with past experience can jumpstart the conversation at the executive level and secure the support your team needs.

November and December

  • Create a project plan and start implementing controls – Using the results of your gap assessment, create a project plan and start implementing controls that don’t currently exist in your organization and remediating the ones that fall short of meeting the requirements.
  • Be proactive in engaging procurement – If you have to purchase tools or engage a third party to assist in remediation, make sure that your purchasing is streamlined. With less than 100 days left there is little time for delays related to procurement processing. Ideally, you will have already spent time to get executive buy-in on this effort and have created the required sense of urgency around meeting the December compliance deadline.
  • Start writing your SSP – In parallel to your remediation efforts, start writing your SSP. It’s a requirement of compliance – and it will force you to be strategic about long-term compliance and not get lost in the tactical details of getting specific controls implemented before December. Your SSP should be a true reflection of your NIST 800-171 compliance program. You should plan to review and update this document annually.

CyberSheath is skilled at performing security assessments, creating remediation plans, writing SSPs, and most importantly actually implementing the required controls. If you need assistance achieving DFARS compliance before the deadline, Contact Us today.

In less than five months your organization needs to be DFARS NIST 800-171 compliant. If you have already formulated a remediation plan to help you address your deficiencies, continue working through your prioritized roadmap to meet the compliance deadline. If you haven’t yet begun planning, get started today. Don’t jeopardize your ability to secure and execute DoD contracts by being non-compliant.

Three Areas to Focus on as You Craft Your Compliance Roadmap

After you’ve assessed your organization against the 110 security controls in NIST 800-171, you’ll need to build a plan to address your compliance gaps. An effective plan will have components that address these three areas.

  1. Multi-Factor authentication
    • What it is: Multi-Factor authentication (MFA) is a security measure where more than one method of authentication from independent categories of credentials is required to verify the user’s identity for a login or other transaction. It is an important component of any security plan as increasing authentication from a single factor greatly improves the security of your systems.
    • What you need to do: Procure an identification and authentication service that complies with the DFARS security requirements. Make sure the MFA solution is scoped and implemented to address the unique requirements of your environment. Also, work with stakeholders and end-users to conduct use-case and validity testing. Integrate with your authentication management processes to administer the user lifecycle. Make sure you have access to training, maintenance, and support of your solution.
  1. Privileged Account Management
    • What it is: Privileged account management (PAM) is managing and auditing account and data access by privileged users, who are individuals with administrative access to critical systems. Better managing access to privileged accounts can help prevent cyber adversaries and rogue insiders from going after privileged credentials as a way to gain broad and undetected access to your information systems.
    • What you need to do: Ensure your PAM solution provides automated, monitored, and controlled privileged access. Elevate administrative access to avoid granting excessive access to privileged accounts. Require the verification of a ticket or an approval to ensure administrative access is only granted when it is required for a specific activity. Work with engineers who are well versed in fine-tuning the configuration of the PAM suite and who can provide technical expertise and customization for your unique project.
  1. Vulnerability Management
    • What it is: Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities in your security infrastructure. It is important that your organization continually be monitoring for vulnerabilities to ensure you stay ahead of potential threats.
    • What you need to do: A DFARS compliant vulnerability management program will continuously assess your environment for vulnerabilities and patch compliance. Make sure your solution performs monthly vulnerability scans, as well as scans after any significant changes are made, of all your internal and public-facing systems. Also, ensure you receive a monthly report detailing new findings and findings from the previous month(s) which have yet to be remediated. Verify implementation of patches or workarounds for each fix with follow-up scans as needed.

Plan, Provision, and Outsource if Needed to Meet the December 31, 2017 Deadline

Determine what you can reasonably accomplish with your internal resources and what you need to outsource to meet the December deadline. Also, as part of your roadmap, make sure you plan for a post-compliance world where you need to maintain the controls you’ve implemented.

Regardless of where you are in your DFARS compliance process, time is of the essence. Continue your efforts or get started now – five months is not much time to affect the change mandated by NIST 800-171 compliance.

If you need support, contact us for a FREE consultation.

FAQs:

Cybersheath Blog

3 Reasons Why You Need a Privileged Access Risk Assessment

A privileged account is one used by administrators to log in to servers, networks, firewalls, databases, applications, cloud services and other systems used by your organization. These accounts give enhanced permissions that allow the privileged user to access sensitive data or modify key system functions, among other things. You can…

Incident Response – Learning the Lesson of Lessons Learned

“Those who do not learn from history are condemned to repeat it.” Over the years, variations of this famous quote have been spoken by everyone from philosophers to world leaders. The message — that we must learn from our mistakes or continue to repeat them — is also highly relevant…

What is DFARS 252.204-7012 and NIST SP 800-171?

With the Department of Defense (DoD) promising the release of an update to NIST Special Publication 800-171, it is imperative defense contractors understand what DFARS 252.204-7012 and NIST SP 800-171 Clause is and how noncompliance with the Clause will impact their business.  Compliance is mandatory for contractors doing business with…

Our Trusted Partners

Cyberark McAfee Thycotic RSA Tenable Alien Vault Alert Logic Microsoft