products:

Sorry,

there are no posts to show...


Helpful Resources

News:

RESTON, Va.—October 29, 2020—CyberSheath Services International today announced that it has been selected to join the Microsoft Intelligent Security Association (MISA) as one of the association’s first CMMC-focused managed security service providers.

“MISA members are cybersecurity industry leaders,” said Eric Noonan, CEO at CyberSheath. “They’re unified by the common goal of helping secure our customers by offering unique and valuable customized expertise and making the association more effective as it becomes more diverse.”

CyberSheath has extensive Microsoft expertise, including professional and managed security services for a wide array of U.S. defense contractors, and was nominated for MISA for their managed security service offerings for Azure Sentinel and Microsoft Defender for Endpoint. CyberSheath uses a Microsoft technology stack fueled by Microsoft Azure Sentinel, the cloud-native Security Information and Event Management (SIEM) solution that quickly identifies security threats across hybrid enterprises.

MISA began as an ecosystem of independent software vendors (ISVs) that integrated their security products with Microsoft’s to better defend against a world of increasing threats. Due to increased demand for a closely interwoven security ecosystem, the association is growing and launching an invitation-only pilot program for select managed security service providers.

MISA plays a vital role in reducing the cost and complexity of integrating disparate security tools. Adding managed security service providers promises to increase the ecosystem’s value even more by offering an extra layer of threat protection without requiring day-to-day involvement of in-house security teams,” said Andy Shooman, COO at CyberSheath. “It’s another important step in both strengthening and simplifying security at a time when risk mitigation is one of IT’s highest priorities.”

“The Microsoft Intelligent Security Association has grown into a vibrant ecosystem comprised of the most reliable and trusted security software vendors across the globe,” said Rani Lofstrom, Senior Product Marketing Manager, Microsoft Security. “Our members, like CyberSheath, share Microsoft’s commitment to collaboration within the cybersecurity community to improve our customers’ ability to predict, detect, and respond to security threats faster.”

About CyberSheath Services International, LLC

Established in 2008, CyberSheath is one of the most experienced and trusted IT security services partners for the U.S. defense industrial base. From CMMC compliance to strategic security planning to managed security services, CyberSheath offers a comprehensive suite of offerings tailored to clients’ information security and regulatory compliance needs. Learn more at www.cybersheath.com.

 

 

Press Contact:

Kristen Morales

Kristen.Morales@cybersheath.com

Lockheed Martin and other prime contractors are contacting their suppliers and requesting a security status update; in many cases requesting a demonstration of compliance before the DoD November 30th deadline.  If you’ve received this request, you’re not alone. We’re helping many of our clients demonstrate that they’re achieving the requirements and submit the requested documentation before the deadline set by primes.

When the new DFARS Interim Rule and Cybersecurity Maturity Model Certification (CMMC) requirements were released at the end of September, we knew it would start to trickle down the supply chain. The primes heard the message loud and clear, and now suppliers do too. Lockheed Martin, for example, is requiring suppliers to complete a survey by November 5th so it can assess risk before the new rules take effect on November 30.

What is Required of Suppliers?

Suppliers must confirm their NIST 800-171 Assessment Score, provide a Plan of Action and Milestones (POA&M) estimated completion date (ECD) for any unimplemented requirements, their status and ECD for an additional 20 CMMC practices, and their status and ECD for the CMMC Level 2 and 3 maturity processes. On top of that, suppliers have to provide updates on their progress until all practices and progress are implemented, as well as their “estimated date for closure of all NIST SP 800-171 POA&M items, and the expected closure date for the additional controls.”

The primes are hard at work getting a sense of where their supply chain stands before the interim rule takes effect and the CMMC requirements start showing up in RFIs, RFPs, and contracts.

Where Should You Go from Here?

Start with this overview of the DFARS interim rule, an FAQ on everything we do, and don’t know at this point, and steps you should take immediately to meet the requirements. We’re here to help and explain the rules in plain English. Don’t hesitate to reach out with any questions or to talk through a project plan or schedule for responding to these requests by the deadline.

Join Us at CMMC Con 2020.  A Virtual Event Designed to Support Stakeholders in the DIB.

If you are a prime or subcontractor looking to better understand how to navigate the rapidly shifting future of cybersecurity compliance – CMMC Con 2020 is the event for you. Join us on November 18th for this one-day event where you will hear an expert line-up engage in conversations focused on DFARS compliance, the threat from China, and a “how-to” session for small & medium-sized businesses struggling with NIST 800-171 and CMMC.

Register Now

 

 

On September 29, 2020, the Department of Defense (DoD) issued an interim rule (Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)) implementing two separate requirements for defense contractors related to cybersecurity that change acquisition. The two requirements give contractors much-needed clarity around how to prioritize their efforts to improve cybersecurity in alignment with DoD acquisition. The DFARS interim rule provides timelines and scoping information related to the Cybersecurity Maturity Model Certification (CMMC) implementation, enabling contractors to plan and implement against those requirements accordingly. In priority order and plain English here are both the new requirements and what your company should be doing now; for a deeper look at the 89-page rule please read our FAQ.

What You Should Do Immediately to Address the DFARS Interim Rule

Let’s start with the answer; get compliant with NIST 800-171 by implementing all the security requirements defined within that publication. Immediately actionable is the requirement to submit your NIST 800-171 assessment, using the DoD approved scoring methodology, through the Supplier Performance Risk System (SPRS).

First, understand that this interim rule immediately impacts all of your future DoD awards if they include DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting. This includes contracts, task orders, options, etc. Below is the language directly from the DFARS Interim Rule as to scope and impact for anyone who thinks this does not apply to them:

“The contracting officer shall verify that the summary level score of a current NIST SP 800-171 DoD Assessment (i.e., not more than three years old, unless a lesser time is specified in the solicitation) (see 252.204-7019) for each covered contractor information system that is relevant to an offer, contract, task order, or delivery order are posted in Supplier Performance Risk System (SPRS), prior to:

(1) Awarding a contract, task order, or delivery order to an offeror or contractor that is required to implement NIST SP 800-171 in accordance with the clause at 252.204-7012; or

(2) Exercising an option period or extending the period of performance on a contract, task order, or delivery order with a contractor that is required to implement the NIST SP 800-171 in accordance with the clause at 252.204-7012.”

Ideally, you will submit your scored assessment within the next 60 days but at a minimum, it is required before your next expected DoD contract award so timing is unique to each company. Information that you are required to share and enter with the results of your Basic NIST SP 800-171 DoD Assessment into SPRS includes:

  • Date of the assessment
  • Summary level score (e.g., 95 out of 110, NOT the individual value for each requirement)
  • Scope of the Basic Assessment – identify each system security plan (security requirement 3.12.4) supporting the performance of this contract. All company CAGE codes must be mapped to the appropriate system security plan(s). Additionally, a brief description of the planned architecture may be required, if more than one plan exists
  • Plan of Action Completion Date – a date that a score of 110 is expected to be achieved for each system security plan assessed (i.e., all requirements implemented) based on information gathered from the associated plan(s) of action developed in accordance with NIST SP 800-171 (security requirement 3.12.2)

Why You Should Immediately Address these Aspects of the Interim Rule

Given the level of information that you are required to expose to the government contractors should have a sense of urgency around getting started with NIST 800-171 compliance if they have not already. If you score poorly it’s doubtful that your general counsel, contracts, or other business partners will want a substandard assessment sitting in a government database potentially putting you at a competitive disadvantage. Scoring can range from +110 (Perfect) to -203 (Failure), so you will want to use these next 60 days to make improvements and produce the best score possible before you submit your assessment.

Scoring for Basic, Medium, and High NIST SP 800-171 DoD Assessments is the same. The scoring methodology security requirements are weighted so just looking at some of the highest weighted requirements can give you a sense of how much work you might have ahead of you. If you are responsible for NIST 800-171 compliance at your company it’s easy to quickly determine how bad, or good, you might fare by looking at the scoring methodology and comparing that to what you are, or are not, doing today. Of the hundreds of assessments CyberSheath has done over the last eight years we have observed, on average, 70% non-compliance. Take a quick look at these requirements and associated values and compare them against what you know to be true for your organization, did you just lose 35 points before you even started your assessment?

DFARS Interim Rule - Security Requirements

These are just 7 of the 110 security requirements but they all require hard work and dedicated resources to become compliant. Again, this represents only 35 of 110 possible points so hopefully, our point is clear, implementing these security requirements takes time.  The DFARS Interim rule represents an emergency for non-compliant DoD contractors.

For almost two years now, we’ve been telling clients that their focus is and should always have been on NIST 800-171 compliance, as mandated in DFARS clause 252.204-7012. Now the DoD is clamping down on non-compliance.

Next Steps

Sprint to compliance in less than 60 days with CyberSheath’s proven methodology based on three core disciplines: Assess, Implement, Manage (AIM™)

DFARS Interim Rule 60 Day Sprint Timeline

It’s been quite a week.

The DoD released an interim rule to “amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement a DoD Assessment Methodology and Cybersecurity Maturity Model Certification framework in order to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain.”

The DoD requested, and OMB authorized, emergency processing of the collection of information tied to this rule. The emergency justification impacts all DoD contractors in the long term and short term as they will now be required to prove and submit evidence of compliance with DFARS clause 252.204-7012 and NIST 800-171. Additionally, the rule creates the following new solicitation provision and contract clauses:

  • DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements;
  • DFARS clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements; and
  • DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements.

The interim rule, effective 60 days from publication, has triggered a number of questions from contractors. Here are the answers we believe we know, the answers that we aren’t certain about, and the answers that are unclear, but we can surmise based on past experience.

 

DFARS Interim Rule and Emergency Justification FAQ

 

DFARS Interim Rule and Emergency Action: What We Believe We Know

What is the nature of the emergency justification?

The government is finally asking the defense industrial base to submit evidence of compliance with DFARS clause 252.204-7012 and NIST 800-171. In the past, the DoD trusted, with almost no verification, contractors to adhere to the rules and there was no compulsory submission required to prove compliance. The nature of the emergency is “The aggregate loss of sensitive controlled unclassified information and intellectual property from the DIB sector could undermine U.S. technological advantages and increase risk to DoD missions.”

Why did the change occur?

Explicitly, to make sure two things are happening:

  • The supply chain is making strong improvements to security and meeting current contractual commitments
  • To motivate contractors who have ignored the current requirements by forcing information collection

But the interim rule also codifies into the CMMC. The onboarding of the CMMC structure will ramp up over the course of the next five years. The DoD can’t afford to wait that long to ensure American IP is protected so they will move to collect evidence of compliance with DFARS clause 252.204-7012 in parallel to CMMC ramp up.

What immediate steps should a covered entity take after this rule change?

First, reconcile how long it’s been since you’ve self-attested in line with the 2017 DFARS rule and more specifically NIST 800-171. A company that has fully implemented all 110 NIST SP 800-171 security requirements, would have a score of 110 to report in Supplier Performance Risk System (SPRS) for their Basic Assessment. A company that has unimplemented requirements will use the scoring methodology to assign a value to each unimplemented requirement, add up those values, and subcontract the total value from 110 to determine their score. The  NIST SP 800-171 DoD Assessment Methodology is available here.

Your properly scored Basic Assessment and self-attestation should show you have made a habit of improving your environment over the last three years. If you have not shown improvement on your Plan of Actions and Milestones (POA&Ms), you need to take steps to demonstrate what you are doing to make progress. Ideally, you should have at least three self-assessments from the past three years against DFARS 252.204-7012, and more if you’ve made major changes to your environment that would trigger another self-assessment.

Check out our article on the five steps every organization should take to meet the NIST 800-171 requirements.

What role do my Third-Party Providers (TPPs) have in my attestation?

A major role. You have to attest that your TPPs who handle CUI meet the same or higher security standards as you do.

The biggest stumbling block for many contractors is their TPP contract language. Any organization with a DoD contract that’s handling controlled unclassified information (CUI) must have specific contract language for any of their TPPs that handle CUI, requiring them to meet or exceed the same security standards you do. How many MSPs or MSSPs are doing that today…very few.

In fact, the interim DFARs rule has this verbatim clause buried within the latest 89-page update:

2) The Contractor shall not award a subcontract or other contractual instrument, that is subject to the implementation of NIST SP 800-171 security requirements, in accordance with DFARS clause 252.204-7012 of this contract, unless the subcontractor has completed, within the last 3 years, at least a Basic NIST SP 800- 171 DoD Assessment, as described here, for all covered contractor information systems relevant to its offer that are not part of an information technology service or system operated on behalf of the Government. (3) If a subcontractor does not have summary level scores of a current NIST SP 800-171 DoD Assessment (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) posted in SPRS, the subcontractor may conduct and submit a Basic Assessment, in accordance with the NIST SP 800-171 DoD Assessment Methodology, to webptsmh@navy.mil for posting to SPRS along with the information required by paragraph (d) of this clause.

Can the government ask for my managed services contracts to demonstrate compliance with the DFARS verbiage inclusion?

Not only can they — they almost definitely will.

Is this rule retroactive? E.g. does this cover time periods of the previous self-attestation?

The truth is that this behavior and level of compliance were supposed to be in place all along and this action simply asks you to prove you’ve been doing it. This is where some contractors will find themselves between a rock and a hard place if they have self-attested but never really implemented NIST 800-171.

DFARS Interim Rule and Emergency Action: What’s Unclear

Does everyone who previously self-attested now submit documentation?

No, you don’t have to submit documentation today to the government but moving forward all DoD awards will require the submission of, at a minimum, a Basic Assessment.

It’s unclear why documentation has not been required before now. Maybe the government didn’t want to have access to the information or didn’t have a program to evaluate the information, or maybe the risk level wasn’t the same as it is today. It is also possible that lobbyists and industry trade associations fought off this requirement.

What needs to be submitted when to the government and when?

At a minimum, contractors will need to produce their assessment using the standard scoring methodology, which reflects the net effect of NIST SP 800-171 security requirements not yet implemented. There are three assessment levels (Basic, Medium, and High), which reflect the depth of the assessment performed and the associated level of confidence in the score resulting from the assessment. A Basic Assessment is a self-assessment completed by the contractor, while Medium or High Assessments are completed by the Government. The Assessments are completed for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order.

Contractor assessments results are documented in the Supplier Performance Risk System (SPRS) to provide DoD Components with visibility into the scores of Assessments already completed; and verify that an offeror has a current (i.e., not more than three years old, unless a lesser time is specified in the solicitation) Assessment, at any level, on record prior to contract award.

The presumption is that the DoD wants what’s typically asked for in an audit or what prime contractors are asked to provide when they get a subcontractor: A System Security Plan (SSP), any POA&Ms, and attestation for where the program stands against NIST 800-171.

What does Basic / Medium / High mean in the release verbiage?

There are three assessment levels (Basic, Medium, and High), which reflect the depth of the assessment performed and the associated level of confidence in the score resulting from the assessment. A Basic Assessment is a self-assessment completed by the contractor, while Medium or High Assessments are completed by the Government. The Assessments are completed for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order.

How does the interim rule affect CMMC roadmap and compliance?

The rule builds upon the NIST SP 800-171 and DoD Assessment Methodology mandating the CMMC framework which adds a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the Department that a DIB contractor can adequately protect sensitive unclassified information such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.

DoD is implementing a phased rollout of CMMC. Until September 30, 2025, the clause at  52.204-7021, Cybersecurity Maturity Model Certification Requirements, is prescribed for use in solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, excluding acquisitions exclusively for COTS items, if the required document or statement of work requires a contractor to have a specific CMMC level. In order to implement the phased rollout of CMMC, the inclusion of a CMMC requirement in a solicitation during this time period must be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment.

CMMC will apply to all DoD solicitations and contracts, including those for the acquisition of commercial items (except those exclusively COTS items) valued at greater than the micro-purchase threshold, starting on or after October 1, 2025.

If the government finds fault with your self-attestation documentation, what are the ramifications?

Contractors who are not accurate in their assessment reporting could be subject to the False Claims Act (FCA) which imposes civil and potentially criminal liability on anyone who knowingly presents a false or fraudulent claim for payment to the federal government, or knowingly makes, uses, or causes to be made or used, a false record or statement material to a false or fraudulent claim. This is not theoretical, read more on the most visible DoD FCA case for cybersecurity.

Can an outside provider or third-party submit my documentation on my behalf?

This is unclear, but probably not. The government doesn’t want you to have the ability to say your service provider submitted it incorrectly or made material errors.  An outside provider can prepare the materials you can send along yourself, much like a CPA might prepare your taxes, but you sign them.  The exception would likely be the Medium or High Assessments that are completed by the Government in which they would submit the results.

What is the process if you want to dispute your compliance rating under the pre-CMMC assessment process?

We don’t know the answer to this one. There needs to be some sort of arbitration or dispute process to go through judgments against you and revisions to documents, as you might do with taxes, but the process is not obvious right now.

Is there any arbitration or a process of procedural review of negative findings?

Same answer as above — as of right now there is not an obvious process, but there should be one.

 

DFARS Interim Rule and Emergency Action: What We Know

What is the difference between DFARS 252.204-7012 and the new DFARS 252.204-7021?

7012 is universally applied and 7021 requires a demonstration of maturity based on the risk level of the contract.

7012 involves self-attesting and self-submitting documentation, and 7021 requires third-party assessments, but also self-submitting.

7012 is based on policing and enforcement and 7021 is based on the winning of revenue and contracts.

7012 allows tolerance for not having certain controls in place at the moment so long as you’ve identified those and you have a plan to rectify them, and 7021 is intolerant — you must not only have evident practices in place but also show they’re habitually deployed.

In five years, 7012 will be sunsetting, and 7021 will be sunrising. DFARS 252.204-7021 is the new law of the land.

How many CMMC driven contracts are expected in FY2021? 

 The rule says:

“Based on information from the Federal Procurement Data System (FPDS), the number of unique prime contractors is 212,657 and the number of known unique subcontractors is 8,309. Therefore, the total number of known unique prime contractors and subcontractors is 220,966, of which approximately 163,391 (74 percent) are estimated to be unique small businesses. According to FPDS, the average number of new contracts for unique contractors is 47,905 for any given year.”

The document also includes a chart showing how many contracts to expect at each CMMC level each year:Proposed-CMMC-Contracts-by-Levels+Year

Will my self-disclosures be made public? Is it disclosable in a FOIA request?

 There is no mention of that in DFARS 252.204-7021, but the feeling is that the information will not be generally available to the public, but it might be subject to a FOIA request.

When you are self-attesting and going on record about what you do and don’t do from a security perspective, that invites hackers to open up the database and see where organizations are vulnerable. This information could also materially affect the way companies and investors view mergers and acquisitions, due diligence, and so forth. So, it is unlikely that the self-disclosures will be truly public.

 

The Bottom Line

Time’s up to get compliant or forgo DoD revenue, it is that simple.  The government is getting more aggressive in cracking down on cybersecurity to protect American assets throughout the defense industrial base and has been very specific as to their expectations.

The DoD means business. The time to take action is now.

The experts at CyberSheath understand your challenges – and we can help. Contact us to make sure your assessment gets – and stays – on track.

 

Next Steps

Sprint to compliance in less than 60 days with CyberSheath’s proven methodology based on three core disciplines: Assess, Implement, Manage (AIM™)

DFARS Interim Rule 60 Day Sprint Timeline

Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041) is here. Often referred to as CMMC this long-awaited and hotly debated Interim Rule harmonizes legacy (DFARS clause 252.204-7012) and future (CMMC) requirements with the following statement:

“DoD has developed the following assessment methodology and framework to assess contractor implementation of cybersecurity requirements, both of which are being implemented by this rule: the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 DoD Assessment Methodology and the Cybersecurity Maturity Model Certification (CMMC) Framework.”

Specifically, the rule creates the following new solicitation provision and contract clauses:

  • DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements;
  • DFARS clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements; and
  • DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements.

Assessment Methodology to ensure NIST 800-171 Compliance

DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, included in all solicitations and contracts, requires contractors to apply the security requirements of NIST SP 800-171 to “covered contractor information systems” or those that “are not part of an IT service or system operated on behalf of the Government”, i.e your contractor networks, labs, cloud environments, etc.  This clause has long existed but rarely been enforced by DoD or adhered to by contractors. Rare contractors who have been audited for compliance have been evaluated against the NIST SP 800-171 DoD Assessment Methodology for assessment of a contractor’s implementation of NIST SP 800-171 security requirements. The NIST SP 800-171 DoD Assessment Methodology is available, here.

If you are not familiar with the assessment methodology it is probably because you have not been audited or have done a quick internal assessment that did not adhere to the scoring defined within the methodology. Time to get familiar with it. Again, directly from the interim rule:

“The Assessment uses a standard scoring methodology, which reflects the net effect of NIST SP 800-171 security requirements not yet implemented by a contractor, and three assessment levels (Basic, Medium, and High), which reflect the depth of the assessment performed and the associated level of confidence in the score resulting from the assessment. A Basic Assessment is a self-assessment completed by the contractor, while Medium or High Assessments are completed by the Government. The Assessments are completed for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order.”

The results of Assessments are documented in the Supplier Performance Risk System (SPRS) giving DoD visibility into completed assessment scores and an ability to verify that a contractor has a current (i.e., not more than three years old) assessment on record prior to contract award. This is something that contractors should pay careful attention to. Because of the widely unenforced existing compliance requirements, most contractors have already self-attested to compliance without ever having submitted an assessment or having been audited. This silent majority is now in the position of being required to, at a minimum, submit a self-assessment that will go into SPRS. How will contractors address the fact they have already attested to compliance and now have an assessment that shows, in our experience, on average 70% non-compliance? Squaring this conflict will require some thoughtful planning and time with your general counsel.

New Interim Rule Outlines the Purpose of CMMC

Nearly everyone expected the new rule to force CMMC implementation (it does with a new DFARS subpart (Subpart 204.75, Cybersecurity Maturity Model Certification CMMC) and mandating DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements, for use in all solicitations and contracts or task orders or delivery orders) it also thoughtfully describes a long transition from NIST 800-171 to CMMC.

The purpose of this blog is not to describe CMMC in detail but for those interested in an overview please look here. What contractors really need to know right now about CMMC is that DoD is implementing a phased rollout of CMMC, essentially making it an October 1, 2025 requirement. Up until September 30, 2025 inclusion of a CMMC requirement in a DoD solicitation must be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment. On October 1, 2025, and thereafter CMMC will apply to all DoD solicitations and contracts, except those exclusively COTS items.  After this date, DoD contracting officers will not award, or exercise an option on a contract without a current (i.e. not older than three years) certification for the required CMMC level. Additionally, and as expected, CMMC certification requirements are required to be flowed down to subcontractors at all tiers.

The new CMMC has always been about assurance, giving DoD a way to ensure all of their suppliers are adequately protecting sensitive unclassified information such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) at a level commensurate with the risk and accounting for information flow down to its subcontractors in a multi-tier supply chain. Assurance, essentially third party validation, was and is required because DoD has proven that contractors self-attestation of compliance was optimistic to be generous. Few contractors actually implemented NIST 800-171 and the DoD is no longer going to accept that risk for its supply chain. As the new rule describes the purpose of CMMC:

“CMMC is designed to provide increased assurance to the Department that a DIB contractor can adequately protect sensitive unclassified information such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain. A DIB contractor can achieve a specific CMMC level for its entire enterprise network or particular segment(s) or enclave(s), depending upon where the information to be protected is processed, stored, or transmitted.”

Key Takeaway

DoD has previously accepted a contractor’s self-attestation and contractors have had a statistically low risk of an audit, but now they have to produce evidence of what they’ve been saying all along.  DoD acquisition just changed and they are deadly serious about securing the supply chain, this is a call to action.

Contractors may find themselves between a rock and hard place with this new requirement as they balance previous attestation claims and best intentions against minimal compliance efforts.

Taking steps now, in response to this emergency action, will not only bring you into compliance with existing requirements but prepare you for CMMC as well. By focusing on compliance with NIST 800-171, you’ll be 85% of the way to CMMC ML 3 compliance when it arrives.

So where do you start? We’ve developed a proven, audited tested methodology over hundreds of assessments to enable contractors to meet NIST 800-171 compliance. Download our 5 Step Guide to CMMC preparation that assures compliance with NIST 800-171.

5 Steps to CMMC Preparation

The Department of Defense (DoD) has instituted an emergency action, possibly to confirm what is widely already known on cybersecurity compliance among the defense industrial base (DIB). Self-certification for defense contractors has enabled “barely there” cybersecurity unless you are one of the small number of contractors who took it seriously.

The action, approved by the Office of Information and Regulatory Affairs (OIRA), requires offerors and contractors to assess their compliance with DFARS clause 252.204-7012 and NIST 800-171. All offerors and contractors must submit a basic self-assessment, or a medium or high assessment conducted by DoD assessors. Details are scarce and connection to the Cybersecurity Maturity Model Certification (CMMC) is anyone’s guess, but for contractors who have previously self-certified as compliant but not actually implemented the controls, this could be problematic, to say the least.

The DoD has previously accepted a contractor’s self-attestation and contractors have had a statistically low risk of an audit, but now they have to produce evidence of what they’ve been saying all along.  This emergency rule isn’t just a call to action. It’s the DoD calling the DIB’s bluff. If anyone doubted the seriousness of the DoD’s efforts to avert data loss, this emergency action should be evidence enough that they want the data to confirm or refute claims of compliance.

Contractors may find themselves between a rock and hard place with this new requirement as they balance previous attestation claims and best intentions against minimal compliance efforts. Many contractors kept waiting for the “cyber police” to show up and when they never came it was largely business as usual. The cyber police are here and it’s time to get your house in order.

Taking steps now, in response to this emergency action, will not only bring you into compliance with existing requirements but prepare you for CMMC as well. By focusing on compliance with NIST 800-171, you’ll be 85% of the way to CMMC ML 3 compliance if/when that it arrives. If it never arrives, an unlikely outcome, you will at least have met your current contractual obligations.

 

So where do you start? We’ve developed a proven, audited tested methodology over hundreds of assessments to enable contractors to meet NIST 800-171 compliance.

 

Follow our five-step process for success:

1. Assess current operations for compliance with NIST 800-171.

Start with a gap assessment of your current people, processes, and technology against compliance with NIST 800-171. This assessment will:

  • Directly link to Control 3.12.1 of NIST 800-171, which requires that you “periodically assess the security controls in organizational systems to determine if the controls are effective in their application.”
  • Give you a clear view of your current compliance with the remaining controls.
  • Generate a System Security Plan (SSP) and associated Plan of Actions & Milestones (POA&Ms), both of which are NIST SP 800-171 requirements.

 

2. Write your SSP.

NIST 800-171, Revision 1, requires contractors to develop, document, and periodically update SSPs that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

Initially, your SSP will be an aspirational document. You’ll find that many of the 110 required NIST SP 800-171 controls are not fully implemented in your environment. A common mistake is to write an SSP that doesn’t reflect the reality of control implementation.

 

3. Document your POA&Ms.

Also a requirement of NIST 800-171, Revision 1, your POA&Ms will detail your plans to correct deficiencies, reduce or eliminate vulnerabilities, and achieve compliance.

These plans can be documented in a variety of formats, but at a minimum, they should detail:

  • The deficiency identified
  • The plan to correct the deficiency (people, processes, and/or technology)
  • Dates by which you intend to be compliant against the specific deficiency

Well-documented POA&Ms will enable eventual mapping to CMMC maturity levels.

Note that SSPs and POA&Ms can be documented as separate or combined documents. You should choose a format that integrates with existing business processes and can be easily maintained.

 

4. Implement the required controls.

Execute your POA&Ms and achieve full compliance with NIST 800-171. This is probably going to be a full-time effort and depending on your resources, you can benefit from working with a third party to implement the controls.

If you’re looking for an effective partner, make sure to ask the following questions:

  • Have they implemented the NIST 800-171 controls for similar-sized businesses?
  • Have they solved the unique challenges that come with implementing NIST 800-171 controls in manufacturing, lab, and engineering environments?
  • Can they provide several references?

 

5. Maintain Compliance.

Once you’ve made it this far, it’s time to plan for ongoing compliance. You’ll need to achieve the following:

  • Documented and automated compliance reporting
  • Support Request for Proposal (RFP) and other acquisition-related business development activities
  • Ongoing operational expense related to maintaining compliance

 

For almost two years now, we’ve been telling clients that their focus is and should always have been on NIST 800-171 compliance, as mandated in DFARS clause 252.204-7012. Now the DoD is clamping down on noncompliance. As we look ahead to CMMC, taking action now will put you in a better position when the next action arrives.

The US Department of Defense (DoD) has one of the largest supply chains in the world, scaling to hundreds of thousands of different vendors and partners. While valuable, these vital partners in our nation’s defense infrastructure pose a huge cyber risk. Today that risk is largely unchecked and unregulated as contractors can “self-attest” to their ability to protect Controlled Unclassified Information (CUI).

Commercial companies are the lifeblood of any economy and the circulatory system of modern day societies.  They provide needed innovation, new discoveries, critical high-value support as well as materials and quick solutions to a myriad of problems. From the most arcane to the most mundane, the US Defense Department has needs in nearly every aspect of procuring commercial services, but this lifeblood paradoxically may imperil the entire system by leveraging companies with little respect for cybersecurity controls. In fact, in this connected world, no government or company can perfectly protect all its data from hackers and rival states. Even so, it is astonishing that, from January 2016 to February 2018, nearly 6 percent of U.S. military and aerospace contractors reported data breaches (according to Stars & Stripes).

And experts feel this is just the tip of the iceberg – the vast majority of security incidents are never uncovered. The Pentagon needs to tighten cybersecurity across its vast contracting operations and hold contractors accountable for minimum standards of care around cybersecurity. Essentially that is the goal behind the Cybersecurity Maturity Model Certification (CMMC) and the ambitious effort to secure the DoD supply chain. The CMMC effort is not without its critics but who can argue that real change wasn’t urgently needed?  Learn More about CMMC

Let us review some major breaches of national security that hopefully can be prevented in a post CMMC world so that you might be the judge:

Example One – Jan-Feb, 2018:  Comprise of US Navy “Operation SEA DRAGON” – Chinese hackers stole sensitive U.S. Navy submarine plans from Rhode Island DoD contractor

Citing unnamed U.S. officials, the Washington Post reported in June of 2018 about a very disturbing cyberattack of a US DoD contractor.  Evidently Chinese government hackers compromised the computers of a U.S. Navy contractor and stole a large amount (approximately 600+ Gigabits) of highly sensitive data on undersea warfare, including plans for a supersonic anti-ship missile for use on U.S. submarines.

The breaches took place in January and February, the officials told the Post, speaking on condition of anonymity about an ongoing investigation led by the Navy and assisted by the Federal Bureau of Investigation.

The U.S. Navy and an unnamed defense contractor are/were working on a new missile which the Navy says will give its submarines a new, “disruptive offensive capability” to take on enemy ships. The previously unknown weapon, known as Sea Dragon, supposedly combines an existing U.S. Navy platform with an existing capability, is likely a new version of a versatile air defense missile capable of pinch-hitting as an anti-ship missile.

Example Two – March 2019:  US Navy Review Concludes it is “Under Siege” by Chinese Hackers & Attackers

An internal U.S. Navy review concluded that the service and its various industry partners are “under cyber siege” from Chinese hackers who are building Beijing’s military capabilities while eroding the U.S.’s advantage, The Wall Street Journal reported Dec 2018 – Mar 2019. Chinese hackers have repeatedly hit the Navy, defense contractors, and even universities that partner with the service. “We are under siege,” a senior Navy official told The Journal. “People think it’s much like a deadly virus — if we don’t do anything, we could die.”

Three particularly worrisome recent incidents (2018-2020) were the theft by China of highly sensitive information on naval projects left on an unclassified network (2019), last year’s breach of private information on 30,000 Pentagon employees(2018), and the exposure of 60,000 files on a publicly accessible server involving a subcontractor to Booz Allen Hamilton (2018), the firm that employed Edward Snowden. And perhaps most embarrassing was the 2016 theft of sensitive plans for the F-35 fighter — a plane that will cost taxpayers $1.5 trillion over its lifespan. A small Australian subcontractor on the project had reportedly never changed its Windows passwords from the defaults “admin” and “guest.”

Example Three – Sept-Dec 2019:  Compromise of Emails and LinkedIn Accounts of military defense companies

In a report released in June 2020 by Slovakia-headquartered ESET cybersecurity company who said the cyberattacks of mainly European aerospace and military defense firms were launched between September and December 2019. A collaborative investigation with two of the affected European companies allowed them to gain insight into the operation and uncover previously undocumented malware.

To compromise their targets, the attackers used social engineering via LinkedIn, hiding behind the ruse of attractive, but bogus, job offers. Having established an initial foothold, the attackers deployed their custom, multistage malware, along with modified open-source tools. Besides malware, the adversaries made use of living off the land tactics, abusing legitimate tools and OS functions. Several techniques were used to avoid detection, including code signing, regular malware recompilation, and impersonating legitimate software and companies.

According to their investigation, the primary goal of the operation was espionage. However, in one of the cases we investigated, the attackers attempted to monetize access to a victim’s email account through a business email compromise (BEC) attack as the final stage of the operation.

As part of the initial compromise phase, the Operation In(ter)ception attackers had created fake LinkedIn accounts posing as HR representative of well-known companies in the aerospace and defense industries. In our investigation, we’ve seen profiles impersonating Collins Aerospace (formerly Rockwell Collins) and General Dynamics, both major US corporations in the field.

Fake-LinkedIn-Account

With the profiles set up, the attackers sought out employees of the targeted companies and messaged them with fictitious job offers using LinkedIn’s messaging feature, as seen in Figure 1. (Note: The fake LinkedIn accounts no longer exist.)

Once the attackers had the targets’ attention, they snuck malicious files into the conversation, disguised as documents related to the job offer in question.

Example Four – 2017-2020:  The Chinese APT Threat to Cleared Defense Contractors

In a report published in June of 2020, cyber-security firm Lookout said it found evidence connecting Android malware (APT 15) that was used to spy on minorities in China to a large government defense contractor from the city of Xi’an.

Lookout’s 52-page report details a years-long hacking campaign that has primarily targeted the Uyghur ethnic minority, living in western China, but also the Tibetan community, to a lesser degree.

The campaign infected individuals in these communities with malware, allowing government hackers to keep an eye on the activities of minority communities in China’s border regions but also living abroad in at least 14 other countries.

“Activity of these surveillance campaigns has been observed as far back as 2013,” Lookout researchers said. The company attributed this secret surveillance to a hacking group they believe operates on behalf of the Chinese government.

The fact that Lookout linked an APT15 malware sample to a Chinese defense contractor is not a novel discovery. From 2017 to 2019, four other Chinese state-sponsored hacking groups have been linked to contractors hired by Chinese intelligence agencies operating in various regional offices.

This includes:

APT3 – linked to a company named Boyusec operating on behalf of Chinese state security officials in the province of Guangdong

APT10 – linked to several companies operating on behalf of Chinese state security officials in the province of Tianjin

NEW!  APT 10 – Xi’an Tianhe Defense Technology, a large defense contractor in the city of Xi’an, in central China.

APT17 – linked to several companies operating on behalf of Chinese state security officials in the province of Jinan

APT40 – linked to several shell companies operating on behalf of Chinese state security officials in the province of Hainan

Operators behind APT3 and APT10 have eventually been charged by the US Department of Justice in November 2017 and December 2018, respectively.

Based on previous threat intelligence reports published by cyber-security firms Recorded Future and CrowdStrike, the Chinese Ministry of State Security outsources hacking operations to outside contractors, who report directly to, and take orders from intelligence officials.

In an FBI warning in 2018, https://publicintelligence.net/fbi-defense-contractors-apt/, specifically cites examples against “Cleared Defense Contractors” and here is an excerpt of the alert:

“APT actors in the near future likely intend to target US Cleared Defense Contractors (CDC) via spear phishing campaigns or network infrastructure compromises, according to recent intelligence. Common spear phish targets may include individuals featured on internet-facing CDC Web sites and high-ranking CDC executives.

FBI has observed APT actors over the past two years precede spear phishing campaigns with open source research of targeted US company websites, particularly sections containing contact information for company officials which include names, titles, telephone numbers, and email addresses. In one case, an APT actor sent spear phishing emails within one-to-two weeks after researching the targeted US company.

Historically, APT actors have a strong desire to collect US defense and scientific intelligence to further their interests and advance strategic goals. As a result, US CDCs and research facilities may likely be targets for cyber adversaries due to their involvement in national security and their close relationship with the US Government.”

Example Five – Feb-June 2020:  DCSA Bulletin – US Defense Focused

In a report published recently by politico, they suggest they obtained a Defense Counterintelligence and Security Agency (DCSA) bulletin marked “unclassified/for official use only” and warns that DCSA’s cyber division detected nearly 600 “inbound and outbound connections” from “highly likely Electric Panda cyber threat actors” targeting 38 cleared contractor facilities, including those specializing in health care technology.   Moreover, the bulletin goes on to say, “Nearly 40 U.S. contracting facilities with access to classified information have been targeted by a hacking group with suspected ties to the Chinese government since Feb. 1”, according to a bulletin disseminated to contractors by the Defense Counterintelligence and Security Agency.

The so-called Electric Panda group is not new and appears to have been operating since at least 2016, according to one of the indicators listed by DCSA. The bulletin goes on to say that this group has been targeting contractors that specialize in cybersecurity, aerospace, naval, health care, power generation, IT systems, telecommunications, risk analysis, and space systems.

Conclusions: How to Solve the Problem?

Given this, how safe is the US DoD Supply chain from cyberattacks?  From casual, publicly available information, there is strong evidence that the supply chain base of the US DoD system is under dedicated and constant attack, most probably needs dramatic investments in order to stay safe and sound from cyberattacks and to keep the US military safe.

The key to understanding the solution is to understand that the threat is immeasurably more serious as we must concern ourselves with the great possibility of a loss of life scenarios.

Let us hope that the new CMMC regulation is a very important step in accelerating the awareness of the real possibilities of these dangers, then to assemble a well-orchestrated cybersecurity risk and mitigation strategy for each attribute of DoD Supply chain may be placed in harm’s way.

Next Steps

If you have any questions or would like support as you ready your organization for CMMC, contact us.  We also invite you to listen to Eric Noonan, CyberSheath CEO, in a recorded webinar to learn how to start preparing your organization for CMMC by leveraging the steps you have taken to be compliant under DFARS.  Register Now

In this webinar you will learn:

  • Mapping NIST 800-171 to CMMC
  • Levels 1-5: Challenges and complexities to consider at each compliance level
  • Step by step path to attaining CMMC

 

According to a Department of Defense (DoD) official as confirmed to Inside Cybersecurity, DoD is planning to publish the proposed acquisition rule required for the implementation of the Cybersecurity Maturity Model Certification (CMMC) program in the next few weeks.

The proposed rule change, titled “Strategic Assessment and Cybersecurity Certification Requirements” under Defense Federal Acquisition Regulation Supplement (DFARS), is required for the Pentagon to award contracts containing CMMC language. Final timing is a decision for the White House Office of Management and Budget’s Office of Information and Regulatory Affairs, but the proposed timing aligns with the tremendous push forward for CMMC across the DoD.

This news should continue to melt away any doubts that the train has left the station and getting compliant with DFARS 252.204-7012 and NIST 800-171 for current contracts and planning for CMMC implementation for future contracts is a major priority for all DoD suppliers.

How to Prepare for Cybersecurity Maturity Model Certification

Compliance with ever-evolving DoD cybersecurity mandates like DFARS 252.204-7012, NIST 800-171, and CMMC is complicated and confusing. It can be hard to understand the outcomes that you should focus on and how to measure success. What does success even look like? How can I partner with a Managed Services provider to deliver measurable outcomes that ensure compliance?

Access our latest webinar, NIST 800-171 Case Study: Surviving a DoD Audit, to prepare your organization for CMMC. Go behind the scenes through a defense contractor’s journey from 35% compliance to a successful audit and “low-risk rating” by the DoD.

Access Webinar Now.

 

Compliance with ever-evolving DoD cybersecurity mandates like DFARS 252.204-7012, NIST 800-171, and Cybersecurity Maturity Model Certification (CMMC) is complicated and confusing. It can be hard to understand the outcomes that you should focus on and how to measure success. Discover what outcome-based Managed Services look like from start to finish, including a successful DoD audit, with a New England based defense contractor.

The contractor recognized the need for compliance with DFARS 252.204-7012, NIST 800-171, and eventually CMMC.  With processes largely informal and undocumented, insufficient staffing, and key technologies not deployed, partnership with a Managed Services provider who truly understood the requirements of a DoD contractor was the only way forward.

Our MSSP team quickly propelled the organization to 90% compliance with the DFARS controls, and with POA&Ms in place to close the remaining gaps. The CyberSheath team’s work resulted in a satisfactory DoD assessment and specific recognition by the DoD officials of the unique role that CyberSheath played as a managed services partner, enabling compliance.


Learn more about this real-world client success story at our webinar on July 8

Gain insight from behind the scenes through a defense contractor’s journey from 35% compliance to a successful audit and low-risk rating by the DoD.

Sign up today

 

DFARS Compliance with CyberSheath

As a defense contractor, it is imperative to your organization’s survival that you stay competitive in the Department of Defense (DoD) acquisition process and implements the required security requirements including DFARS Clause 252.204-7012 and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev. 1.  And soon, the Cybersecurity Maturity Model Certification (CMMC).

CMMC requires mandated minimum levels of cybersecurity, validated by a third party, for 100% of DoD contracts.

How do you ensure that you achieve compliance while thriving at your core competency and growing your business – and how do you right-size the security requirements? Internal IT and security staff are already stretched thin and have no time to learn the complexities of DFARS, NIST, and CMMC. So how can you possibly be successful with so many things working against you?

Leverage CyberSheath Managed Security Services for DFARS compliance.

How CyberSheath Managed Services Enable Compliance

Working with CyberSheath will have a profound impact on your business. With clear direction and measurable outcomes to support DFARS, NIST, and CMMC requirements, your company can confidently move forward and:

  • Pass your DoD customer assessment.
  • Achieve a low cybersecurity risk rating by a DoD third-party assessor.
  • Stay compliant as risks and requirements evolve.

CyberSheath Managed Security Services include:

  • Assessment – By providing documented, actionable annual compliance assessments against all necessary security requirements, you will know where to focus efforts to improve your security posture. To help you address vulnerabilities, CyberSheath tailors a master System Security Plan (SSP) specific to your environment.
  • Remediation – Specific remediation tasks are aligned with Plan of Actions and Milestones (POA&Ms) and often include creating cyber incident response processes, vulnerability management programs, launching multi-actor authentication (MFA), and implementing mobile device management (MDM).
  • Compliance – CyberSheath documents, automates, and assess compliance that can be easily validated during a third-party audit. Implementing the NIST/DFARS and CMMC requirements across your infrastructure, formalizing security policies and procedures, and making key processes repeatable. The end result is a centralized 24x7x365 Security Operations Center (SOC) capabilities and continuous evidence of regulatory compliance.

Why CyberSheath DFARS Managed Services?

CyberSheath delivers turnkey compliance from assessment through your mandatory third-party audit. We also take accountability for compliance every step of the way and cut through the confusion of NIST 800-171 and CMMC to ensure measurable, ongoing compliance.

You need an MSSP that has seen it all. When you are vetting providers, be sure you partner with a skilled, knowledgeable security expert with years of experience helping organizations and securing infrastructures like your own. Look for a company with extensive DoD experience and with professionals who have seen every iteration of DFARS from voluntary to the current mandatory state.

 

Learn how CyberSheath’s partnership as a Managed Service led to a successful DoD audit at our webinar on July 8

Get details on how to become compliant and go beyond templates and policy documents to get a glimpse of what total success and compliance looks like as measured by a successful customer audit.

Sign up today

 

The theft of intellectual property and sensitive information across the Defense Industrial Base (DIB) and the supply chain of the Department of Defense (DoD) threatens economic security and national security. Malicious cyber actors have persistently targeted the DIB sector and the DoD supply chain resulting in loss of intellectual property and unclassified information, which threatens U.S. technical advantages and significantly increase risks to national security.

The DoD is taking action to combat these threats. CMMC maturity levels will soon be used to determine whether a company will or will not be awarded a contract. To state that a different way: There are new regulatory cybersecurity minimums that must be validated by an independent third party prior to contract award on Defense Contractor networks.

What is CMMC?

CMMC encompasses multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive”. The evolving certification is focused on the protection of unclassified information across the supply chain categorized as:

  • Federal Contract Information (FCI): FCI is information provided by or generated for the Government under contract and not intended for public release.
  • Controlled Unclassified Information (CUI): CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954 as amended.

The CMMC model consists of five maturity levels and 171 cybersecurity practices mapped across these maturity levels. This structure helps to institutionalize cybersecurity activities, ensuring that they are consistent, repeatable, and of high quality. The CMMC practices provide a range of mitigation across the levels, starting with basic safeguarding at Level 1, moving to the broad protection of Controlled Unclassified Information (CUI) at Level 3, and culminating with reducing the risk from Advanced Persistent Threats (APTs) at Levels 4 and 5.

 

DoD CMMC 1-5 Maturity Levels

 

The CMMC framework is coupled with a certification program to verify the implementation of these important cybersecurity processes and practices.

Is CMMC different from DFARS Clause 252.204-7012 and NIST 800-171?

Yes. While the requirement for DFARS Clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting has been mandatory for several years, enforcement has been inconsistent and self-certification has been allowed, until now. CMMC changes that. Defense Contractors must now implement mandatory minimum levels of cybersecurity prior to contract award. They must also have their implementation of cybersecurity controls validated by a third party. Self-certification is no longer allowable.

The majority of CMMC practices (110 of 171) originate from the safeguarding and security requirements specified in FAR Clause 52.204-21 and DFARS Clause 252.204-7012. It is expected that the vast majority of defense contractors will need to be certified at CMMC Maturity Level 1 or 3.

  • Level 1 is equivalent to all of the safeguarding requirements from FAR Clause 52.204-21.
  • Level 3, building on Levels 1 and 2, includes all of the security requirements in NIST 800-171 plus other practices.

While the actual CMMC certification process is still a work in progress, defense contractors that implement the 110 security requirements of NIST 800-171 will have a head start towards achieving compliance with the new certification once it takes effect. In fact, CMMC Maturity Level 3 includes all 110 NIST 800-171 security requirements, making 85% of Maturity Level 3 compliance based on NIST 800-171 compliance.

The DoD is building on and strengthening, not abandoning, NIST 800-171. While specific maturity levels for individual contracts have not yet been determined, it is understood that implementing NIST 800-171 security requirements is the best way to prepare for CMMC. Get to work implementing NIST 800-171 to put yourself in a position to succeed.

How will CMMC affect the Acquisition Process?

CMMC will have a dramatic impact. Self-certification is being replaced with third party validation prior to the contract award. Checkbox compliance with nothing more than the documentation of a System Security Plan (SSP) and Plans of Action & Milestones (POA&Ms) is no longer sufficient. Doing business with the DoD now means a commitment to cybersecurity that is based on trust but verify DoD process for all 300,000 plus DoD suppliers.

How can I get ready for CMMC?

Given that the DoD has made NIST 800-171 the foundation for certification, preparing for CMMC is a relatively straightforward process. While not easy or free, it is uncomplicated to determine the steps necessary, timing, and priority. Here are measures to take to get started.

  • Step 1. Assess your current operations for compliance with NIST 800-171.
  • Step 2. Document your System Security Plan (SSP).
  • Step 3. Document your Plan of Actions & Milestones (POAMs).
  • Step 4. Implement the required controls.
  • Step 5. Maintain compliance.

For an easy-to-follow guide on how and in what order you should start getting ready for your mandatory third party CMMC audit, download our guide.

Why CyberSheath

There is no better company to help you in doing the actual work required to achieve CMMC compliance. CyberSheath has been working with the DoD and its suppliers for nearly a decade as CMMC has evolved from voluntary to self-certification, and now mandatory third party certification. Our CEO is a former Chief Information Security Officer for one of the largest defense companies in the world, and our employees are all practitioners, not consultants. What is the difference? Consultants just tell you what to do in presentation slides; we know what action to take and we do it.

It has finally arrived, the Cybersecurity Maturity Model Certification (CMMC) version (v) 1.0. CMMC v1.0 changes the DoD acquisition process with certification becoming a pre-RFP requirement to bid a government contract.  Like you, CyberSheath has been aggressively following the CMMC’s progression to this final version which included 3 previous drafts 0.4, 0.6 and 0.7. Overall not much has changed from draft 0.7; however, version 1.0 does have some noteworthy updates.

 

Overview of CMMC Levels 1-5 per the DoD’s released CMMC v1.0 pdf

Level 1 focuses on the protection of Federal Contract Information (FCI) and the practices under the basic safeguarding requirements detailed in 48 CFR 52.204-21.  Level 1 is the only level where processes will not be assessed.

Level 2 is the step between Levels 1 and 3 and as such begins to include a portion of NIST 800-171 controls, in addition to other frameworks. The subset of frameworks introduced at Level 2 also starts to refer to Controlled Unclassified Information (CUI).  Unlike Level 1, documentation of processes and policies is a requirement in Level 2.

Level 3 requires the implementation of all 110 NIST 800-171 controls. There is also 20 new CMMC practices introduced at Level 3.  In addition to documenting processes, “Level 3 requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation.”

Level 4 concentrates on the “protection of CUI from APTs and encompasses a subset” of practices from the NIST 800-171B draft combined with other cybersecurity models.  Level 4 requires documenting, managing in addition to reviewing processes as well as improving as necessary.

Level 5, like Level 4, Level 5 concentrates on the “protection of CUI from APTs.”  Level 5 requires the continuous optimization of documentation and processes across the organization.

 

Key Differences between NIST 800-171 and CMMC v1.0

CMMC includes security practices in new Domains including Asset Management, Recovery, and Situation Awareness.

Level 2 requires increased standards for Incident Response

Level 2 requires an organization to review logs

Level 3 requires increased standards for Risk Management

Level 3 requires organizations to collect audit logs in one or more central repositories

Level 3 includes new requirements to protect email services

Level 3 includes new requirements to filter access to potentially malicious internet sites (DNS filtering)

Level 3 builds on Levels 1 and 2, requiring 100% compliance with NIST 800-171 plus 20 new CMMC practices (1 less than the previous draft version)

 

Key Differences between CMMC draft v0.7 and CMMC v1.0

Level 4 SOC is now 24/7 instead of “normal business hours”

Levels 3, 4 + 5 the new practice (P1035) requiring organizations to, “Identify, categorize, and label all CUI data” has been removed from all Levels that originally required it in draft versions. However, the original control to mark media is still there, so if you print or put media on a thumb drive, you need to mark it. But identifying and labeling CUI content is not explicitly stated as it was in all previous drafts.

 

If you have any questions or would like support as you ready your organization for CMMC, contact us.  We also invite you to listen to Eric Noonan, CyberSheath CEO, in a recorded webinar to learn how to start preparing your organization for CMMC by leveraging the steps you have taken to be compliant under DFARS.  Register Now

In this webinar you will learn:

  • Mapping NIST 800-171 to CMMC
  • Levels 1-5: Challenges and complexities to consider at each compliance level
  • Step by step path to attaining CMMC

There is a lot your organization is already doing that you can apply to your preparation for the impending launch of CMMC (Cybersecurity Maturity Model Certification). One important and useful component to consider is a Plan of Action and Milestones  (POA&M or POAM).

Required to achieve compliance with NIST 800-171, a POAM is an extremely useful tool in helping your organization plan for a multitude of security projects, including compliance with standards like CMMC.

How a POAM Helps Realize Project Goals

Providing a structured approach for how to approach any security issue, a POAM delivers many benefits. It:

  • Outlines activities necessary to mitigate security issues.
  • Helps identify the security issue you are having or might have, and the underlying gap in your systems or processes.
  • Assigns resources needed to mitigate issues.
  • Holds your organization accountable with projected completion of milestone activities.
  • Calls out how vulnerabilities were identified.
  • Denotes risk level, labels status, and captures the estimated cost to remediate.

It’s a good idea to be well-versed and able to use a POAM now. Once you factor in the added benefit of helping your organization get ready for proceeding with CMMC compliance, using a POAM just makes sense.

POAM and CMMC Compliance

Preparation  As you ready your organization for tackling CMMC compliance, a POAM will matter more than ever. The plan can be used as a guide to understand what is required of your organization to receive the CMMC level certification your organization needs to bid on a government contract. It will actively manage and guide your project by highlighting the timeframe and resources required to achieve a CMMC level of certification by a specific date.

Maintenance – In the constantly evolving threat and technology landscapes, the tool can also assist in maintaining your certified level. A change to the threat environment could make a security practice no longer, or less, effective. A POAM could be used to reestablish compliance with the security practice if the new threat creates a gap.

Changes to your infrastructure may also create practice or process gaps that require a POAM to remediate. For example, if you are Maturity Level 3 certified at contract bid, which requires you have resources to collect and review your audit logs, and your organization doubles in size during the contract, you could potentially need a POAM to address the resources needed to collect and review audit logs which have now doubled in volume.

Advancement – After you have achieved initial CMMC compliance, a POAM can continue to add value, assisting your organization in leveling up and reaching a new degree of certification (i.e. advancing from CMMC Level 2 to CMMC Level 3). A POAM again becomes a driving force to manage your time around a project completion date as well as the resources required to successfully reach the determined milestones.

Executive Buy-In – As you look for budget and resource approvals to tackle CMMC compliance, a POAM can be a helpful tool in communicating with and getting buy-in from senior management.

Start familiarizing yourself with this valuable tool now by downloading our sample POAM template below.

CMMC Update – Draft Version 0.6

CMMC is being further refined and another update to the standard was recently released (Version 0.7). Draft Version 0.6 includes notable updates such as:
  • Changed from 18 to 17 Domains with the elimination of the Governance domain.
  • Focused more of the Practices on NIST 800-171 Controls.
  • Identified 21 Practices through Practice Level 3 which are not attributed to NIST 800-171 R1. That is, to achieve Practice Level 3, you need to be fully compliant with NIST 800-171 R1 and implement the 21 new CMMC practices.
  • Started referencing international frameworks including those from Australia and the UK.
  • Removed the “redundant” Practices. For example, in Draft Version 0.4 of the standard, Level 1 might have a Practice that is implemented “at least in an ad hoc fashion” and the same control is fully applied in Level 2. These “ad hoc” practices were removed from Level 1.

If you have any questions or would like support as you ready your organization for CMMC, contact us.

 

POAM Template Download

As you are probably aware, there is a new mandatory certification model that will be required to do business with the Department of Defense (DoD). The CMMC (Cybersecurity Maturity Model Certification) builds on best practices established in NIST 800-171 (DFARS), NIST 800-53, ISO 27001, ISO 27032, AIA NAS9933, and others, to create one unified standard for cybersecurity.

CMMC will be a dynamic standard, growing and evolving with the demands of the ever-changing cybersecurity landscape. While the structure of CMMC is set, the details of the new standard are still being vetted, refined, and finalized. The target for launch is early 2020.

How CMMC Compares to NIST 800-171

Similarities

The purpose of both standards is to ensure that DoD contractors employ healthy cybersecurity practices to protect sensitive information. There are several facets of security posture that must be met in order to be in compliance with both standards. Both also require demonstrated compliance to do business with DoD, via self-certification for DFARS and via an audit by certifying organization for CMMC.

Differences

One important distinction touched on above is that CMMC will not allow self-certification. Compliance with the standard will be verified by an outside third-party hired by your company to determine your compliance with the requirements.

The CMMC control framework is (currently) much larger than the 14 control families and 110 controls outlined in NIST 800-171. As of October 31, 2019, CMMC contains 18 domains, 241 practices, and 90 processes at Maturity Level 3.

CMMC Components

The elements of CMMC include:

  • Maturity Levels – These levels range from basic security controls required for level 1 through highly advanced requirements for level 5.
  • Domains – Based on cybersecurity best practices, these are key sets of capabilities for cybersecurity, such as Access Control, Incident Response, Security Assessment, and more.
  • Capabilities – These achievements are the building blocks of each domain, ensuring cybersecurity within each domain.
  • Practices – These are individual cybersecurity activities related to NIST “controls”. They range from Level 1 practices including anti-virus and ad hoc cybersecurity governance to Level 5 practices such as real-time asset tracking and device authentication.
  • Processes – These are documented standards for implementing practices based on the maturity level of your organization.

Below is an example of a cross-reference matrix between NIST and CMMC draft 0.4. It shows some interesting characteristics, such as:

– One NIST Family mapping to multiple CMMC Domains
– One NIST control mapping to multiple CMMC Levels
– One NIST control mapping to multiple CMMC Capabilities
– One NIST control mapping to multiple CMMC Practices
– New CMMC practices not found in the NIST controls

Note, as with most mappings of this kind, they are not always clean, with some aspects of a Control in one framework mapping to elements of a Practice in a different framework.

What You Can Do Now

CMMC specifically calls out the requirement for documentation for all domains in order to achieve compliance. Note that this condition was never explicitly requested in NIST 800-171; rather it is noted in the DFARS appendix that it was assumed you had the appropriate documentation.

While CMMC is continuing to evolve, you can ready your organization to meet the requirements of the new standard. Achieving CMMC compliance will not be a quick endeavor as you will need to define and record your real working processes.

Start now by cataloging your processes and building out the documentation that is called out in NIST as this will surely aid your CMMC compliance activities.

CMMC Maturity Levels 2, 3, 4, and 5 will require Policy, Process, and Plan documents. According to NIST, here are the plans you should have in place:

  • Business Continuity Plans
  • Contingency Plans
  • Continuity of Operations Plans
  • Critical Infrastructure Plans
  • Crisis Communications Plan
  • Disaster Recovery Plans
  • Incident Response Plan
  • Incident Response Testing Plan
  • Occupant Emergency Plan
  • Physical/Environmental Protection Plan
  • Plan of Action
  • Security Assessment Plan
  • Security Plan
  • System Security Plan

And here are the policies and procedure you should have as well:

  • Access Control
  • Audit and Accountability
  • Configuration Management
  • Configuration Planning
  • Incident Response
  • Identification and Authentication
  • Information Flow Control
  • Information Flow Enforcement
  • Information System Maintenance
  • Media Protection
  • Media Sanitation and Disposal
  • Mobile Code Implementation
  • Password
  • Personnel Security
  • Physical and Environmental Protection
  • Portable Media
  • Risk Assessment
  • Security Assessment and Authorization
  • Security Awareness and Training
  • Security Planning
  • Separation of Duties
  • System and Information Integrity
  • System and Services Acquisition
  • System and Communication Protection
  • System Use

Prepare yourself by understanding the latest CMMC updates and, more importantly, how your business should respond to achieve documented, audit-proof evidence of compliance. Listen to Eric Noonan, CyberSheath CEO, in this recorded webinar as he explains how to cut through the noise and jump-start your DFARS compliance efforts.  No matter where you are in your journey towards NIST 800-171 compliance this webinar is guaranteed to better equip you in understanding, implementing, and maintaining compliance!

Register Now to gain your access to the webinar. If you have any questions or would like support as you ready your organization for CMMC, contact us.

Your assessment is behind you. You have been working to create a System Security Plan (SSP) detailing a Plan of Action & Milestones (POA&Ms) based on your assessment findings.  Your goal, to remediate gaps discovered to ensure NIST 800-171 compliance with full implementation of all 110 security requirements.

Think of your SSP and POA&Ms as the required foundation and roadmap to get you to compliance. With over 110 security requirements in NIST 800-171, you need this layer of groundwork and direction to effectively tackle what is likely the most significant aspect of NIST 800-171 compliance, remediation or full implementation. So, where to start when working toward implementation?

 

3 Things to Consider Before Diving into Your NIST 800-171 Implementation:

 

1. Project Management

The SSP and POA&Ms outline the plan and timeline, but who is responsible for owning the outcome? A dedicated resource whose primary focus is ensuring the implementation of the plan is the best way to guarantee success. Implementing outstanding NIST 800-171 requirements is a large project but a project, nonetheless. By assigning a project manager, you have a clear leader to accept accountability, coach, and motivate your team. Also, they will ensure the right processes, resources, and tools are available to keep the project on schedule and within budget.

 

2. Staff Augmentation

NIST 800-171 has been a contractual obligation since December 2017, maybe you’re new to the DoD acquisition process or have been contracting with the DoD for some time. If you are the latter, there is a good chance one reason you are not compliant today is due to a lack of resources. As we all know, NIST 800-171 is in addition to your day job, so making it a priority is challenging. If you are already struggling to keep up with your day job due to constrained resources, then NIST compliance may not seem possible. If hiring a long-term employee is not an option contracting a third-party to partner with during the NIST 800-171 compliance project can help alleviate the stress of limited or already overworked staff.

 

3. Experience

Maybe you have the resources but lack the expertise.  Missing the experience, specifically, with NIST 800-171, within your team, can reduce efficiency ultimately increasing the cost.  The difference between how you handle the implementation for a tier 1 level Prime versus a small 1 to 10-person Subcontractor are significantly dissimilar, yet the same requirements apply.

We are often asked questions like, “Does CyberSheath have a list of tools for a business our size?” ” Does CyberSheath have experience implementing the NIST 800-171 controls for similar-sized businesses?”

Questions like this rely on our 10+ years of experience and 100+ successful NIST 800-171 implementations. Experience allows for decisions to be made in a manner that enables compliance as a documented, automated outcome of day-to-day operations. Hiring a third-party that has demonstrated NIST knowledge will allow your team to learn and grow through the lessons learned and best practices formed by other’s past experiences. More importantly, enable your organization to continue the work of maintaining compliance after the greater effort is complete.

 

Start Your NIST 800-171 Implementation Today

Overall, all three areas of consideration can be handled internally within your organization. The first step being your assessment to discover gaps.  Second, putting the SSP and POA&Ms in place to address those gaps. Lastly, creating a team dedicated to ensuring all 110 security requirements are implemented. However, partnering with a third-party organization will help ease the pains of growing an internal staff or burdening a current resource to manage the project. If partnering with a third-party interest you, check out our NIST Managed Services.  CyberSheath’s Managed Services are specifically designed to address the hurdles you will need to overcome during your implementation of the NIST requirements.  Learn More

 

Business photo created by pressfoto – www.freepik.com

Cybersecurity requirements for Department of Defense (DoD) contractors continue to evolve. However, NIST 800-171 compliance is as much required by law today as it was on the December 2017 deadline. In fact, with the introduction of the Cybersecurity Maturity Model Certification (CMMC) we are fast approaching a major change in how government contracts are bid. Recently, Katie Arrington, Chief Information Security Officer for the Assistant Defense Secretary for Acquisition, spoke at the Billington CyberSecurity Summit where it was noted,  “the new Cybersecurity Maturity Model Certification framework, or CMMC, is out in draft form for public comment. It would start appearing as a requirement in pre-solicitation acquisition documents like RFIs in June. ‘In the fall, we will start putting it into [actual bid solicitation documents like] RFPs,’ Arrington said.”  

With the proposed CMMC requirements contractors will be required to demonstrate compliance as referenced in section L and M of a government Request for Proposal (RFP). Demonstration of compliance will require a third-party certification as self-certification will no longer be allowed. This update is critical, noncompliance with a requirement in section L and M means you are not qualified to bid a proposal. The risk of not meeting compliance with NIST 800-171 pre-RFP will mean the loss of existing and potential work with the DoD.  

Prepare yourself by understanding the latest updates and, more importantly, how your business should respond to achieve documented, audit-proof evidence of compliance. Listen to Eric Noonan, CyberSheath CEO, in this recorded webinar as he explains how to cut through the noise and jump-start your DFARS compliance efforts.

 In this webinar you will learn:

  • What’s New: Cybersecurity Maturity Model Certification (CMMC), NIST 800-171 Revision 2, and NIST 800-171B
  • What’s Not: Understanding DFARS Clause 252.204-7012 and NIST 800-171
  • What To Do Now and Why: How to stay competitive in the DoD acquisition process and comply with DFARS Clause 252.204-7012 and NIST 800-171

No matter where you are in your journey towards NIST 800-171 compliance this webinar is guaranteed to better equip you in understanding, implementing, and maintaining compliance!

Register Now to gain your access to the webinar.

Have contractors implemented the NIST 800-171 controls? DoD Inspector General (IG) audit suggests not, recommends third-party audits. Are you ready?

A recent audit conducted in response to a request from the Secretary of Defense determined that DoD contractors did not consistently implement DoD‑mandated system security controls for safeguarding Defense information. Specifically, Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 requires contractors that maintain Controlled Unclassified Information (CUI) to implement security controls specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which lists security requirements for safeguarding sensitive information on non-Federal information systems. The requirements include controls for user authentication, user access, media protection, incident response, vulnerability management, and confidentiality of information.

DoD IG Report Findings

The findings across the DoD contractors audited included deficiencies related to:

  • Multifactor authentication;
  • Enforcing the use of strong passwords;
  • Identifying network and system vulnerabilities;
  • Mitigating network and system vulnerabilities;
  • Protecting CUI stored on removable media;
  • Overseeing network and boundary protection services provided by a third-party company;
  • Documenting and tracking cybersecurity incidents;
  • Configuring user accounts to lock automatically after extended periods and unsuccessful login attempts;
  • Implementing physical security controls;
  • Creating and reviewing system activity reports, and granting system access based on the user’s assigned duties.

The audit also found that while DoD requires contractors to protect CUI by complying with NIST 800-171 requirements, DoD contracting offices did not establish processes to:

  • Verify that contractors’ networks and systems met National Institute of Standards and Technology security requirements before contract award;
  • Notify contractors of the specific CUI category related to the contract requirements;
  • Determine whether contractors’ access, maintain, or develop CUI to meet contractual requirements;
  • Mark documents that contained CUI and notify contractors when CUI was exchanged between DoD agencies and the contractor; and
  • Verify that contractors implemented minimum security controls for protecting CUI.

The effect of these findings is that DoD does not know the amount of DoD information managed by contractors and cannot determine whether contractors are protecting unclassified DoD information from unauthorized disclosure.

The results of the audit probably don’t surprise the DoD or its many contractors but the recommendations in the DoD IG report, combined with the proposed Cybersecurity Model Certification (CMMC), should have contractors making plans to immediately implement the NIST 800-171 security requirements. All signs point to a game-changing, pre-RFP validation of compliance making cybersecurity a “go/no-go” factor for DoD contract awards.

DoD IG Report Recommendations

Recommendations out of the DoD IG report included:

  • Revise its current policy related to assessing a contractor’s ability to protect DoD information to require DoD Component contracting offices, as part of the Request for Proposal and source selection processes, and requiring activities, during the contract performance, to validate, at least annually, that contractors comply with security requirements for protecting CUI before contract award and throughout the contract’s period of performance.
  • Develop and implement a policy requiring DoD Component contracting offices and requiring activities to maintain an accurate accounting of contractors that access, maintain, or develop controlled unclassified information as part of their contractual obligations.
  • Revise its current policy to include language that would require DoD Component contracting offices to validate contractor compliance with minimum security requirements. We also recommend that the DoD Component contracting offices, in coordination with requiring activities, implement a plan to verify that the internal control weaknesses for the contractors discussed in this report are addressed.

All these recommendations are in alignment with the proposed CMMC efforts led by Katie Arrington, and DoD contractors who have delayed NIST 800-171 implementation should take notice and act now. Mandatory third-party validation of security requirements is coming in 2020 and failing to act will likely result in exclusion from contracting with the DoD. Both the recommendations from the DoD IG audit and CMMC are proposing third-party validation of control implementation as part of the Request for Proposal and source selection processes – self-certification and implementation after you win the work are going away. Contractors will need to demonstrate compliance before responding to an RFP and that means taking the necessary steps now before these inevitable changes are implemented in 2020.

Prepare for CMMC and NIST 800-171 Third-Party Verification

CMMC proposes that all companies conducting business with the DoD must be certified. The level of certification required depends upon the Controlled Unclassified Information (CUI) a company handles or processes and the intent of CMMC is to combine various cybersecurity control standards such as NIST SP 800-171 into one unified standard for cybersecurity. Given NIST 800-171 security requirements are at the core of CMMC, and NIST 800-171 implementation has been mandated for nearly two years now, that’s where DoD contractors should focus their efforts. Under CMMC the DoD is building on and strengthening, not abandoning NIST 800-171. Implementing the NIST 800-171 security requirements now is the best way to prepare for CMMC and meet your existing contractual requirements around DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting and NIST 800-171.

Implementing the NIST 800-171 requirements includes writing a System Security Plan (SSP) and with 110 security requirements, you can expect to be out of compliance with some number of those individual requirements. For requirements not yet implemented you will need to also document Plans of Action & Milestones (POA&Ms). The heavy lifting is in implementing the security requirements as you prepare for CMMC and controls like Multi-Factor Authentication and Incident Response which require time to fully implement. With 2020 less than six months away implementing all 110 security requirements will be a challenge and DoD contractors, subcontractors and vendors taking a wait and see approach to CMMC are ignoring the last decade of clear warning signs that security has become the foundation of acquisition. The DoD IG audit and recommendations are simply the most recent in a flurry of activity that should have contractors taking immediate action to comply.

5 Steps to CMMC Preparation

Download our 5 Step Guide to CMMC Preparation to plan and enable certification as a documented, automated outcome of day-to-day operations. This easy to follow guide presents a plan to prepare for CMMC in a way that fits your business and budget. Third-party certification is coming in 2020, get the compliance and control implementation expertise you need to stay competitive!

5 Steps to CMMC Preparation

NIST 800-171 Revision 2 and 800-171B drafts were released for comment last week, and as expected there have been no major changes proposed to the controls in NIST 800-171 Revision 2. For DoD contractors waiting to implement the required security requirements of NIST 800-171 Revision 1 pending the latest updates, the proposed updates won’t buy you any time. The fact is enforcement is underway and compliance with DoD cybersecurity requirements is a go/no go decision if you are serious about being eligible to do business with the DoD.

The 800-171B draft enhanced security controls are in addition to 800-171 controls, in cases where the information held by the contractor is determined to be a high-value target. The enhanced requirements are to be applied to nonfederal systems and organizations processing, storing, or transmitting controlled unclassified information (CUI), when such information is contained in a critical program or designated high-value asset. The enhanced security requirements of the 800-171B draft were designed to address advanced persistent threats (APTs) and are mapped to the security controls in NIST 800-53. The implied maturity level required and associated costs with implementing the 800-171B draft enhanced security controls is significant.

The enhanced security requirements include three, mutually supportive and reinforcing components:

(1) penetration resistant architecture;

(2) damage limiting operations; and

(3) designing for cyber resiliency and survivability.

The Path Forward for DoD Contractors

With a tremendous amount of activity related to The Cybersecurity Maturity Model Certification (CMMC), DCMA audits of NIST 800-171 compliance, False Claims Act litigation, and the 800-171 revisions and supplements, the path forward for DoD contractors is clear:

Fund and execute compliance with NIST 800-171 now. Despite all of the proposed changes, the fact remains that the DFARS 252.204-7012 clause in ANY of your contracts requires the implementation of NIST 800-171. That is your contractual requirement and all changes proposed so far rely on NIST 800-171 as a foundation of compliance.

There has been a level of paralysis by analysis across industry caused by the questions of cost reimbursement, proposed changes and uneven auditing of compliance. This is the kind of noise that has caused many DoD contractors across the supply chain to delay their DFARS compliance efforts but that high-risk approach invites legal and competitive pain that should be avoided. While there are many changes to be aware of CyberSheath advises focusing on what you are required to do today as the best approach to current and future compliance requirements. Nothing that has been proposed eliminates the requirement to implement NIST 800-171.

Compliance with the DFARS and NIST 800-171 requirements involves much more than writing a System Security Plan (SSP) and vendors selling you a tool to get compliant are misleading you. There are 110 security requirements in NIST 800-171 and you have to actually implement them, there isn’t a single product to solve this problem.

5 Steps To DFARS Compliance

Download our 5 Steps to DFARS Compliance Guide to plan and enable compliance as a documented, automated outcome of day-to-day operations. This easy to follow guide presents a plan you can follow to achieve compliance in a way that fits your business and budget. DoD contractors, subcontractors and vendors taking a wait and see approach before achieving compliance are ignoring the last decade of clear warning signs that security has become the foundation of acquisition. Act now!

5 Steps to DFARS Compliance

 

The recently announced Cybersecurity Maturity Model Certification (CMMC) scheduled for completion by January 2020 has many DoD contractors scrambling to anticipate how to prepare (learn more about the CMMC announcement here). While there are many unknowns regarding what the CMMC will ultimately look like, DoD contractors should focus on what is already known and currently mandatory with DFARS 252.204-7012, which requires the implementation of NIST 800-171. Stop trying to read the tea leaves and doing the bare minimum by writing System Security Plans (SSP’s) and start implementing the 110 security requirements of NIST 800-171. Demonstrable action, that is NIST 800-171 control implementation, is the best way to prepare for the CMMC.

Katie Arrington, the special assistant to the Assistant Secretary of Defense for Acquisition for Cyber in the Office of the Under Secretary of Acquisition and Sustainment in DoD, recently said that only 1% of the Defense Industrial Base has implemented the required controls.  “If we were doing all the necessary security controls, we wouldn’t be getting exfiltrated to the level that we are. We need to level set because a good portion of our defense industrial base doesn’t have robust cyber hygiene. Only 1% of [Defense Industrial Base] companies have implemented all 110 controls from the National Institute of Standards and Technology. We need to get to scale where the vast majority of DIB partners can defend themselves from nation state attacks.”

Why are Contractors Delaying NIST 800-171 Implementation?

Across hundreds of NIST 800-171 implementations, CyberSheath has found the most common reason for delay by DoD contractors has come down to, “Who is going to pay for this?”

Arrington clearly spoke to that concern last week at an event sponsored by the Professional Services Council in Arlington, Virginia, saying “I need you all now to get out your pens and you better write this down and tell your teams: Hear it from Katie Arrington, who got permission to say it from Mr. [Kevin] Fahey [the assistant secretary of Defense for Acquisition in the Office of the Under Secretary of Acquisition and Sustainment] security is an allowable cost. Amen, right?”

After more than a decade of policy, law, memorandums and continued momentum towards enforcement businesses who continue to delay actual implementation of the 110 security requirements will be in a far worse position come January 2020 when the CMMC rolls out. Don’t wait, implement the NIST 800-171 security requirements in a way that is actionable, measurable and audit ready.

Beyond Your SSP’s and POA&Ms

Compliance with the DFARS and NIST requirements involves much more than writing a SSP’s and vendors selling you a tool to get compliant are misleading you. There are 110 security requirements in NIST 800-171 and you have to actually implement them, there isn’t a single product to solve this problem. Implementing security requirements like multifactor authentication, incident response, encryption and more require thoughtful decisions leveraging what you already own. For the gaps identified in your existing people, processes, and technologies a product purchase, if required, needs to be part of the larger plan to achieve compliance. Too often businesses are over-sold on silver bullet product purchases that aren’t thoughtfully integrated into a system of documented and repeatable control implementation.

5 Steps to DFARS Compliance

To enable compliance as a documented, automated outcome of day-to-day operations download our 5 Steps to DFARS Compliance Guide. This easy to follow guide presents a plan you can follow to achieve compliance in a way that fits your business and budget. Act now to move from thinking about implementation to taking action towards full compliance.

 

 

The window of opportunity for achieving compliance with DFARS 252.204-7012, which requires the implementation of NIST 800-171 across the DoD supply chain, continues to get smaller as the ability to self-certify is set to expire.

CyberSheath attended the Professional Service Council’s 2019 Federal Acquisition Conference where Special Assistant to DoD’s Assistant Secretary of Defense Acquisition for Cyber Katie Arrington stated clearly that “…cost, schedule, and performance cannot be traded for security.” Security is the foundation of defense acquisition.

Much has been written about The Defense Department (DoD) Office of the Under Secretary Acquisition of Sustainment creation of a new certification model to enforce compliance, but the fact is compliance is already required. So, while it is important to understand where the DoD is headed in enforcing compliance, it’s more important to stop delaying and act now. The DoD has been working with industry for more than a decade to address the cybersecurity problem across the supply chain and contractors who continue to self-certify with Plans of Action & Milestones (POA&Ms) that never actually get implemented will be frozen out of acquisition as DoD makes cybersecurity a “go/no-go” part of procurement.

Cybersecurity Maturity Model Certification (CMMC) and the New Certification

The Cybersecurity Maturity Model Certification (CMMC) and the new certification will have required CMMC levels once the certification is released, with levels ranging between one and five –from basic cyber hygiene requirements through “state-of-the-art” cybersecurity capabilities.

Arrington is moving quickly to complete the CMMC by January 2020, and contractors can expect to start seeing the certification in contract requests for information by June 2020.

Within CMMC, a third-party cybersecurity certifier will also conduct audits, collect metrics, and information risk mitigation for the entire supply chain.

“With 70 percent of my data living in your environment, I’m home, so we need to work together to secure it,” Arrington said. “Who is the government? You are when you’re the taxpayer. That’s your money. That’s your data that you have paid for that our adversaries are taking and using it against us. We should be infuriated as a nation about our data. With $600 billion a year being expelled by our adversaries; this room should be irate.”

All of these developments, coupled with the May 8, 2019, California court Civil False Claims Act decision as the first reported FCA decision involving allegations of non-compliance with DFARS 252.204-7012 should spur action towards immediate compliance. Checklist compliance and continued delays of actual control implementation will absolutely cost you more in the long run so get started now, make a plan and execute.

5 Steps To DFARS Compliance

Compliance with the DFARS and NIST requirements involves much more than writing a System Security Plan (SSP) and vendors selling you a tool to get compliant are misleading you. There are 110 security requirements in NIST 800-171 and you have to actually implement them, there isn’t a single product to solve this problem.

Download our 5 Steps to DFARS Compliance Guide to plan and enable compliance as a documented, automated outcome of day-to-day operations. This easy to follow guide presents a plan you can follow to achieve compliance in a way that fits your business and budget. DoD contractors, subcontractors and vendors taking a wait and see approach before achieving compliance are ignoring the last decade of clear warning signs that security has become the foundation of acquisition. Act now!

 

With the Department of Defense (DoD) promising the release of an update to NIST Special Publication 800-171, it is imperative defense contractors understand what DFARS 252.204-7012 and NIST SP 800-171 Clause is and how noncompliance with the Clause will impact their business.  Compliance is mandatory for contractors doing business with the DoD and the incentives to act now are many and include:

  • Compliance was mandatory as of December 2017; regardless of when you found out about the requirement, it’s been on the books for several years now
  • Noncompliance penalties for failure to meet the requirements can lead to criminal, civil, administrative, or contract penalties that include:
    • Breach of Contract Damages
    • False Claims Act Damages
    • Liquidated Damages
    • Termination for Default
    • Termination for Convenience
    • Poor Past Performance
    • Suspension/Debarment

Ultimately the DoD has been preparing the contractor community for more than a decade and with audits underway there is little doubt that cybersecurity compliance is becoming a competitive discriminator.

Read more about DoD audits of cybersecurity compliance here.

Understanding DFARS 252.204-7012 and NIST SP 800-171

The Defense Federal Acquisition Regulation Supplement, or DFARS, has been working to encourage DoD contractors to proactively comply with certain frameworks in order to achieve this goal. Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is the latest mandatory addition.

Under the Clause, all contractors must comply with the National Institute of Standards and Technology’s Special Publication 800-171 (NIST SP 800-171), a framework that lays out how contractors must protect sensitive defense information and report cybersecurity incidents.

The NIST framework requires you, as a defense contractor, to document how you have met the following requirements in particular:

  • Security requirement 3.12.4 requires the contractor to develop, document, and periodically update System Security Plans (SSPs) that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
  • Security Requirement 3.12.2 requires the contractor to develop and implement Plans of Action designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems.

Read more about implementing SSPs and POAs.

Under the Clause, DoD contractors are obliged to submit evidence of their compliance with NIST SP 800-171 to the U.S. Government. However, the Clause goes beyond NIST compliance and sets out additional rules for the protection of Covered Defense Information (CDI).

Supply Chain Management

DFARS Clause 252.204-7012 aims to encourage you, as a contractor, to take a proactive role in the protection of CDI. Not only are you required to demonstrate compliance within your own business, but in order to strengthen the entire supply chain, you must take steps to ensure that your subcontractors comply, too.

It is the responsibility of your subcontractors to inform you if their practices deviate in any way from the DFARS and NIST 800-171 guidelines, and it is your responsibility to demonstrate that an equally secure alternative practice is in place before you share CDI with that subcontractor.

Reporting Cybersecurity Incidents

A cybersecurity incident is defined as a breach of security protocols that negatively impacts, compromises, or endangers CDI held on your systems or networks, or those of your subcontractors.

In the event of a cybersecurity incident, your responsibility under DFARS Clause 252.204-7012 is to report the incident to the DoD within 72 hours. You must present the affected data and all related data covering the 90 days prior to the date of the report, along with any infected software. You must also conduct a thorough systems review and identify ways in which you will prevent future breaches.

If a subcontractor experiences a cybersecurity incident, they must report it to you, or to the next highest tier of subcontractor, and present the evidence as required. As the prime contractor, you’re then required to report the incident to the DoD and submit the evidence, as detailed above.

Cloud Service Provision

If you offer your own cloud services as part of your DoD contract, then DFARS states that you must enact the safeguards set forth in the Cloud Computing Security Requirements Guide (SRG), unless waived by the Chief Information Officer of the DoD. If you use a third-party cloud service, then you’re required to ensure that your cloud service provider follows the security provisions therein.

Not DFARS Compliant?

A quick look at documents like the above and it’s clear to see why some contractors are still struggling with compliance long after the December 31st, 2017 deadline has passed. Bringing your business in line with these extensive regulations is required and the stakes are so high.

Download our 5 Steps to DFARS Compliance Guide to avoid penalties and make compliance a documented, automated outcome of day-to-day operations. This easy to follow guide presents a plan you can follow to achieve compliance in a way that fits your business and budget.

5 Steps to DFARS Compliance

 

The management of organizational risk is a key element in any organization’s information security program, particularly those like Department of Defense (DoD) contractors that process highly sensitive, critical data.

With this in mind, the National Institute of Standards and Technology (NIST) has developed the Risk Management Framework (RMF), a set of processes for federal bodies to integrate information security and risk management into their systems development life cycles.

The Six Steps of the Risk Management Framework (RMF)

The RMF consists of six steps to help an organization select the appropriate security controls to protect against resource, asset, and operational risk. They are:

Step 1: Categorize the system and the information that is processed, stored and transmitted by the system.

Step 2: Select an initial set of baseline security controls for the system based on the categorization, tailoring and supplementing as needed.

Step 3: Implement the security controls and document how they are deployed.

Step 4: Assess the security controls to determine the extent to which they are meeting the security requirements for the system.

Step 5: Authorize system operation based upon a determination that the level of risk is acceptable.

Step 6: Monitor and assess selected security controls in the system on an ongoing basis and reporting the security state of the system to appropriate organizational officials.

Who Needs to Implement the RMF and Why?

Industries with critical or highly sensitive data needs are increasingly adopting the RMF in an effort to cope with growing risk and comply with their strict legislation— think defense (DFARS), healthcare (HIPAA), and retail/payment (PCI).

However, it’s our professional opinion that every organization that handles sensitive data can benefit from adopting the RMF. Why?

First, the RMF functions as a very effective security planning tool that gives you a comprehensive picture of your organizational risk. This helps to inform a solid risk management strategy and focus your attention on the areas that matter most to your organizational security.

Second, the RMF is not specific to any one agency or body, which gives it the flexibility to be adopted and applied by organizations of all shapes, sizes, and industries — including yours.

Finally, the RMF is seen as the gold standard on which many risk management approaches are modeled. For that reason, it wouldn’t be surprising to see it mandated in some form in the near future, particularly for high-risk industries, but possibly across the board.

This happened recently with the EU’s General Data Protection Regulation (GDPR), which mandated that any and every company handling sensitive data comply with the regulations, regardless of industry.

By adopting RMF in your own organization, you’ll be automatically compliant if and when any similar legislation comes into force on our own shores, while your competitors will likely be scrambling to catch up.

RMF and Defense Contractors

Contractors of the DoD have a set of legal obligations under the Defense Federal Acquisition Regulation Supplement, or DFARS. This legislation requires such contractors to demonstrate proactive compliance with, among other frameworks, the NIST Special Publication 800-171 (NIST 800-171), which lays out how they must protect sensitive defense information and report cybersecurity incidents.

So, if a contractor is already DFARS-compliant, and they’re already implementing the security controls set out in NIST 800-171, why do they need to adopt the RMF too? (Not DFARS Compliant? Download our 5 Steps to DFARS Compliance Guide to avoid penalties and make compliance a documented, automated outcome of day-to-day operation.)

In working with our defense clients on securing their acquisitions processes, we’ve consistently observed the need for security controls above and beyond what NIST 800-171 requires. That’s exactly what the RMF provides, paying attention to areas such as resilience enhancements and tailoring requirements.

It’s our opinion, then, that the RMF can help defense contractors to plan risk-based security control implementation in a much more broad, holistic manner than DFARS and NIST 800-171 compliance alone.

Limitations of RMF

Because it’s a framework, the NIST RMF doesn’t tell you how to achieve the recommended steps. That means that for small and medium organizations without significant information security experience, or the resources to obtain it, implementing the framework can be a challenge.

That’s Where CyberSheath Comes In

Our cybersecurity experts can help you to minimize your organizational risk with comprehensive risk management planning, including the implementation of the NIST Risk Management Framework. Contact us now to find out how we can help protect your organization.

In a previous blog post we detailed how the November 6th, 2018, DoD’s Acting Principal Director for Defense Pricing and Contracting (DPC) memorandum titled, “Guidance for Assessing Compliance and Enhancing Protections Required by DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting” was expected to be transformative in the enforcement of compliance throughout the acquisition process.

As a follow up to the November guidance; DoD has issued two additional guidance memoranda in the last 60 days further solidifying the DoD intent to enforce compliance. Contractors should be actively be addressing NIST 800-171 compliance.

Let’s See Your System Security Plans (SSP) Plans of Action and Milestones (POA&M)

On December 17, 2018, Kevin Fahey (Assistant Secretary of Defense for Acquisition) issued a memorandum, which provides contractual language addressing (i) access to and delivery of contractors’ and subcontractors’ SSPs (or extracts thereof), (ii) access to and delivery of a contractor’s plan to track flow down of CDI to subcontractors and restriction on unnecessary sharing/flow down of CDI and (iii) the requirement for a prime contractor to flow down (ii) and (iii) to its first-tier subcontractors.

The Fahey memo details requirements that were not clearly reflected in DFARS 252.204-7012.

The creation of SSPs and POA&M documents was included with NIST SP 800-171 and the November 6th guidance further clarified that DoD would require delivery of the Prime’s SSPs and POA&Ms to the government. Additionally, Prime contractors must ensure government access to the SSP and POA&Ms of its first- and second-tier subcontractors, vendors, and suppliers.

Contractors will need to ensure that their processes for subcontractors, vendors, and suppliers meet this requirement.

Auditing of DFARS Compliance

On January 21, 2019, Ellen Lord (Under Secretary of Defense for Acquisition and Sustainment) issued a second memorandum focused on assessing contractor compliance with the DFARS cyber clause via audits. The DCMA audits focus on contractor oversight of its first-tier subcontractors which can include first-tier subcontractors, vendors, and other suppliers.

The DCMA audits focus on contractor oversight for first-tier subcontractors and include:

  • Review Contractor procedures to ensure contractual DoD requirements for marking and distribution statements on DoD CUI flow down appropriately to their Tier 1 Level Suppliers.
  • Review Contractor procedures to assess compliance of their Tier 1 Level Suppliers with DFARS Clause 252.204-7012 and NIST SP 800-171.

While there is no specific requirement in the DFARS cyber clause for documented procedures to flow down CDI to first-tier subcontractors or any specific requirement to assess compliance of first-tier subcontractors with the DFARS cyber clause, it is expected these requirements will be mandated with the new contractual language in the December 17 Fahey memorandum.

Additionally, in May 2018 Defense Security Service (DSS) was directed to execute an operational plan for oversight of Controlled Unclassified Information (CUI) protection through collaboration with industry partners across the Defense Industrial Base (DIB).

Product Purchases Won’t Get You There

The disconnect between achieving compliance and the offerings that many product vendors are marketing is increasing both complexity and confusion. There isn’t a product in existence that addresses all 110 NIST 800-171 security requirements and many of the requirements can often be met with existing solutions contractors already own. Software that simply assesses your current compliance isn’t automated, despite claims, and does nothing to actually implement the required controls.

There are features or capabilities of products that can be mapped to the 110 NIST 800-171 security requirements but the first action in getting compliant doesn’t start with buying another product. Part of a comprehensive gap assessment will include detailing what you already own that can be configured, deployed or otherwise implemented to satisfy the control requirements.

Getting Compliant and Staying Compliant

Updated guidance, overlapping audits, and general confusion can make DFARS compliance difficult and expensive, but it doesn’t have to be. Cybersheath has enabled hundreds of contractors to achieve compliance and stay competitive in the DoD acquisition process and we guarantee success.

To learn more start here and Download our 5 Step Process To Comply With NIST 800-171. It’s free and if you have the right team and resources available you can do it all yourself.

Get expert assistance, before you are audited and achieve compliance in a way that fits your budget and mission, contact CyberSheath for a no-obligation scoping call to learn how to stay ahead of an audit and comply now!

DoD contractors, subcontractors and vendors taking a wait and see approach before achieving compliance are mistaken, the time is now!

On November 6th, 2018, DoD’s Acting Principal Director for Defense Pricing and Contracting (DPC) issued a memorandum titled, “Guidance for Assessing Compliance and Enhancing Protections Required by DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting” that is expected to be transformative in the enforcement of compliance throughout the acquisition process.

While the implementation of DFARS and NIT 800-171 requirements have been mandatory since December 2017, many Department of Defense (DoD) contractors haven’t yet felt the sting of an audit and efforts were largely contained to completing checklists from government contracting officers or Primes. The DoD telegraphed a transition to enforcement and the impacts of non-compliance with guidance made available to the public for comment in Federal Register, Volume 83 Issue 79 (Tuesday, April 24, 2018). All comments were considered and integrated, when appropriate, into the final documents and as expected 2019 will be a game changer for non-compliant Prime and subcontractors.

The November 6th, 2018 memorandum references two new guidance documents providing for enforcement of DFARS 252.204-7012 & NIST 800-171 across the entire supply chain:

“DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented”

“Guidance for Assessing Compliance of and Enhancing Protections for a Contractor’s Internal Unclassified Information System”

This new set of guidance empowers acquisition officers to enforce compliance throughout the entire acquisition lifecycle, both before and after contract award. Changes include:

  • A standard for the data content and format to be used in NIST SP 800-171 System Security Plans
  • Adding cybersecurity measures in addition to those found in NIST SP 800-171
  • Creating an “Acceptable” (Go/No Go threshold) rating, which can require “must-have” NIST 800-171 requirements to be in place before an award can be made
  • Incorporates 800-171 compliance as a technical evaluation factor, which often becomes part of the weighted score for contract awards
  • Conducting on-site assessments, using NIST SP 800-171A: Assessing Security Requirements for Controlled Unclassified Information
  • Requiring a contractor to complete a new form titled: ‘Contractor’s Record of Tier 1 Level Suppliers Receiving/Developing Covered Defense Information
  • Requesting a contractor’s plan to track flow down of Covered Defense Information
  • Requesting a contractor’s plan to assess the compliance of their own suppliers

With the ability to request a contractor’s plan to track flow down of Covered Defense Information (CDI) and request the contractor’s plan to assess the compliance of their own suppliers, Prime contractors are expected to document and demonstrate enforcement of their own supply chain’s compliance.

In 2019 Prime and Subcontractors can expect to be audited against actual implementation the DFARS 252.204-7012 & NIST 800-171 security requirements. For those taking a wait and see approach to the impact of your ability to do business with the DoD without implementing NIST 800-171; you just got your answer, 2019 will be a year of reckoning for non-compliant Prime and subcontractors.

If you have delayed documenting your SSP, POA&Ms or actually implementing the NIST 800-171 requirements, CyberSheath can lead your efforts to achieve compliance by conducting a gap assessment of your compliance with NIST 800-171, writing the required System Security Plan (SSP) and leading your implementation efforts. Contact Us today to get started!

As a subcontractor on a Department of Defense contract, you have likely had flow down requirements from your primes related to DFARS clause 252.204-7012, commonly referred to as NIST 800-171. Many subcontractors, as they scramble to secure their infrastructure to be in compliance before the December 2017 DFARS deadline, are also asking, “When should DFARS clause 252.204-7012 flow down to our subcontractors?”

To help you answer that question, here are some basics related to DFARS clause 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting (effective October 21, 2016) and NIST 800-171.

The Basics of DFARS Clause 252.204-7012

This clause is required in all contracts except for those contracts solely for the acquisition of COTS items. It requires contractors and subcontractors to:

  1. Safeguard covered defense information (CDI) that is resident on or transiting through a contractor’s internal information system or network.
  2. Report cyber incidents that affect covered defense information or that impact the contractor’s ability to perform requirements designated as operationally critical support.
  3. Submit malicious software discovered and isolated in connection with a reported cyber incident to the DoD Cyber Crime Center.
  4. If requested, submit media and additional information for damage assessment.

What is Covered Defense Information (CDI)?

This term is used to identify information that requires protection under DFARS Clause 252.204-7012. Covered defense information is unclassified controlled technical information (CTI) or other information as described in the controlled unclassified information (CUI) Registry that requires safeguarding or dissemination controls*, and is either:

  • Marked or otherwise identified in the contract, task order, or delivery order and provided to contractor by or on behalf of DoD, in support of the performance of the contract or
  • Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor, in support of the performance of the contract.

* Pursuant to and consistent with law, regulations, and Government-wide policies

Does DFARS clause 252.204-7012 flow down to subcontractors?

The clause impacts subcontractors when performance will involve operationally critical support or CDI. You should determine in consultation with your contracting officer if necessary, if the information required for subcontractor performance is or retains its identify as CDI, and requires safeguarding or dissemination controls. Flowdown is to be enforced by the prime contractor. If a subcontractor does not agree to comply with the clause, CDI should not be on that subcontractor’s information system.

What does DFARS Clause 252.204-7012 require?

Simply stated, this DFARS clause mandates adequate security. The contractor shall provide sufficient security on all covered contractor information systems. To provide satisfactory security for covered contractor information systems that are not part of an IT service or system operated on behalf of the Government, at a minimum, the contractor must implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017.

What is NIST SP 800-171?

This standard:

  • Enables contractors to comply using systems and practices likely already in place.
  • Significantly reduces unnecessary specificity, as requirements are performance-baseda, and more easily applied to existing systems.
  • Provides standardized, uniform set of requirements for all CUI security needs.
  • Allows non-federal organizations to consistently implement safeguards for the protection of CUI (i.e., one CUI solution for all customers).
  • Allows contractors to implement alternative, but equally effective, security measures to satisfy CUI security requirements.

If you are struggling with interpreting these requirements or need help implementing the security controls? CyberSheath can help you determine a path forward for achieving compliance by conducting a gap assessment of your compliance with NIST 800-171, writing the required System Security Plan (SSP) and leading your remediation efforts. Contact Us today to get started!

With the deadline for compliance with DFARS Clause 252.204-7012 having passed on December 31st 2017, many companies are still scrambling to catch up. But in their haste, many may be ignoring a vital aspect of the mandate.

Chiefly designed to ensure adequate security in safeguarding “covered defense information” (CDI), DFARS requires Department of Defense (DoD) contractors and subcontractors to implement controls to protect sensitive data “collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.”

However, it also includes clearly specified mandates for cyber incident reporting, when a contractor or subcontractor discovers that CDI has been compromised or adversely affected within their networks. In addition to safeguarding CDI, it is imperative that companies follow these prescribed reporting requirements if they experience a cyber incident.

Report Rapidly

Collecting information on cyber incidents allows the government to investigate key details in order to monitor and hopefully contain future cyber threats. As such, DFARS cyber incident reporting mandates are designed to assure businesses turn over this information quickly.

According to DFARS, a cyber incident is defined as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.” If you have determined that a cyber incident has taken place, then in accordance with the “Rapid Reporting” requirement you must:

(i) Conduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This review shall also include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the Contractor’s network(s), that may have been accessed as a result of the incident in order to identify compromised covered defense information, or that affect the Contractor’s ability to provide operationally critical support; and

(ii) Rapidly report cyber incidents to DoD at http://dibnet.dod.mil within 72 hours of discovery.

The DFARS provision defines a compromise as the “disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.”

Although there has been some debate as to what reporting triggers define the start of the 72-hour timeframe, implementing a clear cyber incident response plan can create a track record of internal consistency that would prove responsibility if a contractor’s reporting methods were ever to be scrutinized.

A full list of what to report can be found on this page of the DoD’s DIB Cyber Incident Reporting & Cyber Threat Information Sharing Portal.

Detect Malware

In the event that malicious software (malware) is found on a compromised system, the contractor must also collect information about the malware and submit it using a malware submission form to the DoD Cyber Crime Center (DC3) “in accordance with instructions provided by DC3 or the Contracting Officer.”

Preserve Your Media

The DoD may also choose to conduct a thorough post-incident investigation, also known as a damage assessment. To allow for this, they require companies that have been breached to “preserve and protect images of all known affected information systems” and “all relevant monitoring/packet capture data” for at least 90 days following the discovery of an intrusion.

Advice on Reporting

Opening up the lines of communication with the DoD prior to any incident ensures that the process is less complicated and helps you to report in a timely fashion.

In addition, making sure your forensics tools and procedures meet the DoD collection requirements will also ensure that you’re able to quickly gather the required information and report all the pertinent details in full.

Preparation is key. Make sure to practice using your forensics collection procedures so you can quickly report and recover without missing a beat. It’s also important to note that any report of a cyber incident must have a DOD-approved medium assurance certificate. Information on how to obtain this certificate can be found at  iase.disa.mil.

Need Assistance?

If you’re looking for someone to stay on top of your reporting so you don’t drop the ball, or if you just need further assistance understanding the complex process of reporting a cyber incident, Contact Cybersheath today for a free consultation.

 

 

In today’s digital world, no matter what type of sensitive data you handle, attackers are hard at work developing ways to access it. The rash of high-profile security breaches making headlines every day is clear evidence of the struggle businesses face in trying to stay ahead of these sophisticated cyber attacks.

In response to these threats, local and federal governments around the world have begun to impose increasingly stringent regulations to force companies to re-examine their internal cybersecurity standards.

DFARS clause 252.204-7012, HIPAA, PCI DSS, and GDPR are just some of the many compliance mandates that companies are currently juggling. And considering the disastrous fallout of even the smallest breach, not to mention the heavy penalties associated with non-compliance, there’s no time to waste in getting up to date.

The Risks of Non-compliance

As early as 2005, former U.S. President Barack Obama voiced his concern about cyberattacks, calling them a “national emergency.” In the years following this call to action, Federal agencies continually increased the regulatory mandates for private contractors, and over half of the state governments in the U.S. passed laws to put in place punitive measures for companies that fail to sufficiently protect sensitive data.

These include hefty fines and in some cases, jail time. Of course, these punishments are minuscule when compared to the consequences of actually being hacked. The costs of penalties, legal fees, and possible compensation for damages pile up quickly and can completely change the financial outlook of your company. Most damaging, however, is the subsequent destruction of your company’s reputation and the irreparable loss of confidence from your customer base.

Entities with the proper vision and intelligence work exceptionally hard to avoid these outcomes at all cost by prioritizing day-to-day operational security. Not only does this protect the company as a whole, but it ensures that the satisfaction of government or contractual requirements is a natural outcome of day-to-day security practices.

An Industry Leader in Cyber Protection

The unfortunate truth is that, even though compliance is absolutely essential, it’s not easy. Combing through the myriad of regulatory requirements to assess which apply to your business, coupled with the complex processes of then actually meeting these standards, leaves many companies lost.

With the right support, businesses can dramatically simplify this process. An industry leader in cybersecurity, CyberSheath has developed the one-of-a-kind systematic Measure Once, Comply Many ® approach to cybersecurity, enabling companies to reach compliance by implementing a specifically tailored security strategy.

CyberSheath starts by expertly identifying the vulnerabilities in your network and then uses this information to plan and build a strategic security organization that optimizes your personnel, security processes, and technology. We then monitor your systems in real-time, providing you early threat recognition and proactive prevention that helps eliminate the risk of attacks.

By using this proven and patented method, CyberSheath paves the way towards both reaching regulatory milestones and achieving optimal operational cybersecurity.

Measure Once, Comply Many ® utilizes the following services to provide a full-service comprehensive security platform, keep your data safe and secure, and assure across-the-board compliance:

• Centralized 24/7/365 Security Operations Center (SOC) capabilities.
• SIEM, network IDS, host IDS, file integrity monitoring, vulnerability reporting and management, and more.
• Real-time security intelligence, including correlation directives, IDS signatures, NIDS signatures, and asset fingerprints.
• Full suite of compliance reporting, including DFARS clause 252.204-7012, NIST 800-171, HIPAA, PCI DSS, GDPR, and state data breach laws.
• Instant detection and notification of ransomware and other malware variants.
• Managed Privilege Account Management Services to stop security breaches involving privileged accounts.

With these advantages in place, you’ll never be caught off-guard, regardless of the current regulatory measures. Your business will not only take the necessary steps towards compliance, but you’ll also be able to continually read and react to the latest state-of-the-art threats. It’s all part of our patented system designed to achieve compliance as a result of committing to optimal operational security.

Assure Your Cybersecurity Now

Staying on top of your cybersecurity requirements can be overwhelming, but being hacked is undoubtedly even worse. Partnering with CyberSheath can help you gain peace of mind by putting a proactive plan in place to ensure your business is not just compliant, but also efficient and thorough in every aspect of cybersecurity. Contact us today to learn more about Measure Once, Comply Many ®.

 

 

On December 31, 2017, the deadline passed for defense suppliers to comply with NIST 800-171, a requirement specified in Defense Federal Acquisition Regulation Supplement 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting.

This mandate attempted to ensure a higher standard of security controls surrounding the processes and procedures for protecting controlled unclassified information (CUI). As defined by the National Archives, CUI is “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.”

Confused? You’re not alone! Assessing what is and what isn’t CUI, as well as navigating the complex and potentially costly road to compliance, has left many contractors struggling to stay on schedule. Although the deadline has passed, a large number of companies are still standing around scratching their heads, wondering how to proceed.

Consequences of Non-compliance

Non-compliance is not going to be acceptable for much longer. Clause 3.12.4 of NIST 800-171 allows for the submission of a Security System Plan (SSP) and a Plan of Actions and Milestones (POA&M) to help companies define how they will bridge the gap, but it is also reasonable to expect that the U.S. Government will soon begin to terminate contracts that fail to meet the accepted requirements. Defense prime contractors will also begin to terminate non-compliant subcontractors and suppliers to avoid having to report themselves as non-compliant.

Because so many companies have fallen behind, those that have achieved this rare milestone will have positioned themselves to receive the lion’s share of future defense contracts. Simply put, if companies want to remain competitive, they must move as quickly as they can to get on track or risk falling behind their competition.

Becoming Compliant

If your company has fallen behind, don’t get discouraged. The path to compliance is a confusing one, but it’s possible to find your way. Start by taking the following steps…

1. Define CUI

CUI is situation-specific and can be tricky to assess. In some cases, the information that needs to be protected are specified in the awarded contract. However, most of the time the definition is unclear.

In their own definition, DFARS has included CUI that is “collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.” Information that has been created or received by contractors, but not marked, may also need to be appropriately safeguarded. Identifying what needs to be protected is the first step.

2. Identify where it lives

The next step is to figure out exactly where the CUI is being stored, processed, or transmitted from so that you know which systems need to be secured.

Creating a Data Flow Diagram (DFD) is a helpful way to begin figuring out how CUI is traveling through your network. It could also be useful to create a network diagram to identify what controls you already have in place that are effectively safeguarding your CUI. Together, these tools can help you identify the weak points you’ll need to address to close the gaps in your systems.

3. Document your progress

Having identified CUI and where it lives, you should now begin the process of referring back to NIST 800-171 to figure out the controls you will need to put into place.

As you forge ahead in making these updates, it’s critical to document what you’ve changed, how it will improve security, what controls are not applicable to your current situation, and why they won’t be needed.

This process will create a record demonstrating your ability to assess and safeguard sensitive information, moving you closer to your ultimate goal of declaring full compliance with the DFARS/NIST 800-171 mandate.

Your Competitors are Working on Compliance — Are You?

If you’re not currently working towards meeting the DFARS/NIST requirements, rest assured your competitors are! The window for implementing this essential security update is closing rapidly, so don’t lose your competitive edge — contact us now for a free consultation on achieving your compliance goals.

On December 31, 2017, the deadline for compliance with the NIST 800-171, a mandate for contractors serving local and federal governments, came and went.

This Special Publication provided guidance on the processes and procedures needed to adequately safeguard controlled unclassified information (CUI), defined as any information created by the government or entities on behalf of the government that is unclassified, but still must be appropriately safeguarded.

While some companies were quick to adapt to these new regulatory measures, many companies fell behind because of a lack of resources, confusion over the head-spinning compliance process, or just downright procrastination.

With the deadline long gone and the Department of Defense (DoD) making it crystal-clear that NIST 800-171 is here to stay, becoming compliant is an absolute must for those looking to remain competitive in the industry.

A Common Problem

Unlike previous security mandates, this is the first that impacts sub-contractors working further down the federal supply chain. This means that for many companies, it’s the first time they’re having to figure out compliance.

If this describes your company, you’re by no means alone. Because these standards must be met by anyone who stores, processes, or transmits CUI for the DoD, General Services Administration (GSA), NASA, or other federal or state agencies, many contractors are struggling to wrap their heads around the complex process ahead.

As it’s critical to a supplier’s ability to win new business and keep current defense contracts, both prime and sub-contractors will want to confirm that they are, at the very least, on the path to compliance with NIST 800-171.

Achieving Compliance

Of course, becoming compliant is easier said than done. The fact that there is no certification process for NIST means contractors work on the honor system, attesting that they have reviewed and heeded the applicable requirements specified in the regulation.

This also means that becoming compliant is not a one-time achievement. Rather, it’s an ongoing process of continuous evaluation. Here are the three key actions you can take to get started…

Assess Your Compliance Level

First, you’ll need to do due diligence in identifying CUI as it applies to you. Check with your contracting officers or look through your contract to see if CUI has been clearly defined. In many cases, it may not be, and you’ll have to review the CUI registry to find similar examples of CUI.

Once you’ve clearly defined what you need to protect, you can begin to figure out if it’s actually being protected sufficiently. You’ll have to carefully review your critical systems, including servers, laptops, storage devices, network devices, end-user workstations. You’ll also need to assess the physical security of those devices that contain CUI to make sure they are properly safeguarded.

Design a Plan of Action

Chances are there will be a gap between where you are now and where you need to be. This is common so don’t worry!

Fortunately, clause 3.12.4 allows for the submission of a Security System Plan (SSP) and a Plan of Actions and Milestones (POA&M) to buy yourself some time as you work towards your compliance goal. Since many contractors are not yet compliant, these documents are required to show procurement officials you are heading in the right direction.

An SSP will provide an overview of the security requirements needed for every system you use, describe the curent controls you have in place, and outline the expected behaviors of all who access them. Your POA&M will show a clearly defined corrective strategy for exactly when and how you plan to resolve any security weaknesses. 

Begin Implementation  

All this planning and assessing means nothing if you don’t step up and deliver! Once you’ve put milestones in place, you’ll need to train your staff and ensure they adhere rigorously to these deadlines. You’ll also need to document critical advancements in your quest for compliance, properly maintaining your records as you go.

Still Nowhere Near Compliance? Don’t Panic!

If you missed the December 2017 deadline and you’re starting to feel the pressure, don’t panic. CyberSheath’s Managed Security Services can help you to define your CUI obligations, create a plan of action, and move step-by-step towards full compliance. Contact us today for a free consultation.

 

 

More than two years ago, the Department of Defense (DoD) sounded the alarm for increased cybersecurity with a new set of controls designed to raise the level of safeguarding standards across the industry.
The requirements specified in Defense Federal Acquisition Regulation Supplement (DFARS) provision 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting”, were gleaned from Special Publication (SP) 800-171, authored by the National Institute of Standards and Technology (NIST).
A non-regulatory government agency designed to promote U.S. innovation and industrial competitiveness, NIST identified a set of 110 security control requirements, appropriate for non-government organizations, to be implemented by December 31st of 2017. But even with the deadline long since passed, many contractors are still struggling to meet these standards. Here are the three main reasons why…

Lack of Resources

NIST’s daunting to-do list has left many small to medium companies wondering how they’ll close the gap between what is required and what they can afford to implement.
Put at a disadvantage by budget and workforce limitations, companies find themselves falling behind due to a lack of cost-effective solutions and an inability to dedicate the manpower to keep their cybersecurity standards up-to-date.
Companies must report any shortcomings or gaps in their compliance to the DoD’s Chief Information Officer (CIO) within 30 days of any contract award. That means that the time and resource constraints are only exacerbated if the people in charge don’t have an intimate understanding of the NIST SP 800-171 security controls.
These companies need help but don’t know where to turn. As a result, they’ve found themselves exposed to increasingly advanced cybersecurity threats and will continue to accrue non-compliance penalties until they can find the assistance they need.

Complexity

In an attempt to provide flexibility, make the controls technology-neutral, and allow for contractors to implement whatever solutions best fit their company, NIST has inadvertently made it difficult to know whether your company has actually achieved compliance or not.
The first challenge contractors face is assessing whether or not an information system is processing covered defense information (CDI). CDI is defined by the registry maintained by the National Archives and Records Administration and includes Controlled Technical Information (CTI) and Controlled Unclassified Information (CUI).
If these information systems are precisely specified in the awarded contract, the process is simplified. But DFARS has also included CUI that is “collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.”
This opens the door for large chunks of information that have been created or are received by contractors, but not marked, to also be considered CDI, making the process of identifying which systems process this information much more difficult.
On top of this, the DoD does not currently have any system in place to certify compliance and has not authorized any third-party certification process, leaving it up to you to accurately assess where you stand at any given moment. 

Being Human

As with any complex set of rules, the risk for human error also enters the mix. In the midst of wrapping their heads around a barrage of complicated regulations, many people simply drop the ball.
In companies that are already struggling to dedicate the necessary human resources to compliance, the overwhelm of adjusting to a whole new world of security requirements can lead to small errors that pave the way for much bigger problems.
In cases like these, it’s essential to have an extra set of eyes on the details to make sure problems don’t snowball and create an avalanche down the line.

Rising to the Challenge

If you’re a defense contractor struggling to keep up with NIST 800-171 requirements, performing a compliance assessment should be your top priority. CyberSheath’s Managed Security Services can help you identify the roadblocks on your path to NIST compliance and find cost-effective solutions to overcome them. Contact us today for a free consultation to find out more.

Cybersecurity at small and mid-sized businesses are often under-resourced with an “Army of One” approach to compliance and risk management. Compliance with regulatory requirements like DFARs 252.204-7012, HIPAA, PCI DSS, NERC CIP, Sarbanes Oxley (SOX) and more compete with actual cyber defense efforts to monitor, detect and respond to threats. Doing what you have always done, buying more products and surviving audits, isn’t effective and doesn’t scale. There is a better way and its effectiveness can be measured with contractual Service Level Agreements (SLA’s) that enable cybersecurity to be a force multiplier for your business.

Instead of hiring FTE’s and deploying one-off, point solution products that don’t integrate with existing investments, consider Managed Security Services that deliver:

  • Cloud-based security monitoring platform in one unified solution
  • Integrated security information and event management (SIEM) and log management
  • Asset discovery
  • Vulnerability assessment
  • Intrusion detection
  • Behavioral monitoring
  • Threat intelligence
  • Privileged account management
  • Automated and simplified regulatory compliance management

Just think about your infrastructure today. How many tools and products do you have spread across too few engineers without enough time to deploy, monitor and manage them? Do you feel like a SIEM solution is a luxury that a business your size can’t afford? Small and mid-sized businesses often have to make tough choices between resource allocation, and a SIEM solution rarely makes the cut because of cost and complexity. The irony is that a SIEM solution is a foundational investment that improves your ability to allocate resources, meet compliance requirements and defend your infrastructure. Coupled with Managed Security Services, the return on investment (ROI) for your business is measurable in a variety of ways.

Our partner, AlienVault, commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study that detailed the potential ROI organizations can realize by deploying the AlienVault Unified Security Management ® (USM) platform. The results aligned with our experience delivering managed services in the defense, financial, healthcare, technology and manufacturing industries. Here is what Forrester Consulting found:

Simplified compliance reporting for companies, resulting in nearly 6,000 hours of time-savings each year. Prior to adopting AlienVault USM Anywhere, key pieces of information had to be pulled from many different systems and consolidated into reports for the auditor. This process took nearly four months, but with AlienVault, onsite audits could be completed in one week as the compliance information and reports were readily available in real-time. This resulted in approximately 2,000 hours of time savings per audit and, on average, three audits were being held each year.

AlienVault USM Anywhere reduces the cost of incidents by improving threat detection and incident response time by 80%. Based on a 2017 study conducted by the Ponemon Institute, the probability that an organization will experience a breach greater than 1,000 records is 14%. However, with the deployment of USM Anywhere, the time to detect incidents was dramatically reduced, helping organizations identify and respond to attacks much faster. With 80% faster detection and response time, the impact and probability of a breach could be reduced.

An 80% security operations staff productivity improvement. Prior to adopting AlienVault solutions, organizations didn’t dedicate much time to daily monitoring tasks. On average, two to three investigations arose each week, which took the combined effort of two dedicated resources. After the deployment of AlienVault’s USM Anywhere platform, the security operations team was able to monitor and detect issues in real-time. This reduced the manual effort involved in investigative activities by 80% and allowed the resources to focus their time on more value-added tasks. “We are still responsible for monitoring alerts and logging, but it’s gone from hours per day to minutes. It allows us to focus on things like serving our customers, writing new code, and ultimately bringing more business in the door.”

Threat intelligence saves time and money. With AlienVault Labs threat intelligence, organizations no longer have to dedicate resources to sifting through multiple sources of information and bulletins to keep up with the latest intelligence. Now they can rely on the AlienVault Labs Security Research Team for continuous updates to threat correlation rules and directives. With the added benefit of not having to pay for an alternative threat intelligence subscription, the overall annual cost savings for the composite organization resulted in more than $40,000 per year.

The data from the study was clear, managed services save time and money by enabling more effective regulatory compliance and risk management. You’re probably already intuitively know that managed security services will be a game-changer for your organization and the data from the study only further strengthened your opinion. That said there are often at least two challenges to moving forward that businesses struggle with:

  1. Senior management doesn’t want to spend the money, I don’t care what your fancy study says.
  2. Managed Security Services Providers are like gas stations, there’s one on every corner and they all sell the same thing.

Getting past these barriers to realizing the benefits of managed services requires the same solution, selecting a Managed Security Services Provider that can push past them before you have spent any money. You will know when you have selected the right partner when they invest the time upfront to specifically show you how their services benefit your business. Candidly, management is right. Nobody cares what a vendor study says might happen at your business based on possibility. Your potential MSSP should be spending time documenting and demonstrating how their services will reduce risk and simplify compliance at your business. You will quickly be able to differentiate MSSP’s offering canned reporting and push-button threat detection from those with teams that span CISO through operations analyst level experience. You are buying a service and that service should have real people that can document and articulate the MSSP value specific to your business before you spend any money. Regardless of whether that takes two weeks or six months, you will know you have the right MSSP when they invest the time pre-sales to detail the value to your business.

Managed security services are the answer to your small and mid-sized business cybersecurity needs and selecting the right partner will be a force multiplier for your business.

Contact us today to learn how to save time and money with CyberSheath Managed Security Services.

Thanks to the increasingly sophisticated and aggressive cybersecurity threats facing the U.S., there has been much focus recently on reinforcing the nation’s cybersecurity. Much of this effort has revolved around strengthening the Department of Defense (DoD) supply chain.

The Defense Federal Acquisition Regulation Supplement, or DFARS, has been working to encourage DoD contractors to proactively comply with certain frameworks in order to achieve this goal. Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is the latest mandatory addition.

Under the Clause, all contractors must comply with the National Institute of Standards and Technology’s Special Publication 800-171 (NIST SP 800-171), a framework that lays out how contractors must protect sensitive defense information and report cybersecurity incidents.

The NIST framework requires you, as a defense contractor, to document how you have met the following requirements in particular:

• Security requirement 3.12.4 requires the contractor to develop, document, and periodically update System Security Plans (SSPs) that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
Security Requirement 3.12.2 requires the contractor to develop and implement Plans of Action designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems.

Read more about implementing SSPs and POAs.

Under the Clause, DoD contractors are obliged to submit evidence of their compliance with NIST SP 800-171 to the U.S. Government. However, the Clause goes beyond NIST compliance and sets out additional rules for the protection of Covered Defense Information (CDI).

Supply Chain Management

DFARS Clause 252.204-7012 aims to encourage you, as a contractor, to take a proactive role in the protection of CDI. Not only are you required to demonstrate compliance within your own business, but in order to strengthen the entire supply chain, you must take steps to ensure that your subcontractors comply, too.

It is the responsibility of your subcontractors to inform you if their practices deviate in any way from the DFARS and NIST 800-171 guidelines, and it is your responsibility to demonstrate that an equally secure alternative practice is in place before you share CDI with that subcontractor.

Reporting Cybersecurity Incidents

A cybersecurity incident is defined as a breach of security protocols that negatively impacts, compromises, or endangers CDI held on your systems or networks, or those of your subcontractors.

In the event of a cybersecurity incident, your responsibility under DFARS Clause 252.204-7012 is to report the incident to the DoD within 72 hours. You must present the affected data and all related data covering the 90 days prior to the date of the report, along with any infected software. You must also conduct a thorough systems review and identify ways in which you will prevent future breaches.

In the event that a subcontractor experiences a cybersecurity incident, they must report it to you, or to the next highest tier of subcontractor, and present the evidence as required. As the prime contractor, you’re then required to report the incident to the DoD and submit the evidence, as detailed above.

Cloud Service Provision

If you offer your own cloud services as part of your DoD contract, then DFARS states that you must enact the safeguards set forth in the Cloud Computing Security Requirements Guide (SRG), unless waived by the Chief Information Officer of the DoD. If you use a third-party cloud service, then you’re required to ensure that your cloud service provider follows the security provisions therein.

Don’t Know Where to Start?

A quick look at documents like the above and it’s clear to see why some contractors are still struggling with compliance long after the December 31st, 2017 deadline has passed. It truly is a daunting task bringing your business into line with these extensive regulations, especially when the stakes are so high.

That’s where a Managed Services expert like CyberSheath comes in. We’ve helped defense contractors large and small to achieve comprehensive DFARS and NIST compliance.

Put Your Cybersecurity Compliance in Expert Hands

We’ll take the stress and the guesswork out of compliance by handling every step of the journey, from assessment and gap identification to the development of robust System Security Plans and Plans of Action. And because we’re always monitoring the evolution of DoD frameworks, we’ll continue to update your plans in line with regulatory changes to guarantee ongoing compliance.

Let CyberSheath help you to protect your valuable DoD contracts and remain competitive in the defense supply chain. Contact us now for a no-obligation discussion to find out how.

 

5 Steps to DFARS Compliance

Last week the Washington Post reported that in January and February of this year Chinese government hackers stole 614 gigabytes of material relating to a closely held project known as Sea Dragon from a Navy contractor’s unclassified network. Stolen data included signals and sensor data, information relating to cryptographic systems, and the Navy submarine development unit’s electronic warfare library.  Officials said the material, when aggregated, could be considered classified and this should come as no surprise to anyone familiar with unclassified defense contractor networks.

Unclassified contractor networks often contain a wealth of important information related to the important work they do in support of the Department of Defense DoD and other government entities. This reality is one of the many reasons that the DoD made compliance with DFARs clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting and implementation of NIST 800-171 mandatory no later than December 31, 2017. Unfortunately, many companies are still struggling with implementing the NIST 800-171 requirements or worse, writing the required System Security Plans (SSP) and Program of Action and Milestones (POA&M) and never getting around to implementing the security requirements.

The delay in implementing the NIST 800-171 requirements is likely in part why on April 24th, 2018 the DoD released its draft “Guidance for Reviewing System Security Plans and the NIST SP-800-171 Security Requirements Not Yet Implemented.” The extensive document contains more stringent guidelines on exactly how the DOD will enforce and assess the implementation of security controls for awarding contracts and evaluating proposals. It also provides detailed recommendations for properly assessing System Security Plans (SSPs) and Plans of Action and Milestones (POA&M).

The DoD Guidance provides additional information on how they might penalize business partners who fail to adhere to new security rules, including penalties and not being awarded new contracts. Aside from the obvious competitive business reasons to immediately implement the NIST 800-171 security requirements this latest theft of project Sea Dragon data is a reminder of the implications to national security. Most of NIST 800-171 is just good cybersecurity hygiene that at a minimum will make contractors harder targets for hostile nation-states.

In February, Director of National Intelligence Daniel Coats testified that most of the detected Chinese cyberoperations against U.S. industry focus on defense contractors or tech firms supporting government networks. During his April nomination hearing to lead U.S. Indo-Pacific Command, Adm. Philip S. Davidson, told the Senate Armed Services Committee “One of the main concerns that we have, is cyber and penetration of the dot-com networks, exploiting technology from our defense contractors, in some instances.”  These comments along with the new DoD guidance are a clear indication that compliance isn’t going away.

Attention and focus on contractor networks started in earnest at least ten years ago when industry and the DoD started working together, voluntarily, to select NIST 800-53 base security requirements for implementation and defining cyber incident and information sharing processes. That effort has now evolved into the mandatory implementation of DFARs clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting and implementation of NIST 800-171. The deadline for achieving compliance has come and gone.

At CyberSheath, we know that successfully implementing these new security controls can be a daunting undertaking for your organization. We’ve successfully assessed and implemented the required NIST 800-171 controls for organizations large and small in the defense industrial base supply chain. We’ll ensure your System Security Plan (SSP) and associated Plans of Action & Milestones (POA&M) are documented and fully implemented. Our cybersecurity experts will take care of all identified gaps in your information systems, schedule implementation of any outstanding items and ensure your organization is compliant with all of the latest requirements. We follow all DOD guidance to ensure review of SSPs and POA&Ms and “assist in prioritizing the implementation of security requirements not yet implemented.” After we have delivered a fully compliant solution we offer managed services to maintain your compliance and incorporate any updates from the DoD.

Contact CyberSheath today for a no-obligation phone consultation, and learn how we can ensure compliance with NIST SP 800-171 in five steps sales@cybersheath.com

 

 

The December 31, 2017 deadline for achieving compliance with NIST 800-171 has come and gone. If you’re still not compliant, you’re at risk for penalties, and chances of winning future contracts and bids are at great risk. The good news is it’s not too late!

It’s understandable if you haven’t yet actually implemented the required NIST 800-171 security requirements. In the past, the DOD permitted businesses to choose a future date for implementing required security controls through the Plan of Actions & Milestones (POA&M) policy. As a result, businesses and organizations used POA&M merely as a simple checkbox system, which led to weak System Security Plans and stalled control implementations. Today, the DOD has upped their game by insisting on stronger cybersecurity practices among its business partners. They’ve moved to an enforcement phase for cybersecurity compliance and requirements with recently released DoD Guidance.

On April 24th, 2018 the U.S. Department of Defense released its draft “Guidance for Reviewing System Security Plans and the NIST SP-800-171 Security Requirements Not Yet Implemented.” The extensive document contains more stringent guidelines on exactly how the DOD will enforce and assess the implementation of security controls for awarding contracts and evaluating proposals. It also provides detailed recommendations for properly assessing System Security Plans (SSPs) and Plans of Action and Milestones (POA&M).

The DoD Guidance provides additional information on how they might penalize business partners who fail to adhere to new security rules, including penalties and not being awarded new contracts.

Failure to Implement the Required NIST 800-171 Controls will Lead to Lost Bids, Vendors and Revenue

For the best chances of new contract awards and superior contract performance in the competitive cybersecurity market, you need to implement the Security Controls and heightened information security requirements as outlined in NIST SP 800-171.

NIST has a set of 110 security requirements that stem from the NIST SP 800-53, which governs the cybersecurity standards for government systems. The new guidance was also designed to help businesses assess and prioritize the most effective ways for them to begin implementing these crucial 110 security controls specified in NIST SP 800-171.

The DOD has a new tactic for reviewing SSPs and security requirements not yet implemented, which is to assign risk scores to controls. For example, security controls that are considered high risk and haven’t been implemented pose an extremely high risk to the data being protected and your ability to win DoD contracts.

Security controls that haven’t been implemented are given a DOD Risk Value for each security requirement that ranges from the highest, which is 5 (highest risk and priority for implementation) to 1 (lowest risk and priority for implementation).

If you don’t meet the 110 security requirements, it will likely lead to losing potential contracts through poorly written SSPs and high-risk scores resulting from a failure to implement the required controls.

Relax. We’ve Got This!

At CyberSheath, we know that successfully implementing these new security controls can be a daunting undertaking for your organization. We’ve successfully assessed and implemented the required NIST 800-171 controls for organizations large and small in the defense industrial base supply chain. We’ll ensure your System Security Plan (SSP) and associated Plans of Action & Milestones (POA&M) are documented and fully implemented. Our cybersecurity experts will take care of all identified gaps in your information systems, schedule implementation of any outstanding items and ensure your organization is compliant with all of the latest requirements. We follow all DOD guidance to ensure review of SSPs and POA&Ms and “assist in prioritizing the implementation of security requirements not yet implemented.” After we have delivered a fully compliant solution we offer managed services to maintain your compliance and incorporate any updates from the DoD.

Contact CyberSheath today for a no-obligation phone consultation, and learn how we can ensure compliance with NIST SP 800-171 in five steps.

It’s time to demonstrate compliance with DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which requires contractors to implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev. 1, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”.

There is No Excuse for Non-compliance

Compliance with NIST SP 800-171 and DFARS clause 252.204-7012 is mission-critical for DoD contractors and demonstrating adherence to the requirements has become a competitive discriminator. For a deeper dive and a chance to ask questions specific to your implementation, please join us for the comprehensive webinar “NIST SP 800-171 DFARS clause 252.204-7012 Compliance in 5 Steps” on Thursday, March 29, 2018, 12:00 PM EST.

During the webinar you get answers to these critical questions and more:

  • Did the government extend the deadline?
  • How do I determine compliance with NIST SP 800-171 Rev. 1.?
  • What exactly does it mean to be compliant?
  • How do I know if I am already compliant?
  • What needs to be included in my System Security Plan (SSP)?
  • What are Plans of Actions & Milestones (POA&M’s)?
  • How do the controls apply to manufacturing environments?
  • Does NIST 800-171 apply to cloud computing?
  • How long will it take to achieve compliance?

No matter where you are in your journey towards NIST 800-171 compliance, this webinar is guaranteed to better equip you in understanding, implementing and maintaining compliance!

Achieving NIST SP 800-171 Rev. 1 compliance isn’t easy but the process doesn’t have to be complicated. If you need help staying competitive with this DoD mandate, contact us at sales@cybersheath.com.

 

It’s more important than ever to make sure your applications are secure. What tools are available to help in this effort – and what are the pros, cons, features, and benefits of these enablement tools?

In our previous post we set the stage for this discussion by covering the challenge application developers and their security teams face securing code in an efficient manner. Read about the impact securing (or not securing) application credentials can have on your organization and what you can do about it.

To continue our discussion, apps typically run in one of three network zone configurations. These include:

  • On-Prem – Apps that run in this space are your traditional applications, which usually run on physical machines or dedicated VMs. These apps have a long lifecycle.
  • Internal Cloud – Apps in this zone run on semi-elastic machines. Their lifecycle is much shorter than traditional servers and they are deployed much quicker than on-prem apps.
  • “The Cloud” – This zone exists outside the organization’s firewall. Apps in the cloud run on a very short-lived infrastructure, which is hosted by an outside vendor. These apps are deployed and destroyed auto-magically based on the application’s needs.

Whether you’re trying to meet DFARS, MAS, HIPPA, or NERC compliance, you have choices on where your apps run. Whichever environment meets your needs, CyberSheath has the resources to help keep your applications secure.

What you needHow CyberSheath can help
On-PremYour on-premise applications need to be just as secure as apps in the cloud.Depending on the way your application functions (homegrown code, services, scheduled tasks, IIS services), the CyberArk Enterprise Password Vault (EPV) has a feature for you. EPV is designed for:

  • Managing secrets.
  • Rotating passwords and keys.
  • Allowing humans and applications to fetch them for authorized tasks.
Your on-prem apps are developed on a platform like Java or C++.CyberArk’s Application Identity Manager can help. An agent, which serves as a credential provider, is installed on the local host. It:

  • Communicates between the application and the Vault, serving up the password each time it’s needed.
  • Is designed for high transaction volumes, and high availability.
  • Allows for seamless credential rotation with zero downtime.
  • Challenge: Agent workflow and management can be cumbersome.
Your on-prem applications rely on less hardcore code, but more scripting and basic Windows functions.The built-in remote management features of the Central Policy Manager are a good alternative.

  • Scheduled tasks, services, and IISAppPools running under a specific user can have that user’s password rotated automatically.
  • Challenge: Configuring the workflow for this is where most app teams get hung up.
Internal CloudYour apps running on an internal or private cloud tend to be less risk-oriented. These apps generally require faster deployment, have shorter return to operations (RTO) requirements, and need to be semi-elastic.CyberArk’s Central Credential Provider (CCP) is one recommended approach.

  • It allows app teams to make simple code changes.
  • Instead of an agent installed on a semi-elastic device, a web service call is made to retrieve the credential.
  • Identity can be established with a number of machine characteristics, in addition to client certificates.
  • Challenge: It can be difficult to define a clear and repeatable process to register applications and issue certificates to them.
“The Cloud”Your applications running on cloud infrastructure (a.k.a. the public cloud) generally require extremely high availability and elastic growth on demand.

Provisioning applications’ access to secrets at such quick speeds is challenging, which is why many organizations are hesitant to put apps in the cloud.

CyberArk’s Conjur, which is a DevOps security platform designed for cloud computing, can help.

  • As a cloud application itself, it conforms to the highly elastic nature of cloud applications.
  • It uses the concept of machine identity to establish trust that your app is who it says it is.
  • Using web calls (similar to CCP), Conjur serves up secrets to authorized applications.
  • No configuration is required for a new app instance. It’s built, has its authorizations, and it’s on its way.
  • Challenge: It’s not easy to create a system to import secrets or to build a methodology for developers to code in Conjur during their build process.

Contact CyberSheath to learn how we can help your organization secure your applications.

Are you a U.S. manufacturers who supply products within supply chains for the DOD? If you are it’s likely that you are required to ensure adequate security by implementing NIST SP 800-171 as part ensuring compliance with DFARS clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” available at:

http://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012

Manufacturing environments can pose unique challenges when implementing the 110 controls required by NIST 800-171 Rev. 1 and applying the controls to a production line can be daunting with the risk of business interruption often a click away. To de-risk the implementation of the NIST 800-171 Rev. 1 controls it’s recommended that you start with an assessment of your current operations (people, process, technology) against the NIST 800-171 Rev. 1 requirements. Finding a trusted third party with applicable manufacturing environment experience to execute your assessment can be a great way to jump start your compliance efforts. If you choose to so the assessment in-house one of the best resources, targeted to small manufacturers, is NIST Handbook 162 NIST MEP Cybersecurity Self-Assessment Handbook for Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements. Found here:

http://nvlpubs.nist.gov/nistpubs/hb/2017/NIST.HB.162.pdf

NIST SP 800-171 Rev. 1 assumes that small manufacturers currently have IT infrastructures in place, and it is not necessary to develop or acquire new systems to handle Controlled Unclassified Information (CUI). Small manufacturers likely have some security measures to protect their information which satisfy some of the 800-171 security requirements. For controls that are not currently satisfied there are many potential security solutions that can be implemented to satisfy the security requirements. There is no single security technology or solution that will meet all requirements. Manufacturers will need to understand their operating environment and apply the security requirements to meet their unique operations which should be reflected in their System Security Plan (SSP). Manufacturers often have unique operational requirements that run counter to some required controls and will have to implement alternative, but equally effective, security measures to satisfy a control requirements.

NIST Handbook 162 was developed by the National Institute of Standards and Technology (NIST) and Manufacturing Extension Partnership (MEP) collaboration committed to strengthening U.S. manufacturing. The Handbook provides a step-by-step guide to assessing a small manufacturer’s information systems against the security requirements in NIST SP 800-171 Rev 1, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” The handbook is intended for use by a small manufacturer and essentially walks manufacturers through conducting a self-assessment answering Yes, No, Partially, Does Not Apply or Alternative Approach to each control.

The Handbook includes an excellent section titled “Using this Handbook to Conduct an Assessment” which details the preparation and expectation setting before, during, and after an assessment. Often this is an overlooked step in the process as the desire to “just get compliant” informs most activities. While understandable, it’s a mistake to set compliance as the only outcome of a your NIST 800-171 Rev. 1 self-assessment.  When preparing for your self-assessment take the time to think about educating executives and business stakeholders on the compliance requirements and how you are going to earn their long-term support for this initiative.  There is no end state to NIST 800-171 Rev. 1 compliance and you should answer the following questions in soliciting executive support and sponsorship:

Does the business even know about this requirement for doing business with the Department of Defense (DoD)?

They might not. Now is your opportunity to educate them on the long-term implications of the requirements and help them begin to think about building the cost of compliance into the business plan.

Does the business understand the NIST 800-171 Rev. 1 impact on Acquisition? (for a detailed explanation see this blog post: http://www.cybersheath.com/understanding-nist-800-171-impact-acquisition/

At some point, you will need to demonstrate compliance in order to be competitive for future acquisition. Engaging the business now and getting ahead of that inevitability will pay dividends in the future.

How will you measure and communicate your self-assessment and overall compliance to the business?

Don’t make the mistake of only communicating the fact that you are undertaking a self-assessment. This is your opportunity to communicate your long-term approach to managing a NIST 800-171 Rev. 1 compliance program. Take the time to develop a strategy that includes:

  • Executing an Annual Assessment
  • Documenting your System Security Plan (SSP) and Plans of Action & Milestones (POA&M’s)
  • Implementing the required controls
  • Maintaining Compliance

Developing this strategy up front presents the opportunity to transform security from” order takers” to a business enabling function, don’t pass that up!

When you are ready to start your self-assessment using NIST Handbook 162 you will find descriptions of each control and importantly practical recommendations on how to assess your compliance with each control. The guidance included suggestions around who to talk to, where to look and what tests to perform when assessing control compliance. The recommendations should help you and your team work your way through each control and ultimately complete a thorough self-assessment.

Achieving NIST SP 800-171 Rev. 1 compliance for a manufacturing  business has its own unique challenges, most of which CyberSheath has already solved.  If you need help staying competitive with this DoD mandate, contact us at sales@cybersheath.com.

 

The December 31, 2017 deadline for creating a System Security Plan (SSP) and associated Plans of Action & Milestones (POA&Ms) aligned with NIST special publication 800-171 requirements has passed. If you are a DoD prime contractor, now it’s time to focus subcontractor compliance.

Subcontractor Compliance and CDI

DFARS 252.204-7012 (“the DFARS cyber clause”) compelled you to validate your own compliance status and address any cybersecurity gaps. As a prime, you have satisfied your in-house compliance obligations. Now it’s time to turn your attention to your subcontractors since the DFARS cyber clause must be flowed down to all suppliers or subcontractors that store, process and/or generate Covered Defense Information (“CDI”) as part of contract performance.

Keep in mind that CDI is defined as “unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is:

  1. Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
  2. Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

Controlled technical information is technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.”

How to Ensure Subcontractor Compliance

Subcontractors can achieve compliance with the NIST 800-171 Rev. 1 requirements in a variety of ways including flow down of the 252.204-7012 clause in subcontract documents that contain detailed communication with the specific requirements of the DFARS cyber clause. This includes the mandate for subcontractors to:

  • Create an SSP and associated POA&Ms.
  • Fully implement the requirements outlined in the clause and NIST 800-171.
  • Report non-compliance to the DoD CIOs office within 30 days after contract award.
  • Report cyber incidents within 72 hours.
  • Formally flow down the DFARS cyber clause to all lower-tier suppliers/subcontractors storing, processing, and/or generating CDI.
  • Be in full compliance with the DFARS cyber clause.

Remember that as a prime contractor, you are ultimately liable for the compliance of your suppliers and subcontractors. Make sure the flow down of requirements and the validation of compliance is a formal, documented, and repeatable process.

Also, if you are using an existing Governance, Risk, and Compliance (GRC) technology for other regulatory compliance requirements, you should be able to extend its use to cover DFARS 252.204-7012 subcontractor compliance. If you don’t have an existing GRC solution consider these alternatives:

  • Partner with a Managed Security Services Partner (MSSP) that offers a compliance and reporting capability specific to NIST 800-171. Many of the required controls can be mapped back to managed service offerings to produce automated compliance reporting.
  • Work with your contracting organization to create and implement a process that can be incorporated into the existing contracting business cycle. Contracts staff already play a key role related to subcontractor compliance for other contract clauses and adding DFARS 252.204-7012 requirements should be a logical fit.

Bottom line: It’s the prime contractor’s obligation to flow down DFARS 252.204-7012 requirements to all suppliers or subcontractors. Planning for success now is imperative.

If you need help complying with NIST SP 800-171, contact us at sales@cybersheath.com

 

As an owner of a small or mid-sized business, you have endless options available as you partner with a Managed Security Services Provider (MSSP) to better secure your business. The array of choices, industry jargon, and configurable service options can leave you wondering if you left something on the table that you will later regret. Without a team of security experts to vet vendor service offerings, the selection process is even more daunting.

How can you simplify the process and ensure that you are getting everything you need to be secure and compliant?

Maximize Your Chance of Success When Selecting an MSSP

  1. Document your requirements
    • Increase your likelihood of getting what you need by taking the time to compile this list. It will make you a smarter buyer and tremendously help you find the right resource for your needs.
    • Note that this doesn’t have to be a detailed spreadsheet of operational capabilities and Service Level Agreements (SLAs). You may opt to start with compliance issues as most businesses have specific regulatory requirements that they must satisfy including DFARS NIST 800-171, Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), and many others.
    • Ask potential MSSP vendors how they can help your business to measure, satisfy, or simplify compliance with any of the above compliance requirements. MSSPs should possess in-depth knowledge of the requirements, use cases from existing customers, and references.
  2. Be ready to answer questions
    • Have a technical person and someone who understands your business available to answer questions around current security tools in place including how they are used, which users need what level of access, and existing business processes. A good MSSP will want to understand your business both in terms of your existing on-premise and cloud-based infrastructure and your actual business.
    • Trust your instincts and steer clear of sales pitches that focus on technology rather than your business requirements. Know that MSSPs who don’t ask the right questions and who push technology won’t be good long-term partners. There isn’t a tool on the planet that can make you secure. Ideally, your conversations will be with the MSSP operational staff rather than salespeople as operational folks will have the experience that can be applied to your business requirements.
  3. Make sure your MSSP enables security and compliance
    • Remember that operational security enables compliance. Drive your MSSP to explain how their proposed solution to your requirements can make your business both secure and compliant. Chances are you don’t have the time or resources to manage compliance as a separate activity from securing the company. Whatever you contract for should enable both operational security and compliance and the alignment between the two should be documented.
      • Example: If an MSSP is offering a Security Incident Event Management (SIEM) and log management capability, there should be a documented alignment of the capability delivered and your specific compliance requirements. You intuitively understand why you need a firewall and anti-virus protection, but make the MSSP demonstrate how that operational need maps to your compliance requirements to become a force multiplier.
    • Keep in mind that other examples of operational technologies that your MSSP should easily be able to map to your compliance requirements include:
      • Asset Discovery and Inventory
      • Vulnerability Assessment
      • Intrusion Detection
      • Behavioral Monitoring
      • SIEM and Log Management
  4. Vet your MSSP to ensure service delivery
    • Spend time examining your MSSP to be sure that you are they are going to deliver on the “service” part of being an MSSP. SLAs should be a part of your contract but there is an undocumented level of service that you should be getting from your MSSP that can’t be captured in an SLA.
    • Consider these things:
      • Are you comfortable with their technical expertise?
      • When you call, do you know if you’ll get a knowledgeable expert who goes the extra mile to solve your problems or a tier-one analyst who just opens a ticket?
      • When compliance questions relating to a business issue arise, will you find your MSSP to be a partner working with you to solve to problems?
      • Does the MSSP have clear value-added services that go beyond “management dashboards” that only demonstrate tools are being deployed?
    • Narrow your selection to responsive, service-oriented vendors during your procurement process. Many customers has been sold MSSP “services” that do little more than collect logs and monitor.
  5. Be diligent in checking references
    • Ask for references and take the time to call these contacts. Inquire about the reference’s experience during onboarding and delivery of services months after the sale was made. Is the MSSP still engaged and delivering value or do they only surface at contract renewal time?
    • See if your chosen MSSP has delivered any remediation or implementation projects as they are indicators of hands-on experience that will benefit your business. Ideally, references will be in the same business or industry as yours, but if everything else checks out this isn’t a necessity.

Partnering with an MSSP is a great way to secure your business infrastructure. To find out how quickly CyberSheath can enable 24/7 operational security and compliance reporting for your business, contact us at sales@cybersheath.com.

 

It’s time to demonstrate compliance with DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which requires contractors to implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev. 1 (NIST 800-171), “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”.

There is No Excuse for Non-compliance

Originally Department of Defense (DoD) primes and subcontractors had until December 31, 2017, to demonstrate compliance with NIST 800-171. Recently, however, Ellen Lord, the defense undersecretary for acquisition, technology, and logistics told the Senate Armed Services Committee offered a bit of conflicting information. “We said that clearly, the only requirement for this year is to lay out what your plan is,” she said at the December 7th hearing. “That can be a very simple plan. We can help you with that plan. We can give you a template for that plan. Then just report your compliance with it.”

Bear in mind that those words are not an indication of all prevailing thoughts on the matter. Indeed, that guidance was contradicted by a Pentagon spokesman who said the change should not be considered a delay in the deadline since contractors must still document by December 31st how they will implement the new rules.

The clear takeaway is: This requirement for doing business with the DoD isn’t going away. Given the years of delays and widely available information regarding the requirements, there will be no excuse for non-compliance. The Director, Defense Pricing/Defense Procurement and Acquisition Policy issued guidance which articulates how compliance will be factored into acquisition which we explain here: http://www.cybersheath.com/understanding-nist-800-171-impact-acquisition/

4 Steps to Compliance with NIST 800-171

Note that these steps are not simple – you’ve got to put in the work to get the results. Another tip: Ignore vendors who are trying to sell you a product to easily achieve compliance, as such a solution does not exist. Many of the 110 controls of the NIST standard deal with the process – and how you implement the controls will be unique to your business.

To stay competitive in the DoD acquisition process and comply with NIST 800-171, you should (immediately):

  1. Assess current operations for compliance with NIST 800-171. – Starting with a gap assessment of your current people, process, and technology against compliance with NIST 800-171 is a useful step in achieving compliance. When done correctly an assessment will:
    • Directly link to Control 3.12.1 of NIST 800-171 which requires that you “periodically assess the security controls in organizational systems to determine if the controls are effective in their application.”
    • Give you a clear view of your current compliance with the remaining controls.
    • Generate a System Security Plan (SSP) and associated Plans of Action & Milestones (POA&Ms), both of which are NIST SP 800-171 requirements.
  1. Write your SSP & POA&Ms – NIST 800-171 was revised (Revision 1) in December 2016 to require a “system security plan (SSP)” and associated “plans of action (POA&Ms)”. Initially, your SSP will be an aspirational document as you will find that many of the required 110 NIST SP 800-171 controls are not fully implemented in your environment. Your POA&Ms will detail your plans to remediate deficiencies and achieve compliance. The requirements are:
    • Security Requirement 3.12.4 (System Security Plan, added by NIST 800-171), requires the contractor to develop, document, and periodically update, system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
    • Security Requirement 3.12.2 (Plans of Action), requires the contractor to develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems.
    • Note that these plans can be documented in a variety of formats but at a minimum, they should detail:
      • The deficiency identified
      • The plan to correct the deficiency (people, process, and/or technology)
      • Dates by which you intend to be compliant against the specific deficiency
  2. Implement the required controls  – Execute your POA&M’s and achieve full compliance with NIST 800-171. This is probably going to be a full-time effort and if you are using only internal resources remember they all already have day jobs so set your expectations accordingly. If you work with a third party to implement the controls look for the following expertise:
    • Have they implemented the NIST 800-171 controls for similar-sized businesses?
    • Have they solved the unique challenges that come with implementing NIST 800-171 controls in manufacturing, lab, and engineering environments?
    • Ask for and check references.
  3. Maintain Compliance – If you have made it this far, congratulations! Now plan for ongoing compliance in a way that achieves the following:
    • Documented and automated compliance reporting
    • Support Request for Proposal (RFP) and other acquisition-related business development activities
    • Ongoing operational expense related to maintaining compliance

Compliance is a Journey – and Not a Destination

Your SSP will need to be updated as your business changes and specific control implementations need to be continually validated. If you have a Managed Security Services Partner (MSSP), have them map the work they do back to NIST 800-171 compliance for the appropriate controls and modify your contract to provide for periodic reporting. For the controls maintained by in-house staff, automate control validation and reporting so that you can demonstrate compliance on a real-time basis.

Achieving NIST 800-171 compliance isn’t easy but the process doesn’t have to be complicated. If you need help staying competitive with this DoD mandate, Contact Us at sales@cybersheath.com.

 

These days, it’s not easy to be in charge of your organization’s IT security. With cyberattacks increasing in frequency, severity, and reach, it’s more important than ever to develop a plan for achieving, managing, and documenting the security of all of your systems.

It’s Not Only Good Practice to Have a System Security Plan, but It’s Also a Requirement

NIST SP 800-17, Revision 1 recently added requirement 3.12.4 to the Security Assessment control family stating that organizations must “Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.”

This one-sentence requirement is based on NIST SP 800-18 – Guide for Developing Security Plans for Federal Information Systems.

Identify What Systems Need a System Security Plan

Now it’s time to figure out which systems in your organization require a System Security Plan (SSP). Each SSP should be focused on an information system, which is defined as “a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.” An application, information or technology service, platform, and infrastructure are all considered systems, and their security must be formally planned according to the NIST SP 800-171 requirement for in-scope systems.

Compile your list of systems needing an SSP and start uncovering all the information you will need to write them. Each SSP will need two types of information, both of which can be a challenge to compile. These include:

  1. System details documenting how the system operates
  2. Details about how the NIST SP 800-171 Revision 1 controls requirements are met for that particular system. Note that the control statement responses are a granular system-specific response to the 110 control requirements.

Once you have your inventory of systems that store, process, or transmit Controlled Defense Information (CDI) or Controlled Unclassified Information (CUI), it’s time to start planning.

First, create a system security planning template. The appendix to NIST SP 800-18 – Guide for Developing Security Plans for Federal Information Systems has a template, which provides a great starting point for creating your organization’s SSPs.

Next, assemble your team for the planning process, making sure to include these roles:

  • System Owner – This role is critical to the system security planning process as this person has deep knowledge about the systems and understands what the system does, how it works, and how it is controlled. The system owner owns the security plan for the system and is responsible for providing diagrams and explanations that articulate where the sensitive data is stored at rest, where and how it is transmitted, and what system interfaces exist, especially those interfacing systems that transmit the sensitive (CDI and CUI) data.
  • IT/Security Support Staff – Depending on the size of your organization, your support team may provide a set of core IT services that provide control to the broader network and computing environment. Inheritable controls could include authentication services, firewalls, network segmentation, secure system baselining, access management, and change management. A system owner will work hand-in-hand with the support team to understand how and if the controls apply to his or her particular system.
  • Administrative/Business Operations Support Staff – Some controls that apply to systems may not be technical. Administrative and/or business operations staff will need to provide input into how non-technical controls, such as background screening processes, facility security mechanisms, training and awareness programs, and staff management controls, are addressed. The people who have ownership of these functional business capabilities will need to weigh in on the security planning effort so that controls are adequately defined.

Once you have the right people involved, it’s time to get to work and write the plan. It’s a laborious process, but the intent is to provide defensible information and responses as to how a system works and how security controls are applied. An auditor or contracting official will want to know how you safeguard their sensitive data, and the information you document along with control responses should provide assurance of that protection.

Create a Master SSP

Every system used for the storage, processing, and transmission of CDI/CUI should have a security plan. Think about the roles above and the functional areas they represent. If these roles exist as a core, corporate function that is applied consistently across the organization, then consider creating a master system security plan that documents a core set of controls meeting the NIST 800-171 requirements.

A Master SSP helps you define a standard across the enterprise for inheritable controls, which provides guidance to the system owners about how they may be consuming controls that are broadly applied to the organization. The effectiveness of using the master system security planning concept depends on how effective those broad controls are applied by mandate.

  • For those organizations who strictly apply their standards, the master system security planned controls would be thoroughly applied and relied on.
  • For those organizations looser about applying standards and mandates, a master system security plan makes a good reference, but system owners should pay close attention to whether they actually inherit the standard control offering, or if a system-specific control response is required.

Build Proactive Measures into Your SSPs

Developing your System Security Plan(s) will provide a systems-focused macro-view of how your security controls are being applied. The process also helps identify non-compliance and uncover insecure practices, alerting you and helping you create a plan to resolve issues.

Consider building your Plan of Actions & Milestones (POAM) into your SSPs, and track compliance deficiencies to resolution. This helps you be proactive in your remediation and corrective action planning and moves you closer to a mature state in managing security controls.

The CyberSheath team is experienced at helping organizations like yours create System Security Plans. Contact us to learn how we can help you.

As a contractor, you need to safeguard covered defense information that is processed or stored on your internal information system or network.

To stay in the running for work from your primes, you need to comply with DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which requires contractors to implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”. You have until December 31, 20 I 7 to implement NIST SP 800-171.

How will non-compliance with NIST SP 800-171 impact contractors’ future acquisition?

On September 21, 2017, The Director, Defense Pricing/Defense Procurement and Acquisition Policy issued guidance for acquisition personnel in anticipation of the December 31, 2017 deadline, which:

  • Outlines how contractors might implement NIST SP 800-171.
  • Addresses how a contractor may use a system security plan to document the implementation of the NIST SP 800-171 security requirements.
  • Describes how DoD organizations might choose to leverage the contractor’s system security plan (SSP), and any associated plans of action, in the contract formation, administration, and source selection processes.

To not jeopardize future opportunities, contractors should focus on developing a well-written SSP and associated Plan of Action and Milestones (POA&M) to achieve compliance.

What are the SSP and POA&M requirements?

NIST SP 800-171 was revised (Revision 1) in December 2016 to require a “system security plan” and associated “plans of action.” Specifically:

  • Security requirement 3.12.4 (System Security Plan, added by NIST SP 800-171, Revision 1), requires the contractor to develop, document, and periodically update, system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
  • Security Requirement 3.12.2 (Plans of Action), requires the contractor to develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems.

How do you write an SSP and POA&M?

Documenting implementation of the NIST SP 800-171 security requirements by the December 31, 2017, implementation deadline requires an SSP and associated plans of action which describe how and when you will meet unimplemented security requirements, how you will implement planned mitigations, and how and when you will correct deficiencies and reduce or eliminate vulnerabilities in the systems. System security plans and plans of action can be documented as separate or combined documents. You should choose a format that integrates with existing business processes and can be easily maintained year-over-year. Governance, Risk, and Compliance platforms can provide a technical, somewhat automated capability to meet this objective.

There is no prescribed methodology for contractors to implement the requirements of NIST SP 800-171, or even to assess your current compliance with the requirements -nor is there a prescribed format for SSPs or POA&Ms. A reasonable first step in creating an SSP and POA&M is to use company personnel or a qualified third party to execute a gap assessment against current operations compared to the NIST SP 800-171 requirements. The gap assessment will detail changes to policy and highlight areas where additional hardware or software are required to achieve compliance. A well-executed gap assessment will determine:

  1. Requirements that can be met using in-house IT personnel.
  2. Requirements that can be met using outside assistance.
  3. Plan of Action and Milestones for achieving compliance.

Which version of NIST 800-171 applies?

DFARS Clause 252.204-7012 requires the contractor to implement the version of the NIST SP 800-171 that is in effect at the time of the solicitation, or such other version that is authorized by the contracting officer.

How do you inform the Government of compliance with NIST SP 800-171 requirements?

You can inform the Government of your implementation of the NIST SP 800-171 requirements in a number of ways.

  • The solicitation provision DFARS 252.204-7008, “Compliance with Safeguarding Covered Defense Information Controls,” provides that by submitting the offer, the contractor is representing its compliance (and provides a procedure for the contractor to request the DoD Chief Information Officer (CIO) to authorize a variance from any of those requirements as being non-applicable, or because the contractor has a different but equally effective security measure).
  • Paragraph (c)(2)(ii)(A) of DFARS Clause 252.204-7012 requires the contractor that is performing a contract awarded prior to October 1, 2017, to notify the DoD CIO of any requirements of NIST SP 800-171 that are not implemented at the time of contract award.

Keep in mind, the solicitation may require or allow elements of the system security plan, which documents the implementation of NIST SP 800-171, to be included with your technical proposal, and may be incorporated as part of the contract (e.g., via a Section H special contract requirement).

What is the role of the SSP and POA&M in contract formulation, administration, and source selection?

Chapter 3 of NIST SP 800-171, Revision 1, states that Federal agencies may consider the contractor’s system security plan and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization, and whether or not it is advisable to pursue an agreement or contract with the nonfederal organization.

DFARS Clause 252.204-7012 is not structured to require contractor implementation of NIST SP 800-171 as a mandatory evaluation factor in the source selection process, but the requiring activity is not precluded from using a company’s SSP and associated POA&Ms to evaluate the overall risk introduced by the state of the contractor’s internal information system or network.

The Director, Defense Pricing/Defense Procurement and Acquisition Policy guidance for acquisition personnel provide the following examples of how the government may utilize the system security plan and associated plans of action:

  • Using proposal instructions and corresponding evaluation specifics (detailed in sections L and M of the solicitation as well as the Source Selection Plan) regarding how implementation of NIST SP 800-171 (and other applicable security measures) will be used by DoD to determine whether it is an acceptable or unacceptable risk to process, store, or transmit covered defense information on a system hosted by the offeror. The solicitation must notify the offeror whether and how its approach to protecting covered defense information and providing adequate security in accordance with DFARS 252.204-7012 will be evaluated in the solicitation.
  • Establishing compliance with DFARS 252.204-7012 as a separate technical evaluation factor and notifying the offeror that its approach to providing adequate security will be evaluated in the source selection process. The specifics of how the offeror’s implementation of NIST SP 800-171 will be evaluated must be detailed in Sections L and M of the solicitation as well as the Source Selection Plan.  If you are behind in implementing the required controls of NIST SP 800-171, are unsure of how to write your SSP and POA&M’s, or need expert help complying with the requirements, Contact CyberSheath at NIST800171@cybersheath.com for immediate assistance.

As a subcontractor on a Department of Defense contract, you have likely had flow down requirements from your primes related to DFARS clause 252.204-7012, commonly referred to as NIST 800-171. Many subcontractors, as they scramble to secure their infrastructure to be in compliance before the December 2017 DFARS deadline, are also asking, “When should DFARS clause 252.204-7012 flow down to our subcontractors?”

To help you answer that question, here are some basics related to DFARS clause 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting (effective October 21, 2016) and NIST 800-171.

The Basics of DFARS Clause 252.204-7012

This clause is required in all contracts except for those contracts solely for the acquisition of COTS items. It requires contractors and subcontractors to:

  1. Safeguard covered defense information (CDI) that is resident on or transiting through a contractor’s internal information system or network.
  2. Report cyber incidents that affect covered defense information or that impact the contractor’s ability to perform requirements designated as operationally critical support.
  3. Submit malicious software discovered and isolated in connection with a reported cyber incident to the DoD Cyber Crime Center.
  4. If requested, submit media and additional information for damage assessment.

What is Covered Defense Information (CDI)?

This term is used to identify information that requires protection under DFARS Clause 252.204-7012. Covered defense information is unclassified controlled technical information (CTI) or other information as described in the controlled unclassified information (CUI) Registry that requires safeguarding or dissemination controls*, and is either:

  • Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD, in support of the performance of the contract or
  • Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor, in support of the performance of the contract.

* Pursuant to and consistent with law, regulations, and Government-wide policies

Does DFARS clause 252.204-7012 flow down to subcontractors?

The clause impacts subcontractors when performance will involve operationally critical support or CDI. You should determine in consultation with your contracting officer if necessary if the information required for subcontractor performance is or retains its identify as CDI, and requires safeguarding or dissemination controls. Flowdown is to be enforced by the prime contractor. If a subcontractor does not agree to comply with the clause, CDI should not be on that subcontractor’s information system.

What does DFARS Clause 252.204-7012 require?

Simply stated, this DFARS clause mandates adequate security. The contractor shall provide sufficient security on all covered contractor information systems. To provide satisfactory security for covered contractor information systems that are not part of an IT service or system operated on behalf of the Government, at a minimum, the contractor must implement NIST SP 800-171, as soon as practical, but no later than December 31, 2017.

What is NIST SP 800-171?

This standard:

  • Enables contractors to comply using systems and practices likely already in place.
  • Significantly reduces unnecessary specificity, as requirements are performance-based, and more easily applied to existing systems.
  • Provides a standardized, uniform set of requirements for all CUI security needs.
  • Allows non-federal organizations to consistently implement safeguards for the protection of CUI (i.e., one CUI solution for all customers).
  • Allows contractors to implement alternative, but equally effective, security measures to satisfy CUI security requirements.

If you are struggling with interpreting these requirements or need help implementing the security controls, CyberSheath can help you determine a path forward for achieving compliance ahead of the December deadline by conducting a gap assessment of your compliance with NIST 800-171, writing the required System Security Plan (SSP) and leading your remediation efforts.

There are less than 100 days left until the mandatory compliance deadline for implementing the DFARS required controls of NIST 800-171. Is your organization ready?

If you have been focusing on other strategic business initiatives and have not yet dedicated resources to NIST 800-171 compliance, you still have time. It will take a lot of work, but your organization can have a documented plan in place to guide your efforts and make material gains towards compliance this quarter.


Month-by-Month DFARS Compliance Guide

To remain competitive in your pursuit of new contracts with the Department of Defense, you should:

  1. Assess your current state and create an implementation plan for your needed controls.
  2. Formulate a DFARS-required System Security Plan (SSP).
  3. Achieve DFARS compliance.

Here’s how to accomplish that by the end of 2017.

October

  • Conduct security assessment – You might be tempted to save time and skip this step – but don’t assume that you already know what work needs to be done. Execute an internally or externally-led gap assessment against the fourteen families of controls in NIST 800-171. Document your compliance with each family of controls. Be sure to record the people, processes, technologies, and related artifacts involved and demonstrate that your security program is implementing the required controls as a part of your day-to-day operations.
  • Unsure of how to proceed? Work with a vendor – If you are struggling with the interpretation of the controls, enlist the help of a skilled outside party to execute the gap assessment.
    • Find a vendor – Look for a services provider with specific NIST 800-171 experience, both assessing compliance and implementing remediation programs to achieve compliance. Get references and make the vendor provide proof of past success in helping defense contractors achieve compliance. Query the vendor about the deliverable from the assessment and be clear that you are looking for more than best practice recommendations – you require information specific to your internal operations.
    • Leverage the third-party vendor to engage your executive team – Have your vendor work with your executives and get answers to the inevitable questions around DFARS compliance. You probably have already had a talented team that has been briefing NIST 800-171 internally for some time. Often the same message from a trusted third party with past experience can jumpstart the conversation at the executive level and secure the support your team needs.

November and December

  • Create a project plan and start implementing controls – Using the results of your gap assessment, create a project plan and start implementing controls that don’t currently exist in your organization and remediating the ones that fall short of meeting the requirements.
  • Be proactive in engaging procurement – If you have to purchase tools or engage a third party to assist in remediation, make sure that your purchasing is streamlined. With less than 100 days left there is little time for delays related to procurement processing. Ideally, you will have already spent time to get executive buy-in on this effort and have created the required sense of urgency around meeting the December compliance deadline.
  • Start writing your SSP – In parallel to your remediation efforts, start writing your SSP. It’s a requirement of compliance – and it will force you to be strategic about long-term compliance and not get lost in the tactical details of getting specific controls implemented before December. Your SSP should be a true reflection of your NIST 800-171 compliance program. You should plan to review and update this document annually.

CyberSheath is skilled at performing security assessments, creating remediation plans, writing SSPs, and most importantly actually implementing the required controls. If you need assistance achieving DFARS compliance before the deadline, Contact Us today.

In less than five months your organization needs to be DFARS NIST 800-171 compliant. If you have already formulated a remediation plan to help you address your deficiencies, continue working through your prioritized roadmap to meet the compliance deadline. If you haven’t yet begun planning, get started today. Don’t jeopardize your ability to secure and execute DoD contracts by being non-compliant.

Three Areas to Focus on as You Craft Your Compliance Roadmap

After you’ve assessed your organization against the 110 security controls in NIST 800-171, you’ll need to build a plan to address your compliance gaps. An effective plan will have components that address these three areas.

  1. Multi-Factor authentication
    • What it is: Multi-Factor authentication (MFA) is a security measure where more than one method of authentication from independent categories of credentials is required to verify the user’s identity for a login or other transaction. It is an important component of any security plan as increasing authentication from a single factor greatly improves the security of your systems.
    • What you need to do: Procure an identification and authentication service that complies with the DFARS security requirements. Make sure the MFA solution is scoped and implemented to address the unique requirements of your environment. Also, work with stakeholders and end-users to conduct use-case and validity testing. Integrate with your authentication management processes to administer the user lifecycle. Make sure you have access to training, maintenance, and support of your solution.
  1. Privileged Account Management
    • What it is: Privileged account management (PAM) is managing and auditing account and data access by privileged users, who are individuals with administrative access to critical systems. Better managing access to privileged accounts can help prevent cyber adversaries and rogue insiders from going after privileged credentials as a way to gain broad and undetected access to your information systems.
    • What you need to do: Ensure your PAM solution provides automated, monitored, and controlled privileged access. Elevate administrative access to avoid granting excessive access to privileged accounts. Require the verification of a ticket or an approval to ensure administrative access is only granted when it is required for a specific activity. Work with engineers who are well versed in fine-tuning the configuration of the PAM suite and who can provide technical expertise and customization for your unique project.
  1. Vulnerability Management
    • What it is: Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities in your security infrastructure. It is important that your organization continually be monitoring for vulnerabilities to ensure you stay ahead of potential threats.
    • What you need to do: A DFARS compliant vulnerability management program will continuously assess your environment for vulnerabilities and patch compliance. Make sure your solution performs monthly vulnerability scans, as well as scans after any significant changes are made, of all your internal and public-facing systems. Also, ensure you receive a monthly report detailing new findings and findings from the previous month(s) which have yet to be remediated. Verify implementation of patches or workarounds for each fix with follow-up scans as needed.

Plan, Provision, and Outsource if Needed to Meet the December 31, 2017 Deadline

Determine what you can reasonably accomplish with your internal resources and what you need to outsource to meet the December deadline. Also, as part of your roadmap, make sure you plan for a post-compliance world where you need to maintain the controls you’ve implemented.

Regardless of where you are in your DFARS compliance process, time is of the essence. Continue your efforts or get started now – five months is not much time to affect the change mandated by NIST 800-171 compliance.

If you need support, contact us for a FREE consultation.

Achieving compliance with NIST 800-171 before the mandatory December 2017 deadline can look like a daunting task. With only 6 months left in the year, time is running out to understand, evaluate, and implement the more than 100 DFARS controls. Where do you start – and how do you efficiently deploy resources to ensure success?

Here are 4 Simple Steps to Assess, Implement, Measure, and Maintain Compliance

  1. Conduct a gap assessment of your current security program. Using a trusted third party or internal resources, perform a binary, pass/fail assessment and make sure results are supported by artifacts and technical validation. Taking a pass or fail approach to each required control ensures an honest assessment and efficient process. Countless vendors have “proprietary” assessment methodologies that are ultimately subjective marketing documents. The NIST 800-171 controls are either implemented or they aren’t. This approach saves you time and endless debate that doesn’t move the needle on compliance.
  2. Turn your gap analysis into a remediation plan. Review your assessment results and start the process of remediating non-compliant controls. The project plan should identify the people, processes, and products required for control implementation. Your plan should be a “project management 101” kind of document that gives you a realistic view of cost, schedule, and performance. If you have budget constraints, look for opportunities to implement manual processes until you can automate with tools. Be sure to account for the documentation of your policies and processes as part of the plan.
  3. Execute your plan. Run your implementation of NIST 800-171 like a project with dedicated internal or third party resources if the workload requires them. Track project progress weekly and keep management informed. Be sure that after a control is fully implemented you have a way to continuously measure compliance. Like any other regulatory mandate, DFARS compliance is an ongoing requirement and not a one-time effort. This monitoring can be done manually or with a GRC (Governance, Risk, and Compliance) tool like RSA Archer or TraceCSO. If you are budget-constrained, use Excel or SharePoint to get the job done.
  4. Maintain compliance across your enterprise. Implement dashboard views of near real-time compliance and a process for on-boarding new contracts with CUI/CDI (Controlled Unclassified Information/Covered Defense Information). Budget for and perform an annual assessment to validate your compliance.

The Bottom Line

NIST 800-171 is an effective cybersecurity hygiene guide for DoD contractors. Controls like multi-factor authentication and encryption are heavy lifts initially but relatively easy to maintain after implementation. The interpretation of the controls may seem intimidating, but the pragmatic approach laid out above will go a long way in helping you meet the December 2017 deadline.

Get started! It’s likely your team is already overburdened with other work and adding this to their plate with only 6 months of the year remaining won’t be easy. That’s why CyberSheath exists. We’ve helped dozens of global companies achieve compliance – and we can help your organization too. Contact CyberSheath today for a FREE consultation.

There’s a lot at stake right now with your company’s DFARS / NIST 800-171 compliance. What you do – or don’t do – in the next six months could impact your ability to secure and execute DoD contracts.

Is your company compliant with all 110 security controls in NIST 800-171?

As a supplier, chances are you’ve received a letter from one of your Prime’s asking if you are compliant with the DFARS mandate and reminding you of the compliance deadline of December 31, 2017. If your Prime uses Exostar as their sourcing and collaboration tool as the major Defense Contractors do, you will have to fill out a DFARS questionnaire before a PO can be issued for your part of the contract.

There are three ways to handle the situation:

  • Misrepresent the truth about your organization’s infrastructure security and answer the questionnaire in a knowingly untruthful way and claim compliance in the hopes that the truth is never discovered and that your firm is never flagged for a security audit.
  • Determine where you are non-compliant and develop a plan to become compliant by year’s end.
  • Write a letter to the DoD explaining where you are not compliant, and why.

Of these options, I think we can agree that the first is ill-advised, and the third is not a way to build trust and foster confidence in your firm. That leaves the second option – becoming compliant. How do you proceed?

What exactly is the DFARS mandate and why it’s important?

NIST Special Publication 800-171 Protecting Covered Defense Information in Nonfederal Systems and Organizations, otherwise known as DFARS (Defense Federal Acquisition Regulation Supplement), details the fourteen families of security requirements for protecting the confidentiality of Covered Defense Information (CDI). This document outlines each of the controls your firm needs to meet in order to be able to continue providing services and products to your Prime and ultimately to the DoD.

The fact is, the controls outlined in DFARS are security measures that your firm should already be implementing as part of maintaining good security hygiene. Each item on the checklist helps your firm safeguard important information and, ultimately, helps your firm protect the confidentiality of CDI.

What should you do to keep your current contracts?

Right now your firm is probably compliant with about half of the 110 controls within NIST 800-171. Chances are the areas your company is deficient in include:

  • SIEM (security information and event management)
  • Multi-factor authentication
  • Applied encryption, both at rest and in-transit
  • Policies and written authentication for your security procedures and protocol

While addressing these deficiencies may seem onerous, it’s important to remember that becoming compliant is good for your company – and good for your bottom line. Perhaps you think you don’t have the resources, budget, or buy-in needed to move forward. Keep in mind that the path to compliance is the only viable option you have. Here is a plan on how to address and achieve DFARS compliance:

  • Get a security assessment to help you interpret what is required and if your company is in compliance with each of the 110 controls.
  • Create a plan to achieve compliance on all the items identified as deficient in your security assessment. Your remediation plan should solve for operational issues as well as protect covered defense information in a manner that demonstrably shows compliance. Note that remediation typically takes about 6 months – so you need to get started now.
  • Partner with a trusted, experienced company that:
    • Has truly walked a mile in your shoes and has experience implementing the controls required for DFARS compliance.
    • Tailors the control implementations to fit your reality and achieve compliance.
    • Understands the practical realities of implementing controls like multi-factor authentication in an operational environment on a limited budget.

CyberSheath uniquely understands the DFARS security requirements and can assist you with assessing compliance with these DoD mandated security requirements and creating a road map of how you can become compliant by December 31, 2017.

The clock is ticking. Get started on your DFARS compliance today.

Don’t scramble to do research to address your security shortcomings. Get your current security state assessed now and formulate a plan to become compliant – before your Primes come to hold you accountable to this new mandate.

Contact us today for a FREE consultation and we’ll make sure you have a strong cybersecurity defense strategy!

In December of 2016 the National Institute of Standards and Technology (NIST) finalized the first revision to it’s Special Publication 800-171, Protecting Controlled Unclassified Information (CUI) in Systems and Organizations. The updated document, NIST SP 800-171 Revision 1 is the new standard for which government contractors who store, transmit or process CUI, are required to comply with by the December 2017 deadline for compliance.

While many of the updates are verbiage changes to clarify the defined scope of the current controls, there are two major changes that need to be noted by those who are required to adhere to the regulation.

In the original 800-171 release, Control 3.1.19 specified the requirement to encrypt CUI on mobile devices. In the updated revision, the control is amended with the additional stipulation to include mobile computing platforms. Further, mobile devices and mobile platforms are more clearly defined to include smartphones, tablets, E-readers, and notebook computers. This additional specification is intended to remove any doubt as to the scope of the control. Encryption of mobile devices and mobile computing platforms is an instrumental step to help limit a data breach as these devices are often lost or stolen. If you are interested in additional information I have covered the importance and scope of the encryption of data at rest requirements required by the 800-171 in a previous blog post.

At the time of the original release, in June of 2015, NIST SP 800-171 was published with 14 Control Families which contained 109 security controls in total. The newly released revision publication has added just one control bringing the total number to 110. This added requirement is contained in the Security Assessment Control Family (3.12) and is defined as follows:

3.12.4-  Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

Additionally, SP 800-171 Rev 1 notes there is no prescribed format or a specified level of detail for ‘system security plans’. However, organizations must ensure the required information in Control 3.12.4 is appropriately conveyed in the plans that are developed.

Aside from the requirement being imposed to have a formally documented security plan, having such a plan is a good indicator of the maturity of your organization’s overall security program. No matter how large or small your company is, it is important to have a plan to define the security of your information assets. The plan development process will help make you think more holistically about your organization’s security and will bring the many elements of your security model to one place. This will help provide the framework for keeping your company at the desired security level required by the 800-171.

It is important to understand the new control requires the following components in a security plan:

  • Documentation of its systems and environments of operation, including boundaries
  • Description of how security measures are implemented to satisfy the controls of the regulation
  • Definition of relationships with, and/or connections to other integrated systems

While these elements meet the minimum requirements for the new control, it is imperative to recognize this is only a baseline. A security program plan is never ‘done’ per se and should be a living document. The new control further reinforces that thought by requiring organizations to ‘periodically update’ the plan. This concept is also true for the 800-171 regulation itself, shown with the release of the current revision we are discussing. The ever-changing nature of the document ensures your organization is continuously adapting to the dynamic IT environment and the associated threats that we are faced with every day.

Does your organization need assistance becoming compliant with NIST SP 800-171 before the December 2017 DFARS compliance deadline? CyberSheath has the expertise to provide you with the specialized guidance you need and deliver industry-leading solutions. We have a specialized team of Cybersecurity Professionals with proven experience to guide and assist your business in achieving compliance.

Contact us today for a FREE consultation and we’ll make sure you have a strong cybersecurity defense strategy!

Last week’s global ransomware attack on unpatched computer systems, labeled a “cyber pandemic” by the Wall Street Journal, once again pointed out that basic cybersecurity defense is still being ignored. While not all breaches are preventable, most of the ones that make news headlines are. Below we’ll discuss what Board of Directors should be doing differently.

The current landscape of cyber defense is dominated by OEM’s pushing tools onto under-resourced security teams who don’t have a battle plan for success. It’s like going to Home Depot and buying all the tools and materials to build a house and architecting the build as you go. It’s expensive, inefficient and the ad-hoc nature of this approach is guaranteed to disappoint.

What is the Best Cybersecurity Defense Approach?

Cybersecurity defense should be approached like every other business problem where you develop a strategy that you can execute against and measure your success. Human Resources has a plan and supporting processes to manage and measure employee hiring, onboarding,  retention, and engagement. Finance has a plan and supporting processes to manage and measure revenue, profits, cash, orders and a host of business-relevant metrics. Cybersecurity should steal a page from these mature business supporting functions and develop the same. Pick a framework or control set (NIST 800-53, NIST Cybersecurity Framework, there are many to choose from, just pick one!) and identify, assess and manage your cybersecurity risk.

Why take this approach instead of following the marketing noise? For starters, organizations like the National Institute of Standards and Technology (NIST) have no profit interest in your implementation of their work. Their publications are the result of years-long collaboration between the government and private sector and are continuously being reviewed and updated. NIST accurately summarizes the benefits of the Cybersecurity Framework in saying:

“Utilizing the Framework as a cybersecurity risk management tool, an organization can determine activities that are most important to critical service delivery and prioritize expenditures to maximize the impact of the investment.”

Surely any company utilizing this framework would have identified unpatched systems as critical service delivery and a priority in the operational execution of cybersecurity. As last weeks “cyber pandemic” proved, this isn’t the case.

Cybersecurity Added Benefits

An added benefit of managing your cybersecurity program against a defined framework or set of controls is the ability to explain to your Board or Executives your priorities and resource requirements. This demystifies cybersecurity and enables them to make informed business decisions rather than a decision to fund a specific tool. In-time decision making is transformed from tactical to strategic and allows the organization to take a proactive, rather than reactive, approach to cybersecurity.

Compliance requirements like SOC Type 1 and 2 reporting, DFARS, Sarbanes Oxley, HIPAA, and others can be integrated into your chosen framework to align and simplify management of cybersecurity compliance and operations. As practitioners well know, the scope of these compliance audits is often so narrow by design that it becomes an exercise to just ‘get through’ rather than a data point for holistic risk management.

If you are on a Board don’t accept a compliance audit, penetration test or vulnerability scan as evidence of cybersecurity effectiveness. Push for the implementation of a framework and give the accountable teams the resources to succeed.

Contact us today for a FREE consultation and we’ll make sure you have a strong cybersecurity defense strategy!

As previously discussed in the CyberSheath blog, government contractors who process, store or transmit Covered Defense Information (CDI) are required by DFARS 252.204-7008 to comply with the 14 control families of the NIST SP 800-171 by December 2017. The clause dictates the security requirements specified by DFARS 252.204-7012 for Safeguarding Covered Defense Information and Cyber Incident Reporting. The intention of the directive is to ensure the safeguards implemented to protect CDI are consistent across nonfederal information systems as they relate to work contracted by the US government.

The regulation anticipates the addition of these controls is not intended to impose a burden by requiring additional systems or incurring additional expenses in order to acquire government contracts. Although the 800-171 is derived from FIPS 200 and NIST 800-53; the new control set is intended to remove the overhead of the controls specifically geared toward federal agencies. It was expected the majority of contractors would only need to implement and update policies in order to comply. While this may be valid for contractors who have a security baseline implemented that includes many components of the recommendations of FIPS 200 or NIST 800-53, it may not be true for all. Unfortunately for those that do not, this regulation may prove to be a challenging and expensive endeavor.

One of the direct requirements imposed by the 800-171 is the need for Multi-Factor Authentication (MFA). This necessity applies to all privileged account access and users who access network resources where Controlled Unclassified Information (CUI) exists, or CDI as defined by the DFARS clause. Additionally, this applies to any users who access the network remotely by means of remote access connections. These are described in the following ‘derived security requirements’ from both the ‘Identification and Authentication’ and ‘Maintenance’ control families of the NIST 800-171:

3.5.3   Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts

3.7.5   Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete

This requirement should not come as a surprise to many. A significant and common attack vector exists when a user’s account is compromised and leveraged by a hacker who has successfully acquired that user’s password. This is even more detrimental when an account with enhanced privileges is compromised. Accounts which have been protected with multiple factors of authentication make hacking much more difficult. Research demonstrates amongst the majority of cyber-attacks, the weakest elements are users and their credentials. This was validated by Verizon’s’ 2016 Data Breach Investigations Report (DBIR). The most recent DBIR states ‘63% of confirmed data breaches involved weak, default or stolen passwords’.

So you may ask, what exactly is Multi-Factor Authentication?

The NIST 800-171 describes MFA as:

The requirement of two or more different factors to achieve authentication. Factors include:

(i) something you know (e.g., password/PIN);

(ii) something you have (e.g., cryptographic identification device, token); or

(iii) something you are (e.g., biometric).

In layman’s terms, Multi-Factor Authentication is combining more than one method or factor of authentication to verify your identity. It is critical to understand the NIST 800-171 requires a minimum of two factors of authentication to meet the requirements the MFA controls. This is commonly referred to as Two-Factor Authentication (2FA). Therefore, the use of two different passwords does not constitute multiple factors since they are both ‘something you know’ and do not include a second-factor type.

The most common factor, albeit the weakest is ‘something you know’. This is generally the password or PIN that most associate with their user account when logging into their computer systems. Passwords are commonly weak, used across many systems and also reused often by users. It is important to note, once a password is compromised by an attacker it is often unknown to the user.

‘Something you have’ is the most commonly implemented second factor and is often in the form of a uniquely generated One-Time Passcode (OTP). These OTP’s can be provided by several different methods including hardware tokens or fobs, software applications such as on a smartphone, or even provided by a USB hardware device such as a Yubikey. While this factor is more secure than the first, it is still open to compromise by loss or theft of the medium which provides the OTP. It is imperative for users to safeguard these devices in order to maintain system integrity.

The third factor described is, ‘something you are’. This factor is considered by many to be most secure, but also the most difficult to manage on a large scale. This can be satisfied by several different biometric identifiers but most commonly with the user’s fingerprints. While this authentication method is the least open to compromise, ensuring the hardware being used is hardened against common biometric vulnerabilities such as the ‘Gummi-Bear Hack’ is critical.

As mentioned above, while adherence to the 800-171 was not intended to impose an additional financial burden to contractors who seek government contracts; the implementation of an MFA solution can prove to be costly. The major expenses incurred involve the cost of third party software to manage the additional authentication factor and also hardware if choosing to utilize a biometric factor or hardware tokens (hard tokens).  If supported by the solution, software tokens (soft tokens) can be a less expensive method of providing OTP’s by leveraging users existing mobile devices. This can prove to be a large scale project depending on the size of the organization and the availability of the current IT staff. Many organizations may need to seek third party consultants who are experts in the deployment in order to streamline the process which can incur additional costs over the investment of the initial solution.

Based on the investment required, it is imperative to perform due diligence when choosing an MFA solution. The products currently available on the market vary widely with their offerings so it is important to consider the following to determine what solution is the best fit for your organization:

  • What is the ease of use for the end-users?
  • What is the additional burden to support the solution for IT staff?
  • Does the solution offer any administrative bypass to allow logins for users who have lost their hardware token or smartphone?
  • Is the solution cloud-based or internally hosted on your network? If internal, is additional hardware needed?
  • What operating systems are supported?
    • Server and Desktops
      • Windows, Linux, Mac?
    • What deployment options does it support for client installation?
    • Does it integrate with your current firewall VPN solution?
    • What happens when your machine is not able to contact the authentication server?
      • Is the client software capable of validating locally or does it deny access?
      • Does it bypass the MFA altogether?
    • What types of authentication mechanisms are supported?
      • One-Time Passcodes
        • Hard Tokens
        • Soft Tokens – what mobile operating systems are supported? (Apple, Android, Microsoft)
      • Push verification to a smartphone app
      • Biometric
    • What is the cost of ownership?
      • One-time purchase
      • Monthly based on user count

It soon becomes obvious that there is a lot to consider when choosing the best Multi-Factor Authentication solution for your business. It is important to realize the ‘true cost’ of implementation. This value factors in the cost of the system and of the resources required to successfully implement and support the solution across your firm. Following the saying, ‘Do it once and do it right’ it is a good idea with the deployment of this nature and could save you profusely in cost and resources invested.

Does your organization need assistance choosing and implementing the right solutions to become compliant before the December 2017 DFARS compliance deadline? CyberSheath has the expertise to provide you with leading solutions and give you the guidance you need. We have a specialized team of Cybersecurity Professionals who have proven industry experience to guide and assist your business in achieving compliance.

As part of an ongoing series on using privileged account management solutions to meet DFARS requirements, CyberSheath’s security consultants have explored technical controls in great detail, providing readers with real-world applications that make a meaningful impact. This week CyberSheath continues to explore NIST control 800-171, “separate the duties of individuals to reduce the risk of malevolent activity without collusion”.

Privileged account management solutions are valuable tools to meet the following NIST 800-171 controls:

  1. NIST 800-171 3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  2. NIST 800-171 3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. NIST 800-171 3.1.7 Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
  4. NIST 800-171 3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
  5. NIST 800-171 3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
  6. NIST 800-171 3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.
  7. NIST 800-171 3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
  8. NIST 800-171 3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts.

The fourth control, 3.1.4, is to “separate the duties of individuals to reduce the risk of malevolent activity without collusion”. In layman’s terms, organizations must segregate the duties and tasks that employees complete in order to minimize the chance that they could purposely plan and execute malicious activities.

Real-world examples of this scenario include ensuring an application development team does not have access to production code or compartmentalizing the information individuals on a team have access to, ensuring no one individual has access to everything. Separation of duties would prevent individuals from maliciously impacting production code or limit the fallout of an insider threat.

A privileged account management solution like CyberArk allows organizations to provision access to applications, operating systems, databases and many other devices through the use of the Enterprise Password Vault. Organizations can create a purpose built shared accounts for applications, systems, databases, etc., and grant access to those specific accounts based on the separation of duties. That way, when contractor one needs to access information, they use the shared account they have been provisioned access to, and contractor two uses a different account.

10-24-1.png

Before a contractor can even check out a credential, organizations have the ability to implement account access workflows. This workflow can require contractors to fill out a form that specifies a reason for access, how many times they will be accessing it, and the time frame they will access it. When the form is submitted, an authorized individual like a manager can approve the request, giving the contractor access to the password. This feature is called Dual Control, and by using this feature, organizations can ensure that managers or authorized individuals can grant access for specific duties or functions. Dual Control can be configured so that authorized individuals are only able to approve, but not access the account, ensuring separation of duties between roles. Dual Control can also be configured so that teammates can approve other teammate’s access ensuring that at least two people are aware of account access. This entire request and approval process leaves a full tamper-proof audit trail.

To further ensure that malicious activity is not taking place, organizations can implement a policy of “one-time-use” passwords, where after a given time period (say 24 hours for example) the password will be changed automatically. In combination with the CyberArk Privileged Threat Analytics (PTA) tool, organizations can detect suspicious credential activity usage, trigger an alert and automatically respond to the unauthorized access in real-time. For example, if contractor #1 normally uses an account between a certain time period or location, using that credential outside of the normal baseline would trigger an alert and response.

10-24-3.png

CyberSheath’s implementation engineers and security consultants have real-world experience assisting organizations to fulfill their DFARS and privileged account management needs. Download our security assessment datasheet to learn more about how CyberSheath can help your organization get ahead with privileged account management. Subscribe to our email updates to stay up to date with our DFARS series and other security posts.

CyberSheath’s security consultants and implementation engineers have previously written about utilizing privileged account management solutions to meet DFARS requirements, and this week we continue to explore DFARS control requirements in detail.

The latest post in the “In-Depth Look at PAM Controls for DFARS Requirements” series, CyberSheath reviews a third NIST 800-171 control that when utilizing a PAM solution like CyberArk, makes for very effective control. These NIST 800-171 controls include:

  1. NIST 800-171 3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  2. NIST 800-171 3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. NIST 800-171 3.1.7 Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
  4. NIST 800-171 3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
  5. NIST 800-171 3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
  6. NIST 800-171 3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.
  7. NIST 800-171 3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
  8. NIST 800-171 3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts.

The third control, 3.1.7, is to “prevent non-privileged users from executing privileged functions and audit the execution of such functions”. In layman’s terms, do not give users who do not need privileged access the ability to execute privileged tasks, as well as the ability to audit privileged tasks.

In CyberSheath’s previous posts, we have discussed the concept of least privilege and using tools like CyberArk’s On-Demand Privileges Manager (OPM) and Viewfinity to technically enforce the least privilege while allowing elevated privileges when necessary. As a refresher, a “least privilege” access model means that end-users are given the bare-bone access required to do their everyday basic job functions. When users need to execute privileged tasks, they can either check-out an account from a Password Vault database, use the OPM or use Viewfinity on their workstation.

The CyberArk Privileged Account Management suite includes the Privileged Session Manager, a component used primarily as a jumpbox to transparently connect to target machines using secured privileged accounts. Since all of the traffic is redirected through the PSM jumpbox, it is also possible to record the sessions and monitor them live.  Auditors and Investigators can search for users that retrieved a password (whether the action was to view or copy the password or connect to a system using the target account).  The audit capabilities can be further bolstered by requiring users to provide reasons as to why they need access to the privileged account, and even requiring correlation to a Service Desk ticket number.  Recordings of the sessions can be searched for titles of specific applications that may have been launched (such as gpedit or regedit) for Windows-type recordings, or any text for UNIX type recordings.

10_12_1.png

CyberSheath’s implementation engineers and security consultants are well versed in the practical application of NIST 800-171 controls, DFARS, and privileged account management. Download our security assessment datasheet to learn more about how CyberSheath can help improve your organization’s security posture and implement effective security controls. Subscribe to our email updates to stay up to date with our DFARS series and other security posts.

Last week CyberSheath began a new series, “In-Depth Look at PAM Controls for DFARS Requirements”, dedicated to providing a detailed analysis on how privileged account management solutions play an important role for organizations in meeting DFARS requirements.

In the series’ first post we detailed control 3.1.1, one of the eight NIST 800-171 requirements that Privileged Account Management solutions offer well-fitting controls for; these NIST requirements include:

  1. NIST 800-171 3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  2. NIST 800-171 3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. NIST 800-171 3.1.7 Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
  4. NIST 800-171 3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
  5. NIST 800-171 3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
  6. NIST 800-171 3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.
  7. NIST 800-171 3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
  8. NIST 800-171 3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts.

The second of these eight NIST 800-171 controls, 3.1.2, is to “limit information system access to the types of transactions and functions that authorized users are permitted to execute”. In layman’s terms, only give access to those that have permission or approval for specific task or purpose. The reason for this control is to ensure that users only access information systems for the specific tasks and functions they are supposed to execute and prevent them from completing transactions or functions they shouldn’t be doing.

Most Privileged Account Management solutions will offer a form of account vaulting that allows organizations to partition account access based on the need-to-know and least privileged access model. For example, with CyberArk, companies can organize safes by the various functional and transactional requirements of the accounts stored in them. An organization could create a safe called “North-America-Unix-Local” which would be used to store accounts for the Unix team based out of North America, and the company’s administrators in Europe wouldn’t be granted access.

 

JC1.png

While the basic privileged account vaulting model could potentially meet the NIST 800-171 3.1.3 requirement, CyberArk provides two additional solutions to ensure that Federal contracting companies can meet and exceed the NIST 800-171 3.1.3 requirement; the On-Demand Privileges Manager (OPM) for UNIX and Viewfinity for Windows. Both of these products enforce a least-privilege access methodology at the operating system level and allow escalation of privileges for approved actions.

On-Demand Privileges Manager (OPM):

OPM allows organizations to define a policy (a set of rules) that dictate what commands users can or can’t run when connected to a UNIX server. When an end-user connects to a UNIX server with OPM installed, they execute a privilege elevation tool called PIMSU (Privileged Identity Management Switch User, similar to SUDO). The elevation tool will validate that the user logged in as has permissions to perform the elevated task and store a recording of all the elevated commands they execute during the session. This set of rules can be configured to allow or deny various commands that are defined as “privileged”.

JC2.png

For example, there are two contractors that both need access to a UNIX device that contains Covered Defense Information, and both need elevated privileges to complete unique tasks, two different policies can be created for each user that allow or prevent them from executing certain commands. This ensures that the information system access is limited to the transactions and functions a user is permitted to execute.

Viewfinity for Windows:

The Viewfinity application for Windows works in a similar way to OPM for UNIX. Viewfinity allows organizations to remove users’ local admin privileges on endpoints and servers. Like in OPM, organizations can granularly define trusted actions for applications, scripts, and commands which are managed on role-based access. This means that those same two contractors that need access to a Windows device containing Covered Defense Information can both elevate their privileges to run applications when necessary, but also ensure that they are allowed to execute those functions (or deny them).

JC3.png

CyberSheath’s implementation engineers and security consultants are leaders in both DFARS and privileged account management. Download our security assessment datasheet to learn more about how CyberSheath can help enable your organization to meet DFARS requirements. Subscribe to our email updates to stay up to date with our DFARS series.

If you have been following the CyberSheath blogs, you might have seen an increased focus on the updated DFARS regulations. These protocols dictate the newly imposed federal requirement for compliance with the NIST 800-171 controls for government contractors who process, transmit or store controlled unclassified information (CUI). The December 2017 deadline for compliance is fast approaching and contractors are required to meet the requirements of the regulation or face possible penalties. The federal government has continued to prioritize its cybersecurity initiatives and isn’t slowing down.

Many government contractors have been using the NIST 800-53 and FIPS 200 as regulatory guidelines for their information security standards. While this is good practice and a great jump start toward a secure baseline, these guidelines are just recommendations, not actual requirements unless you are a federal agency. NIST 800-171 is derived from those standards, but dictates ‘requirements’ for compliance. Additionally, it is important to understand the focus of the NIST 800-171 differs in that it is more concentrated on the ‘Confidentiality’ of data, and less on the ‘Availability and Integrity’ of data as in NIST 800-53 and FIPS 200.

The regulation states that any government contractors that process, store or transmit CUI are in scope for compliance requirements. First, it is important to understand what CUI is.

Controlled Unclassified Information is defined as:

Information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information,
December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.

– Executive Order 13556

The National Archives and Records Administration defined several categories for designating CUI. It is important to understand that NIST 800-171 focuses on CUI in its entirety, while DFARS 252.240-7012(a) defines a subset of information that is the category of ‘Covered Defense Information’(CDI). The DFARS 252.240-7012(a) clause defines ‘Covered Defense Information’ as unclassified information that:

(i) Is-

  1. Provided to the contractor by or on behalf of DoD in connection with the performance of the contract; or
  2. Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract; and

(ii) Falls in any of the following categories:

  1. Controlled technical information.
  2. Critical information (operations security). Specific facts identified through the Operations Security process about friendly intentions, capabilities, and activities vitally needed by adversaries for them to plan and act effectively so as to guarantee failure or unacceptable consequences for friendly mission accomplishment (part of Operations Security process).
  3. Export control. Unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives. To include dual-use items; items identified in export administration regulations, international traffic in arms regulations and munitions list; license applications; and sensitive nuclear technology information.
  4. Any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies (e.g., privacy, proprietary business information).

You don’t need to a cybersecurity specialist, CISO or a contract attorney to realize that these definitions are expansive and open-ended, it is by design. In a general sense, we can take away from the definition that CUI is any information that relates to a government contract which is not intended for public release. These can include the following locations:

  • Email systems
  • Internal documentation stores
  • Engineering and design systems
  • Accounting systems
  • Contracts and Proposal stores

Considering common systems that contain CUI, the realization becomes there are several different media types where these systems may reside:

  • Internal servers
  • Workstations and Laptops
  • Cloud systems
  • Removable media
  • Mobile devices

While these locations and systems may seem fairly straightforward for some, they may not for others. Another consideration is for contractors in a specialized industry vertical. What additional considerations do you need to be aware of? What other systems and locations are you responsible for safeguarding this protected information based on the regulations?

Let’s use a specific defense contractor vertical, the aviation industry as an example.

The US Government Accountability Office stated, “Modern aircraft are increasingly connected to the internet” and “interconnectedness can potentially provide unauthorized remote access into avionics systems.”

This brings to light may new technological systems that these contractors rely on that additionally contain CUI which needs to be protected. Both ground and flight operations depend on these systems to provide interconnectedness which boosts operational efficiency and safety in many instances. Many of these new avionics rely on internet connectivity which in turn allow an entry point for malicious attacks. Some of these systems include the following:

  • Flight Planning systems
  • Electronic Flight Bags
  • Flight Control Systems
  • Navigation systems
  • Communication systems
  • Satellite communications (specifically internationally where they are knowingly intercepted by foreign governments)

What this demonstrates is that while NIST 800-171 applies to many government contractors in a similar fashion, it can vary greatly by industry. It is important to recognize the true definition of what CUI is and how your company and industry transmit, store and process it in order to safeguard it correctly.

Understanding what needs to be protected is only the basis for complying with the regulation. Defining and implementing policies and systems to meet the compliance controls can be the bulk of the burden of meeting the requirements. This may seem like an overwhelming undertaking for many contractors who focus their primary energies on producing the quality products and services that they are known for in their industry. If you have a concern about the December 2017 DFARS compliance deadline and are lacking the resources to address your information security obligations, let CyberSheath be your trusted partner in navigating the NIST 800-171 gauntlet. We have a specialized team of Cybersecurity Professionals who have proven industry experience to guide your corporation to compliance.

In previous blogs, CyberSheath security analysts have identified new cybersecurity requirements from the recent changes to DFARS and have provided solution overviews for meeting those requirements and regulations. The series “In-Depth Look at PAM Controls for DFARS Requirements” will expand on previously mentioned regulations and provide a more granular look at how privileged account management solutions can play an important role in meeting DFARS requirements.

Back in March, we identified eight NIST 800-171 requirements where PAM suites can provide an ideal solution. These requirements include:

  1. NIST 800-171 3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  2. NIST 800-171 3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. NIST 800-171 3.1.7 Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
  4. NIST 800-171 3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
  5. NIST 800-171 3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
  6. NIST 800-171 3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.
  7. NIST 800-171 3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
  8. NIST 800-171 3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts.

The first of these eight NIST controls is to “limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)”. In layman’s terms, only give access to those people, processes or devices that have permission or approval. As Yanni previously mentioned, this is the most basic functionality and purpose of a privileged account management solution. What may seem basic to some, it may be complex to others, so let’s break down what limiting access to authorized users looks like using the CyberArk Privileged Account Management solution.

In the context of DFARS, all accounts that provide access to “Covered Defense Information” should be considered privileged and be “vaulted” or stored within the hardened CyberArk database. These accounts are stored in various “safes” according to who should have access to them. For example, anyone with access to “Safe 1” in the image below, will have access to all the accounts within the safe. Safes 2, 3 and 4 would be provisioned separately.

09_12-1.png

With CyberArk, organizations can provision their employees access to these safes and accounts either directly using their preexisting account such as a personal Windows AD account, or provision an LDAP group of users instead, giving the entire group access. Organizations can implement their own internal approval system so that when a request is complete, it would automatically provide access to CyberArk and the credentials, and subsequently, the Covered Defense Information.

Additional controls can be implemented to lock down authorized access further, including ticketing system integration and time-restrictions. Ticketing system integration adds an additional layer of authorization by ensuring that those employees who have access to accounts can only use them when they have a valid ticket or reason (see example 1 below). Time-restrictions can limit the hours in which employees can access privileged accounts. If an employee attempts to access an account outside of the allowed time frame, they will be unable to access it, and a fully auditable event will be logged (see example 2 below).

09_12-2.png

Example 1: Ticket Integration

09_12-3.png

Example 2: Time-Restriction

 

There are advanced features in the CyberArk suite such as privileged session recording and transparent connections (using credentials without ever seeing them), and they all work on the basic foundation of limiting access to authorized users.

CyberSheath’s security consultants and implementation engineers are well versed in DFARS and privileged account management. Download our security assessment datasheet to learn more about how CyberSheath can help enable your organization to stay productive while meeting DFARS compliance. Subscribe to our email updates to stay up to date with our DFARS series.

This is part two of a continuing series on the Federal Acquisition Register ruling 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.  If you haven’t read part one, please take a few minutes to read it before continuing.

In May, the federal government announced an update to FAR 52.204-21 that would impose similar rules and requirements to the Defense Federal Acquisition Register rule 252.204-7012, Safeguarding Covered Defense Information. These requirements, although not explicitly tied to NIST 800-171, are characterized as comparable.  NIST 800-171 has been implemented as the requirements for DFARS.  These new regulations apply to contractors that are not part of the Department of Defense.

The new cybersecurity requirements, which are described below, are very similar to the 14 control families of NIST 800-171, however, these are the 15 requirement categories that federal contractors will be required to meet.

  1. Limit access to authorized users.
  2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. Verify controls on connections to external information systems.
  4. Impose controls on information that is posted or processed on publicly accessible information systems.
  5. Identify information system users and processes acting on behalf of users or devices.
  6. Authenticate to verify the identities of users, processes, and devices before allowing access to an information system.
  7. Sanitize or destroy information system media containing Federal contract information before disposal, release, or reuse.
  8. Limit physical access to information systems, equipment, and operating environments to authorized individuals.
  9. Escort visitors and monitor visitor activity, maintain audit logs of physical access, control and manage physical access devices.
  10. Monitor, control, protect organization communications at external boundaries and key internal boundaries of information systems.
  11. Implement subnetworks for publically accessible system components that are physically or logically separated from internal networks.
  12. Identify, report, and correct information and information system flaws in a timely manner.
  13. Provide protection from malicious code at appropriate locations within organizational information systems.
  14. Update malicious code protection mechanisms when new releases are available.
  15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

These categories can apply to any solicitation and contract when the contractor or a subcontractor may have federal contract information residing in or transiting through its information system.  It does not apply to contracts for Commercial Off the Shelf (COTS) items.

One surprising item of note on the updated rules is that there were no reporting requirements to the Government mentioned anywhere in the clause.  Unlike DFARS, where a contractor has 72 hours to report an incident after discovery, the FAR rule does not impose any type of requirement.  However, this may change in the future because reporting incidents helps other organizations be on the lookout for similar suspicious activity or incidents within their own.

As more information becomes available, CyberSheath will be there to help you navigate your regulatory requirements.  Contact us today to learn how we can help you.

 * This is the first in a multi-part series on the new FARS 4.19 clause.

Recently, the US Government issued a final rule to the Federal Acquisition Regulations (FAR) to “add a new subpart and contract clause for the basic safeguarding of contractor information systems that process, store, or transmit Federal contract information”.  This is a new mandatory regulation, similar to the requirements established by the US Department of Defense with the Defense Federal Acquisition Regulation Supplement (DFARS).

On May 16, 2016, the final FAR ruling was issued, 48 C.F.R. Part 4.19 establishing minimum safeguarding requirements for federal contractor information systems and expressly provide that Federal agencies and departments may impose additional specific requirements.  The new FAR regulation goes into effect on June 16, 2016.  DoD, as mentioned in previous blogs has already amended its regulations to require covered contractors to comply with DFARS 252.204-7012. The new FAR 4.19 clause applies to all federal contractor information systems that are owned or operated by a contractor that processes, stores, or transmits Federal contract information.  While the new regulation does not require compliance with any specific NIST standards, unlike the DFARS regulation that requires NIST SP 800-171 compliance, the new regulation lists many of the same 14 control families detailed in 800-171.

CyberSheath can help you meet your compliance objectives and requirements, contact us today.

DFARS Terms

Navigating DFARS clause 252.204-7012 can be a daunting task when your organization has never seen this clause before.  Not to mention the recent updates changed some of the language and expanded the scope to more broadly apply protections for certain sensitive information.  This post, which is an add-on to the three-part series over the last several weeks on changes to DFARS clause 252.204-7012, will provide some additional details about the confusing terms in the clause.  If you haven’t read any of the other posts, please take a few minutes to do so, and then come back to this post.

Clause 252.204-7012 is titled “Safeguarding Covered Defense Information and Cyber Incident Reporting”.  As reported on over the last three weeks, the Department of Defense has expanded the scope of the clause, updated the security control requirements, and broadened the categories for which Controlled Unclassified Information falls into.  The following are important terms and information categories that your organization should be familiar with and look for on your next contracting engagement with the Department of Defense.  Unless otherwise noted, all definitions and terms are directly from clause 252.204-7012.

Covered Defense Information: This is an umbrella term covering unclassified information that is 1.) provided to the contractor by or on behalf of DoD in connection with the performance of a contract; or 2.) collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

This means that any information given to your organization by the DoD for the contract is considered covered defense information.  Furthermore, any unclassified information that your organization develops, collects, transmits, and stores for the contract is also covered defense information. Covered defense information should be protected according to clause 252.204-7012.

Controlled Technical Information: This term falls under the covered defense information category and is technical information with military or space application that is subject to controls on the access, use, reproduction, medication, performance, display, release, disclosure, or dissemination. It is important to note that the controlled technical information category does not apply to information that is lawfully and publically available without restrictions.

Export Control: This term is a covered defense information sub-category that means certain unclassified information that deals with specific items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the national security of the United States and no proliferation objectives.  This also includes dual-use items, items identified in export administration regulations, international traffic in arms regulations (ITAR), munitions list, license applications, and sensitive nuclear technology information.

Cyber Incident: Clause 252.204-7012 defines a cyber incident as actions taken through the use of computer networks that result in a compromise or potentially adverse effect on an information system and/or the information residing therein. Essentially any compromise of information resulting from a breach of the contractor’s computer network is considered a cyber incident.

Operationally Critical Support (OCS):  OCS is a term that means the contractor supplies services designated by the government as critical for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation. It is important to note that any contractor providing these services to the government must protect all information and systems that support OCS activities.

Technical Information: Technical data or computer software defined in DFARS 252.227-7013, Rights in Technical Data – Non Commercial Items, regardless of whether or not the clause is incorporated into the solicitation or contract. Technical data includes research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses, related information, computer software executable code, and source code.

Adequate Security: This term is defined as providing reasonable protections for all covered defense information on all covered contractor information systems that support the performance of work under the contract. This means that contractors must provide safeguards according to the defined security control standards outlined in Clause 252.204-7012, which are controls from NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.  In order to be compliant, contractors must implement the controls, or identify alternative but equally effective security measures.

Rapid(ly) Report(ing):  This is defined as reporting a cyber incident within 72 hours of discovery. All reporting must be to the DIBNet and requires a medium assurance certificate.

Whether your organization is navigating the DFARS compliance requirement for the first time, or you are updating your security controls to be compliant, CyberSheath can help you sort out the confusing landscape of DFARS Clause 252.204-7012.  Don’t wait to begin your path to compliance, contact us today.

In August and December 2015, the Defense Federal Acquisition Register Supplement (DFARS) received updates that are crucial for the 10,000-plus defense contractors.  If you have been following our blog, we first reported on the changes back in January.  It is important to understand these changes and how they will affect your organization. These next series of blogs will attempt to view the DFARS updates from a high level.  If you haven’t read last week’s post, you can do that here.

This week’s post will attempt to boil down the primary differences between NIST 800-53 r4 and 800-171.  For starters, both documents are a set of standards published by the Nation Institute of Standards and Technology (NIST), a federal government organization that produces standards on a variety of topics, including information security.  Back in 2013, when DFARS 252.204-7012 was issued as a final rule, it relied on NIST 800-53 r4 to be the de-facto standard that contractors must adhere to in order to meet DFARS compliance objectives of safeguarding Controlled Unclassified Information (CUI).   In August of 2015, DFARS was updated and replaced its security control requirements.  NIST 800-53 r4 was swapped out with NIST 800-171.

NIST 800-53 r4

The Department of Defense (DoD) chose NIST 800-53 r4 for its DFARS standard set of controls for a reason.  Its broad set of security controls cover many facets and areas of an organization and relates those areas to protect CUI.  NIST 800-53 r4 is a large set of security controls.  With 303 requirements categorized into 18 control families, it is difficult for any organization to meet all of them.  When DFARS adopted 800-53, they narrowed it down to a set of 51 specific controls sets that would be effective in safeguarding CUI.  I won’t go into each of the 51 questions, but the table below shows the controls families that are specific to DFARS:

NIST-tables-blog-post-800-53r4.jpg

Within each control family are several controls.  For example, access control has twelve controls and sub controls.   Each control is very detailed and in order to be compliant, the defense contractor must meet all of the requirements of the control.  In control AC-2, Account Management, there are 11 requirements within the control, from monitoring system accounts to notifying account managers when access is no longer required (see the full NIST 800-53 here).  The point that I am making here is the level of detail in 800-53 tended to be overkill for defense contractors.  Trying to make their current security initiatives fit within the framework of NIST 800-53 left a lot of room for improvement.  800-53 offered a lot of flexibility from the list of security controls, but very little when it comes to using systems and practices defense contractors already had in place.

Because of this and some other issues, such as applicability or overkill of controls, the solution was to streamline the requirements needed to protect CUI.  Not only that but also make them applicable and standard, regardless of the size of your organization.  The result of this is NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, released in June 2015.

NIST 800-171

The primary difference between NIST 800-53 and 800-171 is that 800-171 was developed specifically to protect sensitive data on contractor and other nonfederal information systems.  The set of controls outlined in 800-171 is designed to protect CUI and eliminate the built-in overhead that was geared mostly toward federal agencies.  NIST 800-171 requirements have a total of 109 requirements that are simplified to a basic level of understanding.  The 109 controls are spread across 14 control families:

NIST-tables-blog-post-800-171v1.jpg

Additionally, NIST 800-171 has been derived from NIST 800-53 and FIPS 200.  Many procedural elements have been removed altogether to focus on the most applicable moderate baseline controls.

It is important to note that contractors, under DFARS 252.204-7012, can deviate from the 800-171 control requirements.  The only stipulation is that the DoD CIO’s authorized representative must approve the deviation.  This allows contractors to build on or enhance any security programs that are currently in place, without having to re-invent the wheel and not acquire new systems just to process, store or transmit CUI.

NIST 800-171 has also streamlined its control set.  As in NIST 800-171 3.1, Access Control, the following requirement states:

3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

This covers account management and access enforcement.  The contractor will have to show how they limit the access and enforce it.

Aside from the structural differences between 800-171 and 800-53, the intent is the same.  Contractors are required to protect Controlled Unclassified information.  With 800-171, how the organizations protect the information is now a little more clear.  800-53 was incredibly wordy and often made it difficult for non-security individuals to understand what the requirement is, regardless of whether or not you are a security person or an IT person performing a security function.

How can CyberSheath Help Your Organization?

Whatever your security requirements are, CyberSheath can help.  As a leader in helping customers meet DFARS 252.204-7012 compliance requirements, CyberSheath is the place to start.  Begin with a NIST 800-171 assessment to measure your effectiveness and see where to begin.  CyberSheath can help you remediate any controls that are not effective and build out your security program to meet compliance requirements.

In August and December 2015, the Defense Federal Acquisition Register Supplement (DFARS) received updates that are crucial for the 10,000-plus defense contractors.  If you have been following our blog, we first reported on the changes back in January.  It is important to understand these changes and how they will affect your organization. These next series of blogs will attempt to view the DFARS updates from a high level.

When we talk about DFARS, which in and of itself is a very large “document,” we are focusing on a specific clause – 252.204-7012.  This is the clause that underwent a major surgery starting in August 2015 with the first interim rule that was released. That rule effectively expanded the scope of protection by defining “Covered Defense Information.”  In this blog post, we will cover the expanded scope and go into a little more detail about the definitions.

Expanded Scope

DFARS clause 252.204-7012 was issued as a final rule in November 2013.  Under that ruling, contractors had to protect information that was deemed Controlled Unclassified Information, or CUI.  CUI had a subcategory that referred to Unclassified Controlled Technical Information.   The safeguarding ruling applied to defense only if a contractor had UCTI resident or transiting through its information system.  Even though an organization might not have to adhere to DFARS 252.204-7012 requirements because they do not handle or process UCTI, the language was still present in all Department of Defense (DoD) contracts. In August 2015, DFARS was updated to broaden the scope to include covered defense information to apply to all contracts.  The August 2015 interim ruling provides narrow exceptions to the DFARS safeguarding requirements for information not marked or identified in the contract which does not fit into one of the four categories (see below) of covered defense information.

Under the previous November 2013 ruling, contractors only had to report cyber incidents that affected the UCTI category of information.  Under the new ruling, any cyber incident affecting Covered Defense Information, contractor information systems that contain covered defense information, or information that affects the contractor’s ability to provide operationally critical support.  What this means is that any incident that affects the contractor’s information system that stores covered defense information must be reported, even if the data itself was never compromised.

This is one of the critical difference between the November 2013 and August 2015 ruling.

Another way the scope was expanded was in the origination of the covered defense information.  Under the November 2013 regime, the information may have had to originate or transmitted from the DoD to be considered protected under the DFARS clause.  In the August and December 2015 rulings, the information can originate by the DoD, or collected, developed, received, or used by the contractor.  It is important to note, as mentioned earlier, that the information also has to fall within one of the four categories (defined below).

The August 2015 ruling also changed how defense contractors will safeguard the information systems.  The differences will be discussed in next week’s blog post, however, it is important to note that under the interim rule, safeguarding covered defense information requires contractors to adhere to NIST 800-171, or seek approval to use equally but effective controls.

Covered Defense Information

With this term, the DFARS clause 252.204-7012 expanded the scope of protection.  Before the first interim rule, defense contractors were familiar with CUI, or Controlled Unclassified Information.  In the past, CUI meant data and information that while unclassified, should be protected, controlled and disseminated only to individuals who require the information for an authorized mission purpose.  It could contain technical data, information about a vulnerability that affects a system, information about critical infrastructure, foreign government information, etc.  While CUI has not gone away, there have been efforts to broaden the scope with Covered Defense Information.

The DFARS clause 252.204-7012 has been expanded to include several additional categories of information such as Covered Defense Information, or CDI.  CDI can be information that is provided to the contractor by or on behalf of the DoD in connection with the performance of the contract.  Additionally, it is any information collected, developed, received, transmitted, used or stored by or on behalf of the contractor in support of the DoD customer. CDI should fall into one of the following categories:

  • Controlled Technical Information – Any information with military or space application that is subject to controls on the access, use, reproduction, performance, display, release, disclosure, or dissemination.
  • Critical Information (operations security) – Specific facts identified through the operations security process about friendly intentions, capabilities, and activities vitally needed by adversaries for them to plan and act effectively so as to guarantee failure.
  • Export Control – Unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably expect to adversely affect the United States national security and nonproliferation objectives. Dual-use items  (military and commercial applications), items identified in export administration regulations, international traffic in arms regulation (ITAR), license applications and sensitive nuclear technology information are considered exported controlled.

There is also an “other” category where any information marked or otherwise identified in the contract that requires safeguarding or dissemination controls such as proprietary business information or privacy controls and policies.

Contractor Attributional/Proprietary Information

Another category of information that falls under the scope of 252.204-7012 is Contractor attributional/proprietary information.  This category covers information that identifies the contractor, whether directly or indirectly, by the grouping of information that can be traced back to the contractor, personally identifiable information, trade secrets, commercial or functional information or other commercially sensitive information that is not customarily shared outside the company.

Next week, we will examine the significant changes in providing adequate security to safeguard covered defense information, which changed with the August 2015 interim ruling.  The post will look at the major differences between NIST 800-53 r4 and NIST 800-171.   While both rulings required the protection of information using a formal control set, 800-171 was paired down to be more applicable to defense contractor systems.

How can CyberSheath Help Your Organization?

Whatever your security requirements are, CyberSheath can help.  As a leader in helping customers meet DFARS 252.204-7012 compliance requirements, CyberSheath is the place to start.  Begin with a NIST 800-171 assessment to measure your effectiveness and see where to begin.  CyberSheath can help you remediate any controls that are not effective and build out your security program to meet compliance requirements.

On June 18, 2015, NIST released the final version of SP 800-171, which provides guidance for protecting the confidentiality of Controlled Unclassified Information (CUI) residing in nonfederal information systems. In August 2015, DFARS clause 252.204-7012 replaced the original NIST 800-53 r4 controls with NIST 800-171, which we detailed earlier here.  CyberSheath has integrated the requirements laid out in NIST 800-171 into our security assessment process that included all NIST 800-53 controls and in-depth reporting on the DFARS-specific controls.
Out of the new 800-171 controls, a handful deal specifically with privileged access.  Privileged Account Management (PAM) is a way for organizations to manage credentials with administrative rights to ensure the accounts stay safe.  CyberArk, a PAM solution and trusted CyberSheath partner, offer a suite of products designed to optimize privilege account creation while keeping the keys to the kingdom safe.  The following is a list of top 7 ways in which CyberArk’s PAM solution can help an organization meet the SP 800-171 guidelines:

7 Ways a PAM Solution Can Help You Achieve DFARS Compliance

NIST 800-171 Requirements for Access Control

Number one

NIST 800-171 3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

At its core, CyberArk is a system that was designed from the ground up to be a comprehensive PAM solution. The most basic functionality of CyberArk is the ability to create generic privileged accounts on target systems, provision those accounts within CyberArk, and subsequently allow specific users or groups to access those accounts.

Number two

NIST 800-171 3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute AND 3.1.7 Prevent non-privileged users from executing privileged functions and audit the execution of such functions.

In addition to identifying, securing, and monitoring privileged accounts, CyberArk has a component called “On-Demand Privileges Manager” or OPM for short.  Using the OPM component, organizations can limit the commands that individuals are able to execute on Unix/Linux systems and even Windows. For example, the OPM solution replaces the Unix sudo command with a PIMSU command which requires the user to authenticate against their credentials in the Vault, checks if they’re allowed to execute the command, and can allow instant execute permissions while at the same time starting a recording and alerting a security officer about the transaction.

Number three

NIST 800-171 3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

The basic CyberArk architecture helps to address this control because access to various system accounts can be segregated by safes, and only certain users or groups would have additional access to those safes. In addition, CyberArk comes with an out-of-the-box account access workflow capability called “Dual Control.” Using Dual Control policies, even an individual has full permissions to access an account; they would need a confirmation from a colleague with similar access before they can use an account. The ability for everyone in the group to see that that the request and approval workflow, diminishes the opportunity for malevolent collusion between rogue individuals.

Number four

NIST 800-171 3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
With CyberArk it is possible to enforce the least-privileged access model using the safe permissions. In addition there is quite a bit of transparency and ease of running audits, to confirm that this control hasn’t become lax. It’s possible for managers to be able to see which users have accessed an account, without granting the managers the permissions to use the actual account.

Number five

NIST 800-171 3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.

Using CyberArk, it may be easier to separate the “daily” accounts from “secondary accounts.” In fact, the need to create a second account for privileged access can be eliminated using the idea of a “shared” account. The idea of having “shared” accounts was frowned upon in previous access models, however, when accessing those accounts through CyberArk it is possible to have full attribution because shared accounts are mapped to CyberArk user accounts. A user could safely use a non-privileged account to access their email, and use the same account to access CyberArk, where they would be able to check-out privileged accounts. Note, in this model, it is highly recommended to have two-factor authorization of the user’s daily account into CyberArk.

NIST 800-171 Requirements for Identification and Authentication

Number six

NIST 800-171 3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

Out of the box, CyberArk supports RADIUS, RSA Token, SAML, and PKI authentication. These multi-factor authorizations can help an organization not just with the CyberArk accounts, but in effect all of the organization’s privileged accounts. For example, if all of the organization’s privileged accounts are protected by CyberArk, a user would be required to use multi-factor authentication to log into CyberArk, thereby expanding the multi-factor protection to the privileged accounts.

Number seven

NIST 800-171 3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts.

CyberArk’s ability to automatically change passwords, based on policy, on individual accounts helps to prevent this “pass-the-hash” attack. Each account, on each server, can have its own unique password which is regularly changed. This acts as a “replay-resistant” authentication method by keeping a potential attacker from moving through the organization by hopping to different servers using compromised credentials.

With these seven tips, you can effectively manage your privileged access within your organization while gaining DFARS compliance.  With a vast majority of APT using privileged accounts to traverse your network, it is imperative that you protect your privileged accounts. CyberSheath’s engineers are well versed in fine-tuning the configuration of the Privileged Account Management suite; providing an automated, monitored, and controlled elevated privileged access.  You can learn more about our approach by viewing our Privileged Access Management service area.

Recent updates from the FDA on securing network-connected medical devices show that there is a growing concern for security surrounding the medical industry.  Hospital networks, medical devices, and other critical infrastructure are all at risk.  An article from Threatpost.com last week covered the Kaspersky Lab Security Analyst Summit, in which a researcher from Kaspersky Lab was able to breach a Moscow hospital network.  What did he find?  According to the article, “…a shocking array of open doors on the network and weaknesses in medical devices and applications crucial not only to the privacy of patients but also their physical well-being.”

While this may or may not be surprising, I do find it concerning that security appears to be an afterthought for the medical device industry.  Protecting patient information, ensuring wearable medical technology is secure and shoring up defenses for medical devices should be paramount.  As FierceMobile Healthcare predicted in late-December 2015, the Internet of Things will play an increased role in healthcare in 2016.  Security should be incorporated at the start of the process, rather than strapping it on at the end and hoping that the security features do their job.  By working security into the process,  medical device manufacturers are taking the time to ensure software and applications within these devices are developed using secure standards, as this one proposed by the IEEE.

In the previous example of the Moscow hospital network, backdoors, vulnerable software, and poorly secured configurations – all can be mitigated with regular vulnerability management.  Instituting scans, remediation plans, mitigating vulnerabilities, and patching out of date software are all part of a robust vulnerability management program.  This type of program makes your organization more proactive, rather than reactive.  Planning for routine updates and fixes to your devices will keep your patient and data safe.

It is good business and best practice to secure medical devices, hospital networks, and patient healthcare information. It is also important for medical device manufacturers to understand their vulnerabilities to know where you stand.  If your organization hasn’t conducted a security assessment to review your security program, that would be the place to start.  With a roadmap in hand, your next step is to begin identifying and remediating the risks.  Where are your gaps?  Do you have a vulnerability management program?  Do you know what medical devices connect to your network regularly?  All of these questions will help you develop a stronger security program.

How CyberSheath Can Help You Manage Your Risk

Taking the defense-in-depth approach to securing your network is effective at managing risks. In order to manage these risks, a picture of your network must first be obtained.  Whatever your security needs are, CyberSheath can assist you along the way.  From conducting an information security assessment to building a security program, let us help you secure your data.

I recently uncovered an interesting statistic from CMO.com that says: “…Right now, most IoT smart devices aren’t in your home or phone; they are in factories, businesses, and health care…”  IoT stands for Internet-of-Things and is a way to categorize devices that are networked together over the Internet.  This statistic which comes from an Intel info graphic hit the mark, especially with health care.  Networked medical devices have been around for years now and their usage is increasing.  The threat to them is also increasing.  In fiction, a hacker on Homeland assassinated the fictional vice president of the United States by hacking his pacemaker.  While that was television, the threat is real.  In 2012, a researcher was able to adjust the dosage of insulin by reprogramming an insulin pump and delivered a fatal dose.   Upon reading this and other articles, it came as no surprise that the US food and Drug Administration has decided to do something about it.

The US FDA recently issued draft guidance for medical device manufacturers to address cybersecurity risks associated with such devices.  Although the guidelines are still in draft, threats to medical devices are growing and can potentially put the public’s health at risk.   It is important to note that the draft guidance is not a response to any particular specific threat; however, cybersecurity companies have shown how vulnerable networked medical devices can be.  The FDA also encourages medical device manufacturers to address cybersecurity throughout the product lifecycle, including during the design, development, production, distribution, deployment, and maintenance of the device.

What Does it Mean for Your Organization?

If you are a medical device manufacturer, the FDA is making post-market recommendations to monitor, identify and address cybersecurity vulnerabilities and exploits as part of your post-market management activities of these devices.   Your organization should proactively plan for and assess cybersecurity vulnerabilities.  Additionally, the guidance recommends you share information via the Information Sharing Analysis Organization (ISAO), which is a collaborative group of public and private sector entities that share cybersecurity intelligence.  By sharing information, members of the ISAO can quickly identify risks that may not have been visible in the past.

The draft guidance is also recommending manufacturers align themselves with a risk management program and adopt the 2014 NIST Cybersecurity Framework as the standard to measure security maturity against.  A risk management program will help your organization manage the risks associated with vulnerabilities and exploits identified in the devices.  Manufacturers can be proactive, as the risk management program will ensure there is a vulnerability management program in place to handle and mitigate discovered vulnerabilities.

The draft guidance explains that for a small subset of cybersecurity vulnerabilities and exploits that may compromise a device and present a reasonable probability of serious adverse health consequences or death, the FDA requires manufacturers to notify the agency under 21 CFR 806.10.  What this means is that the manufacturer has 10-working days to notify the FDA in writing of any correction  (e.g. repair, modification, adjustment, relabeling) or removal of a device.  In other circumstances, the vulnerabilities may not present a reasonable probability of death, and the manufacturer is not required to notify the FDA under 21 CFR 806.10.  The draft guidance identifies this as cybersecurity routine updates or patches, and as such, should increase device security and/or remediate vulnerabilities associated with controlled risk.

How Can CyberSheath Help Your Organization?

CyberSheath recommends beginning with an assessment to measure your maturity against the 2014 NIST Cybersecurity Framework.  An assessment will identify gaps in coverage for the security controls.  By starting now, it puts your organization ahead of the curve for when the final FDA guidance drops, leaving your competition to play catch up.

The push to formalize cybersecurity controls via the DFARS started in 2007/2008 with the initial Defense Industrial Base (DIB) framework agreements being negotiated and signed on a company by company basis with the Department of Defense (DoD). This work matured to what became DFARS 252.204-7012 issued in 2013.

In July 2015, CyberSheath published the post “DFARS Cyber Security Requirements Growing Clearer.”  Since that posting there has been additional guidance and interim rules established by the DoD.  The interim rule, released in August 2015 amended 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls, and DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting which provided additional guidance and established NIST 800-171 as the standard by which defense contractors must adhere to the security requirements identified therein.

Recent DFARS Update

As recent as December 30, 2015, the DoD issued a second interim rule that extends the timeframe for implementation.  While the expectation was that contractors implement the cybersecurity controls as soon as possible, the public concern on the interim rules was that there was no reasonable amount of time to meet the requirements.   In response, the second interim rule gives defense contractors until December 31, 2017, to implement security control requirements specified in NIST 800-171.

What this Means for Your Organization

While this is a much more agreeable timeframe, it should not be viewed as a grace period.  Some of the controls outlined in 800-171 require substantial time, effort and budget cycles to implement.  The December 2017 deadline provides defense contractors with more breathing room but contractors are advised not to procrastinate, as this is an opportunity to implement the controls in a timely fashion, with compliance becoming an outcome of security rather than a separate checklist activity.

In reality, the “grace period” clock started ticking in 2008 and since then the requirements have steadily become more clear and enforceable. The time to act to achieve compliance by 2017 is now!

Don’t Know Where to Begin?

CyberSheath will work with your organization, large or small, to meet the regulatory requirements and be compliant by the December 2017 deadline.  CyberSheath offers security assessments to help your organization begin with a clear understanding of where you stand in regards to industry standards and regulations.

“There is nothing noble in being superior to your fellow man; true nobility is being superior to your former self.” – Ernest Hemingway

When planning for a security maturity assessment by an independent third party, many organizations often ask if their results can be compared to other companies in their specific industry.   On the surface, this “benchmarking” seems to be a reasonable request.  CIOs want to spend as much on security as their peers;  CISOs want to be “as secure” as their competitors.  Nobody wants to devote wildly more or less resources to the effort than those in their industry.  However, the request to see your company’s security maturity “score” stacked side-by-side with other companies is not attainable for two reasons.

First, the results of an organization’s security maturity assessment is very rarely shared or made public.  The report and its associated gaps are often treated as highly sensitive, with some deficiencies even qualifying as vulnerabilities that are very tightly controlled.  No company, no matter how glowing the results, would readily share the results of a security maturity assessment with competitors without significant legal review. There may be some research reports available that poll CISOs anonymously that might include spending statistics, but the level of detail on control compliance is never meaningful enough to compare security posture.

The second and more important reason to not want to compare your security maturity against competitors is that it is not a meaningful or actionable metric.  Your level of compliance as compared to another company is irrelevant to you, your customers, and your vendors.  It’s the same logic used by a child trying to convince his parents to allow him to do something “because everybody else is doing it”.  Security assessments measure compliance and maturity against a structured control framework such as NIST 800-53, ISO 27001, or the 20 Center for Internet Security (CIS) Controls for Effective Cyber Defense.  Security assessments should strive for excellence, measuring against an industry-accepted set of best practices. Information Security maturity is a journey, measured through continuous assessment, remediation, and improvement. Measurement of that journey is only applicable to you and your organization.

There is value in information sharing consortiums and through CISO networking to get a feel for how other companies in your industry are addressing cybersecurity.  And it is ok to want to be better than our peers.  But the security assessment of your efforts should be your own, measured against a recognized standard of excellence by an independent cybersecurity firm with real-life experience.

In November of 2013, the Department of Defense released DFARS clause 252.204-7012, which required defense contractors and subcontractors to provide adequate security to safeguard DoD unclassified controlled technical information resident on or transiting through their unclassified information systems from unauthorized access and disclosure.

Since the publication of the regulations, some defense contractors have struggled to define how to comply.  Is there an assessing or auditing entity in the government?  Is there a “passing” score?  Can I be certified as compliant?   All of these questions remained somewhat unanswered and it was up to the organization to do their best to show some kind of evidence to their prime contractors and customers that they were satisfying the DFARS regulations.

CyberSheath was one of the first independent security consultants to offer an assessment that measures and documents a company’s DFARS compliance, providing pragmatic recommendations and a clear roadmap to obtain compliance.  And we know that basing an organization’s compliance program on only the 51 DFARS controls is not enough.  We have always considered the full list of NIST 800-53 Low and Moderate controls to be the standard by which organizations should measure their maturity, and we specifically call out the DFARS 51 controls during a larger NIST assessment effort, demonstrating adherence to the regulation while also gaining a true picture of the security posture of the company.

On June 18, 2015, NIST also released the final version of SP 800-171, which provides guidance for protecting the confidentiality of Controlled Unclassified Information (CUI) residing in nonfederal information systems.  This is exactly the kind of additional, focused guidance defense contractors have been looking for since the concept of CUI was defined.  The 800-171 controls are still a subset of the full list of 800-53 controls, but this additional guidance is really going to help prioritize security efforts, spending, and resources for defense contractor’s compliance programs.

The government anticipates establishing a single Federal Acquisition Regulation (FAR) clause in 2016 to apply the requirements of NIST Special Publication 800-171 to the contractor environment as well as to determine oversight responsibilities and requirements.  Although it’s not yet mandated, CyberSheath has already integrated the requirements laid out in NIST 800-171 into our security assessment process that included all NIST 800-53 controls and in-depth reporting on the DFARS-specific controls.  Defense contractors undergoing security assessments today are benefiting from the clearest direction and best-defined requirements to date.

Compliance with DFARS is emerging as a business discriminator for defense contractors.  Organizations that can demonstrate the implementation of the required controls can gain a competitive advantage over other companies that do not assess and document their security posture.  Similarly, if companies pay close attention to the new 800-171 controls and integrate them into a security program that includes the full list of 800-53 controls, they can see measurable, actionable results that can be implemented to show compliance, stop attacks, and build a world-class security organization.

* Since this post we have written an update with the latest DFARS requirements as of December 30, 2015.

FAQs:

Cybersheath Blog

3 Reasons Why You Need a Privileged Access Risk Assessment

A privileged account is one used by administrators to log in to servers, networks, firewalls, databases, applications, cloud services and other systems used by your organization. These accounts give enhanced permissions that allow the privileged user to access sensitive data or modify key system functions, among other things. You can…

Incident Response – Learning the Lesson of Lessons Learned

“Those who do not learn from history are condemned to repeat it.” Over the years, variations of this famous quote have been spoken by everyone from philosophers to world leaders. The message — that we must learn from our mistakes or continue to repeat them — is also highly relevant…

What is DFARS 252.204-7012 and NIST SP 800-171?

With the Department of Defense (DoD) promising the release of an update to NIST Special Publication 800-171, it is imperative defense contractors understand what DFARS 252.204-7012 and NIST SP 800-171 Clause is and how noncompliance with the Clause will impact their business.  Compliance is mandatory for contractors doing business with…

Our Trusted Partners

Cyberark McAfee Thycotic RSA Tenable Alien Vault Alert Logic Microsoft