
As a subcontractor on a Department of Defense contract, you have likely had flow-down requirements from your primes related to DFARS clause 252.204-7012, commonly referred to as NIST 800-171. Many subcontractors, as they scramble to secure their infrastructure to be in compliance before the December 2017 DFARS deadline, are also asking, “When should DFARS clause 252.204-7012 flow down to our subcontractors?”

To help you answer that question, here are some basics related to DFARS clause 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting (effective October 21, 2016) and NIST 800-171.

The Basics of DFARS Clause 252.204-7012

This clause is required in all contracts except for those contracts solely for the acquisition of COTS items. It requires contractors and subcontractors to:

  1. Safeguard covered defense information (CDI) that is resident on or transiting through a contractor’s internal information system or network.
  2. Report cyber incidents that affect covered defense information or that impact the contractor’s ability to perform requirements designated as operationally critical support.
  3. Submit malicious software discovered and isolated in connection with a reported cyber incident to the DoD Cyber Crime Center.
  4. If requested, submit media and additional information for damage assessment.

What is Covered Defense Information (CDI)?

This term is used to identify information that requires protection under DFARS Clause 252.204-7012. Covered defense information is unclassified controlled technical information (CTI) or other information as described in the controlled unclassified information (CUI) Registry that requires safeguarding or dissemination controls*, and is either:

  • Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD, in support of the performance of the contract, or
  • Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor, in support of the performance of the contract.

* Pursuant to and consistent with law, regulations, and Government-wide policies

Does DFARS clause 252.204-7012 flow down to subcontractors?

The clause impacts subcontractors when performance will involve operationally critical support or CDI. You should determine, in consultation with your contracting officer if necessary, whether the information required for subcontractor performance is, or retains its identity as, CDI and requires safeguarding or dissemination controls. Flowdown is to be enforced by the prime contractor. If a subcontractor does not agree to comply with the clause, CDI should not be on that subcontractor’s information system.

What does DFARS Clause 252.204-7012 require?

Simply stated, this DFARS clause mandates adequate security. The contractor shall provide sufficient security on all covered contractor information systems. To provide satisfactory security for covered contractor information systems that are not part of an IT service or system operated on behalf of the Government, at a minimum, the contractor must implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017.

What is NIST SP 800-171?

This standard:

  • Enables contractors to comply using systems and practices likely already in place.
  • Significantly reduces unnecessary specificity, as requirements are performance-based and more easily applied to existing systems.
  • Provides a standardized, uniform set of requirements for all CUI security needs.
  • Allows non-federal organizations to consistently implement safeguards for the protection of CUI (i.e., one CUI solution for all customers).
  • Allows contractors to implement alternative, but equally effective, security measures to satisfy CUI security requirements.

If you are struggling with interpreting these requirements or need help implementing the security controls, CyberSheath can help you determine a path forward for achieving compliance by conducting a gap assessment of your compliance with NIST 800-171, writing the required System Security Plan (SSP) and leading your remediation efforts. Contact Us today to get started!

Security products, or tools, are an important part of the three-legged stool of people, processes, and technology. My experience has been that the technology portion of the equation gets most of the attention and a large share of the budget. There are many reasons for this, not the least of which is product vendors spending significant money marketing their tools as solutions to the CISO’s problems.

Despite all of the money that swirls around tool procurement, success is elusive. Discarded Data Loss Prevention (DLP) investments, over-budget identity and access management projects, and underutilized Security Information and Event Management (SIEM) platforms are common outcomes when the focus is exclusively on the technology without consideration of people and processes.

3 Keys to Enable Your Technology Investments and Succeed for the Long Term

1: Execute a Staffing Plan to Utilize the Product

The operation and maintenance of a newly procured security tool are almost never included in the planning or purchasing process. Typically the same number of engineers continue to be stretched across more tools until only the most critical tools can be sustained. Other tools may sit neglected operationally despite the annual maintenance bill from the vendor. To avoid this pitfall, be realistic about the minimum staffing requirements needed to reap the original benefits that drew you to the tool. Have a conversation with the engineers who will support it to establish service level agreements and metrics that everyone can live with. Be skeptical of thinking you can send someone from your team to the vendor’s 3-5 day training class and assume that will suffice. It won’t. These classes tend to cover a high-level overview of the tool’s capabilities, often burning precious hours on modules you have yet to purchase.

Be honest about how thin you can stretch your team and make the business case for additional staff if that’s what is required for success.

2: Formally Integrate the Product Into Existing Operational Processes

To support the team operating the tool, procedures should be formal, documented, and repeatable. Ideally, if some process already exists, for example, incident response, fold the new product purchase into the existing operating procedures if appropriate. If you have already spent the time and investment in creating a mature cybersecurity program, then take full advantage of your good work and integrate the new product into your program. If you have a Governance, Risk, and Compliance (GRC) solution be sure to add a data feed for the new product or find some other way to leverage existing investments to make the new product a part of the current environment at a minimum.

3: Continuously Measure the Effectiveness of Your Investment

Deploying a recently purchased technology should not be your end game. Deployment does not equal victory; it’s often just where the hard work begins. Cybersecurity is fast-paced and dynamic, so by the time you finish negotiating a price with your vendors there will likely be a new number one priority. Even with that reality, and in fact because of it, having metrics to measure the effectiveness of your new product is critical. Force the selling vendor to come up with a way for you to continuously measure the tool they are selling over time; if they want the sale, they will do the work. These metrics will keep you from being in the position of paying annual maintenance for tools that have long outlived their utility.

Buying security tools is easy; optimizing them for long-term success is not. These three keys will enable you to better measure and manage your technology investments for the long term.


Do a search for video games and information security and you will find countless comparisons to how these two seemingly disparate fields go hand-in-hand.  I really like this article from last summer, as it examined not just video games, but organized sports and their influence on information security experts.  In today’s world, video gaming is a billion-dollar industry, there are professional video gamers, amateur video gamers who record their reviews, critiques, and tips and put them on YouTube, and then there are the professionals (like me) who unwind from their day by playing a few rounds of Turning Point in Star Wars Battlefront.

While video games may heavily influence the world we live in, there are two specific video games that I think will help make your security program stronger.  I will now explore how these can relate to your organization.

First: The Games

There are two specific games that I am going to be referencing.  If these aren’t your cup of tea, no problem; they follow the same basic elements of many of the first-person shooter multiplayer games.  Substitute your favorite.

EA/DICE’s Star Wars Battlefront

This game, released last November and a major hit with 13 million units sold worldwide by the end of the 2015 quarter, allows players to play as rebel soldiers or stormtroopers who square off against each other in a massive Star Wars environment.

EA/DICE’s Battlefield 4

This game, released in 2013, is one of the more popular military simulation first-person shooter games.  Players assume the role of a soldier and face opponents kitted out with similar equipment.  The in-game environment is set in a fictional conflict between China, Russia, and the US in the near future.

Second: How this Relates to Your Security Program

Both of these games, while simple in concept, require quite a bit of strategy and maneuvering of your in-game character to get a better position, a better vantage point, that puts you in control of the board.   To do that, you need a roadmap and some general tips.  Here are three tips and how they relate to your security program:

Playing the Objective/Security is Everyone’s Responsibility

In multiplayer games, especially Battlefront and Battlefield 4, there is a term that is commonly used: PTFO.  PTFO, if you haven’t guessed it, is Play the [EXPLETIVE] Objective.  What this means is work with your team to take over control points to gain a stronger position within the board.

As security professionals, we understand, live, and breathe security.  Our teammates in IT, HR, and accounting might not have that same deep understanding.  Our desire is for everyone to play the objective, ensuring customer data, corporate data, assets and the network are secure.  This is how security programs should be built, with a common objective in mind that all players can strive to capture.

Playing the objective requires teamwork.  It is nearly impossible to be successful in Battlefront and Battlefield without the support of your team.  Security for your organization is not possible without cooperation and teamwork.  Security is everyone’s responsibility.  As such, it is important to have a robust awareness and training program to drive home the concept of security.  With security awareness, your teammates in HR, IT and accounting will receive the same basic security knowledge, understand what the threats are to your organization, and know what to do when an attempted intrusion occurs.

Know Your Strengths and Weaknesses

In Battlefield 4, you are given the option to play as an assault class, engineer class, support class or recon class.  Each class has its own strengths and weaknesses, but choosing your character should be done for the good of the team.  The assault class has the ability to provide revives and medical kits, while the engineer is great at repairing and destroying vehicles.  Support players have the ability to supply teammates with ammunition, and recon provides the ability to play overwatch and spot enemy targets.

In security, it is essential to know your strengths and weaknesses.  Every decision and choice around security has to keep two things in mind: how does it improve security, and how does it impact the business?  In Battlefield 4, your character class choice should both benefit the team and draw upon its strengths.  Are you playing a map with lots of vehicles?  Then the engineer is your best choice.  Lots of assault class characters on your team?  Then support class is the way to go so they don’t run out of ammo.  In security, your ability to build a functional security program relies on knowing which tools are weak, who among your personnel are strong in security, and how the general corporate populace feels about security initiatives.  To help identify the strengths and weaknesses, it is best to utilize an information security assessment.  This will identify where you stand against a security framework, give you something to work towards, and let you shore up those weaknesses and begin playing the objective.

Avoid Camping and Tunnel Vision/Avoid Security Complacency

Battlefront and Battlefield 4 are extremely active games.  Everyone is moving about.  Stand in one place for too long and an enemy sniper will take you out.  Stare down your scope and get tunnel vision, and you are likely to miss the enemy stormtrooper sneaking up on your right.  Camping is a term that is used in these games for players who sit in one spot.  It can detrimentally affect the game, especially if the camper is sitting near a spawn location.  In security, organizations have to avoid camping out and becoming complacent.  Complacency is dangerous.  Organizations that only check the box and rely on tools, or focus all their efforts only on meeting regulatory requirements, are at risk of developing security complacency.  For example, all of your attention is focused on meeting PCI requirements, and you have forgotten about the two hundred other non-PCI systems that are just as vulnerable.

I see this quite frequently in a game mode in Star Wars Battlefront called Walker Assault.  The premise of the game mode is simple: rebels have to activate uplink stations to call in a bombing run against the AT-AT Imperial Walkers, while the stormtroopers have to shut them down.  Typically what happens in-game is that all the focus and attention is directed at one uplink station, leaving the other unguarded and vulnerable.  While it may feel like you are playing the objective, in reality, it is only partially playing the objective.  In real life, security should be applied across the board.  While there might be critical systems that get addressed first, every system should initially be treated equally at a base level.  In Walker Assault, players should really team up and defend or attack the uplink stations equally.

Knowing how and when to apply security across your organization is key to having a strong program.  Planning goes a long way; identifying which systems are critical, which tools should be applied, and how to implement security tools with minimal impact to business function are issues that security professionals tackle every day.  This keeps your security organization moving and active.  No camping and no complacency.  The security team should be following a daily plan to ensure the success of the program.

Whether you are an active gamer or haven’t picked up a controller, the security principles described in this post apply broadly.  Making security relatable and accessible will drive home the importance of it.  As I have said, security is everyone’s responsibility.  Your program has to give your teammates the tools to be successful.  Whatever state your security program is in, CyberSheath can help you capture the objective and secure your assets.

How Can CyberSheath Help Your Organization?

CyberSheath will work with your organization, large or small, to help secure your valuable assets. CyberSheath offers security assessments to help your organization begin with a clear understanding of where you stand in regards to industry standards and regulations.

In the years before business leaders truly understood cyber risk, requested budgets for cybersecurity departments were often approved without thoughtful consideration or review.  There was a day when CISOs could basically say to a CIO, “I can’t tell you how much safer this will make us, and I can’t say we absolutely won’t have a data breach, but I need 3.5 million dollars.”  Most of those inflated numbers were driven by the desire to buy the latest security tools that vendors promised would solve all security problems.  The funds were to be spent, generally, on products and the staff to support them.

CISOs can no longer expect to have large annual budgets approved without tangible, quantified data to back up the necessity.  The days have passed when budgets were built on fear, uncertainty, and doubt (FUD), empire-building, or opportunities to buy the trending tools.  Security funding needs to produce measurable results, or at a minimum, be supported by credible metrics that validate the business needs.

Two Components of a Successful Budget Request 

1: Funds to Close Compliance Gaps

Businesses understand the language of compliance.  Regulatory gaps and deficiencies can prevent companies from entering markets, and have a real impact on the organization’s ability to win and retain contracts.  By tying budget line items to specific compliance gaps, CISOs can implement short- and long-term projects to remediate the deficiencies and show actual value through compliance achievements.  If, in addition to compliance gains, those funds also help grow the maturity of the security organization as a whole, great.  Use compliance requirements to make smart budgeting requests that both close gaps and advance the security mission.

2: Operational Metrics and Staff Utilization

You cannot request additional funds to hire more full-time security employees without data to substantiate the need.  Imagine a CIO replying to your ambiguous request for staff with, “You already have 6 people, why should I give you money to hire 4 more?”  Smart CISOs measure the workload of their employees through metrics and reporting to justify the need for more support.  By tracking the number of incidents an analyst investigates daily, hours spent supporting business initiatives, or vulnerability tickets closed per month, a security organization can prove, empirically, that it is understaffed for the processes it needs to support.  By measuring full-time employees against the tools and tasks they are assigned daily, the conversation changes to, “We have requirements and tasks for a staff of 10, and I only have 6.”

The data that you are collecting this year will support your budget request in the upcoming fiscal year. Security budget requests demand a level of rigor and proof commensurate with other parts of the business.  Security assessments and security program development help you obtain and understand your compliance gaps as well as your staffing utilization and operational needs.  Take the time this year to independently assess your organization against industry standards and submit a security budget next year based on facts.

Don’t Know Where To Start?

CyberSheath’s Strategic Security Planning service offering can help you plan, build, and manage a strategic information security organization that enables your business. Our operational strategy and budgeting plans aggressively drive security organizations towards pursuing higher levels of performance.  Our Strategic Security Planning service will enable you to successfully create a security budget that directly matches your business needs and goals.

A trend that I have picked up on in conversations with CIOs, CISOs and other leaders responsible for securing the enterprise is the huge gap between what they need and what many vendors are marketing. Security leaders in the trenches need solutions to optimize and integrate existing tool investments, manage security capabilities in a coordinated way, and a means for engaging in business conversations about the security they deliver. Vendors seem focused on marketing the future and selling more capability into already resource-strapped security teams that can’t even effectively use the tools they already own due to an under-investment in people and process.

Instead of buying more “stuff” to manage, I’d suggest finding a way to measure and manage what you already own. What does that look like?

Focus on the things you have control over, for example, privileged accounts. Instead of academic discussions around data classification (you know that with all the re-organizations and M&A activity you are never going to get there), put your energy into identifying, reducing and then managing your privileged accounts. You own and control your privileged accounts, and they are exploited in 100% of the attacks you are most worried about, so before you buy that next-generation firewall make sure you’ve taken care of the fundamentals.

Another opportunity to seize today in lieu of investing in the unknown future is vulnerability management. Your effectiveness at vulnerability management has a direct impact on nearly every other part of the security organization you manage. No process for patch management:  expect to spend more on incident response. Scanning only a portion of your environment: expect more alerts for your Security Operations Center team to manage. There is a direct correlation between resources consumed in other areas of security and your investment in vulnerability management. It’s another example of managing what you already own before you try to ingest another tool without adding any engineers or process.

I’m not suggesting that CIOs and CISOs shouldn’t be trying to “see around corners” and prepare for the future, but the amount of hype about what’s next is taking away the focus from managing today.

I’ve spent the week here at RSA talking with current and future customers, and a great question I get from customers looking for a trusted security partner is “So what exactly is it you do?” It seems like a simple question, but what it usually implies is some level of “consultant fatigue”: CISOs have had enough assessments, reports and outsiders telling them what their problems are. They want solutions and partners who do real work. Here’s what CyberSheath does to add value, guaranteed.

What We Do

We integrate your compliance activities with security activities and measurably reduce your risk.

How We Do It

Set a security strategy, select standards, implement controls, measure effectiveness.

What Results Look Like

A recent engagement for a customer led us to design and deploy an incident response and management plan. This particular security control happens to be Critical Control 18: Incident Response and Management from the CSIS 20 Critical Security Controls list. Implementing all 20 controls would have been ideal, but we are realists, not idealists. The customer had suffered a significant attack where the APT had been embedded for over two years, and the lack of process to contain and expel attackers directly contributed to massive amounts of data loss.

What We Did

Documented written incident response procedures that included specific roles and responsibilities for both management and technical personnel during each phase of an incident.

Documented and implemented organization-wide service level objectives (SLOs) related to mitigation of an incident.

The Results

The customer has a documented, repeatable and measurable incident response and management plan for cyber-attacks and mitigates attacks on average in less than 2 hours once discovered.

Our focus is on implementing real results that make you more secure, and we guarantee it.

The keynote sessions here at RSA 2013 kicked off yesterday, and Art Coviello, RSA Executive Chairman, focused on the importance of big data and the opportunities that it presents security teams from an intelligence perspective. He’s right: the opportunities are tremendous and customers are anxious to better leverage “big data”, but documented and repeatable process, along with baseline implementation of critical controls, are prerequisites for taking advantage of “big data”.

The actionable intelligence that can be gained from big data is only useful if it causes an organization to take the RIGHT actions in the correct sequence with measurable outcomes. Conceptually leveraging big data makes perfect sense but the implementation will yield more of the same firefighting that bogs down security organizations today if it’s not part of a documented strategy with measurable outcomes enabled by rigorous process and a thorough understanding of the controls you currently have in place.

The actionable intelligence that big data can provide could very well enable an organization to quickly and efficiently mitigate an attack by correlating unstructured data in a context that directs a SOC analyst to take appropriate action. Attack mitigated, the good guys win, right? Maybe not. Are we really still just addressing the symptoms and not the root cause? The attack is the result of a vulnerability that was exploited, and resources are being expended on incident response because resources were not expended on preventative maintenance. Perhaps if the control to prevent the attack in the first place had been documented, implemented and measured, the attack would never have happened.

I realize that implementing critical controls won’t stop every attack but there is such a great opportunity to do some fundamental and meaningful work around implementing critical controls to stop attacks that get overlooked.

It’s just good hygiene. Would you rather brush your teeth, floss and get regular dental examinations, or be really good at getting fillings?
