Do you have government contracts, or are you looking to broaden your portfolio? Aggravated by acronyms like FISMA, DFARS or NIST? A new class of information, Controlled Unclassified Information (CUI), was defined in 2015 to add to the list of acronyms, and as of January 1, 2018 its protection will be an integral piece of government contracts. In this session we'll cover the three steps to be compliant and an overview of the technologies required.
Three Steps to Compliance in the Cloud for the non-security professional
Office 365 & Azure through the lens of NIST 800-171 (On-Premises Too)
Copyright 2018 Exostar LLC | All Rights Reserved 4
Agenda
A little bit of Federal IT Security History
FISMA
The Federal Information Security Management Act (FISMA) is a United States federal law passed in 2002 that made it a requirement for federal agencies to develop, document, and implement an information security and protection program.
FISMA
NIST 800-53
This publication provides a catalog of security and privacy controls for federal information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile attacks, natural disasters, structural failures, human errors, and privacy risks. The controls are flexible and customizable and implemented as part of an organization-wide process to manage risk. … Addressing both functionality and assurance ensures that information technology products and the information systems that rely on those products are sufficiently trustworthy.
Time Out – What’s a Security Control?
Security controls are technical or administrative safeguards or countermeasures to avoid, counteract or minimize loss or unavailability due to threats acting on their matching vulnerability, i.e., security risk. Controls are referenced all the time in security, but they are rarely defined.
Stephen Northcutt, SANS Institute
https://www.sans.edu/cyber-research/security-laboratory/article/security-controls
NIST 800-53 Over Time (https://en.wikipedia.org/wiki/NIST_Special_Publication_800-53)
Third Revision
- A simplified, six-step risk management framework;
- Additional security controls and enhancements for advanced cyber threats;
- Organization-level security controls for managing information security programs.
Fourth Revision
- Insider threats;
- Software application security (including web applications);
- Social networking, mobile devices, and cloud computing.
Fifth Revision
- Making the security and privacy controls more outcome-based by changing the structure of the controls;
- Eliminating the term information system and replacing it with the term system so the controls can be applied to any type of system including, for example, general-purpose systems, cyber-physical systems, industrial/process control systems, and IoT devices;
- De-emphasizing the federal focus of the publication to encourage greater use by nonfederal organizations;
- Clarifying the relationship between security and privacy.
FISMA
NIST 800-53 - High, Medium, Low
FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
FISMA
NIST 800-53 - High, Medium, Low
FedRAMP – High, Medium, Low
NIST 800-171
The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its assigned missions and business operations.
For Defense . . .
Defense Federal Acquisition Regulations Supplement (DFARS) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires contractors to implement NIST 800-171 to safeguard covered defense information that is processed or stored on their internal system or network.
Contractors self-attest to meeting these requirements.
To be NIST 800-171 compliant
100% Complete with Security Assessment
• Gap Analysis using NIST 800-171 controls (3.12.1)
• Plan of Action & Milestones (POA&M) (3.12.2)
• System Security Plan (SSP) (3.12.3)
Conduct Subcontractor Flow Down
Comply with Incident Reporting Requirement
Cloud
Track Everything
Know Your Users
Protect Your Content
Example Cloud Boundaries for NIST 800-171
On Premises – Documents on Endpoints
Control Families
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical Protection
- Personnel Security
- System and Communications Protection
- System and Information Integrity
Cloud – Documents Stored in Cloud
Control Families
- Access Control
- Awareness and Training
- Audit and Accountability
- Incident Response
- Media Protection
- Personnel Security
- Risk Assessment
- Security Assessment
- System and Information Integrity
System and Communications Protection
Before you can build a house you must have roads, sewers, and electricity in place. The System and Communications Protection control family focuses on all the external infrastructure connections that will support the functions of your information system. Bringing this infrastructure to “code” for NIST 800-171 means that content is encrypted in transit and at rest using FIPS validated encryption (see the validated algorithms at http://csrc.nist.gov/groups/STM/cavp/validation.html).
Most likely you are already using one of these cryptographic methods to secure inter-system communication. This requirement is so important that it recurs across several of the control families. Once the infrastructure is in place, this family turns to controlling inter-system communication by requiring a set time period for “terminating sessions.” By requiring systems to re-authenticate after that period, you reduce the risk of data leakage from a session that was left open.
Access Control
When you design a house, you must decide where the doors and windows will be. If security is a top requirement, you must consider how to control access, and who gets the keys. When protecting Covered Defense Information (CDI) or Covered Technical Information (CTI), the door must be controlled for both internal and external processes. The Access Control family focuses on separating the access of standard users vs. administrators within your network, and ensuring that these accounts have “least privilege.” This has been a standard practice for many years, so it should only require that you document your processes.
Additionally, this control family requires appropriate privacy notices to users entering the system, and limits both the number of logon attempts and the time a user can stay connected within a session. Finally, you must encrypt your communications with the outside world, whether via the internet, Wi-Fi, or a wireless device.
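The logon-attempt limit and the session time limits described above are simple to state but easy to get subtly wrong. The following is an added example, not code from this presentation, from Exostar, or from NIST: a small policy module that locks an account after too many failed logons, caps the total session lifetime, and terminates an idle session so the user must re-authenticate. The numeric limits, the in-memory account store, the password field and the caller-supplied clock are all assumptions made for demonstration.

```python
"""Added example (not code from the presentation, Exostar, or NIST): a logon and
session policy enforcing a bounded number of failed logon attempts, a maximum
session lifetime, and an idle timeout after which the user must re-authenticate.
The limits, the in-memory account store and the injected clock are assumptions."""
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAX_FAILED_ATTEMPTS = 5         # assumed policy: lock the account after 5 failures
LOCKOUT_SECONDS = 15 * 60       # assumed: 15-minute lockout
SESSION_MAX_SECONDS = 8 * 3600  # assumed: hard cap on a session, active or not
IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed: terminate after 15 idle minutes


@dataclass
class Account:
    username: str
    password: str            # constructed sample; a real store holds a salted hash
    failed_attempts: int = 0
    locked_until: float = 0.0


@dataclass
class Session:
    username: str
    created_at: float
    last_activity: float
    ended_reason: Optional[str] = None


class SessionPolicy:
    """All times are seconds passed in by the caller, so the logic is deterministic."""

    def __init__(self, accounts):
        self.accounts: Dict[str, Account] = {a.username: a for a in accounts}
        self.sessions: Dict[int, Session] = {}
        self._next_id = 1

    def logon(self, username: str, password: str, now: float) -> Tuple[Optional[int], str]:
        acct = self.accounts.get(username)
        if acct is None:
            # Same answer as a wrong password, so usernames cannot be enumerated.
            return None, "bad credentials"
        if now < acct.locked_until:
            return None, "account locked"
        if not hmac.compare_digest(password, acct.password):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failed_attempts = 0
                return None, "account locked"
            return None, "bad credentials"
        acct.failed_attempts = 0
        sid = self._next_id
        self._next_id += 1
        self.sessions[sid] = Session(username, now, now)
        return sid, "ok"

    def touch(self, sid: int, now: float) -> bool:
        """Call on every request. Returns True while the session is valid; otherwise
        terminates it, records why, and returns False so the caller re-authenticates."""
        s = self.sessions.get(sid)
        if s is None or s.ended_reason is not None:
            return False
        if now - s.created_at > SESSION_MAX_SECONDS:
            s.ended_reason = "max lifetime exceeded"
        elif now - s.last_activity > IDLE_TIMEOUT_SECONDS:
            s.ended_reason = "idle timeout"
        if s.ended_reason is not None:
            return False
        s.last_activity = now
        return True
```

The lifetime check runs before the idle check so that an actively used session still ends at the hard cap; the `ended_reason` field is what you would write to the audit trail when the session is terminated.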
Physical Protection
Once your home is built, you’ll need to protect it. A complete security system logs when doors open and close, alerts you when motion sensors are triggered, and has security cameras for additional monitoring. Similarly, the Physical Protection control family tracks visitors, restricts physical access to sensitive areas, and monitors all common space. Yes, physical servers still exist, so it’s recommended that you have a method to track access to their data center, racks, and the servers themselves. Digital keycards, video cameras, and controlled access to each section of the facility are highly recommended.
Media Protection
Even with your doors locked and security system running, you should still keep valuables and important documents in a safe. Similarly, NIST 800-171 recognizes that not all content in your system is created equal. The Media Protection control family requires that CDI be marked at the document level and whenever it is stored on any external media. Media includes both physical servers that need to be protected and printed materials, and the controls cover how they’re stored and destroyed when no longer needed.
Encryption of CDI content is reinforced for digital transport media, from CD/DVD to thumb drive, and within backup systems. Another key concern is the ability to use removable devices to download and store CDI data. While turning off all USB ports on laptops might solve that issue, users should also be trained not to transport CDI on external devices.
Configuration Management
Now that your house is built and secure, let’s talk about decorating. How do you decide where to put your furniture and decorations? The Configuration Management control family works at the detailed software level and covers the processes and procedures you follow to make sure logical security is in place. It again reaffirms the access restrictions from the Access Control family.
Do you restrict what software is installed on servers and/or on staff laptops? Record it here, and describe the process you follow to make sure any newly added software does not affect the security and stability of your information system.
System & Information Integrity
When you have a new home, you want to fill it with safe, high-quality materials. This is similar to the System and Information Integrity control family, which focuses squarely on your information system, and even more specifically on the code within it. You should monitor, identify, and take action if you find flaws in the system, or malicious code from outside parties.
What process do you have in place for responding to these errors? If you have one, formalize it and you are one step closer to fulfilling the NIST 800-171 System Security Plan (SSP).
Maintenance
Your house, or information system, is no good without constant upkeep. Follow best practices to make sure the hardware and software supporting your information system is in good shape. Make sure you know who is working on your system and what tools (physical or digital) they’re using when performing maintenance. Make sure your processes are in place for internal and external personnel to keep the system at its best.
Access Control
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
Use non-privileged accounts or roles when accessing non-security functions.
Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
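The requirements just listed (least privilege, separation of duties, non-privileged accounts by default, and auditing every privileged function) are usually satisfied by an identity product, but the logic is worth seeing in one place. The following is an added example, not code from this presentation, from Exostar, or from NIST, and not the API of Office 365 or Azure: a minimal authorizer that denies functions not granted to a role, refuses privileged functions unless the user has explicitly elevated, rejects role assignments that violate a separation-of-duties rule, and records every privileged attempt. The role and function names and the conflicting-role pair are assumptions.

```python
"""Added example (not code from the presentation, Exostar, NIST, or any Microsoft
product): least privilege, separation of duties and privileged-function auditing
in one small authorizer. All role, function and user names are assumptions."""
from dataclasses import dataclass, field
from typing import List, Set

# Functions treated as privileged (assumed list for the example).
PRIVILEGED_FUNCTIONS = {"create_user", "modify_audit_policy", "export_cui"}

# Role -> functions that role may execute (assumed mapping).
ROLE_FUNCTIONS = {
    "analyst": {"read_document"},
    "approver": {"approve_export"},
    "exporter": {"export_cui"},
    "admin": {"create_user", "modify_audit_policy", "read_document"},
}

# Separation of duties: no single user may hold both roles in a pair (assumed rule).
CONFLICTING_ROLES = {frozenset({"approver", "exporter"})}


@dataclass
class AuditEvent:
    user: str
    function: str
    allowed: bool
    reason: str


@dataclass
class User:
    name: str
    roles: Set[str] = field(default_factory=set)
    elevated: bool = False  # True only after an explicit switch to a privileged role


class Authorizer:
    def __init__(self) -> None:
        self.audit: List[AuditEvent] = []

    def assign_roles(self, user: User, roles: Set[str]) -> None:
        """Add roles, refusing any combination that breaks separation of duties."""
        combined = user.roles | roles
        for pair in CONFLICTING_ROLES:
            if pair <= combined:
                raise ValueError(
                    f"separation of duties: {sorted(pair)} cannot be held by one user")
        user.roles = combined

    def authorize(self, user: User, function: str) -> bool:
        granted = [ROLE_FUNCTIONS.get(r, set()) for r in user.roles]
        permitted = set().union(*granted)
        privileged = function in PRIVILEGED_FUNCTIONS
        if function not in permitted:
            allowed, reason = False, "function not granted to any held role"
        elif privileged and not user.elevated:
            allowed, reason = False, "privileged function requires an elevated session"
        else:
            allowed, reason = True, "granted"
        # Every privileged attempt, allowed or denied, is audited; so is every denial.
        if privileged or not allowed:
            self.audit.append(AuditEvent(user.name, function, allowed, reason))
        return allowed
```

Denials are always audited because a non-privileged user repeatedly attempting a privileged function is exactly the "inappropriate, suspicious, or unusual activity" the Audit and Accountability family asks you to detect.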
Awareness and Training
Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems.
Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
Provide security awareness training on recognizing and reporting potential indicators of insider threat.
Personnel Security
Ensure that CUI and information systems containing CUI are protected during and after personnel actions such as terminations and transfers. (3.9.2)
Physical Protection
Escort visitors and monitor visitor activity. (3.10.3)
Maintenance
Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
Supervise the maintenance activities of maintenance personnel without required access authorization.
Media Protection
Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital.
Audit and Accountability
Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.
Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.
Review and update audited events.
Alert in the event of an audit process failure.
Use automated mechanisms to integrate and correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity.
Provide audit reduction and report generation to support on-demand analysis and reporting.
Provide an information system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
Protect audit information and audit tools from unauthorized access, modification, and deletion.
Limit management of audit functionality to a subset of privileged users.
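Several of the audit requirements above (records traceable to a user, time stamps from an authoritative clock, protection of audit information from modification or deletion, alerting on audit failure, and audit reduction) can be demonstrated with a single hash-chained log. The following is an added example, not code from this presentation, from Exostar, or from NIST, and not the logging API of any product: each record is bound to the hash of the record before it, so altering or deleting an earlier record is detectable; the clock and the alert sink are injected, and the failing clock used to exercise the alert is a constructed stand-in for an unreachable time source.

```python
"""Added example (not code from the presentation, Exostar, NIST, or any product):
a hash-chained audit log with an injected authoritative clock, an alert on audit
failure, tamper verification, and a simple audit-reduction report. The clock,
alert sink and sample events are assumptions made for demonstration."""
import hashlib
import json
from typing import Callable, Dict, List, Optional

GENESIS = "0" * 64  # hash "before" the first record


class AuditLog:
    def __init__(self, clock: Callable[[], float], alert: Callable[[str], None]) -> None:
        self._clock = clock    # in production, an NTP-disciplined source; injected here
        self._alert = alert    # invoked when the audit process itself fails
        self._records: List[dict] = []
        self._prev_hash = GENESIS

    @staticmethod
    def _digest(body: dict, prev_hash: str) -> str:
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

    def record(self, user: str, action: str, outcome: str, detail: str = "") -> bool:
        """Append one record attributed to `user`. Returns False (and alerts) on failure."""
        try:
            ts = self._clock()
        except Exception as exc:  # no trusted time -> the audit process has failed
            self._alert(f"audit failure: no trusted time source ({exc})")
            return False
        body = {"seq": len(self._records), "time": ts, "user": user,
                "action": action, "outcome": outcome, "detail": detail}
        h = self._digest(body, self._prev_hash)
        self._records.append({**body, "hash": h})
        self._prev_hash = h
        return True

    def verify(self) -> Optional[int]:
        """Return the seq of the first modified, missing or reordered record, else None."""
        prev = GENESIS
        for i, rec in enumerate(self._records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec.get("seq") != i or self._digest(body, prev) != rec.get("hash"):
                return i
            prev = rec["hash"]
        return None

    def report(self, user: Optional[str] = None, failures_only: bool = False) -> Dict[str, int]:
        """Audit reduction: count events per user and action, optionally filtered."""
        counts: Dict[str, int] = {}
        for rec in self._records:
            if user is not None and rec["user"] != user:
                continue
            if failures_only and rec["outcome"] != "failure":
                continue
            key = f'{rec["user"]}:{rec["action"]}'
            counts[key] = counts.get(key, 0) + 1
        return counts


def unavailable_clock() -> float:
    """Constructed stand-in for a time source that cannot be reached."""
    raise RuntimeError("time source unreachable")
```

Note that the chain only detects tampering; it does not prevent it. Storing a copy of the latest hash somewhere the audit administrators cannot write (a separate account or service) is what turns detection into protection, and is also how you keep "management of audit functionality" limited to a small set of privileged users.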
Risk Assessment
Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of CUI. (3.11.1)
Security Assessment
Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. (3.12.4)
System and Information Integrity
Identify, report, and correct information and information system flaws in a timely manner.
Configuration Management
Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
Track, review, approve/disapprove, and audit changes to information systems.
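The two Configuration Management requirements above, together with the earlier question of whether you restrict what software is installed, come down to one mechanism: record a baseline, compare the current state against it, and require every difference to match an approved change. The following is an added example, not code from this presentation, from Exostar, or from NIST: it builds a baseline from file hashes and an installed-package list, diffs a later snapshot against it, and lists every change not covered by an approved change record. The file paths, file contents and package names are constructed sample data.

```python
"""Added example (not code from the presentation, Exostar, or NIST): baseline
inventory, drift detection and change-approval checking. The paths, contents
and package names below are constructed sample data, not real systems."""
import hashlib
from typing import Dict, List, Set

# Constructed baseline: files with their contents and the approved package set.
BASELINE_FILES: Dict[str, bytes] = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "/opt/app/app.py": b"print('v1')\n",
}
BASELINE_PACKAGES: Set[str] = {"openssh-server", "python3"}

# Constructed later snapshot: one config edit, one app update, one new package.
CURRENT_FILES: Dict[str, bytes] = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",
    "/opt/app/app.py": b"print('v2')\n",
}
CURRENT_PACKAGES: Set[str] = {"openssh-server", "python3", "sample-package"}

# Constructed approved change record: only the app update went through review.
APPROVED_CHANGES: Set[str] = {"/opt/app/app.py"}


def hash_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes], packages: Set[str]) -> dict:
    """Inventory: a content hash per file plus the set of installed packages."""
    return {"files": {path: hash_bytes(content) for path, content in files.items()},
            "packages": set(packages)}


def diff_against_baseline(baseline: dict, files: Dict[str, bytes],
                          packages: Set[str]) -> Dict[str, List[str]]:
    """Classify every difference between the baseline and the current state."""
    current = build_baseline(files, packages)
    base_files, cur_files = baseline["files"], current["files"]
    return {
        "modified": sorted(p for p in base_files
                           if p in cur_files and cur_files[p] != base_files[p]),
        "added_files": sorted(set(cur_files) - set(base_files)),
        "removed_files": sorted(set(base_files) - set(cur_files)),
        "added_packages": sorted(current["packages"] - baseline["packages"]),
        "removed_packages": sorted(baseline["packages"] - current["packages"]),
    }


def unapproved_changes(diff: Dict[str, List[str]], approved: Set[str]) -> List[str]:
    """Every observed change must be named in an approved change record."""
    findings = []
    for kind, names in diff.items():
        for name in names:
            if name not in approved:
                findings.append(f"{kind}:{name}")
    return findings


def run_check() -> List[str]:
    baseline = build_baseline(BASELINE_FILES, BASELINE_PACKAGES)
    diff = diff_against_baseline(baseline, CURRENT_FILES, CURRENT_PACKAGES)
    return unapproved_changes(diff, APPROVED_CHANGES)


if __name__ == "__main__":
    for finding in run_check():
        print("UNAPPROVED CHANGE", finding)
```

In practice the current snapshot comes from an agent or a configuration-management tool, the baseline and the approved-change set live in version control, and each finding becomes a ticket; the sshd change in the sample is exactly the kind of drift this check exists to surface.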