
Cybersecurity: Secure Today to Flourish Tomorrow



  1. Cybersecurity: Secure Today to Flourish Tomorrow. New Cybersecurity Requirements for Government Contractors and What They Mean For Your Organization. Ryan C. Bradel, Associate, Greenberg Traurig

  2. The Need for Cybersecurity

  3. The Need for Cybersecurity

  4. Cyber Attacks

  5. “This is a very major security compromise that has possibly put at risk numerous sensitive government sites and private industry as well.” - Former U.S. National Security Advisor Richard Clarke

  6. In 2011, a major online attack was launched against the networks of Lockheed Martin, the country's largest defense contractor. Hackers reportedly exploited Lockheed's VPN remote-access system, which allowed employees to log in remotely using RSA SecurID hardware tokens. The attackers apparently possessed the seeds (the factory-programmed secret keys) for at least some of Lockheed's SecurID fobs, along with the token serial numbers and the algorithm the devices use. Because a SecurID code is computed from the seed and the current time, an attacker holding the seed and the serial-to-user mapping can generate the same one-time codes, which reduces the "two-factor" login to whatever PIN or password remains.

  7. Anonymous Hacks ManTech, an FBI Cybersecurity Contractor. In a separate 2011 intrusion, Anonymous acquired and released to the public a list of approximately 90,000 military email addresses and Base64-encoded password hashes after breaking into systems at Booz Allen Hamilton, the large government contractor that works closely with many defense, intelligence, and civil agencies on cybersecurity.

  8. Heady times in Cybersecurity… • The last couple of years have seen a flurry of activity, primarily from the Obama Administration, but also from Congress, working to stay ahead of the cybersecurity curve. • Today we will be focusing on two “items” that are likely to have the most impact for government contractors: • The NIST Draft of the Preliminary Cybersecurity Framework. • The Proposed FAR Rule “Basic Safeguarding of Contractor Information Systems.” • Both of these “items” are in draft/proposed form so the situation is very fluid.

  9. The $64,000 Question(s): • Will the Government establish mandatory, uniform cybersecurity standards for government contractors across agencies and industries? • If so, what are they likely to look like? How will it be accomplished?

  10. Roadmap • Brief history of the cybersecurity regime • FISMA • NIST Special Publications 800-37 / 800-53 • Recently enacted rules affecting government contractors: • DOD Instruction 8582.01 • GSAR Case 2011-G503 • Executive Order 13636 / Presidential Policy Directive 21 • The latest NIST guidelines • Draft NIST Cybersecurity Framework (direct response to EO 13636) • The future: implications for government contractors • Proposed Changes to the FAR • General Services Administration RFI – more changes to the FAR?

  11. Roadmap • The focus of today’s conversation will be on cybersecurity requirements for government contractors. • Many of the laws and guidelines that we discuss today are also or primarily applicable to government agencies or commercial companies. But we are going to focus in on the elements that are applicable to government contractors.

  12. Roadmap • Approaching the issue from a legal perspective: focusing on the institutions and entities that have been involved and the work they have done as well as complying with the legal requirements.

  13. Relevant Laws/Guidelines • In place: • FISMA • NIST Special Publications 800-37, 800-53 • GSA Cybersecurity Regulation GSAR 552.239-71 • DoD Instruction 8582.01 • Executive Order 13636 • Presidential Policy Directive 21 • Pending: • NIST Draft Cybersecurity Framework • Proposed FAR Rule—77 Fed. Reg. 51496 • Proposed: • GSA RFI 78 Fed. Reg. 27966 • CISPA

  14. The cybersecurity regime for contractors has been…

  15. The state of the cybersecurity regime for contractors… • If the past has been haphazard, ad hoc and piecemeal, the present has been characterized by a move, somewhat, towards uniformity and clearer standards. • For example, Executive Order 13636 directed the agencies to examine how to “harmonize and make consistent existing procurement requirements related to cybersecurity.”

  16. Federal Information Security Management Act of 2002 (FISMA) Stated purposes • Provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets. • Provide for the development and maintenance of minimum controls required to protect Federal information and information systems. • Recognize that selection of specific technical hardware and software information security solutions should be left to individual agencies from among commercially developed products.

  17. Federal Information Security Management Act of 2002 (FISMA) Basic Requirements • FISMA requires each agency’s program officials, chief information officers and inspectors general to conduct annual reviews of the agency’s information security program and report the results to the Office of Management and Budget.

  18. Federal Information Security Management Act of 2002 (FISMA) Basic Requirements • FISMA requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information systems that support the operations and assets of the agency, including those provided or managed by contractors.

  19. Federal Information Security Management Act of 2002 (FISMA) FISMA for Government Contractors • FISMA really only has direct application to the agencies themselves; it puts the onus on the agency to ensure compliance. • Agencies can and will conduct FISMA audits of government contractors. • However, once again, the standards under which a FISMA audit is conducted will often be very agency specific and, for a contractor undergoing a FISMA audit for the first time, it can be difficult to figure out what the standards will be.

  20. Federal Information Security Management Act of 2002 (FISMA) • Roadmap that we recommend contractors should follow to comply with FISMA: • Categorize the information to be protected. • Select minimum baseline controls. • Refine controls using a risk assessment procedure. • Document the controls in the system security plan. • Implement security controls in appropriate information systems. • Assess the effectiveness of the security controls once they have been implemented. • Determine agency-level risk to the mission or business case. • Authorize the information system for processing. • Monitor the security controls on a continuous basis.

  21. The Role of the National Institute of Standards and Technology (NIST) • Founded in 1901 and now part of the U.S. Department of Commerce, NIST is one of the nation’s oldest physical science laboratories. Congress established the agency to improve the U.S.’s industrial competitiveness globally. • FISMA tasked NIST with developing the basic standards for cybersecurity. • The result, as is most relevant here, is NIST Special Publication 800-53, the Federal Government’s foundational catalog of security controls. It has evolved since its inception; the most recent iteration, Revision 4, was published in April 2013. • The standards are designed to have broad applicability and be useful for agencies, government contractors and commercial businesses.

  22. NIST Special Publication 800-37 • The Guide for Applying the Risk Management Framework to Federal Information Systems. • A structured process that integrates information security risk and risk management activities into a system development life-cycle.

  23. NIST Special Publication 800-37

  24. NIST Special Publication 800-37 • Six Risk Management Framework steps: • Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis. • Select an initial set of baseline security controls for the information system based on the security categorization, tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions. • Implement the security controls and describe how the controls are employed within the information system and its environment of operation.

  25. NIST Special Publication 800-37 • Six Risk Management Framework steps (cont’d): • Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. • Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable. • Monitor the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.

  26. NIST Special Publication 800-53 • NIST Special Publication 800-53 is the meat on the bones of the FISMA cybersecurity regime. • It is effectively a “menu” of security controls together with a process for selecting an initial set of baseline controls, tailoring that baseline, and supplementing it based on an organizational assessment of risk. • The controls are organized into 18 families in Revision 4 (earlier revisions listed 17), including access control, incident response, and contingency planning (business continuity and disaster recovery).

  27. NIST Special Publication 800-53 Recent revisions to 800-53 addressed: • Additional security controls and enhancements for advanced cyber threats; • Recommendations for prioritizing security controls during implementation or deployment; • Guidance on using the risk management framework for legacy information systems and for external information system service providers; • Updates to security control baselines based on current threat information and cyber attacks; • Guidance on the management of common controls within organizations; • Strategy for harmonizing FISMA security standards and guidelines with the international security standard ISO/IEC 27001; • Dealing with insider threats; • Software application security (including web applications); • Social networking and mobile devices; • Cloud computing; • Advanced persistent threats; • Supply chain security; and • Privacy/civil liberties concerns.

  28. The FISMA Regime Criticisms of FISMA • Some have criticized FISMA as a well-intentioned but fundamentally flawed tool because it measures “security planning” rather than actually measuring the security of the information. • In other words, it assigns tasks and responsibilities for oversight and recommends processes but doesn’t establish clear benchmarks that organizations must meet. • Some have said that the FISMA enforcement regime doesn’t do a realistic analysis of actual threats and effective responses but merely encourages box checking to please agency auditors.

  29. The FISMA Regime Examples of Agency-Specific Rules Under FISMA • Two very recently enacted regulations are prime examples of how the FISMA regime can be very agency-specific and very different from agency to agency: • Department of Defense Instruction 8582.01 • General Services Administration GSAR 552.239-71

  30. DOD Instruction 8582.01 Designed primarily to apply to contractors: • Establishes policy for managing the security of unclassified DOD information on non-DOD information systems. • Applies to all unclassified DOD information in the possession or control of non-DOD entities on non-DOD information systems. • Appropriate requirements shall be incorporated into all contracts with non-DOD entities.

  31. DOD Instruction 8582.01 Information Safeguards • Do not process unclassified DOD information on publicly available computers (e.g., those available for use by the general public in kiosks or hotel business centers). • Protect unclassified DOD information by at least one physical or electronic barrier (e.g., locked container or room, logical authentication or logon procedure) when not under direct individual control of an authorized user. • At a minimum, overwrite media that have been used to process unclassified DOD information before external release or disposal.
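The last bullet on this slide is the only one that is a concrete technical operation rather than a handling rule. The following is an added example, not code from the presentation or from DoDI 8582.01: a small Python routine that rewrites every byte of a file in place with random data, forces the write to the device, and only then unlinks the file. The temporary file name, the marker content and the chunk size are constructed for the example.

```python
"""Overwrite a file's contents before the media leaves the organisation.

Added example for the "overwrite media before external release or
disposal" safeguard; it is not code from DoDI 8582.01 or from the talk.
The file name and contents used in demo() are constructed for the example.
"""
import os
import tempfile


def overwrite_in_place(path, passes=1, chunk_size=1024 * 1024):
    """Replace the file's bytes with random data, `passes` times.

    Returns the number of bytes overwritten per pass.  The file is opened
    with "r+b" rather than "wb" so the existing allocation is kept and the
    same logical blocks are rewritten, instead of the file being truncated
    and re-allocated somewhere else on the device.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push the overwrite through the OS cache
    return size


def overwrite_and_remove(path, passes=1):
    """Overwrite, then unlink.  Returns the number of bytes overwritten."""
    size = overwrite_in_place(path, passes=passes)
    os.remove(path)
    return size


def demo():
    """Constructed check: write a marker, overwrite it, confirm it is gone.

    Returns True when the overwritten file has the same length as before
    and no longer contains the start of the original marker.
    """
    fd, path = tempfile.mkstemp(suffix=".docx")
    marker = b"constructed FOUO draft proposal text " * 3000  # about 100 KiB
    with os.fdopen(fd, "wb") as f:
        f.write(marker)
    overwrite_in_place(path)
    with open(path, "rb") as f:
        after = f.read()
    os.remove(path)
    return len(after) == len(marker) and marker[:32] not in after


if __name__ == "__main__":
    print("overwrite verified:", demo())
```

An in-place overwrite only sanitizes data where the storage actually rewrites the same physical blocks. Flash and SSD wear-leveling, copy-on-write or journaling filesystems, snapshots and backups can all keep the old blocks, so for removable flash media the realistic choices are sanitizing the whole device (NIST SP 800-88 describes the clear, purge and destroy options) or encrypting the media before it is ever used and destroying the key afterwards.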

  32. DOD Instruction 8582.01 Information Safeguards (cont’d) • Encrypt all information that has been identified as controlled unclassified information (CUI) when it is stored on mobile computing devices such as laptops and personal digital assistants, or on authorized removable storage media such as compact disks and thumb drives, using the best encryption technology available to the contractor or teaming partner. • Limit transfer of unclassified DOD information to subcontractors or teaming partners with a need to know and obtain a commitment from them to protect the information they receive to at least the same level of protection as that specified in the contract or other written agreement.

  33. DOD Instruction 8582.01 Information Safeguards (cont’d) • Transmit e-mail, text messages, and similar communications containing unclassified DOD information using technology and processes that provide the best level of privacy available, given facilities, conditions, and environment. Examples of recommended technologies or processes include closed networks, virtual private networks, public key-enabled encryption, and transport layer security (TLS). • Encrypt organizational wireless connections and use encrypted wireless connections where available when traveling. If encrypted wireless is not available, encrypt document files (e.g., spreadsheet and word processing files), using at least application-provided password protected level encryption. • Transmit voice and fax transmissions only when there is a reasonable assurance that access is limited to authorized recipients.

  34. DOD Instruction 8582.01 Information Safeguards (cont’d) • Do not post unclassified DOD information to website pages that are publicly available or have access limited only by domain or Internet protocol restriction. Such information may be posted to website pages that control access by user identification and password, user certificates, or other technical means and provide protection via use of TLS or other equivalent technologies during transmission. Access control may be provided by the intranet (via the website itself or the application it hosts). • Provide protection against computer network intrusions and data exfiltration, minimally including: • Current and regularly updated malware protection services, e.g., anti-virus, anti-spyware. • Monitoring and control of both inbound and outbound network traffic (e.g., at the external boundary, sub-networks, individual hosts), including blocking unauthorized ingress, egress, and exfiltration through technologies such as firewalls and router policies, intrusion prevention or detection services, and host-based security services. • Prompt application of security-relevant software patches, service packs, and hot fixes.
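The monitoring-and-control bullet above is the one safeguard on this slide that is really a detection problem: the firewall policy blocks what it knows about, and everything else has to be found in the logs. The following is an added example, not part of the presentation or of DoDI 8582.01. It reviews constructed outbound firewall records against an approved external-destination list, an approved egress-port list and a per-host volume threshold, and reports the flows a reviewer should look at. The log format, the RFC 5737 documentation addresses, the approved lists and the 100 MiB threshold are all assumptions made for the example.

```python
"""Egress review over constructed firewall logs (added example).

Flags outbound flows that leave the organisation for destinations that are
not approved, use non-approved ports, were blocked by policy, or move an
unusually large volume of data from a single internal host.  Everything
below (log format, addresses, thresholds) is constructed for the example
and is not taken from DoDI 8582.01.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of outbound firewall records in key=value style.
SAMPLE_LOG = """\
2013-09-05T10:15:02Z action=ALLOW dir=OUT src=10.1.2.3 dst=203.0.113.7 dport=443 bytes=48210
2013-09-05T10:16:11Z action=ALLOW dir=OUT src=10.1.2.3 dst=10.1.9.20 dport=445 bytes=7340032
2013-09-05T10:17:45Z action=ALLOW dir=OUT src=10.1.2.3 dst=198.51.100.23 dport=443 bytes=262144000
2013-09-05T10:18:02Z action=ALLOW dir=OUT src=10.1.2.44 dst=203.0.113.7 dport=443 bytes=1024
2013-09-05T10:19:30Z action=ALLOW dir=OUT src=10.1.2.44 dst=192.0.2.9 dport=22 bytes=512
2013-09-05T10:20:01Z action=DENY dir=OUT src=10.1.2.44 dst=192.0.2.9 dport=6667 bytes=0
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal range
APPROVED_EXTERNAL = {"203.0.113.7"}                     # e.g. the organisation's web/VPN gateway
APPROVED_EGRESS_PORTS = {443}                           # assumed approved egress service
EXFIL_BYTES_THRESHOLD = 100 * 1024 * 1024               # 100 MiB per host to external hosts

REQUIRED_FIELDS = ("action", "dir", "src", "dst", "dport", "bytes")
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one record into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for kv in m.group("kv").split():
        key, _, value = kv.partition("=")
        rec[key] = value
    if any(field not in rec for field in REQUIRED_FIELDS):
        return None
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def analyze(log_text):
    """Return a list of findings as tuples whose first element is the kind."""
    findings = []
    external_bytes = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dir"] != "OUT":
            continue
        if is_internal(rec["dst"]):
            continue  # lateral traffic is a separate review, not egress
        external_bytes[rec["src"]] += rec["bytes"]
        if rec["action"] == "DENY":
            # Policy already blocked it; still worth knowing which host tried.
            findings.append(("blocked_egress", rec["src"], rec["dst"], rec["dport"]))
            continue
        if rec["dst"] not in APPROVED_EXTERNAL:
            findings.append(("unapproved_destination", rec["src"], rec["dst"], rec["dport"]))
        if rec["dport"] not in APPROVED_EGRESS_PORTS:
            findings.append(("unapproved_port", rec["src"], rec["dst"], rec["dport"]))
    # Volume check runs over allowed and denied flows alike, per source host.
    for src, total in external_bytes.items():
        if total >= EXFIL_BYTES_THRESHOLD:
            findings.append(("volume_exfil", src, total))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the constructed sample the script reports 10.1.2.3 twice: once for the 250 MiB session to an unapproved host, and once because its total external volume crosses the threshold even though the firewall allowed every flow. That second finding is the point of the outbound-monitoring requirement: a permissive "allow 443 out" policy satisfies the firewall bullet while letting exfiltration through, so the volume and destination checks have to run over the allowed traffic, not only the denies.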

  35. DOD Instruction 8582.01 Information Safeguards (cont’d) • Comply with other current Federal and DOD information protection and reporting requirements for specified categories of information (e.g., medical, proprietary, critical program information (CPI), personally identifiable information, export controlled) as specified in contracts, grants, and other legal agreements. • Report loss or unauthorized disclosure of unclassified DOD information in accordance with contract, grant, or other legal agreement requirements and mechanisms. • Do not use external IT services (e.g., e-mail, content hosting, database, document processing) unless they provide at least the same level of protection as that specified in the contract or other written agreement.

  36. DOD Instruction 8582.01 Take Home Message • DOD Instruction 8582.01 is very specific and tangible with regard to its cybersecurity requirements. • Contrast this with NIST Special Publication 800-53 which focuses on processes and methods for establishing cybersecurity protocols. • Query: is DOD Instruction 8582.01 any less universal or adaptable? Could it not also be used for just about any agency or any context?

  37. GSAR Case 2011-G503 • Instigated by a GSA internal investigation which found that the GSA’s IT systems failed to comply with FISMA, primarily because its contractors’ IT systems were not in compliance. • In response GSA adopted a regulation which, among other things, required GSA IT contractors to submit an IT Security Plan and a Continuous Monitoring Plan outlining compliance with Federal cybersecurity regulations. The regulation became final on January 6, 2012. • Only applies to GSA contracts but could be a roadmap for other agencies.

  38. GSAR Case 2011-G503 The IT Security Plan • Contractors must develop, provide, implement and maintain an IT security plan. • The plan shall describe the processes and procedures that will be followed to ensure appropriate security of IT resources. • The plan shall comply with FISMA. • The plan must be consistent with and further detail the approach contained in the contractor’s proposal that resulted in the award.

  39. GSAR Case 2011-G503 The Continuous Monitoring Plan Contractors must develop a continuing monitoring strategy that includes: • A configuration management process for the information system. • A determination of the security impact of changes to the information system and environment of operation. • Ongoing security control assessment. • Reporting the state of the system to GSA officials.

  40. GSAR Case 2011-G503 Take Home Messages • Contrast the GSAR regulation with the DOD Instruction—it doesn’t contain the same tangible prescriptions for cybersecurity; rather, in the spirit of FISMA, it requires the implementation of processes and protocols for assessing and implementing cybersecurity prescriptions.

  41. A cybersecurity joke…

  42. Executive Order 13636 Background • Promulgated in response to “repeated cyber intrusions into critical infrastructure.” • More of a focus on the cybersecurity of non-governmental entities that could nonetheless have a profound impact on the economy. • Defines “critical infrastructure” as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems would have a debilitating impact on security, national economic security, national public health or safety, or any combination of these.”

  43. Executive Order 13636 Two key provisions for government contractors: • Ordered the NIST to produce a baseline framework to reduce cyber risks to critical infrastructure. • Ordered the DOD, the GSA and FAR Council to study and make recommendations to the President on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.

  44. Executive Order 13636 New NIST Cybersecurity Baseline Framework The E.O. said that the Framework “shall provide a prioritized, flexible, repeatable, performance-based and cost-effective approach” and “shall focus on identifying cross-sector security.”

  45. NIST “Discussion Draft of the Preliminary Cybersecurity Framework” Impetus • Produced in direct response to the mandate of E.O. 13636 that “NIST lead the development of a framework to reduce cyber risks to critical infrastructure (the ‘Cybersecurity Framework’). The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.”

  46. NIST “Discussion Draft of the Preliminary Cybersecurity Framework” Posture • The Draft has been developed in concert with several “workshops” that NIST has hosted throughout the spring and summer of 2013 for stakeholders to discuss and comment on the framework in light of industry best practices. • The most recent version of the Discussion Draft was published on Aug. 28, 2013, in advance of the fourth workshop, to be held in Dallas on Sept. 11 – 13.

  47. NIST “Discussion Draft of the Preliminary Cybersecurity Framework” Framework Development Methodology • In February, 2013, NIST issued an RFI to industry and stakeholders designed to identify existing cybersecurity standards, guidelines, frameworks and best practices. 245 responses to the RFI were submitted. • On April 3, 2013, NIST hosted an initial workshop with industry and stakeholders to identify existing resources and gaps. • NIST analyzed the responses to the RFI and shared initial findings on May 15, 2013.

  48. NIST “Discussion Draft of the Preliminary Cybersecurity Framework” Framework Development Methodology (cont’d) • A second workshop was held on May 29, 2013 to discuss the foundations of the framework and the initial analysis of the RFI responses. • This led to the development of the first draft on July 1, 2013. • A third workshop was held on July 10, 2013 to review the first draft.

  49. NIST “Discussion Draft of the Preliminary Cybersecurity Framework” Framework Development Methodology (cont’d) Throughout this process, the following goals were developed for the Framework: • Be an adaptable, flexible, and scalable tool for voluntary use; • Assist in assessing, measuring, evaluating, and improving an organization’s readiness to deal with cybersecurity risk; • Be actionable across an organization; • Be prioritized, flexible, repeatable, performance-based, and cost-effective; • Rely on standards, methodologies, and processes which align with policy, business, and technological approaches to cybersecurity; • Complement rather than conflict with current regulatory authorities; • Promote, rather than constrain, technological innovation in this dynamic arena; • Focus on outcomes; • Raise awareness and appreciation for the challenges of cybersecurity but also the means for understanding and managing the related risks; • Be consistent with voluntary international standards.

  50. NIST “Discussion Draft of the Preliminary Cybersecurity Framework” Questions for Stakeholders and Reviewers How can the preliminary framework: • Adequately define outcomes that strengthen cybersecurity and support business objectives? • Enable cost-effective implementation? • Appropriately integrate cybersecurity risk into business risk? • Provide the tools for senior executives and boards of directors to understand risks and mitigations at the appropriate level of detail? • Provide sufficient guidance and resources to aid businesses of all sizes while maintaining flexibility?
