Complying with NIST 800-171

Waide Jones, CISO, Exostar
Roy Hu, Senior Manager, Accenture
Dan Vlacich, Manager, Accenture

DFARS NIST 800-171 AIA SMC SC 092617



Page 2

Agenda

• Cyber Threat
• Incidents
• Government Action - Regulation Overview
• Risk Based Approach - Cyber Security Risk Management
• Survey Results
• Resources - Build vs. Buy

Page 3

Cyber Threat

Advanced Persistent Threat
• Well-Funded
• Professional caliber attackers
• Avoid detection by industry standard tools

Targeting
• Anyone who has what they want
• Smaller the better
• Intellectual Property
• Financial Information

Economic/National Interests
• Competitive Advantage
• Shorten Creation Cycles (R&D)
• Shorten Technological Advantages

Page 4

Incidents

• Companies being targeted for information
• Many not prepared for the threat
• Reports are that many small to mid-sized businesses are not compliant
• Company size makes no difference (attackers hope for smaller, unprepared companies)

Page 5

Government Action - Regulation

• US Overview
  • FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems
  • DFARS 252.204-7008-Oct2016: Compliance with Safeguarding Covered Defense Information Controls
  • DFARS 252.204-7009-Oct2016: Limitations on the Use or Disclosure of Third-Party Contractor Information
  • DFARS 252.204-7012-Oct2016: Safeguarding Covered Defense Information and Cyber Incident Reporting
  • DFARS 252.239-7010-Oct2016: Cloud Computing Services
• UK
  • Cyber Essentials
  • Cyber Essentials Plus
  • Defence Cyber Protection Partnership

Governments will address threats; Industry can anticipate or react

Page 6

FAR 52.204-21

• Applicability
  • On contracts/systems with Federal Contract Information
  • All federal contracts and subcontracts at any tier
  • Exclusion - COTS products
• Compliance
  • Mandatory flowdown at all tiers
  • Imposes 15 requirements that correlate to 17 NIST SP 800-171 security controls (limited subset)
  • Suppliers agree to controls by signing the contract

Federal Contract Information — “Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Websites) or simple transactional information, such as necessary to process payments.”

Page 7

Immediate Action - Minimum Needs

FAR 52.204-21 MINIMUM CONTROL | NIST 800-171 CONTROL | TYPE
(i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). | 3.1.1 | C
(ii) Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | 3.1.2 | C
(iii) Verify and control/limit connections to and use of external information systems. | 3.1.20 | H
(iv) Control information posted or processed on publicly accessible information systems. | 3.1.22 | P
(v) Identify information system users, processes acting on behalf of users, or devices. | 3.5.1 | C
(vi) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | 3.5.2 | C
(vii) Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse. | 3.8.3 | P
(viii) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. | 3.10.1 | P
(ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices. | 3.10.3, 3.10.4, 3.10.5 | P
(x) Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. | 3.13.1 | H
(xi) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | 3.13.5 | C, H
(xii) Identify, report, and correct information and information system flaws in a timely manner. | 3.14.1 | S, C
(xiii) Provide protection from malicious code at appropriate locations within organizational information systems. | 3.14.2 | S
(xiv) Update malicious code protection mechanisms when new releases are available. | 3.14.4 | C
(xv) Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. | 3.14.5 | C

Type legend: C = Configuration, H = Hardware, P = Policy, S = Software

15 FAR controls for FAR and DFARS compliance: Start here

Page 8

DFARS - Key Points

• Applicability:
  • On contracts/systems where Covered Defense Information (CDI) resides or operationally critical support
  • CDI identified by the Contracting Officer (CO), Prime Contractor, or higher tiered subcontractor
  • CDI identified in Distribution Statement B-F & Section J of the contract & markings on the data
  • If in doubt ask, before you sign the contract: Am I going to receive or create CDI in the execution of this contract?
• Compliance
  • Compliance = Implementation of NIST SP 800-171
  • Implementation = self assessment + SSP & POA&M
  • A Systems Security Plan (SSP) to include a remediation plan is required for all controls not implemented by December 31, 2017

Be aware of fear marketing; No certification Vendors

Page 9

DFARS - Key Points

• Audit
  • There is no audit, this is only self attestation
  • DCMA can ask about NIST 800-171 applicability and compliance but NIST 800-171 compliance will not be the driver of why they are there
  • DCMA will verify Systems Security Plan (SSP), 30 day notices, & ECA Cert for reporting incidents
• Incident Reporting:
  • Must report cyber incidents
  • Upon discovery must conduct a review for evidence of compromise
  • Report within 72 hours directly to DoD https://dibnet.dod.mil/portal/intranet/
  • Must have a DoD approved medium Assurance Certificate
  • Must provide DoD-assigned incident report number to prime/higher tiered subcontractor
  • Must preserve and protect images of known affected information systems for 90 days
  • Must provide DoD access to additional information or equipment necessary to conduct forensics analysis
  • Must submit any malicious software uncovered to DC3

Page 10

System Security Plan (SSP) & Plan of Action & Milestones (POA&M)

SSP
• Describe system boundaries
• System environments of operation
• How security requirements are implemented
• Connections to other systems
• Periodically update
• Compliance questionnaire helps but is insufficient
• Network Diagrams
• Risk Assessment

NIST SP 800-171, Security Requirement 3.12.4 — Develop, document, and periodically update, system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

POA&M
• Plan
• Milestones
• Tracking & Reporting tool
• Tasks
• Responsible
• Dates
• Status
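The deck's model is "self assessment + SSP & POA&M", with the 15 FAR 52.204-21 requirements as the "start here" subset. The Python below is an added example for this page (not Exostar's or Accenture's tooling): it takes a self-assessment (control id to implemented yes/no), reports which FAR requirements are fully backed by implemented controls, and emits POA&M rows with the task, responsible, date and status fields the slide lists, FAR-minimum gaps first. The FAR-to-NIST mapping is the one in the deck's table; the sample assessment, the owner roster and the role names are constructed.

```python
"""Self-assessment -> FAR 52.204-21 minimum-control status -> POA&M entries.

Added example for this page; not Exostar's or Accenture's tooling.
The FAR (i)-(xv) to NIST SP 800-171 mapping is the one in the deck's
table; the sample assessment and owner roster below are constructed.
"""
from dataclasses import dataclass, field
from datetime import date

# FAR 52.204-21 basic safeguarding requirements (i)-(xv) and the 17
# NIST SP 800-171 controls they correlate to (from the deck's table).
FAR_TO_NIST = {
    "i": ["3.1.1"], "ii": ["3.1.2"], "iii": ["3.1.20"], "iv": ["3.1.22"],
    "v": ["3.5.1"], "vi": ["3.5.2"], "vii": ["3.8.3"], "viii": ["3.10.1"],
    "ix": ["3.10.3", "3.10.4", "3.10.5"], "x": ["3.13.1"], "xi": ["3.13.5"],
    "xii": ["3.14.1"], "xiii": ["3.14.2"], "xiv": ["3.14.4"], "xv": ["3.14.5"],
}

# Reverse index: NIST control -> FAR requirements that depend on it.
NIST_TO_FAR = {}
for _req, _controls in FAR_TO_NIST.items():
    for _c in _controls:
        NIST_TO_FAR.setdefault(_c, []).append(_req)

DEADLINE = date(2017, 12, 31)  # the deck's SSP/POA&M deadline

# Constructed self-assessment: control id -> implemented (True/False).
SAMPLE_ASSESSMENT = {
    "3.1.1": True, "3.1.2": True, "3.1.20": True, "3.1.22": True,
    "3.5.1": True, "3.5.2": True, "3.5.3": False,
    "3.8.3": True, "3.10.1": True, "3.10.3": True, "3.10.4": False, "3.10.5": True,
    "3.12.4": False, "3.13.1": True, "3.13.5": True, "3.13.11": False,
    "3.14.1": False, "3.14.2": True, "3.14.4": True, "3.14.5": True,
}
# Constructed owner roster (hypothetical role names).
SAMPLE_OWNERS = {"3.10.4": "Facilities Lead", "3.14.1": "IT Operations",
                 "3.5.3": "Identity Team", "3.13.11": "Security Architect"}


@dataclass
class PoamItem:
    """One POA&M row: the task/responsible/dates/status fields from the slide."""
    control: str
    task: str
    responsible: str
    due: date
    status: str = "Open"
    far_requirements: list = field(default_factory=list)


def control_sort_key(control):
    """Sort '3.10.4' numerically rather than as a string."""
    return tuple(int(part) for part in control.split("."))


def far_minimum_status(assessment):
    """Map each FAR requirement to True only if every correlated NIST control
    is reported implemented; a control missing from the assessment counts as
    not implemented (no evidence, no credit)."""
    return {req: all(assessment.get(c, False) for c in controls)
            for req, controls in FAR_TO_NIST.items()}


def build_poam(assessment, owners, deadline):
    """One POA&M entry per control not implemented, FAR-minimum controls
    first (the 'start here' subset), then by control number."""
    items = [
        PoamItem(control=c,
                 task=f"Implement NIST SP 800-171 {c}",
                 responsible=owners.get(c, "Unassigned"),
                 due=deadline,
                 far_requirements=NIST_TO_FAR.get(c, []))
        for c, implemented in assessment.items() if not implemented
    ]
    items.sort(key=lambda i: (not i.far_requirements, control_sort_key(i.control)))
    return items


def render(items):
    """Plain-text tracking view of the POA&M."""
    lines = []
    for i in items:
        far = ", ".join(f"({r})" for r in i.far_requirements) or "-"
        lines.append(f"{i.control:<8} {i.status:<6} {i.due} {i.responsible:<20} FAR: {far}")
    return "\n".join(lines)


if __name__ == "__main__":
    status = far_minimum_status(SAMPLE_ASSESSMENT)
    unmet = [r for r, ok in status.items() if not ok]
    print(f"FAR 52.204-21: {15 - len(unmet)}/15 requirements met; unmet: {unmet}")
    print(render(build_poam(SAMPLE_ASSESSMENT, SAMPLE_OWNERS, DEADLINE)))
```

Note that requirement (ix) maps to three controls, so one unimplemented physical-access control (3.10.4 in the sample) leaves that FAR requirement unmet even though the other two are in place; the POA&M row carries the FAR reference so the tracking tool can show which "start here" items are still open.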

Page 11

NIST 800-171 System Security Plan (SSP) Examples

If requested, DOD may utilize the System Security Plan by
• Requiring that proposals i) identify any NIST SP 800-171 security requirements not implemented at the time of award and ii) include associated plans of action for implementation
• Identifying in the solicitation that all security requirements in NIST SP 800-171 must be implemented at the time of award
• Identifying in the solicitation that the contractor’s approach to providing adequate security will be evaluated in the source selection process for award

Source: DOD FedRamp Template
Source: DHS CSET Security Plan Report
Source: A&D Company System Security Plan Excerpt
Source: Exostar Risk Management Solution

Page 12

Government Implementation - Risk Based

• My read of the Government is….
• They need everyone to know: Threats are Real, You are a Target
• Each of us has to get in the game
• Manage cyber risk like any other business risk
• Regulation is the minimum bar & will drive compliance BUT
• Recognize good cyber security risk management is the long term fix
• Allowing System Security Plan (SSP) & Plan of Action & Milestones (POA&M) to comply
• No set SSP template

Page 13

Highest Concerns – AIA Cyber Survey (20% response rate)

Page 14

Exostar NIST 800-171 Questionnaire Results

• Exostar Partner Information Manager (PIM) data from suppliers of multiple large A&D buying organizations
• Random sample of approximately 800 suppliers completing the Exostar NIST self-assessment questionnaire
• Percentage of organizations claiming they have implemented or not the control
• Ten lowest percent implemented controls
• Consistent ratings for 12 months

NIST Controls least implemented by suppliers

Control | % Implemented | Control Description
3.5.3 | 38% | Use multifactor authentication for local and network access to privileged accounts a...
3.13.11 | 42% | Employ FIPS-validated cryptography when used to protect the confidentiality of CUI…
3.12.4 | 46% | Develop, document, and periodically update system security plans that describe system …
3.3.6 | 47% | Provide audit reduction and report generation to support on-demand analysis and repo…
3.6.3 | 47% | Test the organizational incident response capability.
3.1.19 | 47% | Encrypt CUI on mobile devices.
3.3.5 | 48% | Use automated mechanisms to integrate and correlate audit review, analysis, and repo...
3.13.13 | 49% | Control and monitor the use of mobile code.
3.7.5 | 50% | Require multifactor authentication to establish nonlocal maintenance sessions via ex...
3.13.10 | 54% | Establish and manage cryptographic keys for cryptography employed in the information...

Page 15

Build vs. Buy

• Various company situations
• Varied Experience Level
• Two paths to compliance

Page 16

Build – Resources

• Policy
• Security
• Controls

Page 17

3rd Party Tools: AIA Cyber Security Survey

• Assessment:
  • CSET
  • Archer Database
  • CIS-Configuration Assessment Tool
  • Exostar
  • Nexpose, CIS Benchmarks
  • SANS “Top 20” CSC and ISO 27002 Framework
• Technical Controls:
  • SCM, Zscaler, Carbon Black, Sophos
  • AlienVault Unified Security Management
  • Splunk, Microsoft System Center
  • DarkTrace and BeyondTrust
  • FPA Technology Services, Inc.

Page 18

Build - Resources

• AIA Cyber Security Committee - http://www.aia-aerospace.org/committee/cyber-security-committee/
• Northrop Grumman – NIST 800-171 Controls Guidance - http://www.northropgrumman.com/suppliers/Pages/CybersecurityControlsLanding.aspx
• Lockheed Martin – Adhering to DoD Cybersecurity Requirements - http://www.lockheedmartin.com/us/suppliers/cybersecurity/dfars.html
• Exostar – NIST 800-171 Controls Guidance - https://exostar.atlassian.net/wiki/spaces/EN8/overview
• DoD Procurement Toolbox - http://dodprocurementtoolbox.com/site-pages/cybersecurity-policy-regulations

Page 19

Buy – Resources

• Use a trusted service provider
• Compliance cannot be done only by a service provider
• You still have a responsibility

Page 20

Exostar Solutions – NIST 800-171 Compliant

Recognized leader for identity and access management and secure enterprise collaboration

IDENTITY MANAGEMENT
• Improve the management of employee and partner identities and access privileges
• Meet NIST 800-171 multi-factor authentication requirements

SECURE COLLABORATION
• Securely and compliantly share sensitive information internally and with external partners
• Store, share, protect, and mark Covered Defense Information (CDI)

RISK MANAGEMENT
• Assess, measure, and mitigate risk across multi-tier partner community networks
• Manage and validate supplier readiness & guide System Security Plan (SSP) and Plan of Action & Milestone (POA&M) development

SUPPLY CHAIN MANAGEMENT
• Qualify and manage suppliers & eProcurement efficiently and compliantly
• Visualize, track, and manage the enterprise sourcing and procurement process, with improved visibility

Copyright 2017 Exostar LLC | All Rights Reserved

Page 21

Accenture

Page 22

Contents

• DFARS Compliance Challenges
• DFARS Compliance Lifecycle
• Example Timeline for DFARS Compliance
• Security Reference Architecture
• DFARS Assessment Gap Analysis Example
• Cyber Value Chain
• End-to-End View of Cyber Defense
• Example Solutions: DevSecOps and NIST Enabled Infrastructure

Page 23

Common DFARS Compliance Challenges

MOVE FROM:
• Partial strategy and plan to address and maintain DFARS compliance standards
• Unknown state of compliance across multiple groups, business units, subsidiaries, and suppliers
• Lagging security defenses
• Limited information on asset inventory for on premise and cloud applications
• Lack of dedicated resources to identify and remediate compliance issues
• Limited automation in the tools to provide real-time compliance validation and reporting

MOVE TO (DESIRED OUTCOMES):
• Full compliance against NIST SP 800-171 and DFARS
• Established and Mature Cyber Security Program that incorporates standardized security processes and solutions such as DevSecOps to maintain compliance
• Mapping and protection of critical assets and sensitive data
• Situational awareness of the security compliance across the entire organization
• Automated reporting and continuous security monitoring

SECURITY RISK AND COMPLIANCE activities across the lifecycle (UP FRONT, ONGOING DEVELOPMENT, ONGOING OPERATIONS):
• CUI/CDI discovery
• Compliance Self-Assessment
• Compliance Strategy/Roadmap
• Asset inventory
• Controls mapping
• Allocation of resources
• Security validation
• Post audit remediation
• Continuous monitoring
• Vulnerability assessment
• Penetration testing
• Assessment of controls
• Documentation
• Audit and report preparation
• DFARS Training
• Security automation

Internal Requirements
• Security Policies
• Security Guidelines
• DevSecOps Standards

External Requirements
• NIST SP 800-171 and DFARS
• NIST SP 800-53

Page 24

DFARS Compliance Lifecycle

Security Compliance Methodology supports identification, analysis, remediation and mitigation of security risks for an organization’s environment

• Map and Focus on Derived Controls: Organizations may already have mapping of standards to ISO or NIST SP 800-53. Each NIST SP 800-171 control family has high level basic controls supported by more detailed derived controls. Determine an approach which confirms alignment with derived controls, which then aligns with basic controls
• Determine Application of Control Level: Based on the solution in place, controls could be applied at different levels:
  – Enterprise Level
  – Application Level
  – Location/Facility Level
  – Client Data Protection Level
• Locate CUI/CDI: Identify which information systems areas store, or likely may store, sensitive client information
• Assess Compliance: Conduct interviews with key stakeholders and assess controls based on the processes and technology solutions currently in place to meet the objective of each control
• Generate Report and Documents: Develop compliance readiness reports, remediation plans, System Security Plan (SSP), etc.

Source: Accenture

Page 25

Example Timeline for DFARS Compliance

Schedule: September 2017, October 2017, November 2017, December 2017 (Deadline 12/31/2017), 2018+

Key Activities
• CUI Discovery
• Initial Assessment Documentation and POA&M Development
• Implementation of Controls and Address POA&M (Phased Approach)
• Assess Compliance
• Controls Mapping
• Security Solutions Assessment / Solution/Tools Modernization
• Vulnerability Assessment
• SSP Development/Updates
• Security Solution Development
• TCPs and SOPs Development/Updates
• Technical Controls Validation
• NIST/DFARS POA&M Development
• Policy Updates
• Mapping of Derived Controls
• Determine Application Level Controls
• Remediation Activities
• Control Assessments / Penetration Testing
• Continuous Monitoring of Compliance
• Ongoing Updates of TCPs and SOPs
• Security Awareness Training on DFARS Compliance
• Preparation of Internal and External Audits
• Security Strategy Develop
• Tools Rationalization
• Asset Inventory

Page 26

Accenture’s Security Reference Architecture

Identity & Access Management: Identity Management; Access Management; Directory Services; Authorization Enforcement; Authentication Enforcement

Data Security: Cryptography; Data Privacy / Protection; Data Loss Prevention; Business Proc. Security

Software and Application Security: Web App Security; Desktop App Security; Mobile App Security; Enterprise App Security; Secure Development Lifecycle

Extended Enterprise Security: Cloud Security; Mobile Security; IIoT/IoT Security; Social Media Security; Supply Chain Security

Infrastructure Security: Platform Security; Network Security; Endpoint Management; Voice/VoIP Security

Cyber Security: Threat Response; Threat Detection; Threat Intelligence; Vulnerability Management; Security Analytics

Enterprise Security Operations: Security Log Management; Business Continuity Ops; Update Management; Disaster Recovery Ops; Security Patch Mgmt; Compliance Monitoring; User & Identity Admin; Threat Hunting and Analysis; SOC Operations

Governance: Security Strategy; Security Governance; Security Architecture; Risk Management; Compliance Management; Security Policies

NIST SP 800-171 Controls: Access Control; Audit & Accountability; Awareness & Training; Configuration Management; Identification & Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical Protection; Risk Assessment; Security Assessment; System & Comm. Protection; System & Info Integrity

Source: Accenture

Page 27

DFARS Assessment – Gap Analysis Example

[Figure: 2x2 grid. Horizontal axis: Ease of deployment (Difficult to Easy). Vertical axis: Value (Low to High). Quadrants: High-Priority Long-term Initiatives (high value, difficult); High-Priority Quick Wins (high value, easy); Low Priority Initiatives (low value, difficult); Quick Wins (low value, easy).]

Capability Family Legend: Access Control; Audit & Accountability; Awareness & Training; Configuration Management; Identification & Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical Protection; Risk Assessment; Security Assessment; System & Comm. Protection; System & Info Integrity
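The gap-analysis grid above sorts remediation items by value against ease of deployment. The Python below is an added example for this page (not Accenture's method or tooling) that applies the same four quadrants to a list of assessed gaps and produces a remediation order plus a per-capability-family tally like the legend view. The quadrant names are the slide's; the 1-5 scoring scale, the threshold, and the sample gaps (taken from the deck's least-implemented controls, with invented scores) are constructed.

```python
"""Gap-analysis prioritization on a value vs. ease-of-deployment grid.

Added example for this page; not Accenture's method or tooling. The four
quadrant names come from the slide; the 1-5 scoring scale, the threshold
and the sample gaps with their scores are constructed.
"""
from dataclasses import dataclass

# Quadrants in the order remediation work is sequenced here:
# high value first, and within the same value band the easier work first.
QUADRANT_ORDER = [
    "High-Priority Quick Wins",             # high value, easy to deploy
    "High-Priority Long-term Initiatives",  # high value, difficult
    "Quick Wins",                           # low value, easy
    "Low Priority Initiatives",             # low value, difficult
]


@dataclass(frozen=True)
class Gap:
    control: str   # NIST SP 800-171 control id
    family: str    # capability family (the slide's legend)
    value: int     # 1 (low) .. 5 (high): value of closing the gap
    ease: int      # 1 (difficult) .. 5 (easy): ease of deployment


def quadrant(gap, threshold=3):
    """Place a gap on the 2x2 grid; scores at or above the threshold count as high/easy."""
    high_value = gap.value >= threshold
    easy = gap.ease >= threshold
    if high_value and easy:
        return "High-Priority Quick Wins"
    if high_value:
        return "High-Priority Long-term Initiatives"
    if easy:
        return "Quick Wins"
    return "Low Priority Initiatives"


def prioritize(gaps, threshold=3):
    """Group gaps by quadrant; within a quadrant, highest value first, then easiest."""
    groups = {q: [] for q in QUADRANT_ORDER}
    for g in gaps:
        groups[quadrant(g, threshold)].append(g)
    for q in groups:
        groups[q].sort(key=lambda g: (-g.value, -g.ease, g.control))
    return groups


def remediation_sequence(gaps, threshold=3):
    """Flatten the grouped gaps into one ordered list of control ids."""
    groups = prioritize(gaps, threshold)
    return [g.control for q in QUADRANT_ORDER for g in groups[q]]


def family_summary(gaps, threshold=3):
    """Count gaps per capability family per quadrant (the legend view)."""
    summary = {}
    for g in gaps:
        per_family = summary.setdefault(g.family, {})
        q = quadrant(g, threshold)
        per_family[q] = per_family.get(q, 0) + 1
    return summary


# Constructed sample: deck's least-implemented controls with invented scores.
SAMPLE_GAPS = [
    Gap("3.5.3", "Identification & Authentication", value=5, ease=3),
    Gap("3.13.11", "System & Comm. Protection", value=4, ease=1),
    Gap("3.1.19", "Access Control", value=4, ease=4),
    Gap("3.3.6", "Audit & Accountability", value=2, ease=4),
    Gap("3.6.3", "Incident Response", value=3, ease=5),
    Gap("3.13.13", "System & Comm. Protection", value=2, ease=2),
    Gap("3.7.5", "Maintenance", value=4, ease=2),
]

if __name__ == "__main__":
    for q, gs in prioritize(SAMPLE_GAPS).items():
        print(q + ":", ", ".join(g.control for g in gs) or "-")
    print("Sequence:", remediation_sequence(SAMPLE_GAPS))
```

The scores are the judgement call; the code only makes the ordering reproducible so the same assessment always yields the same POA&M sequence, and the family tally shows which control families carry the difficult, high-value work.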

Page 28

Cyber Value Chain

Source: Accenture

Page 29

End-to-End View of Cyber Defense

Source: Accenture

Page 30

Example Solution: Compliance via DevSecOps

WHAT DOES IT MEAN FOR NIST SP 800-171 COMPLIANCE?
Security needs to evolve, and become a support partner in the equation leveraging everything DevOps has to offer to:
• Address all of the required NIST SP 800-171 security controls within the SDLC to prevent issues in the production environment
• Build on existing people, processes and tools to successfully drive security requirements in solutions
• Enable development teams to succeed in creating secure applications with an understanding of compliance goals
• Secure applications from planning and design phases to on-going operations and retirement
• Adapt to and secure new technologies

DevOps
• CULTURE: Tighter communication and integration between systems engineering and development teams
• PROCESSES: Automated deployment pipeline integrated with security reviews and testing with strong feedback loop to operations and development teams
• TECHNOLOGIES: Advanced combination of open source and commercial tools assessing various aspects of application (requirements, code, deployment, etc.)

Agile Development
• SHORTER RELEASE CYCLES: Shift work “to the left” as much as possible, to ensure no major issues or defects are found late in the release cycle
• SMALLER BATCH SIZES: Reviews and tests should be able to evaluate small portions of the application while ensuring all dependencies are also covered
• CROSS-FUNCTIONAL TEAMS: Cross-functional teams are the norm, to ensure up-to-date information on project milestones and activities in agile development are tracked and used to inform actions

Page 31

Example Solution: NIST Enabled Infrastructure

HPE NIST Enabled Infrastructure (NEI) addresses specific agency needs providing location agnostic cloud and compute resources prepared for rapid ATO adoption

Benefits:
• Faster path to ATO for Suppliers: NEI can provide up to 85% of the required NIST controls (SP 800-53 / SP 800-171)
• Flexible capacity
• Repeatable infrastructure to drive down cost
• Architected to easily convert to OpenStack in the future to drive down OPEX

[Figure: HPE NIST Enabled Infrastructure (Security Controls, Baselines, Standards, ATOs) and FedRAMP Cloud (pATO) feed the Agency requiring ATO/NIST Controls.]
• Regardless of the infrastructure (NEI or FedRAMP), the security controls are “accepted” to become part of the ATO
• The Agency will accept, reject, or mitigate controls to produce the final “system” that will become part of the ATO

Page 32

Material References

• DFARS Compliance through DevSecOps – http://www.aia-aerospace.org/wp-content/uploads/2016/05/DevSecOps-Acceleration-of-800_171-Compliance.pdf

Page 33

Backup

Page 34

DFARS Subcontractor Flowdown

• The clause is required to flow down to subcontractors only when performance will involve:
  • Operationally critical support
  • Covered defense information
• The contractor shall determine if the information required for subcontractor performance is, or retains its identity as, covered defense information and requires safeguarding
• Flowdown is a requirement of the terms of the contract with the Government, which must be enforced by the prime contractor as a result of compliance with these terms
• If a subcontractor does not agree to comply with the terms of DFARS Clause 252.204–7012, then covered defense information shall not be shared with the subcontractor or otherwise reside on its information system

Be clear what information and support is needed for the contract; push back if you really don’t need the CDI

“Operationally critical support” means supplies or services designated by the Government as critical for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.

Page 35

Covered Defense Information (CDI)

• CDI is unclassified controlled technical information or other information (as described in the Controlled Unclassified Information (CUI) Registry at https://www.archives.gov/cui/registry/category-list) that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is—
  • (1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
  • (2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

Page 36

Covered Defense Information (CDI) - Examples

• Technical information with a military or space application
• Examples of technical information
  • Research and engineering data
  • Engineering drawings, and associated lists, specifications and standards
  • Process sheets, manuals, technical reports, technical orders
  • Catalog-item identifications, data sets, studies and analyses and related information
  • Computer software executable code and source code

Must be a DoD contract & applicable to DFARS regulation to apply

Page 37

Cybersecurity Evaluation Tool (CSET)

• Application to Evaluate a Company’s Cybersecurity Posture
• Department of Homeland Security (DHS) No Cost Software Download
• Includes a Step by Step Q&A Interface
• Reports Generated include an Executive Summary and a Security Plan
• DOD Recommended

- Download at https://ics-cert.us-cert.gov/Downloading-and-Installing-CSET
- Select “Advanced Mode” which will provide the option to select NIST 800-171

Source: DHS CSET Tool User Screens
