
201117-NERDIC-Cybersecurity-Awareness-Webinar-Maine-MEP-final


DOCUMENT INFORMATION

Basic information

Title: Cybersecurity Resiliency for Defense Contractors
School: Maine Polytechnic Institute (Maine MEP)
Field: Cybersecurity
Type: Webinar
Year published: 2020
City: Maine
Format:
Pages: 53
Size: 1.13 MB


Contents


Page 1

Maine MEP and Maine PTAC present:

Image used under license from Shutterstock.com

Page 4

Today’s Objective:

• Share information

• Identify where to go for updates

• Introduce cybersecurity resources in Maine

• Discuss timelines

• Provide links to guidance documents

• Introduce cybersecurity terminology

• Introduce steps to take

Page 5

Why are we all here?

• Threat Landscape

• Threats are constantly adapting

• Coordinated attacks on DOD information

• At sub-tier levels, not the primes!

• Phishing/Ransomware/Data loss

• Personal information compromised

• US enemies

• Hackers

Page 6

Why are we all here?

• Cyber Resiliency

• The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that include cyber resources (NIST SP 800-160 volume 2 definition of “Cyber Resiliency”)

• Assess, manage, and remediate risks

• Prepare the organization to manage its security and privacy risks:

• Understand types of risk;

• Understand risk effects;

• Identify information at risk;

• Develop policies / procedures / plans to reduce that risk

Page 7

Cybersecurity Overview

Please welcome

Shanna from

Defendify

Page 8

FARS & DFARS

Page 9

FARS & DFARS

Page 10

Controlled Unclassified Information (CUI)

• CUI is unclassified information that requires safeguarding or dissemination controls

• EO 13556 mandated a standard method of handling it and placed the development under the National Archives and Records Administration (NARA)

• 32 CFR 2002 (2016) established the CUI program

• NARA CUI Registry categories include:

• Critical Infrastructure, Defense, Export Control, Financial, Immigration, Intelligence, International Agreements, Law Enforcement, Procurement/Acquisition, Nuclear, Patent, Privacy

Page 11

48 CFR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems

• Clause inserted into contracts

• Establishes 15 basic cybersecurity controls for contractor information systems that process Federal contract information

• Flows requirements down to subcontractors

Examples:

• Only allow authorized users

• Use passwords

• Escort visitors

• Implement firewalls

• Update software

• Use virus protection

• Control physical access

• Perform system scans

Page 12

48 CFR 252.204-7008 Compliance with Safeguarding Covered Defense Information Controls

• Clause inserted into contracts

• Mandates 48 CFR 252.204-7012 for all “Covered Defense Information” on all contractor systems

• By submitting a bid, contractors certify that they are applying NIST Special Publication 800-171

• Allows potential waivers to 800-171

Page 13

48 CFR 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting

• Clause inserted into contracts

• Mandates contractors provide “Adequate Security” and requires “Cyber Incident Reporting”

• Requires NIST SP 800-171 to protect CUI

• Allows additional information systems security measures when necessary

• Contractor determines compliance

• Flows requirements down to subcontractors

Page 14

Proposed DFARS Interim Rule

• “Assessing Contractor Implementation of Cybersecurity Requirements”

• 85 FR 61505 published 29 Sep 2020

• Interim – Takes effect 30 Nov 2020

• Creates (3) new Clauses:

• 252.204–7019 Notice of NIST SP 800–171 DoD Assessment Requirements

• 252.204–7020 NIST SP 800–171 DoD Assessment Requirements

• 252.204–7021 Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement

Page 15

Proposed DFARS Interim Rule (2)

• 252.204–7019 Notice of NIST SP 800–171 DoD

• 252.204–7021 Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement

• CMMC at award - Maintain level for the duration of the contract

Page 16

Proposed DFARS Interim Rule (3)

Link to interim rule:

https://www.acq.osd.mil/dpap/pdi/cyber/docs/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.2.1%20%206.24.2020.pdf

Page 17

CMMC

Page 18

CMMC (Cybersecurity Maturity Model Certification)

• CMMC is a DoD cybersecurity assessment model and certification program

• Five levels; from 1 (basic cyber hygiene) to 5 (ultra sophisticated control)

• Multiple unified cybersecurity standards

• Johns Hopkins University Applied Physics Laboratory (APL), Carnegie Mellon University Software Engineering Institute (SEI), NIST and others

• DFARS 252.204-7012 is post-award; CMMC certification is pre-award

Page 19

CMMC (Cybersecurity Maturity Model Certification)

• Third-party firms will conduct certifications

• No self-certifications

• Will apply to everyone in the Defense supply chain, whether you process CUI or not

• The higher your company certifies, the more contracts you will be eligible to bid on

• If a contract or subcontract requires CUI, a Level 3 minimum certification will be required

• Certification good for 3 years

Page 21

• Pathfinder Projects to test approach – 10 selected contracts w/approx. 150 subcontractors

• DoD has stated it will be an allowable cost

• PTACs will be officially trained to assist – emphasis on Level 1

Page 22

CMMC (Cybersecurity Maturity Model Certification)

• Program has the highest level of support from DoD – USD A&S Ellen Lord

• Considered critical to securing the Defense Industrial Base as part of DoD’s “Adaptive Acquisition Framework”

• Ver 1.02 is current release

• DoD Press Conf (Jan 2020)

https://www.defense.gov/Whats-New/videoid/737134/#DVIDSVideoPlayer2435

Page 23

CMMC – Initial Timeline

• Jan 2020

• Version 1.0 released – Accreditation Body stood up

• Version 1.02 released March 18, 2020

• Aug 2020 – Feb 2021 (delayed)

• Initial batch of certifier firms trained

• Aug – Dec 2020 (delayed)

• DOD releasing (10) RFIs (Request for Info) and (10) RFPs (Request for Proposal) with CMMC requirement – Pathfinder Projects

• DoD will prioritize implementation

• Required on all DoD contracts by FY2026

• Only with DoD A&S approval until 30 Sep 2025

Page 24

CMMC - Assessment Organization

• Accreditation Body created Jan 2020

• https://www.cmmcab.org/

• Assessment Organizations (C3PAO)

• C3PAOs will be commercial, not gov’t, and will not have gov’t contracts to conduct assessments – private contracts

• Assessment currently under development

Page 26

CMMC - Level 2

• Intermediate Cyber Hygiene

• 72 practices

• Subset of 48 practices from 800-171

• Each practice is formally documented (maturity)

• Establish and document standard operating procedures, policies, and strategic plans

Page 27

• Required level to process CUI

• Adequately resource activities and review adherence to policy and procedures, demonstrating management of practice implementation

• Faces challenges defending against advanced persistent threats (APTs) – stealthy, smart bad guys

Page 28

Small Businesses

Page 29

Small Business Focus

• It’s not just about your IT security.

• Follow a cybersecurity model

• NIST Cybersecurity Framework

Page 30

Small Business Focus Priorities

• Top 5 things to reduce our cyber risk:*

• (1) Strong passwords and multi-factor

• (2) Email controls and (3) employee training

• (4) Lockdown/monitor/patch vulnerabilities in

*From “The Fifth Domain” 2019, page 46

Page 31

Cybersecurity Framework functions

Page 34

Cybersecurity Framework resources

• More in depth than the preceding slides

Page 35

NIST 800-171

Page 36

NIST 800-171

• DOD requirement where CUI is applicable

• Controlled Unclassified Information

• Has 110 controls to follow

• Self Assessment

• Policies & Procedures

• System Security Plan (SSP)

• Risk analysis

• Incident Response plan

• Plan of Action and Milestones (POAM)

Page 37

NIST 800-171 - Timeline

• Assessment, Documentation, & POAM by December 2017

• DFARS cybersecurity clause requirement

• Stay on top of revisions (Rev 2 has no content changes)

• As of October 2020, NIST 800-171 is at Rev 2

• 800-171A is for assessment guidance

• 800-171B has Enhanced Security Requirements

• Visit the NIST website for the latest version

https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final

Page 38

NIST 800-171 - 14 Control Families

• AC (22) - Access Control

• AT (3) - Awareness & Training

• AU (9) - Audit & Accountability

• CM (8) - Configuration Management

• IA (11) - Identification & Authentication

• IR (6) - Incident Response

• MP (9) - Media Protection

Page 39

NIST 800-171 - 14 Control Families

• PS (2) - Personnel Security

• PP (6) - Physical Protection

• RA (3) - Risk Assessment

• SA (4) - Security Assessment

• SC (16) - System & Security Protection

• SI (7) - System & Information Integrity

Page 41

NIST 800-171 - Document System

• SSP - System Security Plan

• How you meet the 110 controls

• Risk assessment/Incident response plan

Page 42

NIST 800-171 - POAM

• Plan of Action and Milestones

• What controls need remediation

• Who is responsible

• Planned date for completion

• Periodic status update

Page 43

Cybersecurity Resources

Page 44

Cybersecurity Support Resources

• Maine PTAC

  • Training and contract assistance

  • CMMC trained counselor(s)

• Maine MEP

  • Awareness, training, and assessments

• Private cybersecurity/IT/MSP companies

  • Awareness, training, and assessments

  • Ongoing training/penetration testing

  • Cybersecurity consulting services

Page 45

Cybersecurity Knowledge

Page 46

• https://www.archives.gov/cui/training.html#cui

• Cybersecurity & Infrastructure Security Agency (CISA) emails

Page 47

Cybersecurity Knowledge Resources - Small Business & General

• Small Business Cybersecurity Corner

• https://www.nist.gov/itl/smallbusinesscyber

• NISTIR 7621 (Small Business Information Security: The Fundamentals)

• https://csrc.nist.gov/publications/detail/nistir/7621/rev-1/final

• NIST Computer Security Resource Center

• https://csrc.nist.gov/ (NIST publications found here)

• NIST MEP Cybersecurity self assessment handbook

• https://www.nist.gov/publications/nist-mep-cybersecurity-self-assessment-handbook-assessing-nist-sp-800-171-security

Page 48

Cybersecurity Knowledge Resources - Glossary/Abbreviations/Guidance

• NIST 800-171 Rev 2

• Appendix B has a glossary of common terms and definitions

• Appendix C has a list of common abbreviations

• Appendix D has a table that maps to NIST SP 800-53 and ISO/IEC 27001

• CMMC Model v1.02 appendices (Great Resource!!)

• Appendix B: Process and Practice Descriptions and Clarifications

• Appendix C: Glossary

• Appendix D: Abbreviations and Acronyms

• Appendix E: Mapping table (to 800-171 plus others)

Page 49

Cybersecurity Knowledge Resources - DOD contractors and sub-contractors

• Companies working with DOD

• Center for Development of Security Excellence

• https://securityawareness.usalearning.gov/cybersecurity/index.htm

• DOD supply chain education and training focus

Page 51

NERDIC Cybersecurity Assessment

• Must be a manufacturer in the DOD supply chain!

• Assessment deliverables:

• Gap Analysis

• Plan of Actions with Milestones

• Assistance creating Policy & Procedure

• Assistance creating System Security Plan

• Assistance creating Incident Response Plan

• Sign up before January 2021

• Contact Maine MEP

• Bob Doiron: bobd@mainemep.org

Page 52

New England Regional Defense Industry Collaboration (NERDIC)

About the New England Regional Defense Industry Collaboration (NERDIC): NERDIC is a partnership of the state economic development organizations of Connecticut, Maine, Massachusetts, New Hampshire, Rhode Island, and Vermont, working to support Small and Medium-Sized Enterprises (SMEs) that provide parts, assemblies, to Tier One providers working with the U.S. Department of Defense. NERDIC has financial support from the Office of Economic Adjustment, U.S. Department of Defense. The content reflects the views of the New England Collaborative and does not necessarily reflect the views of the Office of Economic Adjustment, the U.S. Department of Defense, or the participating states.

Page 53

Thank you for attending

• Planned Fall/Winter 2020/2021 cyber awareness events:

• October 21 - Completed

• November 18

• December 16

• January 13, 2021

Posted: 25/10/2022, 04:12
