Understanding Federal IT Compliance in Three Steps - SharePoint Fest DC
•Download as PPTX, PDF•
0 likes•114 views
Do you have government contracts or are looking to broaden your portfolio? Aggravated by acronyms like FISMA, DFARS or NIST? A new class was defined in 2015 as Controlled Unclassified Information (CUI) to add to the list of acronyms and as of January 1, 2018 its protection will be an integral piece of government contracts. In this session we'll cover the three steps to be complaint, and overview of the technologies required.
Recommended
More Related Content
What's hot
What's hot (19)
Similar to Understanding Federal IT Compliance in Three Steps - SharePoint Fest DC
Similar to Understanding Federal IT Compliance in Three Steps - SharePoint Fest DC (20)
More from Adam Levithan
More from Adam Levithan (20)
Recently uploaded
Recently uploaded (20)
Understanding Federal IT Compliance in Three Steps - SharePoint Fest DC
- 1. Understanding Federal IT Compliance In 3 Steps Adam Levithan March 28, 2018
- 2. Community Member Since 2007 @collabadam Adam Levithan Group Program Manager Secure Collaboration Copyright 2018 Exostar LLC | All Rights Reserved 3
- 3. A little bit of Federal IT Security History Three Steps to Compliance in the Cloud for the non- security professional Office 365 & Azure through the lens of NIST 800-171 (On-Premises Too) Copyright 2018 Exostar LLC | All Rights Reserved 4 Agenda
- 4. The Federal Information Security Management Act (FISMA) is a United States federal law passed in 2002 that made it a requirement for federal agencies to develop, document, and implement an information security and protection program. Copyright 2018 Exostar LLC | All Rights Reserved 5 FISMA
- 5. Copyright 2018 Exostar LLC | All Rights Reserved 6 FISMA NIST 800-53 This publication provides a catalog of security and privacy controls for federal information systems and organizations to organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile attacks, natural disasters, structural failures, human errors, and privacy risks. The controls are and customizable and implemented as part of an organization- wide process to manage risk. … Addressing both functionality and assurance ensures that information technology products and the information systems that rely on those products are sufficiently trustworthy.
- 6. Copyright 2017 Exostar LLC | All Rights Reserved 7 Time Out – What’s a Security Control? Security controls are technical or administrative safeguards or counter measures to avoid, counteract or minimize loss or unavailability due to threats acting on their matching vulnerability, i.e., security risk. Controls are referenced all the time in security, but they are rarely defined. Stephen Northcutt , SANS Institute https://www.sans.edu/cyber-research/security-laboratory/article/security-controls
- 7. Third Revision A simplified, six-step risk management framework; Additional security controls and enhancements for advanced cyber threats; Organization-level security controls for managing information security programs; Fourth Revision Insider threats; Software application security (including web applications); Social networking, mobiles devices, and cloud computing; Fifth Revision Making the security and privacy controls more outcome-based by changing the structure of the controls; Eliminating the term information system and replacing it with the term system so the controls can be applied to any type of system including, for example, general-purpose systems, cyber-physical systems, industrial/process control systems, and IoT devices; De-emphasizing the federal focus of the publication to encourage greater use by nonfederal organizations; Clarifying the relationship between security and privacy Copyright 2018 Exostar LLC | All Rights Reserved 8 NIST 800-53 Over Time https://en.wikipedia.org/wiki/NIST_Special_Publication_800-53
- 8. Copyright 2018 Exostar LLC | All Rights Reserved 9 FISMA NIST 800-53 - High, Medium, Low FedRAMP The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
- 9. Copyright 2018 Exostar LLC | All Rights Reserved 10 FISMA NIST 800-53 - High, Medium, Low FedRAMP – High, Medium, Low NIST 800-171 The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its assigned missions and business operations.
- 10. Defense Federal Acquisition Regulations Supplement (DFARS) 252.204- 7012, Safeguarding Covered Defense Information and Cyber Incident Reporting requires contractors to implement NIST 800-171 to safeguard covered defense information that is processed or stored on their internal system or network. Contractors self-attest to meeting these requirements. Copyright 2018 Exostar LLC | All Rights Reserved 11 For Defense . . .
- 11. Protect Information Create effective security for the future Copyright 2018 Exostar LLC | All Rights Reserved 12 Purpose for the requirements?
- 12. 100% Complete with Security Assessment • Gap Analysis using NIST 800-171 controls (3.12.1) • Plan of Action & Milestones (POA&M) (3.12.2) • System Security Plan (SSP) (3.12.3) Conduct Subcontractor Flow Down Comply with Incident Reporting Requirement Copyright 2018 Exostar LLC | All Rights Reserved 13 To be NIST 800-171 compliant
- 13. Cloud Track Everything Know Your Users Protect Your Content 14 Example Cloud Boundaries for NIST 800-171 CloudOn Premises Control Families - Access Control - Awareness and Training - Audit and Accountability - Configuration Management - Identification and Authentication - Incident Response - Maintenance - Media Protection - Physical Protection - Personnel Security - System and Communications Protection - System and Information Integrity Documents on Endpoints Control Families - Access Control - Awareness and Training - Audit and Accountability - Incident Response - Media Protection - Personnel Security - Risk Assessment - Security Assessment - System and Information Integrity Documents Stored in Cloud Copyright 2018 Exostar LLC | All Rights Reserved
- 14. Three Steps 15Copyright 2018 Exostar LLC | All Rights Reserved
- 15. 16 Controls System and Communications Protection External Connections Encrypt Copyright 2018 Exostar LLC | All Rights Reserved
- 16. 17 Controls Access Control Internal & External Processes Users vs. Administrators Encrypt Copyright 2018 Exostar LLC | All Rights Reserved
- 17. 18 Controls Physical Protection Physical Access Servers Copyright 2018 Exostar LLC | All Rights Reserved
- 18. 19 Controls Media Production Mark Documents Encrypt Beyond USBs Copyright 2018 Exostar LLC | All Rights Reserved
- 19. 20 Controls Configuration Management Process & Procedure Copyright 2018 Exostar LLC | All Rights Reserved
- 20. 21 Controls System & Information Integrity Code Flaws Malicious Code Copyright 2018 Exostar LLC | All Rights Reserved
- 21. 22 Controls Maintenance Internal Connections Process Copyright 2018 Exostar LLC | All Rights Reserved
- 22. Protect Your Content Track Everything Three Steps 23Copyright 2018 Exostar LLC | All Rights Reserved
- 23. Controls 24 Access Control Privileged Responsibilities Non-Privileged Copyright 2018 Exostar LLC | All Rights Reserved
- 24. Controls 25 Identification & Authentication Multi-Factor Enforce best practices Copyright 2018 Exostar LLC | All Rights Reserved
- 25. Controls 26 Awareness & Training IT Best Practices Annual Training Stop Insider Threats Copyright 2018 Exostar LLC | All Rights Reserved
- 26. Controls 27 Media Protection Personnel Action Visitors Copyright 2018 Exostar LLC | All Rights Reserved
- 27. Controls 28 Maintenance Multi-Factor Supervise Physical Access Copyright 2018 Exostar LLC | All Rights Reserved
- 28. Protect Your Content Know Your Users Three Steps 29Copyright 2018 Exostar LLC | All Rights Reserved
- 29. Controls 30 Audit & Accountability Record Correlate Alert Copyright 2018 Exostar LLC | All Rights Reserved
- 30. Controls 31 Security Assessment & Risk Assessment Situational Awareness Document How Copyright 2018 Exostar LLC | All Rights Reserved
- 31. Controls 32 System & Information Integrity Errors Report Correct Copyright 2018 Exostar LLC | All Rights Reserved
- 32. Controls 33 Configuration Management Baseline Process to Approve Record Copyright 2018 Exostar LLC | All Rights Reserved
Editor's Notes
- System and Communications Protection Before you can build a house you must have roads, sewers, and electricity in place. The System and Communications Protection control family focuses on all the external infrastructure connections that will support the functions of your information system. Bringing this infrastructure to “code” for NIST 800-171 means that content is encrypted in transit, and at rest, using FIPS validated encryption. (See validated algorithms http://csrc.nist.gov/groups/STM/cavp/validation.html ) Most likely you are already using one of these cryptographic methods to secure inter-system communication. This requirement is so important that it repeats itself throughout several of the controls. After you’ve created the infrastructure, this section focuses on controlling inter-system communication by requiring a set time period for “terminating sessions.” By requiring systems to re-authenticate you reduce the risk of data leakage.
- Access Control When you design a house, you must decide where the doors and windows will be. If security is a top requirement, you must consider how to control access, and who gets the keys. When protecting Covered Defense Information (CDI) or Covered Technical Information (CTI) information the door is for both internal and external processes. The Access Control family focuses on separating the access of standard users vs. administrators within your network, and ensuring that these accounts have “least privilege.” This has been a standard for many years, so it should only require that you document your processes. Additionally this control family requires appropriate privacy notices to users entering the system, and limits both the number of logon attempts and the time a user can be connected within a session. Finally, you must encrypt your communications with the outside world, whether via internet, Wi-Fi, or on a wireless device.
- Physical Protection Once your home is built, you’ll need to protect it. A complete security system logs when doors open and close, alerts you when motion sensors are triggered, and has security cameras for additional monitoring. Similarly, the Physical Protection control family tracks visitors, restricts physical access to sensitive areas, and monitors all community space. Yes, servers do exist, so it’s recommended that you have a method to track access to their data center, racks, and the servers themselves. Digital keycards, video cameras, and controlled access to each section of the facility are highly recommended.
- Media Protection Even with your doors locked and security system running, you should still keep valuables and important documents in a safe. Similarly, NIST 800-171 recognizes that not all content in your system is created equal. The Media Protection control family requires that CDI is marked at the document level, and if it is stored on any external media. Media includes both physical servers that need to be protected as well as printed materials, and the controls cover how they’re stored and destroyed when no longer needed. Encryption of CDI content is reinforced on digital transport methods, CD/DVD to thumb drive, and within back-up systems. Another key concern is the ability to use removable devices to download and store CDI data. While turning off all USB ports on laptops might solve that issue, users should also be trained not to transport CDI on external devices.
- Configuration Management Now that your house is built and secure, let’s talk about decorating. How do you decide where to put your furniture and decorations? The Configuration Management control family is focused on the detailed software level and is about the processes and procedures you take to make sure logical security is in place. It again reaffirms access restrictions from the Access Control family. Do you restrict what software is installed on servers and/or on staff’s laptops? Record it here, and describe the process that you take to make sure any new software that is added does not affect security and stability of your information system.
- System & Information Integrity When you have a new home, you want to fill it with safe, high-quality materials. This is similar to the System and Information Integrity control family, which focuses squarely on your information system, and even more specifically on the code within it. You should monitor, identify, and take action if you find flaws in the system, or malicious code from outside parties. What process do you have in place for responding to these errors? If you have one, formalize it and you are one step closer to fulfilling the NIST 800-171 System Security Plan (SSP).
- Maintenance Your house, or information system, is no good without constant upkeep. Follow best practices to make sure the hardware and software supporting your information system is in good shape. Make sure you know who is working on your system and what tools (physical or digital) they’re using when performing maintenance. Make sure your processes are in place for internal and external personnel to keep the system at its best.
- Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). Limit information system access to the types of transactions and functions that authorized users are permitted to execute. Separate the duties of individuals to reduce the risk of malevolent activity without collusion. Use non-privileged accounts or roles when accessing non-security functions. Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
- Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems. Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities. Provide security awareness training on recognizing and reporting potential indicators of insider threat.
- Personnel Security 3.9.2 Ensure that CUI and information systems containing CUI are protected during and after personnel actions such as terminations and transfers. Physical Protection 3.10.3 Escort visitors and monitor visitor activity.
- Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. Supervise the maintenance activities of maintenance personnel without required access authorization. Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital.
- Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity. Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions. Review and update audited events. Alert in the event of an audit process failure. Use automated mechanisms to integrate and correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity. Provide audit reduction and report generation to support on-demand analysis and reporting. Provide an information system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. Protect audit information and audit tools from unauthorized access, modification, and deletion. Limit management of audit functionality to a subset of privileged users.
- Risk Assessment 3.11.1 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of CUI. Security Assessment 3.12.4 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
- Identify, report, and correct information and information system flaws in a timely manner.
- Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. Track, review, approve/disapprove, and audit changes to information systems.