was successfully added to your cart.

Government Vendors Beware, Are You Really Ready for NIST 800-171?

By | Cyber Security | No Comments

 

If you are service provider/vendor with government customers, then you need to know about the Defense Federal Acquisition Regulation Supplement (DFARS) 48 CFR 252.204-7012 – Safeguarding covered defense information and cyber incident reporting which requires compliance with NIST 800-171.

You have less than three months to be compliant with NIST 800-171.  For companies who have not started yet; you are way behind the times and have barely enough time to get everything up to speed if you deal with Confidential Unclassified Information (CUI) or Covered Defense Information (CDI).

As Cyber Self-Defense has heard from companies that they do not know where to go or how to accomplish this very daunting task, we felt that we should provide some guidance.  If this guidance still seems daunting, please let us know and we would be happy to assist your company in meeting these requirements.

Whatever you do, we suggest that you do take action and ensure that you are compliant; If you are not compliant by December 31st, it seems that you will be in breach of your contract with the government.

Cornell Law School publishes the regulation at; https://www.law.cornell.edu/cfr/text/48/252.204-7012; here are some key aspects of the law (please read the whole thing, on their site, if any of this applies to you);

(b)Adequate security. The Contractor shall provide adequate security on all covered contractor information systems. To provide adequate security, the Contractor shall implement, at a minimum, the you following information security protections:

(1) For covered contractor information systems that are part of an information technology (IT) service or system operated on behalf of the Government, the following security requirements apply:

(i) Cloud computing services shall be subject to the security requirements specified in the clause 252.239-7010, Cloud Computing Services, of this contract.

(ii) Any other such IT service or system (i.e., other than cloud computing) shall be subject to the security requirements specified elsewhere in this contract.

(2) For covered contractor information systems that are not part of an IT service or system operated on behalf of the Government and therefore are not subject to the security requirement specified at paragraph (b)(1) of this clause, the following security requirements apply:

(i) Except as provided in paragraph (b)(2)(ii) of this clause, the covered contractor information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (available via the internet at http://dx.doi.org/10.6028/NIST.SP.800-171) in effect at the time the solicitation is issued or as authorized by the Contracting Officer.

(ii)

(A) The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017. For all contracts awarded prior to October 1, 2017, the Contractor shall notify the DoD Chief Information Officer (CIO), via email at osd.dibcsia@mail.mil, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award.

(B) The Contractor shall submit requests to vary from NIST SP 800-171 in writing to the Contracting Officer, for consideration by the DoD CIO. The Contractor need not implement any security requirement adjudicated by an authorized representative of the DoD CIO to be nonapplicable or to have an alternative, but equally effective, security measure that may be implemented in its place.

(C) If the DoD CIO has previously adjudicated the contractor’s requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the Contracting Officer when requesting its recognition under this contract.

(D) If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (https://www.fedramp.gov/resources/documents/) and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.

(3) Apply other information systems security measures when the Contractor reasonably determines that information systems security measures, in addition to those identified in paragraphs (b)(1) and (2) of this clause, may be required to provide adequate security in a dynamic environment or to accommodate special circumstances (e.g., medical devices) and any individual, isolated, or temporary deficiencies based on an assessed risk or vulnerability. These measures may be addressed in a system security plan.

 

NIST has published a slide presentation that can be found here; https://interact.gsa.gov/sites/default/files/Wed%20AM1-SSCA-09-02-2015.pptx.pdf

NIST 800-171 can be found here;  http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf

 

 

Cybersecurity Leadership (CISO): A Modern Approach to Cybersecurity

By | CISO-as-a-Service, CISO/Management, Cyber Crime, Cyber Security, Defensive Tactics, Risk Management | No Comments

Businesses have a corporate responsibility to secure their own and the information they have been entrusted with. Many companies believe that this is expensive, not their responsibility, etc. They also assume (usually incorrectly) that the IT department is handling cybersecurity. Most companies lack the talent necessary to build a security  program that is cost-effective, enables the business for success, and has the necessary depth. When the Cyber Self-Defense team speaks with companies, they tell us they do not know where to begin. Our answer to this issue is always the same; start by hiring the right talent to make you successful. CISO-as-a-Service® might be your answer!

Talent

At Cyber Self Defense, we often hear that cybersecurity talent is becoming harder and harder to come by. With the increasing level and complexity of cyber attacks, companies are looking for cybersecurity teams to help them to build their programs, yet job requisitions remain unfilled.

Trends

This is what we know;

  • Cybersecurity professionals are demanding more money.
  • Companies are creating positions that are vague, all-encompassing, and that fail to help them to build a comprehensive cybersecurity program.
  • Companies are electing to hire junior professionals who are unqualified to lead the program; with no strategic or leadership experience.
  • Companies are compromising on experience, qualifications, and other critical knowledge factors, just to get someone in the role.
  • Companies are over-spending on technology because they do not have the strategic outlook and risk-based approach which is so critical to any cybersecurity program.
  • Audit Pleasing- many companies build their cybersecurity programs to please auditors; they fail to see the need for true security. They also fail to see that a properly built program can be done at about the same cost of program meant only to “check the box”.
  • Companies add technologies that are just sitting in the racks.; we have seen situations where systems are installed with less than 10% of the features configured and used. Please see my article on “Blinky Light Syndrome”.
Common fears of hiring a CISO-as-a-Service®

1. Is the CISO-as-a-Service® a group of professional consultants who have no real-world experience?

  • The one thing we hear from our customers, when wanting to hire a CISO-as-a-Service® is that they tend to get “professional consultants”. It is important to hire companies who hire individuals with real leadership level experience building cyber security programs, while an employee of the company.
  • Professional consultants are great, but unless they have the practical experience of managing a program for an organization, they will struggle finding the correct balance between security and operations. They will also struggle with the political aspects of building a program.
  •  Any leader can tell you that there is a huge gap between the professional consultant and someone with full-time experience.
  • You should interview YOUR CISO and determine if he/she has the requisite knowledge and skills to make you successful. We enjoy having people interview us, as they would an internal employee. We would be glad to provide you with a resume of your CISO to show their qualifications.

2. Is there a conflict of interest, when a company comes in as a CISO and then sells us their other products and other non-related services?

  • It can be a conflict of interest if your CISO-as-a-Service® professional is a part of a large firm that sells products and other services; occasionally, they tend to push you to purchase their products, meaning the CISO might have not have your best interest at heart. Instead of being fully vested to ensure a purpose fit program for the company, he/she might be forced to push product and services.

3. How can a part time company build a program faster and cheaper than our internal employee?

  • A CISO-as-a-Service® professional hits the ground running with the tools, tricks of the trade, and other pieces of information that can make a huge difference in the overall successful delivery.
  • We have discovered that being a third party, your professional opinions are more likely to be considered. Many times, an internal person must deal with too many internal politics.
  • With a professional company, you do get the collective knowledge of the team. This benefit is critical to your success.

4. I am the acting CISO or want that job; I am the CIO and do not want to look bad; or I have other fears that this company will displace me, my team, or others and or damage my reputation.

  • As a consultant with experience performing in this capacity, it is our job to make you successful, based on your definition of success. Your CISO should ensure that your company is highly successful in all aspects of the process.
  • It is also our responsibility, as it would be in a full-time CISO, to ensure that we mentor staff and prepare them to take over for us.
  • We should be a core part of the TEAM that is designed to enable the company to succeed.

5. Is a CISO-as-a-Service® just going to come in, drop templates on my desk and have me implement them?

  • No unless they don’t want to succeed! This person should be YOUR CISO and perform is the SAME capacity, just on a part time basis.
  • Any templates or other tools that are brought in should be used as a starting point, above ground level, to allow a faster (controlled) implementation; No template is a one size fits all, it must be molded to your company. It must have an implementation strategy. It must be your company’s established program that is implemented through a formal process that follows your company’s normal flows.
Conclusion

A responsible company knows that to run their company correctly, they must have the correct leadership! Most companies would never ask corporate attorney to lead the IT department. At the same time, most companies would never place a paralegal into the corporate counsel position.

We believe that the same is true for companies who make the Chief Information Officer (CIO) in direct charge of cybersecurity. Most Chief Information Officers (CIOs) will tell you that they are not comfortable managing cyber security and IT at the same time; these can be conflicting. We’ve also found that companies who place a Security Analyst into the position of strategically building a cybersecurity program will fail to recognize a comprehensive, risk-based, and cost-effective solution that truly enables the business to succeed. Hire the right person for the job and you will reap the rewards of your decision.

We look forward to your feedback on our website; www.cyberselfdefense.org

CISO-as-a-Service®

Cyber Self-Defense was built as a result of a growing demand in the marketplace seeking out knowledge, expertise, and leadership in cybersecurity and risk management.  Our clients wanted us to bring in our templates, processes, experiences, and our collective knowledge and put it to work for them.  They wanted people who had built programs from the organically — from the ground-up. They wanted people who were known for enabling the business through cybersecurity efforts, not people who shut the business down with high costs and inappropriate rules. This is how we grew into a full-time business which has positively and directly contributed to the success of our clients.

Cyber Self-Defense has years of experience in reducing your cybersecurity risk and we would love to work with you on all your cyber risk needs. We make cybersecurity attainable for all organizations, without inhibiting your ability to work and make a profit. Cyber Self-Defense can be reached at: (866) CYBER-96 or on our website: www.cyberselfdefense.org

Life Imitating Art

By | Cyber Crime, Cyber Security, Defensive Tactics | No Comments

Years ago I remember Hollywood producing attempts at riveting yet profitable on-screen dramas which involved plot-centric cyber security elements resulting only in disappointment as they bore no resemblance to actual reality. Today as InfoSec becomes more mainstream there are now big and small screen serials involving a hacker protagonist or a cyber victim heroine. What I like about modern-day renditions is the themes and dialogue are no longer technically fictional. We live in the age of information and war is fought on the cyber battleground. Nothing is more relevant than the context of a personally identifiable subject. Still the Hollywood dramas, as realistic as they are, still leave a lot to roll your eyes at (or to cover your eyes at). Read More

Blinky Light Syndrome

By | CISO/Management, Cyber Crime, Cyber Security, Defensive Tactics, Risk Management, Tutorials | No Comments

Far too often, I meet companies who are excited when I arrive. They pull me into their data center and show me their new KYZ 5000 and go on to explain that it has ended all of their cyber security concerns. I review the device and find out that it is plugged in and has a flashing light somewhere in the front and that is the end of the story. Other times, I go to a site and find that the company has just purchased an ABC 1000; plugged it in, turned it on, and perhaps even configured it.

In both cases, I tend to ask what problem(s) the piece of equipment is solving. Most of the time, I hear a story like; “Mike, you don’t understand, Joe down the street just bought one and it has solved all of his problems!”

Unfortunately, I find that these are simply impulse buys or worse, auditor pleasers. When we actually take a look, they are not working the way the purchasing company believes they are working. I frequently ask the company’s representative how this purchase has helped to lower the company’s risk. They usually give me a blank stare and asked what I mean. I usually ask to see the company’s risk assessment. The person then goes into panic mode and begins a hunt for the risk assessment. After finding the risk assessment (and knocking a year’s worth of dust buildup off), I ask how the purchase has reduced the risks listed in the assessment.

Risk Assessment

It is usually at this point that I must explain that the risk assessment is designed to help organizations manage their security spend, the effects of security on the end user, and the true need for security. After reviewing the risk assessment together, we usually agree that had the organization used the assessment as it was intended, the same spend would have reduced risk a great deal more than the purchase of the equipment; perhaps the piece of equipment reduced the risk by .5% and spending the money wisely would have reduced risk by 30%.

Cybersecurity experts MUST be risk managers. They MUST ensure that the security program is being managed to enable the success of the business. When we do not use our risk assessment to perform our duties, we run the risk of over spending, over protecting, or simply wasting time, money, and resources. It is also crucial for us to understand that our roles require that we understand all methods of treating risk. Many, in our community, believe that we must throw technology at everything and that it will solve all. Even the vendors (at least the honest ones) will tell you that their technology is one part of an overall strategy.

Many would agree that their technology must be fully implemented from a technology configuration, policy, procedure, and corporate strategy standpoint; having the equipment plugged in, whether configured or not, is only one piece. On that same note, the technology MUST work in harmony with all other security strategies. I have yet to find a tool that will solve all Information security problems; as cybersecurity experts we must layer our approach to cybersecurity. Our approach MUST include training, risk management, policy procedure, company buy-in, and technology. Note that technology is last; without the first pieces, you have (BLS) Blinky Light Syndrome.

Blinky Light Syndrome (BLS) describes a device that is plugged in, turned on, but not doing what the owner thinks it is doing or what the owner wants it to do. It can be used to describe either of the scenarios I covered at the beginning of this article.

Conclusion

In conclusion, a risk assessment is not just used once a year, to show auditors that you have it. It is a tool that takes on a living role in your success as a cybersecurity expert. It grows with you, as you add new processes, technologies, or the business changes; the risk assessment grows. As your company divests, the risk assessment should be consulted and adjusted to reflect the changes. When you purchase new security tools, your risk assessment should aid you in determining exactly how the solution will need to be set up and configured. At Cyber Self-Defense, we make it our business to help your organization to steer clear of Blinky Light Syndrome and equip you to truly be secure!

 

Your Board May Need a Cybersecurity Expert

By | Cyber Security, Risk Management | No Comments

The Cybersecurity Act of 2017 introduced in March sponsored by three bipartisan senators applies pressure to organizations by requiring disclosure of cybersecurity expertise serving on the board of directors. The legislature, if enacted, would enforce this disclosure first to public companies but sends a clear message that information security and cyber risk management is a much needed, but lacking, skill for global commerce. Read More