DFARS UCTI 252.204-7012 DFARS, SMEAFARS and NIST, OH MY! J. Chandler Hall Cyber Security Evangelist Chandler.Hall@Sentar.com Innovate. Build. Secure. 1
Introduction. Sentar Corporation. Presenters: Chandler Hall, Program Manager & Cyber Evangelist; Rick Koch, Sr. Analyst & SME for IA/CS.
Our Quals. Rick Koch: 10 years specialized in cyber security design, assessment, and management, and 30 years of holistic Information Technology experience. Certifications: CISSP #98152 - Certified Information Systems Security Professional from (ISC)2; NSA IAM/IEM - NSA's INFOSEC Assessment / Evaluation Methodology; MCSE: Security - Microsoft Certified Systems Engineer: Security on NT 2000/2003; MCT/MCP+IS - MS Certified Trainer / MS Certified Professional: Internet Specialist; CNE/CNA - Certified Novell Engineer / Certified Novell Administrator, Netware 5.0; CompTIA Linux+, Security+, A+, Network+, and Project+. Chandler Hall: Co-founded an anti-DDoS product company that received Secure Computing Magazine's Editor's Recommendation; almost expelled from college for hacking the registration system; has Rick's phone number; has stayed at Holiday Inn Express multiple times; extensive reader and Internet hacker for decades; jailbreaks iPhones and iPads for street cred.
Security Soup Anyone? Back in the day, DoD, Intel and civil agencies were all using different security controls. DIACAP is used by DoD: ~100+ high-level security controls. Intel has its own (and I can't tell you what they are, haha). Civil agencies (NASA, etc.) use NIST security guidelines and controls from NIST SP 800-53 (Rev. 4 added DoD/Intel controls). DIACAP includes ~200+ NIST security controls. The National Institute of Standards & Technology (NIST) has a section of security controls, used by RMF, etc.
Risk Management Framework. Maybe you've been hearing about this DIACAP replacement called RMF: Risk Management Framework (RMF). It is also being adopted by more than DoD/DIACAP contracts. DoD contracts are now adding RMF requirements (includes 800+ NIST controls). Some agencies are in transition, such as the Army. MDA has implemented it and makes it a contractual requirement.
DIACAP, RMF, NIST & DFARS. DoD contracts that require DIACAP or RMF compliance now or will include DFARS 252.204-7012. For example, if you're issuing a contract for development of a leading-edge missile system, DFARS 252.204-7012 applies. Protection of CUI has always been required; this ~clarifies it. DFARS 252.204 is expected to apply to all DoD contracts and solicitations (what about Intel ones?). The Defense Federal Acquisition Regulation Supplement (DFARS) covers MANY areas. DFARS requires meeting ~51 NIST controls.
Background on DFARS UCTI Clause. Final Rule issued November 18, 2013. New contracts and renewed contracts now contain compliance requirements. "Safeguarding of Unclassified Controlled Technical Information" imposed mandatory security controls and reporting obligations on prime and subcontractors (DoD contracts).
What's this mean? Obligation: Contractors will now need to meet minimum cyber security requirements for non-classified information that may not have been previously controlled. The DFARS 252.204-7012 requirement is expected to be in ALL DoD solicitations and contracts going forward. "SASC investigation finds Chinese intrusions into key defense contractors. Report describes threats to transportation systems, gaps in reporting requirements. Wednesday, September 17, 2014. WASHINGTON: Hackers associated with the Chinese government successfully penetrated the computer systems of U.S. Transportation Command contractors at least 20 times in a single year, intrusions that show vulnerabilities in the military's system to deploy troops and equipment in a crisis, a Senate Armed Services Committee investigation has found."
What's GovcWiki.org Say? Effective November 18, 2013, the Rule for Defense Federal Acquisition Regulation Supplement: Safeguarding Unclassified Controlled Technical Information was published for inclusion into DoD contracts and prime subcontracts [1]. With the new rule there are: definitions for Controlled Technical Information, Cyber Incident, & Technical Information; reference to DoD Instruction 5230.24, Distribution Statements on Technical Documents; incident reporting data requirements; damage assessment process requirements; NIST 800-53 controls; inclusion of the clause in subcontracts.
Simplified Perspective. Requires DoD contractors and subcontractors to: safeguard Unclassified Controlled Technical Information (UCTI), sometimes called Controlled Unclassified Information (CUI); report cyber security incidents within 72 hours. Issue, Prime vs. Sub: Who reports what? Who polices? (Answers vary.) Who is responsible? Safe answer: the Prime Contractor.
UCTI Definition. Controlled Technical Information is defined as technical data or computer software (as defined in DFARS 252.227-7013) with military or space application, modification, performance, display, release, disclosure or dissemination. Contractors that have UCTI resident on, or transiting through, their unclassified systems must comply with certain safeguarding protections selected using risk-based processes. FINAL RULING: "regardless of whether or not the clause is incorporated in this solicitation or contract."
UCTI Exposure. Where do you think it may reside? On a laptop, on a phone; email within an in-house server, in Dropbox, iCloud, SkyDrive; SNAPCHAT? Bring Your Own Device (BYOD) creates exposure: a UCTI specifications clarification is requested in email; the email is on a phone; the phone is backed up to a home computer or iCloud. Examples: contracts, cost data, technical reports & orders; research & engineering data; computer software & source; engineering drawings; specifications; data sets; and studies or analyses.
NIST controls. The DFARS UCTI requirement is based on existing National Institute of Standards and Technology (NIST) controls. What controls must be used? Contractors must meet a subset of 51 controls from NIST SP 800-53 (Rev. 4). DFARS defines parts of the 51 that must be evaluated; these are the minimum requirements. They do not have to do the full Risk Management Framework (RMF) exercise (such as categorizing and setting the security controls).
NIST 51 Controls (control number and title, grouped by family)
ACCESS CONTROL: AC-2 Account Management; AC-3 Access Enforcement; AC-4 Information Flow Enforcement; AC-6 Least Privilege; AC-7 Unsuccessful Logon Attempts; AC-11 Session Lock; AC-17 Remote Access; AC-18 Wireless Access; AC-19 Access Control for Mobile Devices; AC-20 Use of External Information Systems; AC-22 Publicly Accessible Content
AWARENESS & TRAINING: AT-2 Security Awareness Training
AUDIT AND ACCOUNTABILITY: AU-2 Audit Events; AU-3 Content of Audit Records; AU-6 Audit Review, Analysis, and Reporting; AU-7 Audit Reduction and Report Generation; AU-8 Time Stamps; AU-9 Protection of Audit Information
CONFIGURATION MANAGEMENT: CM-1 Configuration Management Policy and Procedures; CM-6 Configuration Settings; CM-7 Least Functionality; CM-8 Information System Component Inventory
CONTINGENCY PLANNING: CP-9 Information System Backup
IDENTIFICATION AND AUTHENTICATION: IA-2 Identification and Authentication (Organizational Users); IA-4 Identifier Management; IA-5 Authenticator Management
INCIDENT RESPONSE: IR-2 Incident Response Training; IR-3 Incident Response Testing; IR-4 Incident Handling; IR-5 Incident Monitoring; IR-6 Incident Reporting
MAINTENANCE: MA-4 Nonlocal Maintenance; MA-5 Maintenance Personnel; MA-6 Timely Maintenance
MEDIA PROTECTION: MP-4 Media Storage; MP-6 Media Sanitization
PHYSICAL AND ENVIRONMENTAL PROTECTION: PE-2 Physical Access Authorizations; PE-3 Physical Access Control; PE-5 Access Control for Output Devices
PROGRAM MANAGEMENT: PM-10 Security Authorization Process
RISK ASSESSMENT: RA-5 Vulnerability Scanning (Update Tool Capability)
SYSTEM AND COMMUNICATIONS PROTECTION: SC-2 Application Partitioning; SC-4 Information in Shared Resources; SC-7 Boundary Protection; SC-8 Transmission Confidentiality and Integrity; SC-13 Cryptographic Protection; SC-15 Collaborative Computing Devices; SC-28 Protection of Information at Rest
SYSTEM AND INFORMATION INTEGRITY: SI-2 Flaw Remediation; SI-3 Malicious Code Protection; SI-4 Information System Monitoring
Example of Assessment (AC-3(4) means only paragraph 4 of AC-3 must be met)
Access Control: AC-2, AC-3(4), AC-4, AC-6, AC-7, AC-11(1), AC-17(2), AC-18(1), AC-19, AC-20(1), AC-20(2), AC-22
Audit & Accountability: AU-2, AU-3, AU-6(1), AU-7, AU-8, AU-9
Awareness & Training: AT-2
Configuration Management: CM-2, CM-6, CM-7, CM-8
Contingency Planning: CP-9
Identification and Authentication: IA-2, IA-4, IA-5(1)
Incident Response: IR-2, IR-4, IR-5, IR-6
Maintenance: MA-4(6), MA-5, MA-6
Media Protection: MP-4, MP-6
Physical and Environmental Protection: PE-2, PE-3, PE-5
Program Management: PM-10
Risk Assessment: RA-5
System & Communications Protection: SC-2, SC-4, SC-7, SC-8(1), SC-13, SC-15, SC-28
System & Information Integrity: SI-2, SI-3, SI-4
System Interconnections: CA-2(5)
How Hard is This? You only have to do certain sections within each control. A compliance audit takes less than a week if you have experience understanding the controls and what they mean. Reminder: meeting this requirement doesn't guarantee you're protected. Be ready to report! Are you set up? How about the subcontractors? Alternative controls or protective measures may be allowed; they must be submitted in writing.
Compliance with Holes? Minimal: perform the compliance audit and identify holes or weaknesses in a POA&M (Plan of Action and Milestones). Some contracts have stronger wording, stating they must be compliant with the controls. TEAMS (MiDAESS) Industry Day stated they will require contractors that submit PROPOSALS to submit a DFARS UCTI Compliance Report included in a Cyber Security Plan. We believe meeting a defined maturity level with proof points is the best-practices goal and better than merely a pass/fail score. Should you request that the contractor provide evidence of compliance or audit? Can you? It seems you should. Better safe than sorry.
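A gap check over the control notation used in the assessment table above, as an added example that is not from the presentation or from Sentar: it parses identifiers such as AC-3(4), compares a constructed inventory of implemented controls against a transcribed subset of the DFARS table, and emits the POA&M gap list this slide calls for. The matching rule (evidence for a base control does not cover a required enhancement, and vice versa) is a conservative assumption of mine, not wording from the clause.

```python
import re

# Transcribed subset of the DFARS UCTI assessment table (not the full 51).
# "AC-3(4)" = only enhancement (4) of AC-3 is required; "AC-2" = base control.
DFARS_REQUIRED = [
    "AC-2", "AC-3(4)", "AC-4", "AC-6", "AC-7", "AC-11(1)", "AC-17(2)",
    "AU-2", "AU-3", "AU-6(1)", "IA-2", "IA-5(1)", "CP-9", "SC-8(1)", "RA-5",
]

# Constructed sample inventory: controls a contractor has evidence for.
# Note that AC-3 and AU-6 are present only as base controls.
SAMPLE_IMPLEMENTED = [
    "AC-2", "AC-3", "AC-4", "AC-6", "AC-7", "AC-11(1)", "AC-17(2)",
    "AU-2", "AU-3", "AU-6", "IA-2", "IA-5(1)", "CP-9", "SC-8(1)", "RA-5",
]

# Two-letter family, control number, optional "(n)" enhancement.
CTRL_RE = re.compile(r"^([A-Z]{2})-(\d+)(?:\((\d+)\))?$")


def parse_control(text):
    """Split 'AC-3(4)' into ('AC-3', 4) and 'AC-2' into ('AC-2', None).

    Stray spaces such as 'AC- 3(4)' (common in copied tables) are tolerated.
    """
    m = CTRL_RE.match(text.strip().replace(" ", ""))
    if not m:
        raise ValueError(f"unrecognised control id: {text!r}")
    family, number, enhancement = m.groups()
    return f"{family}-{number}", int(enhancement) if enhancement else None


def gap_analysis(required, implemented):
    """Return the required items with no exactly matching implementation.

    Assumed (conservative) rule: evidence for a base control does not cover a
    required enhancement, and evidence for an enhancement does not cover a
    separately required base control. Each returned id is a POA&M line item.
    """
    have = {parse_control(c) for c in implemented}
    return [req for req in required if parse_control(req) not in have]


def poam_lines(required, implemented):
    """Render the gap list as plain POA&M text, one line per weakness."""
    return [f"POA&M: {req} required by DFARS table, no evidence on file"
            for req in gap_analysis(required, implemented)]


if __name__ == "__main__":
    for line in poam_lines(DFARS_REQUIRED, SAMPLE_IMPLEMENTED):
        print(line)
```

Running it against the constructed inventory flags AC-3(4) and AU-6(1): the base controls are in place, but the specific enhancements the table asks for have no evidence behind them.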
Clause & Proof Examples. Existing contract updated: MDA TEAMS Proposals Requirement (Feb 11, 2014). Stated at Industry Day: bidders must provide a cyber security plan that includes DFARS UCTI. Industry Day PowerPoint: "TEAMS Performance Work Statements will contain specific Cybersecurity requirements (must be flowed down to subs) that address Contractor's Compliance with DFARS UCTI."
Incident Reporting. Incident reporting is required within 72 hours of a cyber incident that affects DoD UCTI: exfiltration, manipulation or compromise of UCTI resident on, or transiting through, a contractor's or its subcontractors' unclassified information systems. Set up your reporting account before it's needed. What is a reportable incident? Web server hacked? Email server compromised! Router is hacked!
We're an Easy Target. Due to our policies and freedom, our society is much more dependent on the Internet. Many of the cyber-attacking nation-state societies could survive Internet outages for longer, it is believed.
Cyber Attacks Are Rampant. [Slide shows news clippings dated Nov 6, 2014, Nov 6, 2014 and Oct 13, 2014.]
Summary. It's about National Security and the time is now! To be compliant with DFARS 252.204-7012, contractors must establish reporting and accountability requirements and flow UCTI requirements to subcontractors. Contractors must also maintain knowledge of the company's and subcontractors' current state of compliance, including gaps to the required controls and documented mitigating controls. Finally, contractors must actively monitor all systems that store, manipulate or transmit UCTI for cyber events. You have to report within 72 hours. As a Prime, you may be held responsible for monitoring and reporting subcontractor breaches. It's becoming a requirement for submitting bids.
What to do Now? Determine if you have or expect to have any DoD contracts with this clause. Will there be any UCTI residing on or transiting through your IT system? If so, determine if they comply with the NIST standards; modify if not, or request an exception. Develop a process/protocol for responding to any IOC. Determine what continuous review is required (especially if RMF will be a requirement).
Help is Available. Sentar (Hey boss, here's the shameless plug!). Defense Industrial Base Cybersecurity & Information Assurance Program (DIB CS/IA): "This program allows eligible DIB companies to receive U.S. Government (USG) threat information and to share information about network intrusions that could compromise DoD programs and missions. [...] Furthermore, the information sharing arrangements are memorialized in a standardized bilateral agreement, known as a Framework Agreement (FA), signed by the participating DIB company and the Government." http://goo.gl/ixvy4b
Who You Gonna Call? Contractor shall report as much of the following information as can be obtained to the DoD within 72 hours of discovery:
(i) Data Universal Numbering System (DUNS).
(ii) Contract numbers affected unless all contracts by the company are affected.
(iii) Facility CAGE code if the location of the event is different than the prime Contractor location.
(iv) Point of contact if different than the POC recorded in the System for Award Management (address, position, telephone, email).
(v) Contracting Officer point of contact (address, position, telephone, email).
(vi) Contract clearance.
(vii) Name of subcontractor and CAGE code if this was an incident on a subcontractor network.
(viii) DoD programs, platforms or systems involved.
(ix) Location(s) of compromise.
(x) Date incident discovered.
(xi) Type of compromise (e.g., unauthorized access, inadvertent release, other).
(xii) Description of technical information compromised.
(xiii) Any additional information relevant to the information compromise.
Is this the Org You Seek? DSIE.net is the Defense Industrial Base Information Sharing & Analysis Organization (see later slide); it is now incorporated into the DIB ISAO/DSIE. dibnet.dod.mil: uses DoD-approved PKI certificates to exchange encrypted info (iase.dod.mil/pki/eca). DiBISAC.net: located in Huntsville; an alternative to DSIE.net.
Other Resources. Federal Register Final Ruling language: https://www.federalregister.gov/articles/2013/11/18/2013-27313/defense-federal-acquisition-regulation-supplement-safeguarding-unclassified-controlled-technical ; http://www.dtic.mil/whs/directives/corres/pdf/523025p.pdf ; Nice brochure that captures the basic facts: http://goo.gl/djvlqb (aia-aerospace.org; look for Def & Security).
Any Questions? Sentar provides a DFARS UCTI compliance service. It typically takes less than four days onsite. Your report will be provided within two weeks of the on-site service. You'll be given the tools and training to perform annual compliance updates on your own. Please contact me today if you are interested in learning more: Chandler.Hall@Sentar.com, 256.430-0860.
Question: Who Decides? Another thing the clause states is that if you cannot meet a required NIST control, or if it doesn't apply to you, you must submit it in writing to the contracting officer. Are contracting officers supposed to make a technical, informed decision on whether or not an alternate control is adequate? Do they have a guideline or training that states how they assess an alternate control? Or is it similar to that of a DSS rep, where a system could pass under one rep?
Q: How to register for reporting? DSIE? DIB ISAO? DIB ISAC? The Defense Security Information Exchange (DSIE) is (WAS?) an NDIA membership-based cyber information-sharing body focused on protecting and defending the Defense Industrial Base (DIB) critical cyber networks and systems, and the information residing thereon. For more information email membership@dsie.net. It was a sub-org under NDIA, but is now incorporated into the DIB ISAO and is now a single entity. The DFARS clause requires you to report incidents into the DoD DIB portal. Registration at dibnet.dod.mil. Contact: Saundra "Sandee" Throneberry for more info (saundra.throneberry@lmco.com).
Q: Marked Documents. What about the technical data transiting around the IT system prior to the official marking of the document, done when it is provided formally to the DoD? We believe the exposure and responsibility exist even if all the information isn't marked accordingly. DoD Directive 5230.25, Withholding of Unclassified Technical Information from Public Disclosure.
Question on NIST 800-53. A question regarding the 51 controls: the DFARS table sometimes specifies certain segments of the control, such as AC-3(4), which I read as: the minimum requirement is AC-3(4), and AC-3(1), (2), etc. are optional. For other controls, segments are not specified, such as AC-2. My question is, for the unspecified control segments, are we expected to meet NIST 800-53 Low, Moderate, or High, or should we assume all segments for these controls?