August 15 - Cybersecurity Workshop Training - DFARS 204.73 / NIST SP 800-171 - Bowie, MD - Shared screen with speaker view
CED Administrator
00:46
Good Morning! The event will begin at 8:30 AM
CED Administrator
28:59
Good Morning! We will begin at 8:30 AM. Please let me know if the sound is working. We tested it, and you can adjust your volume, but sometimes adjustments are needed as we begin.
Jonathan Lerner
29:36
We can hear folks talking in the background.
Christopher Gaeth
34:43
We are dialed in and can hear fine.
Paul Weekley
37:20
Sound is working well.
Paul Weekley
49:21
Sounds better. Thank you.
Paul Weekley
51:13
Sound low - wrong mic
CED Administrator
53:08
How is Deepak sounding?
Michael Holmes
53:16
good
Jennifer Caron
53:20
Good. Loud.
CED Administrator
53:23
Thanks
Todd Graham
53:28
loud and clear
Jorge Vasquez
53:31
Loud and clear
Alva Orr
53:39
lc
george Duncan
53:45
Good
Eva Freund
53:59
did not hear anything...just tested my audio and it tested good
Robert Townsend
54:24
Loud and clear right now
Al Witkowski
54:42
Clear
Julia Henry-Curry
55:01
I tested my audio, and heard music, but I do not hear any speaking voice.
Eva Freund
56:05
I do not hear music either
Paul Weekley
57:34
Sound is good.
CED Administrator
58:14
If you cannot hear, it is your computer - retest your sound.
CED Administrator
59:17
If you have not yet downloaded the slide deck, here is the web address: https://sites.usc.edu/cyberworkshops/workshop-materials/ password: cyber
Eva Freund
59:19
I did the "retest your sound" and it was all good on the test, just nothing in real life.
Robert Townsend
01:21:34
Is there an incident if information is compromised that was not identified by the prime?
CED Administrator
01:41:01
Can you hear us?
Borislava Peycheva
01:41:12
yes
James Foy
01:41:14
Yes
Christopher Wesley
01:41:14
yes
Michael Garman
01:41:18
Loud and clear
Kevin Davis
01:41:18
Yes
Brett Hahne
01:41:19
yes
Nestor Torres
01:41:21
yes
Roberta Comer
01:41:21
yes
Josh Bessicks
01:41:22
yes
Yevette Bratten
01:41:26
yes
Janette Kennedy
01:41:27
yes
Phyllis Puccio
01:41:28
yes
Hazjel Courtllandt
01:41:32
YES
Rickey Williams
01:41:42
yes, there was network latency earlier.
Johnson Sabariar
01:41:46
Yes
Eva Freund
01:41:50
I have your audio on my phone and the slides on my computer screen
CED Administrator
01:41:55
Very good. Thank you.
Al Witkowski
01:47:16
Will those of us online be able to access the slidedeck? (Or has a link been provided and I missed it?)
Brett Hahne
01:47:39
I received a link as part of the invite
Jessica Naylor
01:48:53
The link in the live feed and the link in the previously downloaded (posted) files are different; is there a better link (or one I should ignore)? Thanks!
CED Administrator
01:49:26
It was in the reminder emails, including this morning: sites.usc.edu/cyberworkshops password: cyber
Jessica Naylor
01:49:33
Answering in person, ignore last note!
Jason Gray
01:52:08
https://eca.orc.com/pricing/ $109 / year for the medium level assurance cert
Brett Hahne
01:53:04
thx for link
Jason Gray
01:54:59
You bet! The link provided on the slide takes you to the .gov site, which links to two external pages for purchase...pretty sweet deal to be one of two vendors authorized for sale
Paul Weekley
02:02:54
Many cloud information systems that state compliance may have controls capable but not necessarily implemented or activated. The controls are our (client) responsibility.
JC Herz
02:05:50
Re: AWS, region specification satisfies territorial requirement. Multiple US intelligence agencies are on AWS US-East.
Brandon Perkins
02:13:26
Is the PKI cert the same as the medium level assurance cert or different certs for different situations?
Paul Weekley
02:15:12
no audio
CED Administrator
02:15:32
There will be a BREAK for 15 minutes until 10:15 AM.
James Foy
02:15:41
My audio is fine - they are just not talking into the mic.
CED Administrator
02:18:04
When you had no audio - we were informing the local audience of non-workshop logistics information.
Reid Spearman
02:23:12
Those of us online cannot hear the questions or comments from the audience. Would the facilitator please repeat the question before answering?
Heidi Garvin
02:24:20
I believe that’s because we’re technically on break, and the presenter is just chatting with participants in between.
Quentin Sligh
02:27:57
Will there be a recording of this session for us to view later?
Rachael Trudell
02:28:20
I am sorry if I missed this question being asked/answered already. Will we be sent a link to the recorded session, or do we need to submit a request to someone?
CED Administrator
02:33:41
The slides are available but not the video recording.
Brandon Perkins
02:35:27
Thanks
Quentin Sligh
02:40:56
Once the 110 controls have been satisfied, who will decide how a contractor is certified?
Jason Gray
02:41:29
Self attestation, I believe. Until audited
Quentin Sligh
02:42:47
Thanks!
Reid Spearman
02:45:38
More information on CMMC can be found at https://www.acq.osd.mil/cmmc/index.html
Paul Weekley
02:47:55
We perform a self audit and review annually. Technology changes and we need to enhance our environment protection as needed. Consider these controls as a living, always changing system.
Paul Weekley
02:49:36
Comment: Controls may be accepted by one contract, and rejected or require enhancement by another. They can be very subjective.
Todd Graham
02:55:03
Question: How do we get clarity and truly know what is CDI or CUI...will the DD254 state this? Who can clarify this for us to be sure to know if we need to implement this?
Trevor Vaughan
02:55:36
The links to those are in the slides. CUI is defined on the NIST pages and CDI is a derivation through the DFARS.
Trevor Vaughan
02:57:06
CUI is easy. CDI is...unclear. As far as I can tell, it comes down to following the markings. The place where I'm unclear is that it *seems* that the data must originate from the Government and be properly marked to count as either one. Contractors can't randomly decide that something is CUI or CDI without approval from a CO.
Trevor Vaughan
02:57:45
This also means that pretty much everything is marked incorrectly on every contract ever but that's a CO issue since they're the specification originator ( I think ).
Tam Gregersen
02:58:12
Federal contracting officers are required to provide in each work statement or specification the identification of any covered defense information (CUI, CDI).
Tam Gregersen
02:59:22
In other words check your contracts, if not in your contract insist that it is.
Yevette Bratten
02:59:28
From my experience it should be on the DD254, which flows down to the subcontractors if you are the Prime.
Todd Graham
02:59:48
ok....so if we do NOT have a contract with any CDI or CUI markings, then we do not need to have these controls in place or self certify? But once we get a contract, then we need to ensure we comply?
Paul Weekley
03:00:10
CUI covers a very wide scope. It includes accounting and contract information through agriculture and other environmental systems. Think of CDI as defense-related material.
Trevor Vaughan
03:01:07
Paul is correct BUT, from my reading, it's Government sourced. PII that is not Government sourced is not CUI because it is not "Federal Data" (it's company data for insurance or whatever). Without this, these requirements would creep across the entire US business landscape.
Yevette Bratten
03:01:08
I recommend you have them in place. In order to apply for or receive a government contract you must be in compliance with the 10, but should be in compliance with the 110 NIST requirements, or else have a plan for how you will manage it and move forward towards compliance.
Trevor Vaughan
03:01:54
I agree with Yevette but I think that everyone should start asking their CO about proper markings since contractors cannot randomly mark things just because they "think" it's missing.
Yevette Bratten
03:02:15
For small businesses - nowadays most primes (NG, GDIT, etc.) make you self-certify to receive a subcontract.
Trevor Vaughan
03:02:23
Yup
Yevette Bratten
03:02:28
This also applies to independent consultants.
Paul Weekley
03:02:30
Todd: A company may not win a contract if these controls are not already in place for segregation and protection.
Trevor Vaughan
03:03:33
But (and this is important for subs), the primes *MUST* ensure that all data is properly marked. The subs cannot assume anything in particular and mismarked data is the problem of the originator, not the receiver.
Phyllis Puccio
03:03:37
True, Paul, either as a sub or a prime.
Quentin Sligh
03:04:38
As a prime, it may be beneficial to do spot checks on subs in order to verify controls are in place. Even though the subs have signed documents stating that they are compliant, it still will fall upon the prime in the end, I think.
Yevette Bratten
03:04:57
correct
Trevor Vaughan
03:05:29
Quentin: How would you suggest that work? I'm certainly not giving anyone outside of my company, or authorized Government personnel, access to any of my systems.
Phyllis Puccio
03:05:31
True, and the primes I have worked with do check and make the sub compliant.
Trevor Vaughan
03:05:58
Also, my internal policies are proprietary.
Yevette Bratten
03:06:25
Trevor then you may become an unfavorable subcontractor
Yevette Bratten
03:06:58
Some primes require you to perform work on their systems in which they provide a key for you to use to log into their system
Quentin Sligh
03:07:22
Trevor, think about it: in the end, you will give a third party access to your systems to perform an audit, right? If we've signed a teaming agreement, then one would think that we have a relationship that would cover such.
Trevor Vaughan
03:07:35
Working on someone else's system is easy because I agree to abide by their policies. Giving someone access to *my* systems, is interesting.
Trevor Vaughan
03:07:46
Obviously, I would comply with any agreement that has been signed. That's easy.
Trevor Vaughan
03:08:14
I haven't seen many agreements that allow access to *non-contract* systems in any TA though.
Quentin Sligh
03:08:32
Trevor, what I'm suggesting is showing me how you have policies in place, not to actually log onto your systems.
Trevor Vaughan
03:08:57
Ah, that one is certainly easy enough but doesn't really validate that anyone is doing anything in particular.
Trevor Vaughan
03:09:06
A curious problem.
Quentin Sligh
03:10:45
Trevor, if I say, "can you produce GPOs that show your password change history," you should be able to produce such. This would tell me that you have controls in place to govern password changes.
Yevette Bratten
03:11:41
I am sure you are experienced in the accounting survey which asks if you would allow the prime to review your system. Of course you say no but will allow the government. I think that this is coming.
Trevor Vaughan
03:12:12
Alternatively, each prime gets a pass-through cost for full isolation. Doesn't seem ideal.
Trevor Vaughan
03:12:42
Quentin: You assume that I use Windows ;-). This is also going to be an interesting situation for people auditing things that they don't understand.
Yevette Bratten
03:12:52
your cost can be recovered in your indirects
Quentin Sligh
03:13:18
Yevette, you are correct, I believe it is coming as well.
Trevor Vaughan
03:13:24
Yevette: Not at the LoE that would actually be required to get approved by anyone.
Trevor Vaughan
03:14:05
Small companies can be as tiny as a handful of people and the rates get astronomical when they need to do this type of split effort.
Trevor Vaughan
03:14:21
Meeting. Good conversation though.
Quentin Sligh
03:14:26
Trevor, the same type of questions can be applied to Linux as well. The point of the exercise is as a prime, to cover your six.
Yevette Bratten
03:14:42
I think it will especially with the new requirements coming down for security clearances and contracts containing TS/SCI
Trevor Vaughan
03:15:50
Quentin: I know, I build a platform for automated compliance on Linux systems. But I've found few people that can actually dig into any given set of systems beyond window dressing in a timely manner. Technically, we have to be fine with whatever level gets set, but most scanning tools are...lacking.
Yevette Bratten
03:16:56
red seal? cloud strike?
Quentin Sligh
03:17:56
Trevor, I agree...
Yevette Bratten
03:18:41
Sorry, Sylvia corrected me: CrowdStrike.
John Aron
03:23:13
Yes
John Aron
03:23:16
My hand goes up
Paul Weekley
03:23:26
yes to public website
Paul Weekley
03:23:50
container.. ha
Paul Weekley
03:24:16
no. public system has no cui
Quentin Sligh
03:24:19
Hopefully no one...
Roberta Comer
03:27:46
What is a separate "system"? Is this a separate cloud account? or a partitioned directory?
Quentin Sligh
03:28:32
A separate system is one that is separated from your internal system via a firewall.
Paul Weekley
03:35:11
BYOD is an issue and should be controlled by mobile device management (MDM) controlling types of access like download, copy, encryption-at-rest, etc
Paul Weekley
03:37:13
Devices can be identified by several things: MAC (can be faked), certificates (can be stolen), IP addresses. 2FA (two-factor authentication) should be employed to strengthen this.
Paul Weekley
03:42:22
Dont recommend Google services
Paul Weekley
03:42:30
personal opinion
Todd Graham
03:43:27
But a lot of small businesses use GSuite for business....so need clarity on that.
Edward Bonner
03:43:50
what about office 365 email?
Paul Weekley
03:46:56
Core business for Google is data collection. I'm sure that the business services are fine, just my personal preference. Microsoft's Office 365 can also work and be compliant only if proper controls are applied in the Azure architecture. I do not know the security details of Google GSuite.
Paul Weekley
03:48:46
Yes to using laptop at airport, but not on Wifi.
Jessica Naylor
03:50:06
emails! (something you know)
Paul Williams
03:50:16
Tough to get the required controls and meet DFAR requirements in the Enterprise level of Office 365. But they recently removed the 500 seat minimum requirement for Office 365 GCC.
Joseph Karolchik
03:51:16
we had to get a sponsor for Office 365 GCC. One of our primes wrote a letter to submit to Microsoft.
Paul Weekley
03:51:32
Edward - A company can be NIST compliant under Office 365 Enterprise E1, E3 and E5. Government is better, but not necessary for compliance. If a contractor requires it, then that direction needs to be followed. Please note that just being on O365 Enterprise does not make you compliant. Enterprise is FedRAMP compliant and is control capable.
Paul Weekley
03:54:21
Edward: Additionally, controlling where your data is located is also a control for CUI. Microsoft and Google would not be compliant for ITAR support under their general commercial services. That would require a government-cloud-ready system.
Jessica Naylor
03:54:46
@Paul Weekley, do you have any documentation for this? In the secure trust portal Microsoft previously stated that only GCC and GCC High were capable of meeting the NIST requirements.
Edward Bonner
03:57:26
Jessica, that is what I see when I go to the compliance center. It says that only the GCC options are capable of compliance.
Paul Weekley
03:59:32
I would have to look that up, but it is likely referring to specific data like ITAR. Yes, it would also support CUI, etc. As long as you can meet the control requirements, you can be compliant under the NIST 800-171 controls. Enterprise is FedRAMP, supports access control restrictions, encryption at rest (you can control the encryption keys) and additional controls restricting access like multi-factor authentication and so on. Feel free to reach out if you would like: paul.weekley@lajollalogic.com. I don't want to pull away from this workshop. He has great information.
Edward Bonner
04:00:13
Thanks...will do
Paul Weekley
04:01:08
Feel free to ask the question to the presenter of using non-government cloud services being compliant. I would be interested in the response.
Todd Graham
04:01:35
me too
Paul Weekley
04:02:24
I believe the GCC high support the ITAR level. US soil US people.
Jonathan Frank
04:02:27
Enterprise O365 allows foreign nationals to access data (e.g. tech support). I believe this is the major point where non-GCC tenants would fail compliance.
Paul Weekley
04:03:24
Office 365 has a control called Lockbox to block access by techs without permission from a company admin that is established. This is off by default.
William Wilkinson
04:05:04
I think I missed what he just said. But is MFA only required for accounts with privileged access?
Felece Whitfield
04:06:11
This is going to have sweeping impacts for small business + Cybersecurity Maturity Model Certification (CMMC) requirement that ties this all in is an unknown. Never ends...
William Wilkinson
04:06:47
Thanks!
Paul Williams
04:07:33
Regarding "local" and "remote"--are all managed service providers (like Office 365) by definition "remote"?
Brett Hahne
04:07:42
William, what was the conclusion on MFA? Missed part of it.
Joseph Karolchik
04:07:57
@Felece - you will need to have a CMMC rating to qualify as a Government contractor in the future
Paul Weekley
04:08:36
I asked the presenter the question about using gsuite or microsoft, not government cloud, and still be compliant.
Paul Williams
04:08:37
Brett, that's why I asked my question. He said that local privileged access requires MFA and remote access by all requires MFA.
William Wilkinson
04:09:14
MFA is required for privileged access locally. Non-privileged access does not need it. MFA is required for privileged and non-privileged when accessing remotely.
Brett Hahne
04:09:16
Yep, understood. I just missed part of the answer he gave. Thanks. Appreciate it.
John Aron
04:10:17
No, repeat yourself please.
Paul Weekley
04:10:41
password blocking would include web portals extra.
Paul Williams
04:13:45
Would be interesting to poll the audience--both there and online--how many small businesses are running their own network vs. using managed service providers (like Office 365).
Trevor Vaughan
04:15:57
My guess is that smalls/mediums are using managed services and bigs are using their own network in general.
Paul Weekley
04:16:14
I am a "my own servers" guy, but industry, budgets and costs are forcing a move away from local to 'cloud' services.
Edward Bonner
04:16:21
@PaulWilliams...We use both but for CUI we use the managed services
Jason Gray
04:16:33
Absolutely! Feel like so much of this is targeting medium - large sized companies. Can't imagine many <10 outfits are setting up their own physical infrastructure to meet these
Rachael Trudell
04:16:56
can we log off and then rejoin at 1?
Jonathan Frank
04:16:58
We are also hybrid, with CUI being on managed services (GCC)
Lisa Rhyner
04:17:06
We are technically a micro-business (<10) and are primarily managed services.
Trevor Vaughan
04:17:08
Yep. The OH cost of a 10-person outfit with 2 additional people dedicated to infrastructure would take your OH costs through the roof.
CED Administrator
04:17:17
Lunch.. We will reconvene at 1 PM.
Jonathan Varela
04:17:20
Yup
Mark Evans
04:17:36
can you please have the speaker define “authorized user”
Trevor Vaughan
04:17:54
And OH costs == higher rates which equate to primes not hiring you and/or the Government not approving your rates.
Paul Williams
04:18:07
That's kinda my point--and my biggest complaint about the 800-171 controls. They're written from a perspective of running your own network and have little "translation" for what that means for an MSP.
Jonathan Varela
04:18:11
That's where I'm at. We have 20 people with only a total of 6 having access to our local server running FreeNAS. This is not going to be fun.
Paul Weekley
04:18:20
I will pose the question again to the presenter about the commercial suites vs GCC government services upon return from break.
Trevor Vaughan
04:18:36
Paul: I disagree actually. But you have to know what you're responsible for and inherit the underlying controls.
Trevor Vaughan
04:18:47
This is non-trivial but doable (if excessively tedious)
Trevor Vaughan
04:19:19
Pretty sure that FedRAMP == evaluated and non-FedRAMP == do your own homework (AKA, probably not worth is)
Trevor Vaughan
04:19:21
*it
Trevor Vaughan
04:20:43
Ugh, this chat system is just the worst
Bayo Olubimo
04:22:36
Good time for Lunch Break!
ATOSSA ALAVI
04:22:36
Sound just cut out.
CED Administrator
04:22:38
Lunch Break -We will resume at 1 PM.
Paul Weekley
05:03:55
Trevor: This is definitely doable, and a government cloud is better. I only state that compliance should be able to be met under other systems. Control is the key, and it takes additional steps. This would require multiple policies and controls to be in place and may require multiple products or vendors. You must know where your data is and who can access it. Personally, I prefer controlling a data center and perimeter, but that is not always an option for small-sized companies. We have a hybrid at the moment and are continually adjusting and adding enhancements. (Zoom, please add spell check)
Thomas Shaefer
05:07:21
Does anyone have a favorite make of UBA card reader?
Paul Weekley
05:08:01
Thats not made and controlled in a foreign country?
Paul Weekley
05:08:30
supply chain control is insane
Thomas Shaefer
05:15:09
Maybe we should go back to Morse Code? No one even remembers what that's about anymore. Just kidding...sort of.
Jonathan Lerner
05:15:14
ZZZZZZZZZZZZzzzzzzzzzzzzz
CED Administrator
05:15:38
We have started! Hope you can hear Dr. Neuman fine.
Reid Spearman
05:16:06
I'm online and can hear him 5 x 5.
Jorge Vasquez
05:16:11
Loud and clear
Lisa Rhyner
05:16:17
good to go
CED Administrator
05:16:18
Thanks
Richard Abel
05:16:34
Loud and clear
gbenga oyedele
05:16:51
yes and clear
Paul Weekley
05:17:14
Drives in copiers are concern too
Elizabeth CAMPBELL
05:17:39
Great, thanks!
Trevor Vaughan
05:17:56
And memory cards in routers and switches
Clay White
05:18:10
Cellphones? hadn't thought of that with email
Paul Weekley
05:30:45
Windows bitlocker is FIPS 140-2 compliant
Paul Weekley
05:32:06
Servers are restricted, but user workstations are another story
Reid Spearman
05:32:50
But compliant isn't good enough, is it? Doesn't it have to be verified?
William Wilkinson
05:33:47
If you use a module to perform the encryption, then that module has to be validated.
Trevor Vaughan
05:34:17
Yes, everything must be *validated* to count
Trevor Vaughan
05:34:30
This means that Windows must be put into FIPS mode if you wish to use Windows encryption.
Trevor Vaughan
05:35:20
"Uses FIPS-compatible encryption algorithms" does not count
Trevor Vaughan
05:36:29
heh...let's see if the DoD starts mandating Dvorak keyboard layouts
William Wilkinson
05:36:49
Please no.
Dennis Kearney
05:36:54
Why doesn't FIPS count?
Trevor Vaughan
05:37:21
FIPS-compatible doesn't count. FIPS enforcing, on a validated cryptographic module, is all that counts.
Reid Spearman
05:37:21
The key word is "compatible."
William Wilkinson
05:38:08
https://csrc.nist.gov/Projects/cryptographic-module-validation-program/Validated-Modules/Search
William Wilkinson
05:38:10
FYI
Paul Weekley
05:42:30
yes to cut finger.
Trevor Vaughan
05:42:40
What a retention program!
Trevor Vaughan
05:43:28
I like how we consistently ignore swap
Jesse Keilson
05:44:18
Are you talking for a running process? Or during data destruction?
Trevor Vaughan
05:44:36
Persistence of CUI on a computing device.
Trevor Vaughan
05:44:51
Swap pinning is a suggestion to the kernel, not mandatory.
Jesse Keilson
05:45:23
Then turn it off
Paul Williams
05:45:39
What is an external and internal boundary for Managed Service Provider (like Office 365)?
Trevor Vaughan
05:46:44
@Paul: That would be defined by the FedRAMP data for the provider.
Trevor Vaughan
05:46:58
If there's no FedRAMP data, it's pretty much "unknown" from a policy point of view
Trevor Vaughan
05:48:48
Or do you mean "your laptop in your company" vs O365 hosting provider?
Trevor Vaughan
05:49:11
NIST 800-18 is a good guide to figuring this out from a practical point of view.
Paul Weekley
05:50:23
Hate wireless, but a necessity. If possible, use enterprise authentication to limit the threat surface to specific access.
Rickey Williams
05:54:38
Are there any good tools that a consumer can use to monitor SaaS applications like Workday or ADP from a SIEM perspective?
Paul Weekley
06:14:56
Also, US Government has instructed not to use it on systems
Robyn Young
06:20:16
FYI - FAR 52.204-23 prohibits using Kaspersky software.
Dennis Kearney
06:31:53
Opinion on encryption between PGP and SSL?
Trevor Vaughan
06:32:25
Encryption is encryption. CUI and DFARS requires FIPS so anything works as long as it's compliant.
Dennis Kearney
06:32:27
sorry SSL
Trevor Vaughan
06:33:28
Note: Most things aren't compliant.
Paul Weekley
06:37:11
hold on..
Trevor Vaughan
06:40:42
SSL is probably easier given that you can use the native OS tools on Windows (web browser)
Trevor Vaughan
06:41:00
PGP *can* work depending on the vendor and the underlying crypto tie-ins.
Jesse Keilson
06:41:40
OpenSSL has been validated, but there are special procedures required
Dennis Kearney
06:43:15
+
Paul Weekley
06:43:26
For many of these controls, we have over 1000+ computer controls in GPO policies.
Jesse Keilson
06:44:45
Don't let that deter you! many of those are well documented, or even readily accessible as part of automation / CM packages
Jason Gray
06:45:38
Paul, are you using STIG GPO as a base and building on to those to be compliant?
Paul Weekley
06:45:59
Jason - Yes. For OS, and applications.
Jason Gray
06:46:14
Okay, thanks
Paul Weekley
06:46:59
very effective as long as it is not too strict to make the endpoint unusable for daily tasks. :) I had to ease up on many.
Paul Weekley
06:48:54
terminate can be putting machine to sleep
Paul Weekley
06:49:33
-sorry - that is for network sessions
Arshad Noor
06:49:45
At the risk of being accused of being self-serving (even though we are a small business ourselves, trying to become compliant to these regulations), I would encourage looking at a solution we readied for SMBs: Tellaro T-100. Uses FIPS 140-2 Level-2 certified hardware for key-management; encryption keys never leave the appliance; FIDO2-hardware based strong-authentication for users - exceeds even digital certificates for security and convenience: https://strongkey.com
Tam Gregersen
06:50:14
Does Terminate mean logoff the user?
Paul Weekley
06:50:29
@Tam yes
Paul Weekley
06:50:40
out of session
Tam Gregersen
06:51:05
thx
Jason Gray
07:01:47
Had freeradius on a pi for WLAN AAA...lasted about 1 week.
Paul Weekley
07:05:55
@Jason Nice. Hardware failure or user tolerance?
Trevor Vaughan
07:06:07
Fun fact: RADIUS has MD5 embedded in the protocol and cannot be made secure according to Gov't regs.
Trevor Vaughan
07:06:16
I facepalm'd hard at that one
Paul Weekley
07:08:38
I thought external systems was more related to accessing Internet sites, etc, not specifically media.
Jason Gray
07:09:41
Users, haha
Paul Weekley
07:09:47
Under media controls, we block USB type connections access
William Wilkinson
07:09:52
External systems meaning a system that is not yours.
CED Administrator
07:24:58
Break... We'll restart at 3:25 pm
Derrick Smith
07:42:21
I understand the slides will be available. Will audio of the presentation be available?
Quentin Sligh
07:42:54
@Derrick, I think they stated no earlier...
CED Administrator
07:43:31
No, the slides are available for you
Walter Rey
07:43:58
It would be great if they made it available, after all is being recorded already.
Quentin Sligh
07:44:31
Good point...
Derrick Smith
07:44:33
Ok, thanks. I saw reference to video but didn't any mention to audio.
Paul Weekley
07:49:25
yes
Paul Weekley
07:49:46
all of the above except door. :)
Sandra Kanavel
07:49:50
No IOT.
Sandra Kanavel
07:55:59
How do you balance limiting privileges with the inability to update individual software?
Paul Weekley
08:00:12
Software management services with endpoint agents can assist in updating general and custom software packages without providing admin privileges to users. Windows Configuration Manager can do this, and Puppet server (supports Linux/Windows) is another example.
Yevette Bratten
08:06:44
With all of these requirements - has it been determined how many IT persons should be managing, monitoring, configuring, documenting, quality assurance, and implementing the plan as a whole. By size of the organization? # of users?
Paul Williams
08:07:38
Good question, bet you get a non-specific answer...
Yevette Bratten
08:09:02
I was thinking there could be a matrix with recommended hours on each daily, weekly, monthly, quarterly, and annual requirement...
Quentin Sligh
08:10:59
@Yevette, I think that will most likely depend on the level of effort and the size on the operation.
Yevette Bratten
08:11:23
understood looking for industry standard
Yevette Bratten
08:12:01
with all of this research i thought it would be available
Jesse Keilson
08:12:42
Depends on industry, level of connectedness, etc
Paul Weekley
08:14:50
@Yevette - there are so many variables that this would be difficult. You should have at least one person with IT security best practices knowledge, but even that is difficult for small businesses since all this work is overhead. With an experienced person and existing infrastructure, one person can go a long way, but supporting 100 users is a different story. Much goes into the policies in place, access provided and type of work being performed. A manufacturer would have different support needs than a cyber security company, although both would need to be compliant with NIST 800-171 if they are under a government contract.
Quentin Sligh
08:16:15
One of the biggest issues small companies will run into regarding the number of techs needed will be how much they are willing to pay.
William Wilkinson
08:18:17
How do you recommend marking digital media?
Rachael Trudell
08:18:18
Should we be marking thumb drives and external storage media?
Jeanmarie Richardson
08:18:35
How does having an agreement with a managed service provider affect this? Typically we have agreements with them, and personnel working on our systems are known.
Johnson Sabariar
08:19:03
Any idea if the camera can show the audience when they speak?
CED Administrator
08:20:15
No, the camera can't show the audience
Paul Weekley
08:22:12
love the letter. wow.
Paul Weekley
08:22:32
A seal must be safe. (It's not.)
Paul Weekley
08:24:41
Company backup may affect company reputation if they were not able to recover from an incident.
Quentin Sligh
08:27:12
@Paul, good point!
William Wilkinson
08:28:57
Did we skip sections 11 and 12?
Reid Spearman
08:30:02
They come later.
John Abbey
08:30:31
Will certificate be issued for this training?
Reid Spearman
08:30:33
Starts at slide 80
Paul Weekley
08:31:05
Not sure about a certificate, but should be eligible for 8 CPE credits.
John Abbey
08:31:20
okay
Andrew Moore
08:31:23
How do we get access to the slides?
Reid Spearman
08:31:58
https://sites.usc.edu/cyberworkshops/workshop-materials/
CED Administrator
08:32:33
No, there are no certificates for this training. This training is designed to make you aware of the DFARS requirements.
CED Administrator
08:33:26
@Reid - thank you for sharing the site
CED Administrator
08:33:45
Note, the password is cyber
Andrew Moore
08:34:05
Thank you!
William Wilkinson
08:35:58
Disable split tunneling.
Kevin Davis
08:37:18
Can we have info to other classes our speaker teaches at USC?
CED Administrator
08:38:13
Please send an email at ced@usc.edu and we will get back to you. Thanks.
Paul Weekley
08:38:16
Machine sleep will meet this after a duration of time.
Paul Weekley
08:39:40
Collaborative devices - mics, cameras, etc.
Paul Weekley
08:48:10
Scanning and pen testing is critical to know what is on your network and the status of services.
Quentin Sligh
08:59:10
Having a pen tester on staff is a great asset!
Paul Weekley
09:02:22
Enhanced controls are being drafted already for NIST 800-171: https://csrc.nist.gov/publications/detail/sp/800-171b/draft This will not affect all contractors, only high-value targets. Worth a peek to prepare if you make drones, etc.
Paul Weekley
09:06:08
Document those processes!
Julia Henry-Curry
09:09:00
I think Tampa session is Aug 23rd
Beverly boler
09:09:44
What is your website?
Quentin Sligh
09:10:23
If your organization is already CMMI certified, processes should be easy.
Paul Weekley
09:13:08
Good presentation
Kevin Davis
09:13:50
Thanks!
Heidi Garvin
09:13:53
Please tell the presenter “Thank You!” Lots of wonderful information!
Arshad Noor
09:14:17
Agreed. Would have preferred to be in the room, but webinar was better than just reading the presentation.
Borislava Peycheva
09:14:37
Thank you
Quentin Sligh
09:14:44
Thank you! It was very informative..
Robert L. Hubbard
09:14:47
good and clear
pooya payandeh
09:15:00
thank you
Jonathan Lerner
09:15:00
Thanks..... Great insights being shared.
Lisa Rhyner
09:15:01
Presenter was fabulous. I've been immersed in this for almost 2 years and this is the best presentation I've taken part in.
Jesse Keilson
09:15:03
Thank you to everyone involved, lots of good information
Joseph Karolchik
09:15:05
great session today -- THANK YOU!
Johnson Sabariar
09:15:08
Thank you. Nice presentation and lots of information.
Jorge Vasquez
09:15:13
Thanks, lots of food for thought and action!
Tinah Ibironke
09:15:19
Thank you. This was a good session
Reid Spearman
09:15:27
Thanks!
gbenga oyedele
09:15:29
Thanks
Dennis Kearney
09:15:46
many thanks hope to stay in contact in future
Mike faulkner
09:16:07
really informative session. Thanks
CED Administrator
09:16:16
Thank you everyone! Signing off!
Robert L. Hubbard
09:16:56
I'm very glad to have participated in this highly informative workshop. The presenter was excellent and very knowledgeable, and the information covered was outstandingly useful. DBR, Inc. thanks you all for the invitation to participate.
Thomas Shaefer
09:19:16
How do we save the recording?