August 15 - Cybersecurity Workshop Training - DFARS 204.73 / NIST SP 800-171 - Bowie, MD - Shared screen with speaker view
Good Morning! The event will begin at 8:30 AM
Good Morning! We will begin at 8:30 AM. Please let me know if the sound is working. We tested it, and you can adjust your volume, but sometimes adjustments are needed as we begin.
We can hear folks talking in the background.
We are dialed in and can hear fine.
Sound is working well.
Sounds better. Thank you.
Sound low - wrong mic
How is Deepak sounding?
loud and clear
Loud and clear
did not hear anything...just tested my audio and it tested good
Loud and clear right now
I tested my audio, and heard music, but I do not hear any speaking voice.
I do not hear music either
Sound is good.
If you cannot hear, it is your computer - retest your sound.
If you have not yet downloaded the slide deck. Here is the web address: https://sites.usc.edu/cyberworkshops/workshop-materials/ password: cyber
I did retest my sound, and it was all good on the test, just nothing in real life.
Is there an incident if information is compromised that was not identified by the prime?
Can you hear us?
Loud and clear
yes, there was network latency earlier.
I have your audio on my phone and the slides on my computer screen
Very good. Thank you.
Will those of us online be able to access the slide deck? (Or has a link been provided and I missed it?)
I received a link as part of the invite
The link in the live feed and the link in the previously downloaded (posted) files are different. Is there a better link (or one I should ignore)? Thanks!
It was in the reminder emails, including this morning: sites.usc.edu/cyberworkshops password: cyber
Answering in person, ignore last note!
https://eca.orc.com/pricing/ $109 / year for the medium level assurance cert
thx for link
You bet! The link provided on the slide takes you to the .gov site, which links to two external pages for purchase...pretty sweet deal to be one of two vendors authorized for sale
Many cloud information systems that state compliance may have controls capable but not necessarily implemented or activated. The controls are our (client) responsibility.
Re: AWS, region specification satisfies territorial requirement. Multiple US intelligence agencies are on AWS US-East.
Is the PKI cert the same as the medium level assurance cert or different certs for different situations?
There will be a BREAK for 15 minutes until 10:15 AM.
My audio is fine - they are just not talking into the mic.
When you had no audio - we were informing the local audience of non-workshop logistics information.
Those of us online cannot hear the questions or comments from the audience. Would the facilitator please repeat the question before answering?
I believe that’s because we’re technically on break, and the presenter is just chatting with participants in between.
Will there be a recording of this session for us to view later?
I am sorry if I missed this question being asked/answered already. Will we be sent a link to the recorded session, or do we need to submit a request to someone?
The slides are available but not the video recording.
Once the 110 controls have been satisfied, who will decide how a contractor is certified?
Self attestation, I believe. Until audited
More information on CMMC can be found at https://www.acq.osd.mil/cmmc/index.html
We perform a self audit and review annually. Technology changes and we need to enhance our environment protection as needed. Consider these controls as a living, always changing system.
Comment: Controls may be accepted by one contract, and rejected or require enhancement by another. They can be very subjective.
Question: How do we get clarity and truly know what is CDI or CUI...will the DD254 state this? Who can clarify this for us to be sure to know if we need to implement this?
The links to those are in the slides. CUI is defined on the NIST pages and CDI is a derivation through the DFARS.
CUI is easy. CDI is...unclear. As far as I can tell, it comes down to following the markings. The place where I'm unclear is that it *seems* that the data must originate from the Government and be properly marked to count as either one. Contractors can't randomly decide that something is CUI or CDI without approval from a CO.
This also means that pretty much everything is marked incorrectly on every contract ever, but that's a CO issue since they're the specification originator (I think).
Federal contracting officers are required to provide in each work statement or specification the identification of any covered defense information (CUI, CDI).
In other words check your contracts, if not in your contract insist that it is.
From my experience it should be on the DD254, which flows down to the subcontractors if you are the Prime.
ok....so if we do NOT have a contract with any CDI or CUI markings, then we do not need to have these controls in place or self certify? But once we get a contract, then we need to ensure we comply?
CUI covers a very wide scope. includes accounting, contract information to agriculture and other environmental systems. think CDI as defense related material.
Paul is correct, BUT, from my reading, it's Government sourced. PII that is not Government sourced is not CUI because it is not "Federal Data" (it's company data for insurance or whatever). Without this, these requirements would creep across the entire US business landscape.
I recommend you have them in place. In order to apply for or receive a government contract you must be in compliance with the 10, but you should be in compliance with the 110 NIST requirements, or else have a plan for how you will manage it and move forward towards compliance.
I agree with Yevette but I think that everyone should start asking their CO about proper markings since contractors cannot randomly mark things just because they "think" it's missing.
For small businesses - nowadays most primes (NG, GDIT, etc.) make you self-certify to receive a subcontract.
This also applies to independent consultants.
Todd: A company may not win a contract if these controls are not already in place for segregation and protection.
But (and this is important for subs), the primes *MUST* ensure that all data is properly marked. The subs cannot assume anything in particular and mismarked data is the problem of the originator, not the receiver.
True paul, either as a sub or a prime.
As a prime, it may be beneficial to do spot checks on subs in order to verify controls are in place. Even though the subs have signed documents stating that they are compliant, it still will fall upon the prime in the end, I think.
Quentin: How would you suggest that work. I'm certainly not giving anyone outside of my company, or authorized Government personnel, access to any of my systems.
True, and the primes I have worked with do check and make the sub compliant.
Also, my internal policies are proprietary.
Trevor then you may become an unfavorable subcontractor
Some primes require you to perform work on their systems in which they provide a key for you to use to log into their system
Trevor, think about it: in the end, you will give a third party access to your systems to perform an audit, right? If we've signed a teaming agreement, then one would think that we have a relationship that would cover such.
Working on someone else's system is easy because I agree to abide by their policies. Giving someone access to *my* systems, is interesting.
Obviously, I would comply with any agreement that has been signed. That's easy.
I haven't seen many agreements that allow access to *non-contract* systems in any TA though.
Trevor, what I'm suggesting is showing me how you have policies in place, not to actually log onto your systems.
Ah, that one is certainly easy enough but doesn't really validate that anyone is doing anything in particular.
A curious problem.
Trevor, if I say, "can you produce GPOs that show your password change history," you should be able to produce such. This would tell me that you have controls in place to govern password changes.
I am sure you are experienced in the accounting survey which asks if you would allow the prime to review your system. Of course you say no but will allow the government. I think that this is coming.
Alternatively, each prime gets a pass-through cost for full isolation. Doesn't seem ideal.
Quentin: You assume that I use Windows ;-). This is also going to be an interesting situation for people auditing things that they don't understand.
your cost can be recovered in your indirects
Yevette, you are correct, I believe it is coming as well.
Yevette: Not at the LoE that would actually be required to get approved by anyone.
Small companies can be as tiny as a handful of people and the rates get astronomical when they need to do this type of split effort.
Meeting. Good conversation though.
Trevor, the same type of questions can be applied to Linux as well. The point of the exercise is as a prime, to cover your six.
I think it will especially with the new requirements coming down for security clearances and contracts containing TS/SCI
Quentin: I know, I build a platform for automated compliance on Linux systems. But I've found few people that can actually dig into any given set of systems beyond window dressing in a timely manner. Technically, we have to be fine with whatever level gets set, but most scanning tools are...lacking.
red seal? cloud strike?
Trevor, I agree...
sorry sylvia corrected me crowdstrike
My hand goes up
yes to public website
no. public system has no cui
Hopefully no one...
What is a separate "system"? Is this a separate cloud account? or a partitioned directory?
A separate system is one that is separated from your internal system via a firewall.
BYOD is an issue and should be controlled by mobile device management (MDM) controlling types of access like download, copy, encryption-at-rest, etc
devices can be identified by several things, MAC (faked) certificates (can be stolen), IP addresses - 2FA (two-factor authentication) should be employed to strengthen.
Dont recommend Google services
But a lot of small businesses use GSuite for business....so need clarity on that.
what about office 365 email?
Core business for Google is data collection. I'm sure that the business services are fine, just my personal preference. Microsoft's Office 365 can also work and be compliant only if proper controls are applied in the Azure architecture. I do not know the security details of Google GSuite.
Yes to using laptop at airport, but not on Wifi.
emails! (something you know)
Tough to get the required controls and meet DFAR requirements in the Enterprise level of Office 365. But they recently removed the 500 seat minimum requirement for Office 365 GCC.
we had to get a sponsor for Office 365 GCC. One of our primes wrote a letter to submit to Microsoft.
Edward - A company can be NIST compliant under Office 365 Enterprise E1, E3 and E5. Government is better, but not necessary for compliance. If a contractor requires it, then that direction needs to be followed. Please note that just being on O365 Enterprise does not make you compliant. Enterprise is FedRAMP compliant and is control capable.
Edward: Additionally, controlling where your data is located is also a control for CUI. Microsoft and Google would not be compliant for ITAR support under their general commercial services. That would require a government cloud ready system.
@Paul Weekley, do you have any documentation for this? In the secure trust portal Microsoft previously stated that only GCC and GCC High were capable of meeting the NIST requirements.
Jessica, that is what I see when I go to the compliance center. It says that only the GCC options are capable of compliance.
I would have to look that up, but it is likely referring to specific data like ITAR. Yes, it would also support CUI, etc. As long as you can meet the control requirements, you can be compliant under the NIST 800-171 controls. Enterprise is FedRAMP, supports access control restrictions, encryption at rest (you can control the encryption keys) and additional controls restricting access like multi-factor authentication and so on. Feel free to reach out if you would like: firstname.lastname@example.org. I don't want to pull away from this workshop. He has great information.
Feel free to ask the question to the presenter of using non-government cloud services being compliant. I would be interested in the response.
I believe the GCC high support the ITAR level. US soil US people.
Enterprise O365 allows foreign nationals to access data (e.g. tech support). I believe this is the major point where non-GCC tenants would fail compliance.
Office 365 has a control called Lockbox to block access by techs without permission from an established company admin. This is off by default.
I think I missed what he just said. But is MFA only required for accounts with privileged access?
This is going to have sweeping impacts for small business + Cybersecurity Maturity Model Certification (CMMC) requirement that ties this all in is an unknown. Never ends...
Regarding "local" and "remote"--are all managed service providers (like Office 365) by definition "remote"?
William, what was the conclusion on MFA? Missed part of it.
@Felece - you will need to have a CMMC rating to qualify as a Government contractor in the future
I asked the presenter the question about using gsuite or microsoft, not government cloud, and still be compliant.
Brett, that's why I asked my question. He said that local privileged access requires MFA and remote access by all requires MFA.
MFA is required for privileged access locally. Non-privileged access does not need it. MFA is required for privileged and non-privileged access when accessing remotely.
Yep, understood. I just missed part of the answer he gave. Thanks. Appreciate it.
No, repeat yourself please.
Password blocking would include web portals, etc.
Would be interesting to poll the audience--both there are online--how many small businesses are running their own network vs. using managed service providers (like Office 365)
My guess is that smalls/mediums are using managed services and bigs are using their own network in general.
I am a "my own servers" guy, but industry, budgets and costs are forcing a move away from local to 'cloud' services.
@PaulWilliams...We use both but for CUI we use the managed services
Absolutely! Feel like so much of this is targeting medium - large sized companies. Can't imagine many <10 outfits are setting up their own physical infrastructure to meet these
can we log off and then rejoin at 1?
We are also hybrid, with CUI being on managed services (GCC)
We are technically a micro-business (<10) and are primarily managed services.
Yep. The OH cost of a 10 person outfit with 2 additional people dedicated to infrastructure would take your OH costs through the roof.
Lunch.. We will reconvene at 1 PM.
can you please have the speaker define “authorized user”
And OH costs == higher rates which equate to primes not hiring you and/or the Government not approving your rates.
That's kinda my point--and my biggest complaint about the 800-171 controls. They're written from the perspective of running your own network and have little "translation" for what that means for an MSP.
That's where I'm at. We have 20 people with only a total of 6 having access to our local server running FreeNAS. This is not going to be fun.
I will pose the question again to the presenter about the commercial suites vs GCC government services upon return from break.
Paul: I disagree actually. But you have to know what you're responsible for and inherit the underlying controls.
This is non-trivial but doable (if excessively tedious)
Pretty sure that FedRAMP == evaluated and non-FedRAMP == do your own homework (AKA, probably not worth it).
Ugh, this chat system is just the worst
Good time for Lunch Break!
Sound just cut out.
Lunch Break -We will resume at 1 PM.
Trevor: This is definitely doable, and a government cloud is better. I only state that compliance should be able to be met under other systems. Control is the key, and it takes additional steps. This would require multiple policies and controls to be in place and may require multiple products or vendors. You must know where your data is and who can access it. Personally, I prefer controlling a data center and perimeter, but that is not always an option for small sized companies. We have a hybrid at the moment and are continually adjusting and adding enhancements. (Zoom, please add spell check)
Does anyone have a favorite make of UBA card reader?
Thats not made and controlled in a foreign country?
supply chain control is insane
Maybe we should go back to Morse Code? No one even remembers what that's about anymore. Just kidding...sort of.
We have started! Hope you can hear Dr. Neuman fine.
I'm online and can hear him 5 x 5.
Loud and clear
good to go
Loud and clear
yes and clear
Drives in copiers are concern too
And memory cards in routers and switches
Cellphones? hadn't thought of that with email
Windows bitlocker is FIPS 140-2 compliant
Servers are restricted, but user workstations are another story
But compliant isn't good enough, is it? Doesn't it have to be verified?
If you use a module to perform the encryption, then that module has to be validated.
Yes, everything must be *validated* to count
This means that Windows must be put into FIPS mode if you wish to use Windows encryption.
"Uses FIPS-compatible encryption algorithms" does not count
heh...let's see if the DoD starts mandating Dvorak keyboard layouts
Why doesn't FIPS count?
FIPS-compatible doesn't count. FIPS enforcing, on a validated cryptographic module, is all that counts.
The key word is "compatible."
yes to cut finger.
What a retention program!
I like how we consistently ignore swap
Are you talking for a running process? Or during data destruction?
Persistence of CUI on a computing device.
Swap pinning is a suggestion to the kernel, not mandatory.
Then turn it off
What is an external and internal boundary for Managed Service Provider (like Office 365)?
@Paul: That would be defined by the FedRAMP data for the provider.
If there's no FedRAMP data, it's pretty much "unknown" from a policy point of view
Or do you mean "your laptop in your company" vs O365 hosting provider?
NIST 800-18 is a good guide to figuring this out from a practical point of view.
Hate wireless, but a necessity. If possible use enterprise authentication to limit the threat surface to specific access.
Are there any good tools that a consumer can use to monitor SaaS applications like Workday or ADP from a SIEM perspective?
Also, US Government has instructed not to use it on systems
FYI - FAR 52.204-23 prohibits using Kaspersky software.
Opinion on encryption between PGP and SSl
Encryption is encryption. CUI and DFARS requires FIPS so anything works as long as it's compliant.
Note: Most things aren't compliant.
SSL is probably easier given that you can use the native OS tools on Windows (web browser)
PGP *can* work depending on the vendor and the underlying crypto tie-ins.
OpenSSL has been validated, but there are special procedures required
for many of these controls, we have over 1000+ computer controls in GPO policies
Don't let that deter you! many of those are well documented, or even readily accessible as part of automation / CM packages
Paul, are you using STIG GPO as a base and building on to those to be compliant?
Jason - Yes. For OS, and applications.
very effective as long as it is not too strict to make the endpoint unusable for daily tasks. :) I had to ease up on many.
terminate can be putting machine to sleep
-sorry - that is for network sessions
At the risk of being accused of being self-serving (even though we are a small business ourselves, trying to become compliant to these regulations), I would encourage looking at a solution we readied for SMBs: Tellaro T-100. Uses FIPS 140-2 Level-2 certified hardware for key-management; encryption keys never leave the appliance; FIDO2-hardware based strong-authentication for users - exceeds even digital certificates for security and convenience: https://strongkey.com
Does Terminate mean logoff the user?
out of session
Had freeradius on a pi for WLAN AAA...lasted about 1 week.
@Jason Nice. Hardware failure or user tolerance?
Fun fact: RADIUS has MD5 embedded in the protocol and cannot be made secure according to Gov't regs.
I facepalm'd hard at that one
I thought external systems was more related to accessing Internet sites, etc, not specifically media.
Under media controls, we block USB type connections access
External systems meaning a system that is not yours.
Break... We'll restart at 3:25 pm
I understand the slides will be available. Will audio of the presentation be available?
@Derrick, I think they stated no earlier...
No, the slides are available for you
It would be great if they made it available, after all is being recorded already.
Ok, thanks. I saw reference to video but didn't any mention to audio.
all of the above except door. :)
How do you balance limiting privileges with inability to update inividual software.
Software management services with endpoint agents can assist in updating general and custom software packages without providing admin privileges to users. Windows Configuration Manager can do this, and Puppet server (supports Linux/Windows) is another example.
With all of these requirements - has it been determined how many IT persons should be managing, monitoring, configuring, documenting, quality assurance, and implementing the plan as a whole. By size of the organization? # of users?
Good question, bet you get a non-specific answer...
I was thinking there could be a matrix with recommended hours on each daily, weekly, monthly, quarterly, and annual requirement...
@Yevette, I think that will most likely depend on the level of effort and the size on the operation.
understood looking for industry standard
with all of this research i thought it would be available
Depends on industry, level of connectedness, etc
@yevette - there are so many variables that this would be difficult. You should have at least one person with IT security best practices knowledge, but even that is difficult for small businesses since all this work is overhead. With an experienced person and existing infrastructure, one person can go a long way, but supporting 100 users is a different story. Much goes into the policies in place, access provided and type of work being performed. A manufacturer would have different support needs than a cyber security company, although both would need to be compliant with NIST 800-171 if they are under a government contract.
One of the biggest issues small companies will run into regarding the number of techs needed will be how much they are willing to pay.
How do you recommend marking digital media?
Should we be marking thumb drives and external storage media?
How does having an agreement with a managed service provider affect this? Typically we have agreements with them, and the personnel working on our systems are known.
Any idea if the camera can show the audience when they speak?
No, the camera can't show the audience
love the letter. wow.
a seal must be safe. (its not)
company backup may affect company reputation, if they were not able to recover from an incident.
@Paul, good point!
Did we skip sections 11 and 12?
They come later.
Will certificate be issued for this training?
Starts at slide 80
Not sure about a certificate, but you should be eligible for 8 CPE credits.
How do we get access to the slides?
No, there are no certificates for this training. This training is designed to make you aware of the DFARS requirements.
@Reid - thank you for sharing the site
Note, the password is cyber
Disable split tunneling.
Can we have info to other classes our speaker teaches at USC?
Please send an email at email@example.com and we will get back to you. Thanks.
machine sleep will meet this after duration of time.
Collaborative devices - mics, cameras, etc.
scanning and pen testing is critical to know what is on your network and the status of services.
Having a pen tester on staff is a great asset!
Enhanced controls are being drafted already for NIST 800-171: https://csrc.nist.gov/publications/detail/sp/800-171b/draft This will not affect all contractors, only high targets. Worth a peek to prepare if you make drones, etc.
Document those processes!
I think Tampa session is Aug 23rd
What is your website?
If your organization is already CMMI certified, processes should be easy.
Please tell the presenter “Thank You!” Lots of wonderful information!
Agreed. Would have preferred to be in the room, but webinar was better than just reading the presentation.
Thank you! It was very informative..
Robert L. Hubbard
good and clear
Thanks..... Great insights being shared.
Presenter was fabulous. I've been immersed in this for almost 2 years and this is the best presentation I've taken part in.
Thank you to everyone involved, lots of good information
great session today -- THANK YOU!
Thank you. Nice presentation and lots of information.
Thanks, lots of food for thought and action!
Thank you. This was a good session
many thanks hope to stay in contact in future
really informative session. Thanks
Thank you everyone! Signing off!
I'm very glad to have participated in this highly informative workshop. The presenter was excellent and very knowledgeable, and the information covered was outstandingly useful. DBR, Inc. thanks you all for the invitation to participate.
How do we save the recording?