Comments (2)
Nice article. Agree completely about starting with the Team. People first. Too often in cyber we try to start with the technology first and that is a consistent error.
I do have one point of order and one comment, though.
From step 2: NIST 800-171 did not go into effect on 30 November. The requirement for its adoption by defense contractors actually became final, after a several-year implementation period, on 1 January 2018, so over three years ago. This is carried in DFARS 7012, which has been applied to nearly all contracts at this point. What went into effect on 30 November under the interim rule publication were three new DFARS clauses: 7019, 7020, and 7021. 7019/7020 are what require using the DCMA Basic Self-Assessment Methodology to score yourself on your current NIST 800-171 implementation. That guidance is here: https://www.acq.osd.mil/dpap/pdi/cyber/docs/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.2.1%20%206.24.2020.pdf
I think this point is important and would like that "DCMA methodology" to be mentioned as often as possible. Many companies out there, I believe, are responding to the SPRS submission requirement and do not understand that this specific method of scoring is what should be used. The more we can get that word out, the better. There is a lot of confusion and misinformation on it.
My one comment is that I would submit that almost no one today is aiming for Level 5, and indeed the DoD has said that they only expect a handful of contractors to ever require it. Particularly not smalls. A big part of this is that Level 3 is actually really hard to get to 100% on.
The more I dig into effective implementation at the level required to meet every assessment objective for Level 3, the more I find out it is exceptionally hard. The DoD interpretation and enforcement approach keep moving the bar higher. The DoD's concept (I heard Jim Ellis at DCMA make some comments on it recently) that full implementation at Level 3 against the 720 assessment objectives is "just basic security" is unfortunately not correct. When you stick your hand deeply into the 171 bucket, as one of my friends recently said, "you find a lot of razor blades." Even Level 1 is not without its challenges when you start to look at it through the lens of proving perfect, no-fail compliance against the assessment objectives in the Assessment Guides. This really only comes to light, I think, when you look at each control, and then the multiple assessment objectives for those controls, and say "how do I prove that?"
Some good examples are:
AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices.
Assessment Objective [f] system access is limited to authorized devices (including other systems).
Assume the system is defined as your network. In order to prove that, I must have a perfect inventory (very hard) and only allow designated authorized systems to connect. For a network of almost any scale, this means a full NAC implementation with enforcement turned on. You might be able to get away with MAC address filtering, but if you have more than a handful of devices that connect to your network, this gets very hard, fast.
Another might be:
CM.2.062 Establish and enforce security configuration settings for information technology products employed in organizational systems.
[a] essential system capabilities are defined based on the principle of least functionality;
[b] the system is configured to provide only the defined essential capabilities.
Here I think the assessment objectives very significantly expanded the original requirement and made it much, much harder.
Since this is a Level 2 control, let's limit this to your Level 3 enclave solution that consists of some servers and your Windows 10 endpoints. You now need a listing of EVERY function performed by W10 endpoints and every function performed by your servers, many of which are not truly available publicly, and then, from that list of let's say 500K functions, you need to decide which of those are truly essential. You then must limit the system functionality to just that list. Really not doable.
Sound extreme? Yes, but... at every turn the DoD seems to be taking the ultimate literal interpretation on enforcement of controls. I think you could fail almost any company in the world (and the DoD, of course) if you read this control literally and enforce it.
These are only a couple of the razor blades in the Level 3 stack. There are more.
The "driving into impossible territory" is my top concern at the moment. For the sake of your article, though... I hope we just get through some successful Level 3 assessments first before we start talking Level 5! I think a successful Level 3 assessment is going to be way harder than most think today.
Thanks much for the article and the chance to comment. Working to get ready now is something every defense contractor should be doing.
I really enjoyed the article, Rick, and agree with each of your steps. Steps 1, 2 and 4 sang to me. People are always the most important, and having the right team working towards your goals is key. I also really like that you encourage folks to keep learning. Nothing is as certain as change, and so learning along the way is critical. Step 4 is similar to step 1 in that finding the right external support, or the right people who just happen to be external, to assist is pivotal. In agreement with Vince too: let's get Level 3 first and then work from there. Appreciate the awareness that, with malevolent cyber activity still on the rise, organizations can't afford not to take cybersecurity seriously (with or without a requirement to do so).
Jana Steen at 3:40 PM