In my previous post, I covered some aspects of situational awareness for NIST SP 800-171 and how it applies to organizations that serve the Defense Industrial Base (DIB). In this post, I will dig into NIST SP 800-171 itself. For those interested, NIST is the National Institute of Standards and Technology. It is part of the United States Department of Commerce. The function of NIST in the context of cybersecurity is to research, develop, and publish standards and guidance for specific cybersecurity use cases. NIST Special Publication (SP) 800-171 Rev. 2 is titled Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
This leads us to the crux of the issue. Data. Whenever I consult with customers, the first area I explore is the type of data that is critical to their organization. In order to effectively secure data, you have to know why it is critical, how it is used, and where it is stored. NIST SP 800-171 is written with specific data in mind: Controlled Unclassified Information or CUI. Per the National Archives and Records Administration (NARA) Glossary: “Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information…” Does your organization handle CUI?
A quick and simple test for this is to look at your federal contract or subcontract. If the contracting organization included the DFARS Clause 252.204-7012 in your contract, you are subject to NIST SP 800-171. If you are still unsure and you want to understand CUI further, the DoD recently published a quick reference guide for CUI: https://www.dodcui.mil/Portals/109/Documents/Desktop%20Aid%20Docs/21-S-0587%20cleared%20CUI%20Quick%20Reference%20Guide%20Dec%202020.pdf?ver=MzU7WWsXpkBKMvpz5jX-SA%3d%3d. The chart in the upper left-hand corner of the second page is a great litmus test on whether you are storing and handling CUI.
Now that we know you are handling CUI, here are some details about what you need to do. The first step is to get your score. In an upcoming post, I will be detailing how to score NIST SP 800-171 and the relevant considerations. Once you have determined your score, there are two items that you must have in place. The first is a Plan of Action and Milestones (POAM). The POAM is a document that details every NIST SP 800-171 practice for which your organization is deficient. For each deficient practice, you must include a plan for how you will bring it into compliance and a target date for doing so. In practice, the POAM is a remediation plan describing how your organization intends to become fully compliant with NIST SP 800-171. The second item you must have in place is a System Security Plan (SSP). The SSP is a document that describes the system boundary, the operational environment, how security requirements are implemented, and the relationships with or connections to other systems. The SSP is critical documentation not just of your environment, but of how your organization has applied specific security controls as they relate to NIST SP 800-171.
To wrap it all up, for current compliance when handling CUI, you need to have the following:
- Your NIST SP 800-171 score (X out of 110).
- Your POAM, showing how you will increase your score.
- Your SSP, documenting your environment and how you have implemented your controls.
-David Malicoat Founder, BAMCIS Cyber
This post is targeted more for those that operate in the Defense Industrial Base (DIB). According to the United States’ own Cybersecurity and Infrastructure Security Agency (CISA), the DIB is “the worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and component parts, to meet U.S. military requirements.” Naturally, that is a mouthful. What would you expect from a government website? That being said, the goal of this, and future writings is to provide organizations that fit the DIB definition above a resource by which to gain situational awareness about their role in the DIB, the current and upcoming defense contracting requirements, and how cybersecurity is intertwined through it all.
This is the first of a series of informative posts about the DIB and cybersecurity. To get started, unfortunately we will need to cover some unpleasant government contracting legalese. Hold tight and grab a cup of coffee. There are two main documents that control contracting with the U.S. Government and subsequently the Department of Defense (DoD). First, there is the Federal Acquisition Regulation (FAR), which is a set of regulations that governs all acquisitions and contracting procedures associated with the Federal Government. Second, there is the Defense Federal Acquisition Regulation Supplement (DFARS), which is an extension of the FAR, but specifically for the DoD. You can think of these as standard contract language that will most likely be found in your contract (prime or sub) when providing products or services as part of the DIB. Both of these are wholly contained in the Code of Federal Regulations (CFR), which is the centrally located set of regulations for the entire government. Title 48 of the CFR is the Federal Acquisition Regulation (FAR) mentioned above. At this point, I am sure you are wondering how this links to NIST SP 800-171. Here is the payoff: Section 252.204-7012 (often referred to just as 7012) is the part of the FAR that requires government contractors to adhere to NIST SP 800-171. We could go into the history, but to keep things simple we will jump ahead to November 30, 2020, when the DoD created what is popularly known as The Interim Rule. The Interim Rule did two things: 1) It required all contractors (prime and sub) to perform a basic cybersecurity self-assessment using NIST SP 800-171 and report the score using the Supplier Performance Risk System (SPRS). 2) It established the Cybersecurity Maturity Model Certification (CMMC) as the future path for cybersecurity in the DIB and provided the timelines for its implementation. (We will cover the CMMC in much more detail in future posts.)
Now that we have all the government language and acronyms out of the way, we can boil it down to the bare facts:
- If you are in the Defense Industrial Base (DIB) you are currently subject to the NIST SP 800-171.
- You should have a score from within the last 3 years.
- The score should be reported into the SPRS system.
- The CMMC is coming and you should be getting prepared.
- The good news is that the NIST SP 800-171 is wholly contained in the CMMC Maturity Level 3 (ML3) or above.
- If you have and/or are currently working on your NIST SP 800-171 items, you will not be duplicating your efforts and cost.
The bottom line is that NIST SP 800-171 is here to stay in the near-term and the CMMC is currently arriving and the reality of the future. When looking at NIST SP 800-171 and CMMC, I have seen the gamut of readiness. There have been organizations that did not know about 171. There have been organizations that were all over it and already dialing in their CMMC practices. The best advice I can give: If you feel like you may be behind, you probably are. There is an old Chinese proverb that states: “The best time to plant a tree was 20 years ago. The second best time is today.”
-David Malicoat Founder, BAMCIS Cyber
As I covered in Part 1, middle market businesses have a unique conundrum when it comes to cybersecurity. If you have not had the opportunity, I encourage you to read it. In the second part on this subject, I am going to cover some real world experiences that led BAMCIS Cyber to shift the way we deliver services for our target customer base. It has been an interesting experience and I hope that you will find some pearls of wisdom that will help guide you on your organization’s cybersecurity journey.
There are multiple factors that impact how a middle market company approaches cybersecurity. I will cover a few of the most impactful. First and foremost is the cybersecurity talent shortage. Regardless of the perceived overall cause, it is well-accepted that there is a shortage of cybersecurity talent in our country and across the world. This is particularly impactful for middle market companies. Mid-size companies must rely on subject matter generalists across their workforce. This can be extremely risky and fraught with challenges in the area of cybersecurity. As a resource’s experience increases, so does their expected salary, many times pricing them out of the reach of middle market companies. Business leaders are then forced to hire a less experienced candidate to meet these cost pressures. That is, if they even hire someone at all.
A trend that I have noticed in the middle market is the complete absence of cybersecurity professionals in the organizations in question. Whether it be the IT team performing the cybersecurity function as a collateral duty or the function simply missing, mid-size companies find themselves in a challenging position. You can hire someone for cybersecurity and subsequently watch them leave in 6 months due to better offers that you cannot match. The other option is to not hire someone and maintain the status quo. Besides, what bad guys would target a mid-size company that does what you do? There are many. Why? Because middle market companies, as opposed to companies of other sizes, pay the ransom.
Where do you go from here? How can you extract your organization from the current proverbial rock and a hard place? The good news is that there is a new approach to cybersecurity for the middle market: Cybersecurity-as-a-Service (CaaS). CaaS is an approach born out of the challenges faced by mid-sized businesses. Generally, CaaS is a full set of cybersecurity services, provided on a fractional basis, that addresses not only the cybersecurity skills gap, but also rapidly elevates the cybersecurity maturity of any organization in which it is deployed. In my market research, I have found that some of the big cybersecurity players have CaaS offerings, as do several small to medium sized companies. Each approaches the problem differently and with varied potential outcomes. Here at BAMCIS Cybersecurity, we categorize our CaaS offering into four distinct modules: Leadership, Governance, Operations, and Tools. We find that these discrete areas address the cybersecurity issues of the middle market business, all while maintaining cost efficiency on behalf of the customer. Additionally, you gain access to a wide range of cybersecurity expertise that doesn’t break the bank. Cybersecurity-as-a-Service is the future of risk reduction for the middle market. If you are a mid-size business leader and fear the cybersecurity unknown, I encourage you to look into CaaS.
-David Malicoat Founder, BAMCIS Cyber
Part 1: How the Middle Market Can Think Differently About Cybersecurity
It seems like everyone in the cybersecurity industry agrees that our current approach to securing organizations has its challenges, including outcomes that tend to miss the mark. One can look at the continued upward trend of data breaches over the last several years and question whether the prevailing approaches are working. Let’s look at the situation through the filter of a middle market business. (For reference, a middle market business is defined as having gross annual revenues between $20 million and $10 billion.) Middle market businesses account for a full one-third of the strength of the U.S. economy. Middle market businesses have unique challenges when it comes to technology and cybersecurity. Generally, if the business started within the last 5-7 years, it is technology heavy, specifically in cloud adoption (also known as cloud native). Older middle market companies tend to also be heavy in technology, but have a hybrid approach with some technology workloads on premises and some in the cloud. A common thread between both profiles is the challenges around cybersecurity practices.
In my years of consulting, and more recently in speaking with potential customers in the middle market, there is significant evidence that cybersecurity programs have not kept pace with the technology adoption mentioned above. This is not a guilt trip; it is just a reality. Businesses have to be responsive to market forces. Fast and effective adoption of technology can give an organization an edge over its competitors. It can also mean the survival of the company. The security of that solution tends to be de-prioritized as the effectiveness of the technology solution is realized. The de-prioritization is not intentional, and it allows the technology to move forward on time and under budget.
As a business leader in the middle market, you may have noticed a recent trend developing. From a cybersecurity perspective, it is a good trend. It can be a bit of a paper exercise, and it can be a creative exercise if your organization is challenged by its cybersecurity posture. I am speaking of 3rd Party Risk Management. Have you been receiving cybersecurity questionnaires from your customers, vendors, or regulatory organizations? Have you and your staff spent hours upon hours filling out these forms? Tell the truth, have you been providing answers that are accurate only in the most lenient sense? Third party risk management activity has increased significantly over the last few years due to high profile data breaches like Target and Home Depot. These breaches involved vendors or suppliers as the means by which the bad actors were able to carry out the attack. What is the purpose of these questionnaires? What happens if you are found not to be practicing the cybersecurity principles you describe in the questionnaires? These organizations are actively transferring risk from theirs to yours. With the current slate of options in the cybersecurity market, this leaves middle market business leaders with their backs against the wall.
Join me in Part 2 of this post where I cover a new way of approaching cybersecurity for the middle market.
-David Malicoat Founder, BAMCIS Cyber
In our most recent post, we covered a short history lesson on Antivirus. It is important to understand history, lest we be bound to repeat it. There are certain events that take place in the course of history that stand out. In the timeline of cybersecurity, the fourth generation of antivirus (AV), also known as endpoint detection and response (EDR), is one of those events.
In future posts, we will cover the effect of COVID-19 on organizations and the risks it places on their data. That being said, it is ever more critical to protect your organization’s data where it meets the human. This most often occurs at the endpoint, making your choice of AV/EDR all the more critical. You should think about the types of data that your organization uses. Is the data personally identifiable information (PII) of your customers? Is the data trade secrets about your latest product offering that is going to give your company the upper hand against competitors? Are you able to understand where that data sits, how it is used, and most importantly, make sure that it is protected to the fullest extent possible?
The good news is that there have been significant improvements not only in AV/EDR technologies themselves, but delivery and consumption options have also dramatically changed, oftentimes removing barriers and pain points associated with Gen 1-3 AV/EDR products. First, we will cover service providers. A key question is: Does your organization provide cybersecurity as a core competency of your business? As an executive, driving value for your stakeholders (shareholders, board of directors, employees, etc.) is the priority above all else. One question that many executives need to consider is whether the business is performing functions that do not directly drive benefit to the business’s value proposition. An example of this could be going to market for a financial accounting function. Unless you are in the business of performing accounting, it makes sense to look for efficiencies and expertise in the market. The same is true for the cybersecurity services function.
Specific to AV/EDR, there are a number of managed security service providers (MSSPs) that have significant technology delivery capability, as well as incident response expertise. Instead of the “roll your own” approach of keeping the function in-house, you have the opportunity to “buy up” by engaging with reputable MSSPs that bring not only expertise and technology, but battle tested and hyper focused experience. You can focus on the bottom line in your organization at the same time you improve your cybersecurity capabilities and significantly reduce risk. An added bonus is that the MSSP will always be looking for the competitive advantage of having the latest and greatest AV/EDR platform available to its customers. This takes you out of the technology refresh procurement cycle where you are forking over significant capital every three years, just to feel protected.
You should take a hard look at your AV/EDR. If you are Gen 1-3, you have a ways to go to reduce your risk. You don’t have to go through the pain of procurement and forking over that big check. We recommend you take a “bottom line” approach by concentrating the efforts of your existing staff on inwardly focused and elevated business problems. Let the innovations of the market drive a better product and set of services to your door.
By David Malicoat, CEO and Founder, BAMCIS Cybersecurity
I recently wrote a white paper on cyber resiliency, titled Solving Cybersecurity’s Achilles’ Heel, A Cyber Resilience Framework for Technology. You can find it here: https://bamciscyber.com/cybersecurity-white-paper. In the paper, I cover a new mental model for weaving resiliency into the cybersecurity ecosystem. When I came up with the Cyber Resilience Framework (CRF), I admonished myself for creating yet another framework related to the cybersecurity community. There are plenty out there and it quickly becomes an alphabet soup. Then I trended back the other direction. Cyber Resilience represents a distinctly different thought process and encompasses much more than the scope of the standard cybersecurity frameworks. You may be thinking that most standardized cybersecurity frameworks already address resiliency. I agree. They do. Unfortunately, the frameworks themselves tend to stay buried in the cybersecurity function as a tactical tool. They do not natively enable broader engagement with the business.
The CRF is a wide ranging framework that interfaces with Enterprise Risk Management (ERM), exerting its influence through Cybersecurity Risk Management (CRM). It includes governance, architecture and solutions, all the way through operations. It is intended to advance the concepts of resilience throughout the organization, particularly the technology function. The CRF is based on four foundational pillars:
1. Design components and systems to be difficult to attack
2. Minimize the impact when the attack comes
3. Allocate resources proportional to the importance of the assets being secured
4. Continuously deliver critical capabilities to the business
This post is not meant to be a criticism of standardized cybersecurity frameworks. I believe them to be invaluable and responsible for a heightened maturity level of cybersecurity practice wherever they are adopted. Further, virtually all of them contain components that guide practitioners to a more resilient stature. Overall, standardized cybersecurity frameworks such as the NIST CSF, ISO 27002, COBIT, HITRUST, and others are a good place to start for organizations that are finding their footing when it comes to cyber risk. These frameworks provide solid guidance and address the 80/20 rule for most organizations. I believe cybersecurity professionals need to understand the intricacies of the businesses they serve to fully anticipate potential risk scenarios. By design, standardized frameworks are generalized and therefore do not address this need.
Using the NIST CSF, let’s look at some examples of cyber resiliency reinforcing principles. I am declining to cover the obvious examples that are the functions of “Respond” and “Recover.” These functions contain the vast majority of the traditional concepts related to Business Continuity (BC) and Disaster Recovery (DR), which have long been associated with resiliency. I will note that the use of automation in the Respond and Recover functions will provide you a decided advantage when addressing the four foundational pillars. Let’s discuss two examples of cyber resilience contained elsewhere in the NIST CSF.
Category: Asset Management.
Sub-Category: ID.AM-5 – Resources (e.g., hardware devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value.
This concept reinforces CRF Foundational Pillar #3. Not all data systems are created equal. If your business holds customer data, payment card data, or research and development outcomes of your organization’s next product, the security controls applied to these systems and their corresponding network architecture need to be the most robust you can muster. On the other hand, if you are holding public website data or queued social media posts, your security controls and level of effort should be dialed down according to the lowered criticality of the data. This concept also means that you need to know where your data sits and its level of criticality. Utilizing this sliding scale of protection vs. criticality allows you to focus your security budget, avoiding the costly “one size fits all” approach.
Category: Security Continuous Monitoring
Sub-Category: DE.CM-1 through DE.CM-8 (all)
The concept addressed by this category is simple: if you don’t perform monitoring on all your devices (network, server, endpoint), you are running blind. It is extremely difficult to respond to an event that you had no idea ever took place. In the not too distant past, this meant blowing your security budget on expensive tools and high priced talent to run them. This is no longer the case. There are developments in security tools that give them multi-tenant capabilities, and an entire ecosystem of service providers is embracing these developments. You have the ability to go to market to seek monitoring services that are highly cost effective with a high level of customer service.
Cybersecurity frameworks are important and can be critical to your success. But you have more to do. You must reach into your organization and understand how it operates. This understanding allows you to prioritize your risk response and focus your budget accordingly. Don’t fear reaching outside the norm to explore services that support your cyber resilient posture.