Are You Prepared for the CYBERSECURITY CHALLENGE? The Cybersecurity Division of IMRI Presented by: Martha Daniel, President and CEO

Confidential & Proprietary © 2018 IMRI Cytellix, the Cybersecurity Division of IMRI

IMRI/Cytellix – Trusted Leader in Managed Cybersecurity

Computer Operations: Manages over $300 million

Cybersecurity: Over 1500 networks, 7 million devices; engaged with U.S. Army Network Enterprise Technology Command; Missile Defense Agency; U.S. Army Corps of Engineers; DISA

Data Center/Cloud Computing: 15 facilities, 4 million users, 2800 applications

Data Center Consolidation: 22 operations with merger of $2 billion in assets

Software Development: Application modernization and software development planning and implementation

Certifications: ISO 9001 / AS9100; CMMI compliant; industry and professional certifications

ARE YOU PREPARED for the CYBERSECURITY CHALLENGE ?

TODAY’S DISCUSSION

What is the Cybersecurity Challenge?

“Cybersecurity is big business concern” Bad Actors - Hackers love Small Businesses

How can I become better prepared for the Cybersecurity Challenge?

Questions and Answers

Pentagon Warns CEOs: Protect Your Data or Lose Our Contracts

“Cybersecurity should be a top priority for its contractors.” Deputy Defense Secretary Patrick Shanahan

Regulatory Mandate for Cybersecurity Compliance

Compliance: Effective Jan 1, 2018

30-days after contract award

Breach notification 72-hours

100% Compliance has been delayed

DFARS 252.204-7012

NIST SP 800-171

CSET

The goal of the new regulations is to secure sensitive data on the computers and networks at smaller companies.

Cyber Security Evaluation Tool (CSET®)

Compliance

WHAT IS THE ….

Discussion #1

CYBERSECURITY CHALLENGE ?

Regulatory Mandate for Cybersecurity Compliance

A. DFARS compliance

B. Cybersecurity as an evaluation criteria

C. Expansion of federal contractor cybersecurity obligations beyond DoD

D. Cybersecurity audits

A

DFARS Compliance

DFARS 252.204-7012: Applies to all Department of Defense (DoD) contractors that store, process, or transmit covered defense information (CDI).

CONTRACTORS MUST implement NIST 800-171 standards:

1. Perform an assessment

2. System security plan (SSP)

3. Plan of actions and milestones (POAM)

Definition: Covered defense information system (CDI)

An unclassified information system that is owned, or operated by or for, a contractor and that stores, processes, or transmits CDI.

B

Cybersecurity as an Evaluation Criteria

NIST SP 800-171 Rev. 1: Agencies may request SSPs and POAMs from contractors. These cybersecurity protection documents may be considered by procurement agencies in evaluating proposals for contracts.

IP Keys Tech, B-414890, B-414890.2, October 4, 2017

The GAO found that the agency reasonably assigned the awardee’s proposal a strength for exceeding the minimum cybersecurity criteria.

Syneren Tech, Corp, B-41508, B-415058.2, Nov. 16, 2017

General Accountability Office (GAO) upheld the Navy’s determination:

• offer was technically unacceptable

• failed to meet DoD and Navy cybersecurity requirements

Disqualified as Technically Unacceptable

Fully Compliant to NIST SP 800-171

C

Expansion of Federal Contractor Cybersecurity Obligations Beyond DoD

Several agencies include contract-specific cyber clauses in select contracts

Individual agencies are taking their own steps to strengthen cybersecurity protections

Department of Homeland Security also has proposed cybersecurity regulations for DHS contractors

GSA announced that it is developing proposed GSA FAR supplement (GSAR) clauses that will impose NIST-based controls on contractors with access to unclassified GSA information as well as cyber incident reporting requirements

Federal Acquisition Regulation (FAR) includes a basic safeguarding clause, FAR 52.204-21, which incorporates only 15 of the NIST 800-171 requirements

D

Cybersecurity Audits

Business System Audits

• Verification that the contractor has an SSP

• Verification that the contractor submitted a POAM to the DoD Chief Information Officer (CIO), within 30 days of any contract award

• Verification of any necessary External Certificate Authority (ECA) or Public Key Infrastructure (PKI) certificate

Discussion #2

“Cybersecurity is only a concern for big business”

Attackers (hackers, nation states, hacktivists, organized crime) have a business predicated on successful attacks on your data.

Cyber attacks are on the rise; SMBs are the largest targets.

The Small & Medium Business as a Target

60% of SMB cybercrime victims go out of business within 6 months of attack (NCSA)

50% of all surveyed in 2016 reported being victims of cyber attacks. (National SBA)

70% of all targeted attacks struck small to mid-sized organizations in 2016 (SMB Group)

50% of small and midsized businesses have fallen victim to ransomware; 48% of those paid a ransom (2017 Ponemon Institute)

Cyber Attacks on the Rise! Cybersecurity Misconceptions:

Attacks are becoming commonplace. Hacking is a fact of life.

Real Reasons Why SMBs Are Targeted

• Lack of Investment in Cybersecurity

• SMBs can Lead to Blue Chip Organizations

• SMBs are More Inclined to Pay Ransom

The Top Security Challenges SMBs Currently Face:

• IoT Opens Excessive Entry Points

• Insiders are the Most Common Culprits

• The Cloud Isn't Safe From Security Flaws

Top Cyber Attack Threats

Discussion #3

Simplifying the actions: Following the Cybersecurity Framework

Framework functions: Identify, Protect, Detect, Respond, Recover

Actions:

• Assessment

• Gap analysis actions (POAM)

• Continuous monitoring for cyber events

• Cyber event notification, policies, planning, implementation

• Remediation, Policies & Procedures

Simplifying the actions

NIST 800-171 is our recommended guidance

Cybersecurity Framework: The recommendation for all companies and verticals

Contractors must notify the DoD of any security gaps within 30 days of any contract award

Adequate security is defined as a minimum in NIST 800-171 with the 14 controls (to protect controlled, unclassified data):

• Access Control

• Awareness and Training

• Audit & Accountability

• Configuration Management

• Identification & Authentication

• Incident Response

• Maintenance

• Media Protection

• Personnel Security

• Physical Protection

• Risk Assessment

• Security Assessment

• System & Com Protections

• System & Info Integrity

To Continue with Contract Awards from your Prime Contractors or the Federal Government You must Complete the following Cyber Security Requirements:

CSET Assessment management & report

Scaled to meet NIST 800-171 requirements

Network scan and real-time assessment & report

Gap Analysis & Assessment of 14 controls & report

Security Plan & Plan of Action & Milestones (POAM)

Continuous network asset monitoring

Remediation – best practices & practical implementation

ASSESSMENT

GAP ANALYSIS REPORT

Plan of Action & Milestones (POAM)

CONTINUOUS REAL TIME MONITORING

How Do I Get Started With My CyberSecurity Challenge ?

You Have Choices

1. Self Compliance Assessment
   ICE-CSET Tool (Technical Knowledge Required)

2. Turn it over to my IT Team
   Cybersecurity Skills Required and FEDRAMP Certification

3. Secure a Consultant / Outsource
   Select a firm that is affordable
   TurnKey Managed Services (FedRAMP)
   Automated best practices providing you with remediation support

REMEDIATION

www.cytellix.com

https://www.cytellix.com/webinarregistration/

Corporate Office: 85 Argonaut Suite 200 Aliso Viejo, Ca 92656

Phone: (949) 215-8889

The Cybersecurity Division of IMRI