TRANSCRIPT
NIST SP 800-171 DOD ASSESSMENT METHODOLOGY (DAM), VERSION 1.2.1
Chris Newborn, DAU Cybersecurity Enterprise Team
Webcast - Why
Targeted for Acquisition Workforce Members (AWF) who are responsible for:
• Delivering secure and resilient systems
• Determining cybersecurity requirements
Webcast - Why
Provides a forum to bring the right set of disciplines together to provide clarification regarding:
• AWF’s roles & responsibilities implementing the DFARS Clause and transitioning to the CMMC process
• Migration from current security requirements to the new CMMC process
• Challenges & issues concerning the implementation and execution of DFARS Clause on current and future procurements and the migration to the CMMC process
Webcast - Series Restart
The DFARS /CMMC webcast series will restart 25 Aug 2020. Possible subjects /topics:
• DFARS /CMMC Overview
• CMMC Level Selection
• CMMC AB Roles & Responsibility /Certification Process
• CMMC RFI /RFP Implementation
• DFARS /CMMC Limited Dissemination Control (LDC)/CUI Export Information
Outline
• Current Policy - DFARS
• Future Process - CMMC
• CMMC Roles & Responsibilities
• DoD Assessment Methodology
  - Overview
  - Scoring Methodology
  - Scoring
  - DIBCAC Result
  - DIBCAC Assessment Status
  - Stakeholder's Roles & Responsibilities
• Summary
Current Policy – DFARS Clause 252.204-7012
Requires the program office/requiring activity to:
• Mark or otherwise identify in the contract, task order, or delivery order Controlled Unclassified Information (CUI)
Requires the contractor/subcontractor to:
• Provide adequate security to safeguard CUI
• Report cyber incidents
• Flow down the clause in subcontracts
Future Process - CMMC
A certification process that measures a Defense Industrial Base (DIB) company's ability to protect Federal Contract Information (FCI) & CUI within the supply chain
Combines cybersecurity standards and maps practices and processes to maturity levels, from "basic cyber hygiene" to "highly advanced"
Builds from existing regulation and guidelines (48 Code of Federal Regulations (CFR) 52.204-21, DFARS 252.204-7012, NIST SP 800-171 & NIST SP 800-171B)
CMMC Roles/Responsibilities
Requires the program office/requiring activity to:
• Identify FCI/CUI Data and Marking Requirements
• Develop/Update Security Classification Guide (SCG) and Program Protection Plan (PPP)
• Identify CMMC Level(s)
Requires the contractor/subcontractor to:
• Develop/Update Artifacts/Deliverables per RFI/RFP
• Request C3PAO to perform CMMC assessment
• Develop Supply Chain/Tier 1 & below Contractor Support Agreements
Why DAM?
Executives /Project Managers /Contract Managers
• Develop certification strategy and scope
  o Subnetwork / Enclaves to support Supply Chain
  o Identification of CMMC Level III (CUI) and Level I (FCI) subcontractors and associated CMMC deliverables
• Develop contract artifacts/deliverables per RFI/RFP to include contractual flow down requirement
• Perform self-assessment to confirm CMMC Level requirements are 'fully' implemented and ready for 3rd party assessor
• Request C3PAO to perform CMMC assessment
• Develop draft response to RFI identifying possible CMMC compliance challenges
• Develop Supply Chain /Tier 1 Contract Support Agreements
CMMC Roles & Responsibilities - Prime/Subs:
NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1
Standard approach to "strategically" assess and document a contractor's implementation of NIST SP 800-171. The assessment measures the extent to which a company has implemented the security requirements in NIST SP 800-171:
• Results are based on what, if anything, is not yet implemented
• Results do not reflect a specific implementation approach or compare solutions
• All solutions that meet the NIST SP 800-171 requirements are acceptable
Consists of three levels of assessment to reflect the depth of the assessment and the associated level of confidence in assessment results (Basic, Medium, and High)
DoD Assessment Changes Enacted Since COVID-19 Restrictions
DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), partnered with the DIB, conducted pilot NIST SP 800-171 DoD Assessments. Fundamental concepts learned post pilot resulted in refinements to the assessment process:
• Standardization of assessment methodology
• Need for reciprocity
• Repeatable processes and assessment rigor
• Scoring consistency across DoD, no matter which DoD entity conducts the assessment
Additional changes were enacted due to COVID-19 and DoD travel restrictions:
• DCMA pivoted methodology
• Continued assessment mission virtually
• Kept the same standard and rigor for assessments; Virtual High Assessments are born
• The NIST SP 800-171 DoD Assessment Methodology Version 1.2 documents these changes
NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1
Levels of Assessment: Basic, Medium, High – Virtual, High – Onsite

Basic
• Conducted by: Contractor (self-assessment)
• Consists of: Review/Score of System Security Plan(s) and Plan(s) of Action
• 'Low' level of confidence in resulting score

Medium
• Conducted by: Contractor and DoD Component personnel trained IAW DCMA/DIBCAC procedures
• Consists of: Review/Score of System Security Plan(s) and Plan(s) of Action; Discussion/Interviews
• 'Medium' level of confidence in resulting score

High – Virtual
• Conducted by: Contractor and DoD/DCMA personnel trained IAW DCMA/DIBCAC procedures
• Consists of: Review/Score of System Security Plan(s) and Plan(s) of Action; Discussion/Interviews; Review Documentation
• 'High' level of confidence in resulting score

High – Onsite
• Conducted by: Contractor and DoD/DCMA personnel trained IAW DCMA/DIBCAC procedures
• Consists of: Review/Score of System Security Plan(s) and Plan(s) of Action; Discussion/Interviews; Review Documentation; Onsite Review
• 'High' level of confidence in resulting score

All levels are conducted IAW NIST SP 800-171A. Results are relevant to every contract supported by the assessed covered contractor information system(s). Scoring methodology is consistent across all levels of assessment.
NIST SP 800-171 DoD Assessment Scoring Methodology
• If all requirements are met, a score of 110 is awarded
• For each requirement not met, the associated value is subtracted from 110 (which may result in a negative score)
• Security requirements are weighted based on the impact to the information system and the DoD CUI when that requirement is not implemented
• Absence of a system security plan will result in a finding that 'assessment could not be completed due to incomplete information and noncompliance with DFARS clause 252.204-7012'
• Security requirements not implemented, whether a plan of action is in place or not, will be assessed as 'not implemented' (with the exception of any enduring exceptions to the requirements to accommodate special circumstances (e.g., medical devices), or any individual, isolated or temporary deficiencies)
• Implemented security measures adjudicated by the DoD CIO as equally effective, or approved as 'not applicable,' will be assessed as 'met,' with no deduction
NIST SP 800-171 DoD Assessment Scoring Methodology
Example entries from the scoring template (Security Requirement / Value / Comment):
• 3.1.17 Protect wireless access using authentication and encryption. Value: 5. Comment: Do not subtract points if wireless access is not permitted.
• 3.4.9 Control and monitor user-installed software. Value: 1.
• 3.5.2* Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. Value: 5.
• 3.5.3 Use multifactor authentication (MFA) for local and network access to privileged accounts and for network access to non-privileged accounts. Value: 3 to 5. Comment: Subtract 5 points if MFA is not implemented. Subtract 3 points if implemented for remote and privileged users, but not the general user.
• 3.8.1 Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. Value: 3. Comment: Exposure limited to CUI on media.
* Basic safeguarding requirements and procedures to protect covered contractor information systems per Federal Acquisition Regulation (FAR) clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.

NIST SP 800-171 DoD Assessment Scoring Template
• Weighted requirements include all 'Basic' Security Requirements and a subset of 'Derived' Requirements
• If not implemented, points are subtracted from the score of 110 as follows:
  ‒ 5 points for requirements that could lead to significant exploitation of the network, or exfiltration of DoD CUI
  ‒ 3 points for 'Basic' and 'Derived' requirements that have a specific and confined effect on the security of the network and its data
  ‒ 1 point for the remaining 'Derived' requirements (limited impact/indirect effect on the security of the network/data)
Basic Assessment
• Contractor's self-assessment of NIST SP 800-171 implementation status, based on a review of the system security plan(s) associated with covered contractor information system(s), and conducted in accordance with Section 5 and Annex A of the DAM document.
• Results in a confidence level of 'Low' in the resulting score because it is a self-generated score.
Medium Assessment
• Conducted by DoD personnel who have been trained in accordance with DoD policy and procedures to conduct the assessment.
• The first step: the Contractor conducts a Basic Assessment and submits the results to the Department.
• Assessment consists of a review of the Basic Assessment and a thorough document review and discussion with the contractor regarding the results to obtain additional information or clarification as needed.
• Assessment results in a confidence level of 'Medium' in the resulting score.
High Assessment
• Conducted by DoD personnel; requires a thorough on-site verification/examination/demonstration of the Contractor's system security plan and implementation of the NIST SP 800-171 security requirements.
• The first step: the Contractor conducts a Basic Assessment and submits the results to the Department.
• Assessment consists of a review of the Basic Assessment, a thorough document review and discussion with the contractor regarding the results to obtain additional information or clarification as needed, combined with government validation that the security requirements have been implemented as described in the system security plan. Network access by the assessor(s) is not required.
• Assessment uses NIST SP 800-171A and determines if the implementation meets the requirements by reviewing appropriate evidence and/or demonstration (e.g., recent scanning results, system inventories, configuration baselines, demonstration of multifactor authentication).
• Assessment results in a confidence level of 'High' in the resulting score.
DoD Assessment Scores
• Score of 110 = Full implementation of ALL 110 NIST 800-171 Reqts
• Subtractive & Weighted scoring between 1 to 5 points off for every unimplemented reqt.
• You could be 80% done, and still score ZERO (or even have a negative score)
• Suppliers should be scored on the same scale, and be ready to share their SSPs and/or undergo 171-A evidence-based validation when requested
Cybersecurity Scoring with the Assessment
• Weighted requirements include all of the fundamental NIST SP 800-171 'Basic Security Requirements' - high-level requirements which, if not implemented, render ineffective the more numerous 'Derived Security Requirements'; and a subset of the 'Derived Security Requirements' -requirements that supplement the Basic Security Requirements - which, if not implemented, would allow for exploitation of the network and its information
• For security requirements that, if not implemented, could lead to significant exploitation of the network, or exfiltration of DoD CUI, 5 points are subtracted from the score of 110
- Basic Security Requirements with a value of 5 points include 3.1.1, 3.1.2, 3.2.1, 3.2.2, 3.3.1, 3.4.1, 3.4.2, 3.5.1, 3.5.2, 3.6.1, 3.6.2, 3.7.2, 3.8.3, 3.9.2, 3.10.1, 3.10.2, 3.12.1, 3.12.3, 3.13.1, 3.13.2, 3.14.1, 3.14.2, and 3.14.3.
- Derived Security Requirements with a value of 5 points include 3.1.12, 3.1.13, 3.1.16, 3.1.17, 3.1.18, 3.3.5, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.5.10, 3.7.5, 3.8.7, 3.11.2, 3.13.5, 3.13.6, 3.13.15, 3.14.4, and 3.14.6.
Cybersecurity Scoring with the Assessment
• For Basic and Derived Security Requirements that have a specific and confined effect on the security of the network and its data, 3 points are subtracted from the score of 110
- Basic Security Requirements with a value of 3 points include 3.3.2, 3.7.1, 3.8.1, 3.8.2, 3.9.1, 3.11.1, and 3.12.2.
- Derived Security Requirements with a value of 3 points include 3.1.5, 3.1.19, 3.7.4, 3.8.8, 3.13.8, 3.14.5, and 3.14.7.
• All remaining Derived Security Requirements have a limited or indirect effect on the security of the network and its data. For these, 1 point is subtracted from the score of 110
Documenting NIST SP 800-171 DoD Assessment Results
• Summary level assessment scores will be posted in the Supplier Performance Risk System (SPRS) to provide DoD Components with visibility to the results of:
‒ Basic (self) assessments completed by the Contractor
‒ Medium and High assessments conducted by DoD
• DoD Components should rely on scores posted in SPRS in lieu of including requirements to assess implementation of NIST SP 800-171 on a contract-by-contract basis.
• Authorized Contractor representatives may access SPRS to view their own results
Results posted in SPRS for each system security plan assessed:
• The standard assessed (e.g., NIST SP 800-171 Rev 1)
• Organization conducting assessment (identified by DoD Activity Address Code (DoDAAC) or Commercial and Government Entity (CAGE) Code)
• Each information system/system security plan assessed, mapped to associated CAGE code(s)
‒ If contractor has multiple system security plans and/or CAGE codes, all CAGE codes must be mapped to appropriate system security plan(s)
• Date and level of assessment, i.e., Basic, Medium, High (Virtual) or High (Onsite)
• Summary level score (e.g., 105 out of 110)
• Date score of 110 will be achieved based on information gathered from associated plan(s) of action
Status of Results Posted in SPRS
Results for 114 Basic, Medium, and High NIST SP 800-171 DoD Assessments posted in SPRS, representing 71 companies:
• Basic – 78
• Medium – 8
• High – 28
Go to https://www.sprs.csd.disa.mil for information on how to access
DIBCAC Assessments Status Update
Stakeholder Roles and Responsibilities - NIST SP 800-171 DoD Assessment

Program Offices
• When warranted as part of an overall risk decision, partner with DCMA DIBCAC* to conduct Medium or High NIST SP 800-171 DoD Assessments
• Assess/address acceptable level of risk should a cyber incident on a contractor's information system impact DoD CUI:
  ‒ Check SPRS for results of completed NIST SP 800-171 DoD Assessments
  ‒ See DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented

CISOs, CIOs, and IT Security Specialists
• Partner with DIBCAC and DoD Components to complete Medium or High DoD Assessments

Contracting Community
• Further contractual requirements pending publication of DFARS Case 2019-D041, Strategic Assessment and Cybersecurity Certification Requirements
• Augment solicitations and/or contracts with enhanced requirements when necessary to address risk

DCMA
• DIBCAC* to partner with DIB and DoD Components to conduct Medium or High DoD Assessments
• As part of contract oversight, verify system security plans/associated plans of action are in place

Defense Industrial Base
• Conduct Basic (self-assessment) NIST SP 800-171 DoD Assessment
• Complete System Security Plan(s) and associated Plan(s) of Action to demonstrate implementation of NIST SP 800-171

* DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), established to ensure contractor compliance with cybersecurity standards
Summary
• NIST SP 800-171 DoD Assessment Methodology
  - Applicable to NIST SP 800-171 security requirements
  - Can be used to evaluate past performance/compliance
  - Should be an RFP entry/submission requirement
• Each Command/Procuring Activity should validate/verify their primes and/or subs have performed assessments and uploaded them in the Supplier Performance Risk System (SPRS)
The slides and questions will be posted at
xxxxx
And the recording will be posted at https://www.dau.edu/dau-webcasts
Survey: xxxx