Demystifying The Cloud: CMMC And FedRAMP - MISI

Transcription

Demystifying the Cloud: CMMC and FedRAMP
Rob Wilson, Chief Technology Officer, NeoSystems LLC

Who's in charge now?
- Federal Information Security Management Act (FISMA): defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats.
- Federal Risk and Authorization Management Program (FedRAMP): a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
- DFARS 252.204-7012: safeguarding rules and clauses for the basic safeguarding of contractor information systems that process, store or transmit Federal contract information. DFARS provides a set of "basic" security controls (SP 800-171) for the contractor information systems on which this information resides.
- NIST: tasked by the US Government to develop technology standards, including information security standards like SP 800-171 and SP 800-53. Creates publicly available risk management frameworks, controls, and technical standards cited for use by Federal, State, and Local regulations.

Who's in charge next?
- The Cybersecurity Maturity Model Certification (CMMC) is designed to provide increased assurance to the DoD that a Defense Industrial Base contractor can adequately protect Controlled Unclassified Information (CUI) at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.
- Revised DFARS 252.204-7012, incorporating the CMMC: DoD moving from self-attestation to auditing.
- Revised FAR 52.204-21, from the FAR Council (Office of Management & Budget, GSA, NASA & DoD). 2H2020: expecting new FAR 52.204-21 requiring CMMC Level 1.

50,000 Foot View
- FedRAMP: government-wide cloud security
- DFARS 7012: DoD DIB system security and incident reporting
- CMMC: certification to verify compliance
- NIST: creates the standards used in the above

Why? Money
- Cost of malicious cyber activity to the U.S. economy: $57-109B/yr
- Global cost of cybercrime: $600B/yr

Why? Money, Humans
- Defense Industrial Base: 300,000 companies
- Inconsistent interpretation of requirements
- Inconsistent implementation of cybersecurity
- Target-rich environment for our adversaries

Why? Money, Humans, Math
Problem: "Overreliance on 'trust,' in dealing with contractors, vendors, and service providers, has encouraged a compliance-oriented approach to security: doing just enough to meet the 'minimum' while doubting that sufficiency will ever be evaluated."
Solution: "Structure acquisitions so contractors have a profit motive to enhance security."
– Mitre, Deliver Uncompromised

The FedRAMP Program
- Government-wide program established in 2012
- Standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services
- Assess once; re-use across many agencies/use cases
- Mandatory for all agencies and all cloud services

Who’s In Charge Here?

FedRAMP product listing (screenshot; only the slide title is recoverable)

Federal Policy and Legal Framework

FedRAMP Program Goals
- Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations
- Improve confidence in the security of cloud solutions and security assessments
- Achieve consistent security authorizations using a baseline set of agreed-upon standards for cloud product approval in or outside of FedRAMP
- Ensure consistent application of existing security practices
- Increase automation and near real-time data for continuous monitoring

What is "Cloud"? As related to Federal data
"Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." - NIST SP 800-145
In short, cloud computing enables network access to shared computing resources. Its five essential characteristics:
- On-demand self-service
- Broad network access
- Resource pooling
- Rapid elasticity
- Measured service

Why are Cloud Services Transformational?
- Save money
- Ease of adoption
- Ease of scaling
- Added security capabilities
- Transfer risk (and compliance)
- Improve time to results
- Purchase vendor-driven innovation

FedRAMP For Contractors: DFARS 252.204-7012(b) Adequate Security (2)(ii)(D)
"If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information (CDI) in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment."

Shared Responsibility
The slide stacks the layers of a hosted system and shows who owns each layer under the three service models (the customer's responsibility is whatever sits above the provider's line):

Layer                      | IaaS       | PaaS       | SaaS
---------------------------+------------+------------+---------
Data                       | Customer   | Customer   | Customer
Application / DB           | Customer   | Customer   | Provider
Middleware                 | Customer   | Provider   | Provider
Operating System           | Customer   | Provider   | Provider
Servers / Virtualization   | Provider   | Provider   | Provider
Compute, Network, Storage  | Provider   | Provider   | Provider
Physical Facility          | Provider   | Provider   | Provider

Whatever the model, the customer never transfers responsibility for its data; using a FedRAMP-authorized provider only moves the lower layers out of the customer's assessment scope.

DFARS 252.204-7012
- Adequate security on all covered contractor information systems
  - NIST SP 800-171 mandatory since Dec 31, 2017
  - FedRAMP Moderate for cloud services
  - Other security measures the Contractor determines are needed based on circumstances/risks
- Cyber incident reporting
  - Investigate incidents
  - Assess damage
  - Preserve/protect evidence
  - Report to DoD within 72 hours
  - Submit malicious software and other evidence for analysis
- Flow down to subcontractors

Challenges With Implementation
- 1,000 suppliers surveyed
- Identified NIST SP 800-171 controls not yet implemented
- Least-implemented controls deemed "most difficult"
Source: https://my.exostar.com/display/TE/June 2018%3A Most Difficult Controls in NIST 800-171

CMMC
- The Cybersecurity Maturity Model Certification (CMMC) is designed to enhance the protection of controlled unclassified information (CUI) and Federal Contract Information (FCI) in the DoD supply chain
- Nearly all contractors possess FCI
- All DoD contractors will be required to have a CMMC certification, including:
  - Small businesses
  - Contractors that do or do not possess CUI or FCI
  - Subcontractors
  - Commercial contractors
- CMMC is designed to build upon DFARS 252.204-7012 and NIST SP 800-171
- CMMC does not replace the DFARS requirements such as incident reporting

CMMC Timeline: The Expected Process
- CMMC version 1.02 is dated March 19, 2020
- Initial training for assessors is planned to start in July 2020
- First "pathfinder" contracts with a CMMC requirement expected in late 2020
- Adding CMMC to new and renewing contracts over a 5-year roll-out period: "Crawl, Walk, Run"
Find the latest CMMC documents here: https://www.acq.osd.mil/cmmc/draft.html

CMMC Requirements: "M" is for Maturity

CMMC Requirements: Practices
"A specific technical activity or activities that are required to achieve a specific level of cybersecurity maturity."
Each level adds new Practices cumulatively onto the lower levels.
Source: Cybersecurity Maturity Model Certification (CMMC), version 1.0, January 30, 2020

CMMC Requirements: Processes
"A specific procedural activity that is required to achieve a capability level. Processes detail maturity of institutionalization of the practices."
Each level adds an increasing level of maturity of the Processes used to manage cybersecurity.
Source: Cybersecurity Maturity Model Certification (CMMC), version 1.0, January 30, 2020

Certified Third Party Assessment Organizations: Self-Attestation vs. Assessment
- Major difference between NIST SP 800-171 and CMMC
- Contractors will have to engage an independent C3PAO to perform an assessment and issue a recommendation on certification
- Assessments will require contractors to be able to demonstrate they are meeting the requirements of the level of certification they seek
- Documented evidence for required Practices and Processes
- All Capabilities must be fully demonstrable

Summary (figure; content not recoverable from the transcription)
Source: Cybersecurity Maturity Model Certification (CMMC), version 1.0, January 30, 2020

What Changes Can We Expect?
- Revised DFARS 7012 expected soon, mandating CMMC requirements Levels 1 through 5
- Incident reporting requirements will remain
- Subcontractor flow-down will remain
- Reciprocity between CMMC and FedRAMP expected for cloud services
- FedRAMP requirement likely to remain, strengthened and codified
- Revised FAR 52.204-21 expected to mandate CMMC Level 1 for all government contractors

Finally: What we're all about
- Leading provider of Managed Services and Business Management System Implementation & Consulting Services
- Enable, Run & Secure Business Operations: Accounting, Financial Planning & Analysis, Hosting, Security, IT Infrastructure & Management, HR Management, Training
- Best-in-Class Technology Partnerships
NeoSystems: Integrator and Managed Services (Accounting, Human Capital, IT, Hosting) and Managed Security (Prevention, Detection, Response)
Attestations listed: FedRAMP Ready, FISMA Moderate, NIST 800-171, SOC 1, SOC 2
Turn-key or custom solutions
NeoSystems LLC 2019

How We Help
Managed service provider with full coverage of administrative and technical CMMC requirements: Managed Security, Managed IT, FedRAMP Ready Hosting, CMMC Success
NeoSystems LLC 2020

How We Help: Basic CMMC Compliance Package
NeoSystems assumes responsibility for cybersecurity compliance, including successfully passing the CMMC audit.
One-time:
- Fractional Information Security Officer (ISO) assigned as your "go-to" person for all security compliance items. This consultant is responsible to drive the security program from beginning to end.
- Gap assessment mapped directly to the applicable compliance requirements (CMMC, FAR, DFARS, etc.)
- Foundational documents needed for a mature security program (policies, procedures, security plans, etc.) built from our templates. You pay only for the time needed to customize them to your organization.
On-going:
- Support to drive all periodic recurring security program tasks on a strict schedule. This ensures that all required processes operate effectively.
- On-request access to security expertise for questions, new systems, new risks, etc.
- Vulnerability scanning of all systems monthly to create a prioritized list of IT asset vulnerabilities. This enables system administrators to effectively manage the risk of software flaws.
As needed:
- Incident response support including required data collection and reporting (to meet DFARS requirements).
Pricing is a fixed monthly service fee (on-going) plus T&M for set-up (one-time) and incident response (as needed)
NeoSystems LLC 2019

How We Help: CMMC-Related Services to fill gaps in required Technical Practices
Managed Security:
- Managed detection and response (log management)
- Endpoint protection (managed anti-malware)
- Boundary protection (managed firewall)
- Patch management
Managed IT:
- Network, server, and endpoint management
- Patch management
- Cloud backup
- Encryption
- Email protection
- Microsoft O365 management
Hosting:
- Cloud application hosting (FedRAMP Moderate)
- Hosted desktops (secure enclave)
Standard offerings to cover ALL technical practices required by CMMC; add to the Basic CMMC Package as needed
NeoSystems LLC 2019

Q&A / Contact Us
Rob Wilson, CTO, NeoSystems LLC: rob.wilson@neosystemscorp.com
More info: growahead@neosystemscorp.com
Chat with us at: https://www.neosystemscorp.com
