Saturday, January 16, 2016

Work with the government? Get ready.


NIST SP 800-171 is designed to protect controlled unclassified information (CUI) outside of the government, and for those who bid on contracts, several new GSA regulations are being put in place that state that every company must now attest to the fact that they have a security program in place, and (report to the government) when they have a breach that affects CUI.

I’m not a huge fan of compliance models, and this is no different, but it’s a step in a direction that’ll both be praised and criticized. Why praised? Because this is a huge step forward in a national plan for cyber reform. Is it perfect? Not by a long shot but you fill the ocean one drop at a time. Why criticized? Several areas where this is going to require some attention. I’ve been down this path before as both in private industry and as a government guy. I’ve seen the argument from both sides and understand both.

The new rules are going to require that protection of CUI in non-federal systems.

What exactly is CUI? I’m not asking for the definition of CUI, rather exactly what is the CUI that the government wants protected? Give me a list of key components in that widget. If we lose them to espionage actors, I’ll tell you.

How many pieces of CUI has the government defined, in how many contracts, that must have extra controls and be reported if lost during a cyber event? Is there a central repository where these things are stored? Can I log in and search for the list of things my contract requires me to protect?

How has the government protected my CUI? Should we use the same controls as defined by the government when they don’t work? Was OPM FISMA compliant? 800-53?

Do the authors of the rule understand that the vast majority of the companies that this will affect have no idea what those actors look like on the wire, and have very little ability to protect themselves? In the last 30 days I’ve talked to two companies –one 1500 people and one 11,000 people. Both are heavy satellite suppliers to NASA and DoD –but neither had a designated Chief Information Security Officer or security team.

So here’s the deal

There is no way that a company who does any kind of work will escape the requirement to report breaches to the government; and don’t plan on using their tech –Einstein is old tech, and not available for your use. So what should you be thinking about?

I run a small business. We audit our systems annually, and must document our security, attest to several of our customers. If you’re not prepared, this can be a huge cost sink. I get asked the question all the time… How do we do it?
  • Place your systems behind those who have the ability to protect them.  Regardless of cloud or on-premise, there are some great MSSPs out there that can protect your data at the baseline level. If you need more specialization, look for more specialized providers.  MSSPs are a great way to get good protection at a reasonable price --it's far less than building it yourself.
  • Our data is segmented into multiple levels of sensitivity and we protect them each differently. What could you afford to lose? What must you never lose? When you get that CUI list, what level of protection and monitoring will that require? As an example, we use cloud services for some of our data for our lowest levels of sensitivity –public facing stuff, but we put motes around private data in diverse locations for more sensitive data.
  • We use encryption often and we never trust SSL.
  • Use VPNs to create motes around highly sensitive data.
  • We model to ISO 27001. 
Need more? A plan? Start here. It’s free. I wrote it in 2012, but it’s still highly applicable. Need monitoring and intel? Call us. I’ll set you up with a partner who’ll get you up and running.

Have a great weekend, and..

GO PATS!

Jeff