Welcome back to the Cyber Underground. I know it's been a really long time. I kind of took the summer off. Did you miss me? It's okay. I'm back and everything's going to be fine now. My name's Dave Stevens. I teach for the University of Hawaii at Kapiolani Community College. I teach network security and ethical hacking. And I'm also the co-founder of Kapu Technologies, a cyber security company here in Honolulu in the Hawaiian Islands. You can come down here and visit us anytime. We'd love to see you. Also, I'm doing the presentation today for myself and Andrew Lanning, co-founder of Integrated Security Technologies, also here in Hawaii. And they do physical and electronic security. And next week, we will be in Texas in Dallas at the Cyber Security Forum 2019. On Tuesday at 2:15 in the afternoon, we'll be giving this exact presentation. And then we're going to come back on August 6th on Andrew's show, Security Matters. We'll both be on the show to tell you how it went and to give you an update on some of these things that are coming by at the speed of light. Why should you care? Because if you run a business and you do any business with the federal government, your life's about to change. And I like that it changes so often because it tells me the federal government actually keeps track of this stuff and tries to keep up at the speed of cyber, which you know is actually faster than light. Let's roll to our first slide and let's talk about the Defense Federal Acquisition Regulations, or DFARS, and they cover all of these industries you're seeing on the screen right now. If you think your industry's not covered, think again, because every one of these industries has about 15 to 20 sub-industries and we'll go over that a little bit later. But the reason I'm bringing this up is because DFARS is what's going to show up on your contract with the federal government.
They're going to have a couple of requirements on there and I'm going to show you what they're going to look like. And it's going to change how you deal with cybersecurity. And when I say how you deal with it, I mean that you're going to have to become certified, and that's the big change by January 2020. DFARS will require you to become certified on the cybersecurity maturity certification matrix, levels one through five, five being the highest, but don't worry, not everyone can get there. At level five, you'd have to have an operation or security operation center running 24/7/365, and not a lot of us can keep up that kind of overhead. But you can be level one and have basic cyber hygiene and be a typical small or medium-sized business, and your contract details will dictate what level you have to be at. If you don't know what DFARS is, let's roll through to the next slide and find out. On your contract, you're going to see something like this. DFARS, the clauses, they're going to end in 7012, and the next one down there. Those are the two red boxes, the ones you should pay attention to. These are the ones that are going to affect how you store data. Now, which data? We'll talk about that. Let's roll through to the next slide. Check out my notes here. All right, this is the Defense Safeguarding Covered Defense Information, or DFARS, clause that covers what's called CUI, or Controlled Unclassified Information. You may not think that pertains to you, but nine times out of ten, it does. And I'm going to give you an example. I used to work for a company that went inside and calculated square footage for the inside of buildings on base for contracts relating to janitorial services, in the middle of the night when people come in and clean up your buildings. Well, that square footage got published, and that square footage plus locations of bases could be controlled unclassified information because it could compromise the security of that particular base.
So as you can see, a particular piece of information that might not be a security asset on its own, put together with others or in aggregate, might actually constitute some controlled information. So if you're storing that or creating that or transporting that on your networks or on your systems or in your cloud storage, these contracts pertain to you. So when you sign up with the federal government and they want you to do business with them, you're going to have to comply. Let's roll through the next slide and start talking about that. First of all, you can go look at the CUI, or controlled unclassified information, categories at the National Archives. This is how you get to it. This is what it looks like. And it goes on and on and on. And the great part about this National Archives site: if you click on something that looks like your industry and you think that pertains to you, the link will take you to a place that actually shows you, link by link, document by document, exactly what you have to do to be covered. Okay, let's roll on through. This is the definition of controlled unclassified information or controlled technical information. It could include engineering drawings. You never know. If you're making something for the federal government, it is actually controlled information. Let's look at how this is broken down and how you're supposed to classify this in your own environment. Let's roll to the next slide. What we're looking at here: under DFARS, they make you comply with something that was published by the National Institute of Security and Technology, NIST. They have a special publication called 800-171. That has all the controls that your small and medium business has to comply with to do business with federal government organizations. Those rules, there's 110 of them, broken down into 14 families, which you're looking at now. And we're going to break them down even further and tell you how you can start to comply with these regulations before they say you have to.
All right, let's roll again. At the end of the document, NIST 171, you're going to see tables like this. It shows you exactly the rule you're supposed to comply with on the left. And it drills down to another, more detailed document, the 800-53, which is made for federal government organizations only. If you read those rules in the 800-53, it will tell you how to actually comply with those rules. And it tells you which ones to comply with. So just for your reference, 800-171 has 110 controls. And the 800-53 has a couple thousand controls. So just a subset of 800-53 constitutes what you as a small non-governmental business have to comply with. Okay, let's roll again. Here's where it hits home. You have to store your stuff these days in cloud environments. We don't all do on-premise installations and storage of our data anymore because, well, let's face it, data centers cost a fortune, and storing stuff in the cloud is fantastically economical. It saves you a whole bunch of money and overhead. You can charge less and be more competitive in your contracts. And when you do get the money, you can save a little bit and put more on your bottom line. So we're all going cloud these days. So that middle column is telling you, if you want to be certified at a level that you can work with the DFARS clauses for the federal government, you have to have your data hosted in an environment that's at least at that level. And what we're doing is going over Office 365 and the Azure Cloud environment servers here. You have to have at least GCC High, or the Government Community Cloud level High, to comply with this. NIST 800-171 is one of those requirements. You can see it's yes across the board for those. But the DFARS C through G, that's what you need to worry about. So the reason you have to do that is because that's going to be in your DFARS contract going forward very soon. And if it's there, that means you have to comply.
And complying with those C through G means if there's an incident and you report it, which you should within a certain amount of time, the government could and usually does ask for your physical hard drives. And unless you're in the GCC High environment in Microsoft Azure 365, they won't give the government those drives and you will be out of compliance and your contract will be canceled and you'll be cut loose. To get into this environment is a little difficult. Let's go to the next slide. Once you get into a place where you need this, you'll have the requirements on a contract first. When it comes to that, and you have it in your contract and you're not in that environment, you have to go see a cloud service provider that is FedRAMP certified according to these new DFARS regulations. Once you find somebody like this company, Coalfire, they'll give you an attestation letter, which is this one, telling you which controls they will handle in their environment and which ones you're responsible for. There are also some controls that you both have to handle. Those are shared controls, and I'll go over those in a minute. Now, to get to this place, you have to be a contractor with a contract that requires this level of certification and these requirements. You have to have it in contract first before Microsoft will let you into the Government Community Cloud, or GCC High, environment. And it's not cheap. It can take six months and multiple thousands of dollars to get into this environment. However, there's no longer a requirement to have 50 or more users. You can go in with two to ten users and still be just fine. It's going to cost you some money. However, you can pass on that cost legally to the federal government because they know they're building more requirements into their contract. You can charge for that. Oh, you're going to get your money back. Okay, let's roll again to the next slide. Where do these requirements come from?
Well, we had the Federal Information Processing Standards, or FIPS. That's been around for, it feels like centuries, but then again, I'm just old. So maybe multiple decades. We have the FIPS 200 minimum security requirements for federal information and information systems. I need to emphasize that the FIPS regulations constitute the NIST 800-171 basic requirements. And then we get derived requirements after that. I'm going to give you some examples of both of those. So don't worry. I'm not going to leave you hanging. Let's roll to the next slide. Here's the NIST 800-171. It is uniquely put together to eliminate federal requirements. So this is for non-federal organizations exclusively. And it's expected that you as an organization, if you're required to do this, are routinely monitoring and updating your security plan, or system security plan, also known as an SSP. That system security plan is actually what gets you the contract. You have to hand it to your contracting officer and they say yes or no. Go or no-go. You get the contract or you don't. And there are going to be some surprise requirements. We're going to discuss that in a second. Next slide. Contracts with the U.S. Fed apply to all components of non-federal systems, and we were just discussing that, that process, store, create, transmit, or provide CUI. Most of the time you need to go to your contract officer and say, sir or ma'am, what actually constitutes controlled unclassified information or controlled technical information in my contract? Lock them down on their scope. Don't let them skate on this one. This is incredibly important to you as a business owner. If you don't, you can get caught holding the bag and you can get fined and you can be charged criminally. Don't let this happen to you. At the very least, you'd lose your contract, and that's a loss of a whole bunch of money on your bottom line. Don't do that. It's broken down into 14 security families in this document.
110 of them are basic requirements. And we'll show you examples later on. 79 are derived requirements. That means they take the basic requirement, then they get a little bit more specific. Let's roll on to the next slide. First, when you comply with the NIST 800-171 documentation, don't go through the controls and just check all the boxes and think you're secure. You've got to balance your organization. The DFARS, the FIPS, the NIST, they all require this incredible confidentiality. There's this thing called the CIA triad that we use in security: confidentiality, integrity, and availability. And you can make things incredibly secure and lose the availability of that data or lose the integrity of the data. I'll give you an example. I could be the most secure organization in the world. If this was my CUI, I could take it. I could put it in a closet with a big steel nuclear-proof door, shut it, lock it, and throw away the key. Hey, that's secure. That's the most confidential data in the entire world. But then what? What do you do with that? Do you know it's accurate data? No, because you can't see it. So the integrity of the data is in question. And, of course, it's not available, so you can't use it, so who cares? So in your organization, when you actually apply these tools, keep business in mind. You have to keep things moving forward. You have to complete your objectives. You have to actually fulfill the requirements of your contract, and if you apply all this confidentiality and the data can't move or be transmitted or be used, or you have no faith in it, you've lost scope. You've lost your data. So really, you've got to balance your organization here. And to do that, you've got to create a culture that spreads through your entire organization. You can't just hire one or two security people and say, hey, you're it. Cool. We're all covered. We're secure. Now we can go about our business.
That's not going to work, because the first person that clicks on an email with a malware-laced PDF, you're down, because that goes right around your firewall. It's social engineering and your training was inadequate. And your whole team could be victimized with ransomware or malware or a backdoor or Trojan or some other virus. You don't want that. So balance your culture. Get everyone involved. You have to use kind of a hive mentality. And organize training sessions. Most people do it at least once a year for a small to medium business. I'd recommend a minimum of twice a year. And some organizations actually do four times a year, quarterly. And that's because of attrition. You lose people. You gain people. You've got to make changes in your organization. New training comes out. New threats are out there. Old ones never go away, by the way. They're still out there. Low-tech is best. And they can get around by picking locks. So train everybody how to be the most secure they can and to be hyper-aware at all times. And retrain them, because you might forget. People are people. Let's roll through to the next slide. Okay, we're going to go through checking boxes or creating a culture right after we take a break. We've got one minute. We're going to take a break, pay some bills. We'll be right back. Until then, stay safe.

Hi, I'm Rusty Komori, host of Beyond the Lines. I was the head coach for the Punahou Boys varsity tennis team for 22 years. And we were fortunate to win 22 consecutive state championships. This show is based on my book, which is also titled Beyond the Lines. And it's about leadership, creating a superior culture of excellence, achieving and sustaining success, and finding greatness. If you're a student, parent, sports or business person and want to improve your life and the lives of people around you, tune in and join me on Mondays at 11 a.m. as we go Beyond the Lines on Think Tech Hawaii. Aloha.

Aloha. My name is Wendy Lowe.
And I want you to join me as we take our health back. On my show, all we do is talk about things in everyday life in Hawaii or abroad. I have guests on board that will just talk about different aspects of health in every way, whether it's medical health, nutritional health, diabetic health. You name it. We'll talk about it. Even financial health. We'll even have some of the Miss Hawaiis on board. And all the different topics that I feel will make your health and your lifestyle a lot better. So come join me. I welcome you to take your health back. Mahalo.

We're back. Surprise. Now, you thought I was going to go on vacation again. I'm going to pester you again with another 10 or so minutes of really boring stuff, but it's really important to your company. If you're doing business with the federal government, you have to do this. We're going to go back into checking boxes versus creating a culture. This slide is telling you, if you do something, don't just walk away. A lot of people go out there, create a security plan. They give it to the contracting officer, and they think, great. They wash their hands. They throw it over the fence. And that's that. If anyone asks them, they break it out. And great. So what have you done? I've created plans. Well, if I create plans, what do I have to do? I have to test those plans. Otherwise, who cares? If I make backups daily or monthly or weekly and have a backup rotation, if I never test those backups, are they any good? No, they're not. Because when you do need them after a ransomware attack and you're recovering from backups and your backups are corrupt, that was useless. It was a waste of time because you didn't find out what was wrong with your backup system. So make a plan. Test the plan. Disaster recovery. You make that plan. At least do the tabletop exercise. That's a simulated exercise of who you contact. How are you going to contact them? What's the information? Who are the team members that need to do things?
Who's responsible for what? Who reports to whom? And how do you get your environment back up and running as quickly as possible? If you create teams, update the teams. People come. People go. People change phone numbers. Email addresses come and go. We change environments like we're changing clothes these days, and technology moves at the speed of light. So you could create a team and then lose track of your team. Or, as I've seen in some organizations, 50% of the team members aren't working for you anymore. So your disaster recovery plan, incident response plan, doesn't really work too well. Training teams, critically important. If you have a good training team, you want to know, first of all, who's the best trainer? Who can do it the most rapidly and repeat it most consistently throughout your organization? What if that person leaves and you didn't update that team member? Well, you're missing a team member and you didn't know it. So your training program or your training plan in your SSP doesn't mean anything. And if anyone catches you, well, actually no one's going to catch you, but ransomware people will. Because you're not training your employees and you didn't update your team. So your people don't know what ransomware looks like anymore, and you click on a link and that's it. You're all encrypted. If you create rules and you don't enforce them, are they rules? If a tree falls in the woods and no one's there, is it making a noise? Well, it's the same thing with the rules. If you create a rule but you didn't enforce it, it doesn't do you any good. And here's a couple of examples. Firewalls. If I have all these rules for my firewalls, but I never gave them to my network engineer who implements those firewall rules, hopefully they tested them first, but then you implement them. If I never gave them to the network guy, well, of course they're not implemented.
If I never gave anybody in the administration section of my company the password policy and said enforce password complexity, well then it's not enforced. If it's not enforced, the policy means nothing and you're less secure. Let's go to the next slide. This is why you have to do these things. Now, the first NIST 800-171 guidance came out around 2015. It's gone through several iterations. It was supposed to be implemented by the end of 2017. Almost nobody complied. Almost nobody could comply by that time because there were so many requirements they couldn't handle it. But now we have the cyber security maturity model certification and certification levels. And it's going to be, as you can see in the red type there, it's going to be a go/no-go decision. If you do not have a CMMC level from a certified organization for your next contract, you don't get the contract. You have to have it before you get it. For current contracts, if you're currently out there doing DFARS contracts with the government, they're going to implement this. They're going to tag this onto your contract. You have the absolute right to charge more and do a change order of your contract to add the cost of being a certified level one through five, whatever they need. You can put that in your contract and charge the government for that and give them what's called a POAM, a plan of action and materials, to put together what you're going to do to comply with what the acronym means now. It's a POAM, P-O-A-M, Plan of Action Materials. You put together this plan and say, I will comply by such and such a date, and you can continue with the contract. If you don't do that, they have the right to yank your contract and cost you a lot of money. Now coming out here by September, that's what the government says, and of course they're always on schedule, they're coming out with NIST 800-171B. Revision B is going to have more rules than the current 800-171. Let's just say it's A, but it's revision one right now.
It's going to have more rules, and the current 800-171 document as it stands covers the CMMC certification levels one through three, as we'll see in a second. And level B, or the revision B, will take levels four and five and add them on there, because larger organizations will have more requirements. Now these will be contained in your RFPs and RFIs in sections L and M. You'll have to report your CMMC level when you report back, or the word is you won't be considered. Okay, let's move on to the next slide. Let's look at the CMMC levels here. As you can see on the left-hand side, there is the current 800-171 by NIST. The first three levels are covered by the current rules. Now this is going to cover most, an enormous amount of small and medium business dealing with the federal government, because we're all small vendors. There are very few big ones out there. The big guys, the big players out there, will be required to do levels four and five for the national security contracts with, say, TS/SCI clearance and things like that. So don't panic. Your contract, like I said, will ask for a certification level. Most are going to be levels one through three, and one is basic cybersecurity hygiene. And of course, level three is good cybersecurity hygiene. Who wouldn't want that? Okay, moving on to the next slide. Can I use Office 365 in Azure? Well, yes, you can. Office is certified as FedRAMP, Moderate and High Baseline audits, and certified according to all the FedRAMP standards. So you're covered once you're in that environment. Now, Office 365 in the Azure environment, you don't need GCC High if you don't have the requirements of DFARS C and G in your contract. Just a 7012, you can be in this environment, just in the basic Office 365. Moving on. We're capable of levels up to three, and GCC High will cover you if you see that C and G DFARS on your contract. And all of the scope services are on there for GCC High. You can see there's a number of applications and storage solutions in there.
So if you get into GCC High, you are seriously covered. Moving on. Some of these controls, you're not going to be able to handle yourself, and your hosting environment, Office 365, won't be able to handle them for themselves either. Let's look at a few of what we call shared controls right now. We have example one, multi-factor authentication, which of course they can implement on their side in the cloud environment for Office 365. They can do multi-factor authentication for all their systems. It's fine. However, you have an on-premises network. You have devices. You have BYOD policies. You have on-premises computers and data and printers and networking equipment. All of it needs to comply with these regulations for multi-factor authentication for privileged accounts. That's your part of the deal. So if they do theirs and you do yours, that rule is covered. Another one is training. They can train all they want, but they're not training your people. You still have to train your organization. Okay, moving on. This is what it looks like in the Office 365 Compliance Manager now. I gave you a link in there in this slide. Follow that link. Oddly enough, when you're in the admin section for Office 365 Compliance Manager, you're not going to see any links that take you here. That's odd. So you have to go here separately. In the Compliance Manager, follow that link, and this is what it's going to look like. These boxes across the page, now, this is going to change. They have a new user interface coming out. This is the old one. The new one's coming out in a couple of months. They're doing the rollout over the next couple of months. So it might look a little different, but this is basically what you see. If you click on the 800-171 box, click on it, and you can do your compliance. Let's roll on to the next slide. Here's the warning you get when you get into the 800-171 box.
If you're not in the Government Community Cloud, or GCC High, you'll get this warning in the red text there, that micro font, saying that you cannot activate your environment and force it to be compliant with 800-171, but you can still do registered assessments in your environment and keep all the data in the cloud. Let's roll on. Here's what you'll see if you click on that 800-171. You can go in there and see the control that's activated for your environment, what your score is currently. You can click in the middle column there, the NIST 800-171, and see what the requirements are. You can actually click on the links and manage documents to upload your policies in there to make yourself more compliant. Rolling on. Here's the detail of the controls breakdown. If I clicked on one of those rules on the right-hand side, it would say where I'd get more information on how to comply with that rule. One more, and the last one, the reporting tool. So after you've gone through the 800-171 compliance regulations, you've uploaded all your policy documents, you've taken care of all of these controls, you've checked all your boxes and made sure everything is completely updated. On the right-hand side there, you'll see a little button, Export to Excel. You get a completely formatted report of everything you've done, and you can put it in several different formats and actually put that in your system security plan if you're reporting to the federal government. Okay. Just a review now. DFARS, Defense Federal Acquisition Reporting, or Requirements, sorry. Also DFARS, D-F-A-R-S. And in there it's going to be NIST 800-171. Coming up is 800-171B. You have to look for the DFARS clauses C and G added to your contract. And also, as of January 2020, you're going to find an organization to come in and audit your organization and give you a third-party certification on the cybersecurity maturity model matrix, levels one through five.
Well, that's what's coming up, and we're going to do this presentation in Texas next week, and we'll come back on Security Matters, 10 a.m. here on Think Tech Hawaii, and we'll tell you all about it at that time with Andrew Lanning. We'll both be on the show. Until then, everybody, thanks for bearing with me. Stay safe.