Source: ncms-seminar.org/seminar_files/docs/ingenito_sutphin.pdf
We know what’s at stake.
The Changing Security Environment
Tony Ingenito, Sector Director, Industrial & Program Security, Northrop Grumman Corp
Michelle J. Sutphin, ISP, Vice President, Security, P&S Sector, BAE Systems
Updated: 6/8/2016
Agenda
• NISP
• Executive Order 13691
• NISPOM Conforming Change 2
• NISPOM Re-Write
• OPM Breach
• Continuous Evaluation
• SEADs
• RMF
• SAP
• Commerce/DSS Survey
• REAL ID
• DSS System Updates
• Drug Usage and Clearances
• CUI
• UCTI
• DFARS Clause
Intro to the NISP
National Industrial Security Program established by Executive Order 12829 on January 6, 1993. The purpose of this program is to safeguard classified information that may be released or has been released to current, prospective, or former contractors, licensees, or grantees of United States agencies.
https://www.youtube.com/watch?v=zkHgfpRZOJk&list=UUqKDH4QdAYzlSMJATaMiboQ
As part of this EO, the NISP Policy Advisory Committee (NISPPAC) was also formed. Comprised of both Government and industry representatives, it is responsible for recommending changes in industrial security policy through modifications to Executive Order 12829, its implementing directives, and the National Industrial Security Program Operating Manual.
NISPPAC Members
GOVERNMENT
• William Cira, Acting Chair, ISOO
• George Ladner, CIA
• Fred Gortler, DSS
• David M. Lowy, Air Force
• Patricia Stokes, Army
• Eric Dorsey, Commerce
• Greg Torres, DOD
• Marc Brooks, Energy
• Scott Ackiss, DHS
• Anna Harrison, DOJ
• Jeffrey Bearor, Navy
• Kimberly Baugher, DOS
• Kathy Healy, NASA
• Dennis Hanratty, NSA
• Denis Brady, NRC
• Richard L. Hohman, ODNI
INDUSTRY
• Tony Ingenito, Chair, Northrop Grumman
• Dennis Keith, Harris Corporation
• Quinton Wilkes, L3 Communications
• JC Dodson, BAE Systems, ESS
• Bill Davidson, KeyPoint
• Phil Robinson, Squadron Defense Group
• Michelle Sutphin, BAE Systems, P&S
• Martin Strones, Strones Enterprises
MOU
• JC Dodson, AIA
• Dan McGarvey, ASIS
• Brian Mackey, CSSWG
• Marc Ryan, ISWG
• Dennis Arriaga, NCMS
• Mitch Lawrence, NDIA
• Kirk Poulsen, Tech America
EO 13691
Promoting Private Sector Cybersecurity Information Sharing
Signed 13 February 2015
Amends the NISP: inserts the Intelligence Reform and Terrorism Prevention Act (IRTPA) of 2004
Adds the Department of Homeland Security as a Cognizant Security Agency (CSA)
• Gives DHS the ability to grant Facility Clearances for threat information sharing purposes only
• NISPOM Addendum will be added to specifically address the limited capacity of the DHS Facility Clearance
NISPOM CC 1 and 2
NISPOM Conforming Change 1 was published on March 28, 2013
• Incorporated additional marking guidance
Snowden, Manning and Alexis prompted much discussion surrounding policy change on Insider Threat
NISPOM Conforming Change 2 was published May 18, 2016
• Will require a formal Insider Threat program for each cleared company in the NISP
• Designation of an ITPSO (Insider Threat Program Senior Official) that also must be a KMP
• Insider Threat training will be mandatory for all cleared employees
• Insider Threat Seminar from DSS: 1:00 PM, Workshop 7c, Thursday
The DSS ISL for NISPOM CC2 published May 25, 2016
• Clarifies how industry will implement the Insider Threat Program and also provides links to resources that FSOs and ITPSOs can use
• Requires a system to track patterns of behavior that haven’t been reported regarding potential compromise of classified information
NISPOM Re-Write
• Full re-write is currently underway
• Different format and also a full review for revisions
• Coordination between government and industry is taking place at the NISPPAC level
• Currently have over 70 industry participants reviewing and providing comments to the NISPPAC
• Items being suggested for revision:
  • Removal of Chapter 4 and instead references to 32 CFR 2001
  • Removal of most of Chapter 8
• Last meeting took place May 10, 2016; meetings are expected to continue throughout 2016 and 2017
OPM Breaches
Phase One: Penetration of data belonging to federal workers’ personnel records, which impacted roughly 4.5 million federal workers. ALL HAVE BEEN NOTIFIED.
Phase Two: Investigation data impacting roughly 21.5 million contractors.
• $133M contract was awarded to Identity Theft Guard Solutions
• Notifications started going out at the end of September
• ALL HAVE BEEN NOTIFIED
• Anyone who has not gotten a letter but thinks they are a victim should call 866-408-4555
Up to date information here: https://www.opm.gov/cybersecurity
OPM Breach Impacts
Due to the requirement for the government to provide Identity Theft protection, OPM pushed that cost onto the different agencies that requested the OPM background investigations.
DSS incurred the majority of this cost (in addition to influx of clearances) which therefore created a budget shortfall for both 2015 and 2016.
As a result, DSS will be managing the process for initials and PRs for 2016 much more carefully which means you may see delays in the processing of “non-essential” clearances.
The FBI is also in a backlog of 28,000 cases due to a manual name check as part of the NAC process. They are currently trying to hire additional staff to address this.
When CAS v4 comes out, the NAC will be required for all Interims. If the FBI does not resolve the backlog, Interims may be delayed.
OPM Breach Impacts
As a result of the breaches, OMB, DNI and DOD conducted a 90 day review to investigate the investigation and clearance process
One of the results was the dissolution of OPM Federal Investigative Service (FIS) and the creation of the National Background Investigations Bureau (NBIB)
NBIB is expected to be set up and announced October 2016
NBIB Director will be Presidential appointee and full PAC (Performance Accountability Council) Member
OPM IT Applications will no longer fall under OPM purview and will be moved to the Office of the DOD CIO
OPM to hire 400 more investigators
NBIB Transition Team being led by Jim Onusko and Christy Wilder
Continuous Evaluation
Continuous Evaluation has been in the works since 2014
Pilots underway of both Government and Industry:
• 100,000 in 10/2014
• 250,000 in 12/2015
• 500,000 by 12/2016
By September 30, 2017 each Executive Branch Agency must have enrolled at least 5% of Tier 5 clearances in CE
Consolidated Appropriations Act 2016
Included a clause called “Enhanced Personnel Security Programs” (EPSP)
• DNI is to direct federal agencies to conduct an “enhanced review” of covered individuals
• The program shall integrate relevant and appropriate information from various sources, including government, publicly available, and commercial data sources, consumer reporting agencies, social media, and such other sources as determined by the DNI
• The checks must be conducted “not less than 2 times every 5 years”
• The head of an Agency shall take appropriate action if a review finds relevant information that may affect the continued eligibility of a covered individual to access classified information and hold a sensitive position
SEADs
Security Executive Agent Directives
• SEAD 1: SECEA Authorities and Responsibilities
• SEAD 2: Use of Polygraphs
• SEAD 3: Minimum Reporting Requirements (in coordination)
• SEAD 4: Adjudicative Backlogs (in coordination)
• SEAD 5: Social Media usage in Investigations and Adjudications
Signed May 12, 2016
Both Continuous Evaluation and EPSP are supposed to be coordinated into one SEAD
Risk Management Framework (RMF)
Implemented by NAO (NISP Authorization Office) – formerly ODAA
System accreditation status and transition timeline/instructions:
• SSP submitted prior to August 1, 2016: Continue to use the C&A process with the latest version of the ODAA Process Manual. ATO will be no greater than 18 months starting August 1, 2016. Within 6 months, develop a POA&M for transition to RMF.
• Stand-alone systems after August 1, 2016: Execute RMF Assessment and Authorization through the use of the DSS Assessment and Authorization Process Manual (DAAPM).
• LAN, WAN or interconnected system between August 1, 2016 and February 28, 2017: Continue to use the current C&A process with the latest version of the ODAA Process Manual. ATO will be no greater than 18 months starting August 1, 2016. Within 6 months of authorization, develop a POA&M for transition to RMF.
• LAN, WAN or interconnected system after March 1, 2017: Execute RMF Assessment and Authorization through the use of the DSS Assessment and Authorization Process Manual (DAAPM).
* All authorizations in existence will continue through their current timeline of three years. After August, they will only grant 18 month approvals.
SAP Manual
DoD 5205.07 Special Access Program Manual development:
• Vol 1 (General Procedures): Published June 2015
• Vol 2 (Personnel Security): Published November 2015
• Vol 3 (Physical Security): Published April 2015
• Vol 4 (Classified Info Marking): Published October 2013
Eliminates JFAN and the NISPOM SAP Supplement upon publication of all the above and NISPOM CC #2.
AF SAPCO officially rescinds JFAN 6/9 with modified Vol 3 and citing in DD254s
• Minimum training standards for AF SAO personnel and appointment letter
• Submit TEMPEST Form A and FFC to SAO/PSO
• Non-compliant review at SAF/AAZ
• FFC required documentation for AF SAPF
• Waivers will be processed through the SAP Security Director, AFOSI/PJ for approval
Navy SAPCO intended to implement manuals as written.
OSD DoD SAP Central Office memo (7 Jan 16): Reciprocity of DoD SAPF accreditations.
Commerce/DSS Critical Facilities Survey
• Initiative started by DSS in July of 2015 that will continue through 2017
• Purpose is to get a better understanding of the supply chain and the threats/risks to the Cleared Defense Contractors
• Survey is MANDATORY & will take considerable effort
• Starting with single facility companies now, will move to MFOs shortly
• Will be going out to the FSO via mail
• NISPPAC currently engaged regarding implementation
REAL ID
REAL ID passed in 2005. Requires IDs to meet minimum requirements in order to access federal installations and CONUS air travel starting in 2016.
Requirements are:
(1) The person's full legal name.
(2) The person's date of birth.
(3) The person's gender.
(4) The person's driver's license or identification card number.
(5) A digital photograph of the person.
(6) The person's address of principal residence.
(7) The person's signature.
(8) Physical security features designed to prevent tampering, counterfeiting, or duplication of the document for fraudulent purposes.
(9) A common machine-readable technology, with defined minimum data elements.
REAL ID
When applying for a driver's license or ID, states must require:
(A) A photo identity document, except that a non-photo identity document is acceptable if it includes both the person's full legal name and date of birth.
(B) Documentation showing the person's date of birth.
(C) Proof of the person's SSN or verification that the person is not eligible for a SSN.
(D) Documentation showing the person's name and address of principal residence.
(E) EVIDENCE OF LAWFUL STATUS: states must require valid documentary evidence that the person:
• (i) is a citizen or national of the United States;
• (ii) is an alien lawfully admitted for permanent or temporary residence in the United States;
• (iii) has conditional permanent resident status in the United States;
• (iv) has an approved application for asylum in the United States or has entered into the United States in refugee status;
• (v) has a valid, unexpired nonimmigrant visa or nonimmigrant visa status for entry into the United States;
• (vi) has a pending application for asylum in the United States;
• (vii) has a pending or approved application for temporary protected status in the United States;
REAL ID Timeline
• Phase 1: Restricted areas (i.e., areas accessible by agency personnel, contractors, and their guests) for DHS’s Nebraska Avenue Complex (NAC) headquarters. Implemented: YES
• Phase 2: Restricted areas for all Federal facilities and nuclear power plants. Implemented: YES
• Phase 3: Semi-restricted areas (i.e., areas available to the general public but subject to ID-based access control) for most Federal facilities. Access to Federal facilities will continue to be allowed for purposes of applying for or receiving Federal benefits. Implemented: YES
• Phase 4: Boarding federally regulated commercial aircraft. A driver’s license or identification card from a noncompliant state may only be used in conjunction with an acceptable second form of ID for boarding federally regulated commercial aircraft. Implemented: January 22, 2018
REAL ID States
(Map of state compliance status; legend: Compliant, Filed Extension, Non-Compliant)
REAL ID Recent Changes
If a state is not compliant for its identification to be accepted by a Federal facility, the state may be granted an extension.
Current states with extensions will expire on October 10, 2016
States NOT granted extensions, whose IDs will NOT be accepted at federal facilities, are:
• Minnesota
• New Mexico
• Illinois
• Missouri
• Washington
• American Samoa (territory)
REAL ID Options
If your state ID is not compliant you may use:
• Passport or Passport Card
• REAL ID approved Enhanced Driver’s License (some states already have these)
• U.S. military ID (active duty or retired military and their dependents, and DoD civilians)
• Permanent resident card
• HSPD-12 PIV card (to include RapidGATE)
DSS System Updates
CURRENT (figure: systems grouped by DMDC System and DSS System): E-FCL, SWFT, JPAS, NCAISS, OBMS, ISFD, STEPP
DSS System Updates
FUTURE (figure: projected systems grouped by DMDC System and DSS System): NISS (replacing eFCL, ISFD, NCAISS), STEPP, DISS (JVS), OBMS, NCCS
Just Say No?
General Clapper of DNI issued a memo on October 25, 2014…
• “…no state can authorize violation of federal law, including violations of the Controlled Substance Act…”
• “…IRTPA…prohibits a federal agency from granting or renewing a clearance to an unlawful user of a controlled substance…”
• “Executive Order 12564 mandates a…drug-free federal workforce, and expressly states that use of illegal drugs on or off duty by federal employees in positions with access to sensitive information may pose a serious risk to national security…”
Just Say No?
Section 543 of H.R. 2029: Consolidated Appropriations Act, 2016, signed into law on 12/18/2015:
“None of the funds made available in this Act to the Department of Justice may be used, with respect to any of the States of Alabama, Alaska, Arizona, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Illinois, Iowa, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, Oklahoma, Oregon, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Virginia, Washington, Wisconsin, and Wyoming, or with respect to the District of Columbia, Guam, or Puerto Rico, to prevent any of them from implementing their own laws that authorize the use, distribution, possession, or cultivation of medical marijuana.”
Sensitive But Unclassified (SBU)
Designation used when an Agency cannot deem the information classified, but still wants to protect it to some degree
Types of SBU:
• FOUO (For Official Use Only)
• LES (Law Enforcement Sensitive)
• SSI (Sensitive Security Information)
• LOU (Limited Official Use)
• CII (Critical Infrastructure Information)
• Export Controlled Information
There are over 100 different types of SBU
Enter…CUI
13,500 cleared facilities vs ~800,000 facilities that access CUI
Will attempt to categorize all SBU into two CUI areas:
• CUI Basic
• CUI Specified
Approved CUI Categories
(figure)
CUI Phased Implementation
(figure)
Plan for CUI Protection
• Executive Order 13556
• Establishment of the CUI Registry
• Federal CUI rule (32 CFR Part 2002) to establish the required controls and markings for CUI government wide
• NIST Special Publication 800-171 to define security requirements for protecting CUI in nonfederal information systems and organizations
• Federal Acquisition Regulation (FAR) clause to apply the requirements of the federal CUI rule and NIST Special Publication 800-171 to contractors
DFARS
And now to confuse you even more…
DFARS Subrule 252.204-7012 Timeline
• UCTI implemented on 11/13/2013
• Interim Rule implemented on 08/26/2015
• Deviation implemented on 10/8/2015
• Second Interim Rule implemented on 12/30/2015
DFARS Subrule 252.204-7012
“Safeguarding of Unclassified Controlled Technical Information” (UCTI) implemented on 11/13/2013
• This is a form of SBU which will eventually become a subcategory of CUI
• This impacted both primes and subcontractors equally and was required to be flowed to all subcontractors, even commercial ones
DFARS Subrule 252.204-7012
• Defined UCTI as “technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.” Does NOT give guidance on what to do if this information is not marked.
• Required reporting of all cyber incidents on systems housing UCTI within 72 hours of discovery. Does NOT define a “cyber incident”.
• Required all IT systems housing UCTI to conform to 51 security controls listed in NIST SP 800-53.
DFARS Subrule 252.204-7012 AMENDED
On August 26, 2015, this rule was amended and published as an Interim Rule. Full compliance must take place on all contracts issued with this clause effective Aug 26.
DFARS Subrule 252.204-7012 AMENDED
Key items include:
• Name change to “Safeguarding Covered Defense Information and Cyber Incident Reporting”, which now includes: Export Controlled Information, UCTI, critical information and other information requiring protection by law, regulation or Government-wide policy
• Requires adherence to NIST SP 800-171 instead of 800-53
• Allows DOD personnel to examine Industry’s networks in the event of a cyber incident
• The use of two-factor authentication for logging onto computers storing this information, to include classified systems
DFARS Subrule 252.204-7012 DEVIATION
Deviation to the Interim Rule published on 10/8/2015
• Allows contractors up to 9 months to comply with “using multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts”
DFARS Subrule 252.204-7012 2nd Interim
• Contractors have until December 31, 2017 to implement 800-171 security requirements on covered contractor information systems
• Contractors must, within 30 days of contract award, notify the DoD CIO of any 800-171 security requirements that are not implemented at the time of contract award
• The requirement for DoD CIO acceptance of alternative, but equally effective, security measures prior to award is DELETED
• Subcontractor flow down requirements are amended to limit the requirement to flow down the clause only to (i) subcontracts for operationally critical support, or (ii) where subcontract performance will involve a covered contractor information system (previously the Interim Rule required the clause to be flowed to “all subcontracts”)
• Other than identifying the parties, changes in the substance of DFARS 252.204-7012 are now expressly prohibited when flowing down the clause to subcontractors
Questions?