The Essential Roadmap to DFARS Compliance

Confidential and Proprietary © Metalogix | Move, Manage, Protect

Welcome!! The Essential Roadmap to DFARS Compliance

Start Time: 11:00 AM ET

Upload: metalogix

Post on 23-Jan-2018



ABOUT BRIAN LEVENSON
Product Marketing Manager

• Office 365 US Government
• 8+ years at Microsoft
• Son of a software engineer, beta testing since childhood
• Worked in various IT roles including help desk
• Prolific speaker, photographer, and puppy cuddler
• Twitter @brian_levenson
• Q&A #O365Security

ABOUT BEN CURRY
Principal Architect

• Summit 7 Systems Lead Architect
• Eleven-time Microsoft MVP
• CISSP, MCP, MCT
• Author of several SharePoint books by Microsoft Press
• Master SCUBA Diver Trainer
• [email protected]
• Twitter @curryben
• Q&A #O365Security

Outline

• Introduction

• DFARS Policy and Compliance

• Microsoft Cloud Security and Compliance

• Microsoft Cloud Platforms

• Lessons Learned

• Supporting Technical Features

Copyright ©2017 Summit 7 Systems, Inc. All rights reserved.

DFARS Policy and Compliance


Executive Order 13556

• November 4, 2010

• Established the Controlled Unclassified Information Program in order to unify government wide policies, procedures, markings and controls for CUI

• Rescinded the May 2008 “Designation and Sharing of CUI” Presidential Memorandum

• Designates the National Archives and Records Administration (NARA) as the Executive Agent

• NARA delegated authority over the program to the Information Security Oversight Office (ISOO)

• Program implemented via 32 CFR 2002, which calls out NIST SP 800-171 for the protection of CUI


CUI, CTI, CDI

• CUI – Controlled Unclassified Information

• CTI – Controlled Technical Information

• CDI – Covered Defense Information (Umbrella term that encompasses all CUI and CTI)

• Gone: UCTI, FOUO, SBU, etc.


CUI / CDI

• Replaced designations such as UCTI, SBU, etc.
• Unclassified information that is provided by or on behalf of the DoD in connection with a contract.
• CUI/CDI/CTI may also be developed in the performance of a contract.
• 24 separate categories listed in the CUI Registry at https://www.archives.gov/cui
• 2 categories that almost all companies have:
  • Controlled Technical Information
    • DoD 5230.24 “Distribution Statements on Technical Documents”
    • Engineering drawings and data, technical reports, specifications, data sets, analysis, etc.
  • Procurement and Acquisition Information
    • Information related to acquisition actions
    • Cost and pricing information
    • Contract information
    • Indirect costs and direct labor rates
• CUI Basic
  • Protect CUI Basic at the Moderate level with the controls in NIST 800-171
• CUI Specified (ITAR / HIPAA / etc.)
  • May only be upgraded to “CUI Specified” by a designating agency
  • May require additional controls beyond NIST 800-171 and FISMA Moderate
• Marking guidance from the Government is available at https://fas.org/sgp/cui/marking-2016.pdf


DFARS 252.204-7012

In 87% of all DoD contracts in 2017. 3 major components:

1. Provide adequate security on all covered contractor information systems*
  • FedRAMP Moderate
  • NIST SP 800-171, with mapping to the relevant NIST 800-53 security controls

2. Rapidly report cyber incidents to DoD at http://dibnet.dod.mil
  • 72 hours
  • Medium Assurance Certificate
  • Meet paragraphs C-G

3. Contract flowdown requirements

Key dates

• December 31, 2017: POA&M and SSP must be completed
• 2017-2018: precursor to expected FAR changes

* Defined as: an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits CDI

DFARS Rules

• 252.204-7008 “Compliance with Safeguarding Covered Defense Information Controls”
  • If you plan to vary from NIST 800-171 you must submit an explanation for consideration to the DoD CIO via the Contracting Officer
• 252.204-7009 “Limitations on the use or disclosure of third-party contractor reported cyber incident information”
  • How to handle sub-contractor incident information
• 252.239-7010 “Cloud Computing Services”
  • Only applicable to GoCo or “Type 1” systems

What Does Adequate Security Mean?

• Type 1 System: operated on behalf of the Government
  • Must comply with 252.239-7010, which calls out the DISA Security Requirements Guide v1R3
  • Specifies that the NIST 800-53r4 control set must be used
  • If leveraging a Cloud Service Provider, the CSP must be FedRAMP Moderate and SRG L4
• Type 2 System: operated by a contractor, but not on behalf of the Government
  • Specifies that the NIST 800-171 control set must be used
  • If leveraging a Cloud Service Provider, the CSP must be FedRAMP Moderate


NIST 800-171 Compliance

Chapter 3: Security Control Families

• Access Control

• Awareness and Training

• Audit and Accountability

• Configuration Management

• Identification and Authentication

• Incident Response

• Maintenance

• Media Protection

• Personnel Security

• Physical Protection

• Risk Assessment

• Security Assessment

• System and Communications Protection

• System and Information Integrity

Figure (not reproduced): the slide groups these families into policy controls and technical controls.

NIST SP 800-171 DFARS/FAR Timeline

Timeline axis: 2015, 2016, 2017, 2018

FAR track:
• FAR 52.204-21 modified and added 15 NIST controls
• 32 CFR 2002: Federal agencies begin a 2-year effort of implementing and requiring NIST 800-171
• New contracts and mods will add NIST 800-171 to Federal contracts
• Anticipated release of a new FAR clause requiring full NIST 800-171 compliance
• Anticipated: full NIST 800-171 compliance in all Federal contracts

DFARS track:
• DFARS 252.204-7012: DoD agencies begin a 2-year effort of implementing and requiring NIST SP 800-171
• New contracts and mods add DFARS 7012 to DoD contracts
• DFARS 7012 requires compliance, including SSP and POA&M

How do you approach compliance?

Figure (not reproduced): a compliant platform results from functional, technical and 800-171 compliance requirements, corporate technology policies, corporate security policies, and the chosen platform's capabilities.


Figure (shared responsibility matrix, not reproduced): columns SaaS, PaaS, IaaS and On-Prem; rows, from top to bottom: data governance and rights management, client end-points, account and access management, identity and directory infrastructure, application, network controls, operating system, physical hosts, physical network, physical datacenter. Each cell is marked as one of: CSP manages; you manage (shared responsibility to protect); you or CSP manages (depends on provider and configuration).

Microsoft Cloud Security and Compliance


Microsoft’s Commitment to the Cloud


Security

• State-of-the-Art Physical Security

• 24x7 Incident Response

• Encrypted at Rest and Transit

Privacy

• You Control Access to Your Data

• You Control where your Data is stored

• Content Cannot be used for Marketing or Commercial Purposes

Compliance

• Industry Leading Compliance Portfolio

• Regular Independent Audits

• Access to all Certification Documentation

Transparency

• Clear and Strict Policies on how Customer data is managed

• Vigorous defense of customer privacy rights

• Easy to Understand Info on where customer data resides

Availability

• Financially Backed SLAs

• Robust DR, Backup, Monitoring and Management tools

• Easy to access Service Health Information

Microsoft Office 365 Security & Compliance

• Threat Protection: Exchange Online Protection, Advanced Threat Protection, Threat Intelligence
• Information Protection: Azure Information Protection, Data Loss Prevention, Office Message Encryption
• Security Management: S&C Center, Cloud App Security, Secure Score
• Compliance Solutions: Advanced Data Governance, Advanced eDiscovery, Customer Lockbox, Compliance Manager
• Multifactor Authentication

Microsoft is meeting customer security needs with the industry's largest compliance portfolio

Figure (logo cloud, not reproduced; the slide groups the items as Worldwide, National and Government): ISO 27001, PCI DSS Level 1*, SOC 2 Type 2, ISO 27018, Cloud Controls Matrix, Content Delivery and Security Association*, Shared Assessments, SOC 1 Type 2, European Union Model Clauses, Singapore MTCS Level 3, New Zealand GCIO, Australian Signals Directorate, Japan Financial Services, Spain ENS, ENISA IAF, HIPAA / HITECH, FIPS 140-2, DISA Level 2, DISA Level 4, DISA Level 5, FERPA, FedRAMP JAB P-ATO, FISMA, CJIS, 21 CFR Part 11, IRS 1075, Section 508 VPAT, United Kingdom G-Cloud, EU-U.S. Privacy Shield, NIST 800-171, China MLPS*, TRUCS*, GB 18030*.

Microsoft Cloud Platforms

Microsoft Cloud Landscape

Microsoft Office 365 Commercial
• Available for all organizations
• Certified to FedRAMP Moderate
• Certified to DISA Level 2
• Not DFARS C-G compliant*
• Is NOT ITAR capable*

* Official Microsoft Position


Office 365 Government

                      Office 365 GCC             Office 365 GCC High        Office 365 GCC High DoD
Customer Access       Government / Contractors   Government / Contractors   DoD Agencies
FedRAMP               Moderate                   Moderate                   Moderate
DISA                  Level 2                    Level 4                    Level 5
ITAR Capable          No*                        Yes                        Yes
NIST 800-171 Capable  Yes                        Yes                        Yes
DFARS C-G             No*                        Yes                        Yes


• GCC High can be fully DFARS Compliant with Proper licensing, design, configuration and policy control.

• All Contractors must be approved as having a verified need

• Some Capabilities Available in Office 365 Commercial are not yet available

• Requires a Minimum of 500 licenses

*Official Microsoft Position


Key Office 365 Features and NIST 800-171

Security control family, section, requirement, and the Office 365 feature and license that addresses it:

• Configuration Management, 3.4.9: Control and monitor user-installed software. Feature: Intune in EM+S E3.
• Identification and Authentication, 3.5.3: Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. Feature: standard in E1, E3 and E5 licenses.
• Incident Response, 3.6.1: Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. Feature: Data Loss Prevention (DLP) and eDiscovery in E3 license.
• Incident Response, 3.6.2: Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization. Feature: Data Loss Prevention (DLP) and eDiscovery in E3 license.
• System and Communications Protection, 3.13.1: Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. Feature: Azure Information Protection P1 in EM+S E3 license.
• Maintenance, 3.7.6: Supervise the maintenance activities of maintenance personnel without required access authorization. Feature: Customer Lockbox in E5 or as an add-on license.
• System and Communications Protection, 3.13.8: Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. Feature: Azure Information Protection P1 in EM+S E3 license.
• System and Information Integrity, 3.14.4: Update malicious code protection mechanisms when new releases are available. Feature: Advanced Threat Protection in E5 or as an add-on license.
• System and Information Integrity, 3.14.6: Monitor the information system including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Feature: Advanced Threat Analytics in EM+S E3.

Enable Customer Lockbox: Settings -> Security & Privacy -> toggle on/off


Microsoft Azure (Commercial)

• Available for Organizations

• Certified to FedRAMP Moderate

• Certified to DISA Level 2

• Is Not ITAR Capable

• Not Compliant with DFARS C-G

• No Minimum service required

* Official Microsoft Position


Azure Government Community Cloud

• DFARS Compliant with proper services, design, configuration and policy control

• Is ITAR Capable

• All Contractors must be approved by Microsoft and have a verified need

• Some Capabilities Available in Azure Commercial are not yet available

• No Minimum Service Requirement


                   Azure Government            Azure Government DoD
Customer Access    Government / Contractors    DoD Agencies
FedRAMP            High                        High
DISA               Level 4                     Level 5
ITAR Capable       Yes                         Yes
DFARS Compliant    Yes                         Yes


Lessons Learned


CUI / CDI Lessons Learned

Every Defense Industrial Base (DIB) company has CUI / CDI content

Outside of basic CUI / CDI needs, ITAR content is a major driver.

Office 365 Lessons Learned

Office 365 GCC High (Level 4) Environments take 6 weeks to provision

Custom Office 365 Deployment and Migration takes 4 – 12 Months

Templated Office 365 Deployments take 4 - 6 Weeks

Industry Lessons Learned

87% of all contracts released in 2017 have the DFARS 7012 Clause

Every DIB company has at least 1 contract with the DFARS 7012 clause in it

Corporate IT and Security Policies are not well understood or implemented

Mobile Devices are ubiquitous and BYOD is the standard

With these lessons learned, and our continual discovery cycles, we have simplified the equation for total solution success…

Compliance is a Risk Management Exercise. Risk Acceptance and Mitigation is common.

Key Decision Points – 2 Driver Categories

• Driver 1: Environmental
  • ITAR data
  • Timeline
  • Risk acceptance
• Driver 2: Licensing
  • Mobility
  • NIST 800-171 requirements drive licensing
  • Desktop license availability

Where do I get that licensing matrix?!?!

• http://info.summit7systems.com/office-365-licensing-guide-for-dod-contractors


Resources

• DoD Contractor Office 365 Licensing Guide

• Webinar: Updates and Lessons Learned on DFARS/NIST/ITAR Compliance

• Thursday November 16, 2017 from 10-11AM CST

• http://info.summit7systems.com/blog/webinar-dfars

• http://microsoft.com/trust


The Technical Stuff


Multifactor Authentication (MFA)

• NIST Maintenance 3.7.5: Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
• MFA is configurable on a user by user basis.
• MFA is available for all Office 365 enterprise license types across all user roles.
• Advanced MFA options are available with Enterprise Mobility + Security.
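Because MFA is set per user, the privileged-account requirement of NIST 800-171 3.5.3 (listed in the feature table above) is easiest to satisfy by applying the setting to role members in bulk and keeping the leftovers as evidence. This is an added example, not code from the deck or from Summit 7; it assumes the MSOnline PowerShell module used for Office 365 administration at the time, and the list of roles treated as privileged is an assumption.

```powershell
# Added example (not from the slides): turn on per-user MFA for every user holding a
# privileged directory role, then report any that still lack it, as evidence for the SSP.
# Assumptions (labelled): the MSOnline module used for Office 365 administration of the
# period; the role list below is an assumption chosen to cover "privileged accounts".
Import-Module MSOnline
Connect-MsolService

$privilegedRoles = @(
    'Company Administrator'              # Global Administrator
    'Exchange Service Administrator'
    'SharePoint Service Administrator'
    'Security Administrator'
    'User Account Administrator'
)

# MSOnline models "MFA enabled" as a StrongAuthenticationRequirement object on the user.
$mfaRequirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mfaRequirement.RelyingParty = '*'
$mfaRequirement.State = 'Enabled'   # 'Enforced' once the user has registered a method

# Collect the distinct UPNs of user members of the listed roles (skip groups and service principals).
$targets = foreach ($roleName in $privilegedRoles) {
    $role = Get-MsolRole -RoleName $roleName -ErrorAction SilentlyContinue
    if ($null -eq $role) { continue }
    Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Where-Object { $_.RoleMemberType -eq 'User' } |
        Select-Object -ExpandProperty EmailAddress
}
$targets = $targets | Sort-Object -Unique

foreach ($upn in $targets) {
    $user = Get-MsolUser -UserPrincipalName $upn
    if ($user.StrongAuthenticationRequirements.Count -gt 0) {
        Write-Host "$upn already has MFA state $($user.StrongAuthenticationRequirements[0].State)"
        continue
    }
    Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($mfaRequirement)
    Write-Host "Enabled MFA for privileged user $upn"
}

# Re-read and list privileged accounts with no MFA requirement after the run.
$gaps = foreach ($upn in $targets) {
    if ((Get-MsolUser -UserPrincipalName $upn).StrongAuthenticationRequirements.Count -eq 0) { $upn }
}
if ($gaps) { Write-Warning "Privileged accounts without MFA: $($gaps -join ', ')" }
```

The final warning is the list to carry into the POA&M if it is not empty; accounts left in the 'Enabled' state still need the user to register a verification method before they can be moved to 'Enforced'.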


MFA Verification Methods

Office 365 Identity Management
• Included with standard user licensing
  • Mobile app notification
  • Verification code with mobile app
  • Phone call
  • Text message

Hybrid Identity Management
• Standard user licensing
  • Phone call
  • Text message
  • Mobile app notification
  • Verification code with mobile app
• Azure MFA (additional licensing)
  • Over 20 third-party providers
  • Can secure on-premises apps
  • Includes reporting capabilities
  • Includes fraud alerts
  • Customized greetings and caller ID for phone calls
• AD Federation Services


Azure AD Identity Protection

• Users with leaked credentials (found on the dark web by Microsoft systems and staff)

• Sign-ins from anonymous IP addresses

• Impossible travel to atypical locations

• Sign-ins from unfamiliar locations (IP and Latitude/Longitude)

• Sign-ins from infected devices (known BOT IPs)

• Sign-ins from IP addresses with suspicious activity

Advanced Threat Protection

• Enhancement to Exchange Online Protection

• Safe Links
  • Active protection for links in email messages after mail delivery
  • Protection is continual
  • Configured to not allow clicking on a hyperlink that is determined to be malicious
• Safe Attachments
  • Protects against unknown malware and zero-day malware
  • Attachment behavior analysis in an external hypervisor environment
• Reporting
  • Tracking allows you to track malicious links that have been clicked
  • Reporting allows you to investigate potential attacks


Advanced Security Management (ASM)

• Focus families
  • 3.1 Access Control
  • 3.3 Audit and Accountability
  • 3.6 Incident Response
• Advanced Security Management capabilities
  • Investigate Office 365 activity
  • Investigate application permissions and use
  • Create anomaly detection policies (anomalous logins, unknown threats, password sharing, lateral movement)
  • Create activity policies
  • Create anomaly alerts
  • Leverage Cloud App Discovery to determine potential attack vectors
• Capabilities are available in the E5 license or as a standalone license


Screenshots (not reproduced): Investigate Activity; Create Activity Policy; Cloud App Discovery

Data Security

Figure (data protection flow, not reproduced): Exchange, network file share, Intune managed apps and unmanaged apps, DLP policy applied, retention policy tag, client with AIP, client without AIP, client with sharing app, MDM policy, Intune MAM policy, location, retention policy, DLP, tenant retention policy, application policy, device policy.

• Office 365 Data Loss Prevention (DLP) provides real-time protection of sensitive content.
• Office 365 Labels provide a way to tag documents within Office 365 for the purpose of retention, identification, search, and eDiscovery.
• Azure Information Protection (AIP) adds additional security to documents in addition to the container they are already secured within.
• Azure Intune controls how information is consumed, copied, saved, and forwarded on mobile devices and laptops.

Azure Information Protection (and Rights Management Service)

• Focus families
  • 3.1 Access Control
  • 3.13 System and Communications Protection
• Azure Information Protection capabilities
  • Classify and protect (encrypt) files internally or externally
  • Audit and monitor usage of protected files
  • Create custom rights policies
  • Leverage your own cryptographic keys or cryptographic keys managed by MS
• Baseline RMS capabilities are available in the E3 and E5 licenses
• Additional capabilities are available in Azure Information Protection as a standalone add-on or as part of EM+S E3 or E5.


AIP Global Configuration

• AIP will primarily be used to protect access to files on the client.
• The following options can be configured on any label:
  • Restricted actions
  • Encryption
  • Group-scoped policies (security trimmed labels)
  • Labels apply metadata that can be seen by other systems, e.g. DLP, eDiscovery, Search.
  • Force justification when classifying down, such as with the CUI/CDI changes seen in the accompanying graphic (not reproduced).
• A full version of the AIP client must be installed to author and classify documents.
• Office Online allows read-only access to AIP protected files; co-authoring is not allowed.
• Only a Windows machine with the full AIP client will be able to edit AIP documents.

Azure protected file management


• When a file is moved between systems, the ability to read the file will vary based on location.

• Protected files moving between SPO/ODB and ExchO will lose any related permissions.

• Protected files moving between a file share, external drive or external cloud resource and SPO/ODB or ExchO will only retain the AIP and RMS policies associated with that object.

• A superuser account must be created and always added to the item’s security; this is what allows DLP, search, eDiscovery, and more to keep working.

Azure Information Protection

Ease of use
• Right click
• Direct access in the application

Classification and Protection

Filetypes supported for classification
• Legacy Microsoft (97/00/03/07/10)
• XPS
• Photoshop
• Solidworks
• Autodesk
• Others

Filetypes supported for classification and protection (encryption)
• Microsoft Office 2013/2016
• Adobe PDF
• Text and image

Data Loss Prevention (DLP)

• Focus families
  • 3.1 Access Control
  • 3.13 System and Communications Protection
• DLP capabilities in Exchange Online, SharePoint Online and OneDrive for Business
  • Create DLP policies to identify sensitive information
  • Prevent accidental sharing
  • Notify users of policies or block them from sharing
  • Create compliance reports and notify administrators on DLP incidents


Data Loss Prevention (DLP)

• DLP allows us to control access to content based on many configurable options using policies.
• Policies can be created 4 ways:
  • With the built-in sensitive information types found in Azure.
  • Programmed via XML and uploaded to the tenant.
  • Based on managed search properties and document tagging.
  • Based on Office 365 labels.
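The second of those four ways, carried through end to end as an added example (not code from the deck or from Summit 7): a custom sensitive information type that recognises CUI banner markings, defined as an XML rule package, uploaded to the tenant, and then bound to a DLP policy that notifies the owner, blocks sharing outside the organization and reports the incident. The marking regex is a constructed approximation of the banner format in the NARA marking guidance cited earlier, and the GUIDs, policy and rule names and the report mailbox are placeholders.

```powershell
# Added example (not from the slides): define a custom sensitive information type that
# recognises CUI banner markings, upload it, and bind a DLP policy to it.
# Assumptions (labelled): the marking regex is a constructed approximation of the NARA
# banner format ("CUI//SP-CTI", "CUI//SP-PROCURE"); GUIDs are generated at run time;
# policy, rule and mailbox names are placeholders. Requires a Security & Compliance
# Center PowerShell session (Connect-IPPSSession) with the Compliance Administrator role.

$rulePackId  = [guid]::NewGuid()
$publisherId = [guid]::NewGuid()
$entityId    = [guid]::NewGuid()

# Rule package in the schema Office 365 uses for custom sensitive information types.
$rulePackXml = @"
<?xml version="1.0" encoding="utf-8"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="$rulePackId">
    <Version build="0" major="1" minor="0" revision="0" />
    <Publisher id="$publisherId" />
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Contoso Defense (placeholder)</PublisherName>
        <Name>CUI Banner Marking Rule Pack</Name>
        <Description>Detects CUI banner markings such as CUI//SP-CTI.</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
    <!-- High confidence: a banner with a category. Lower confidence: the bare CUI
         banner plus a corroborating term within 300 characters. -->
    <Entity id="$entityId" patternsProximity="300" recommendedConfidence="75">
      <Pattern confidenceLevel="85">
        <IdMatch idRef="Regex_cui_category_banner" />
      </Pattern>
      <Pattern confidenceLevel="75">
        <IdMatch idRef="Regex_cui_banner" />
        <Match idRef="Keyword_cui_context" />
      </Pattern>
    </Entity>
    <Regex id="Regex_cui_category_banner">\bCUI//(SP-)?[A-Z]{2,12}\b</Regex>
    <Regex id="Regex_cui_banner">\bCUI\b</Regex>
    <Keyword id="Keyword_cui_context">
      <Group matchStyle="word">
        <Term>Controlled Unclassified Information</Term>
        <Term>Controlled Technical Information</Term>
        <Term>Distribution Statement</Term>
      </Group>
    </Keyword>
    <LocalizedStrings>
      <Resource idRef="$entityId">
        <Name default="true" langcode="en-us">CUI Banner Marking</Name>
        <Description default="true" langcode="en-us">Content carrying a CUI banner marking.</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
"@

$path = Join-Path $env:TEMP 'cui-rulepack.xml'
[System.IO.File]::WriteAllText($path, $rulePackXml, [System.Text.UTF8Encoding]::new($false))

# Upload the rule package; "CUI Banner Marking" becomes a selectable sensitive info type.
New-DlpSensitiveInformationTypeRulePackage -FileData ([System.IO.File]::ReadAllBytes($path))

# Bind a DLP policy to it across Exchange Online, SharePoint Online and OneDrive for
# Business: notify the owner, block sharing outside the organization, alert the admin.
New-DlpCompliancePolicy -Name 'CUI Protection (placeholder)' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -Mode Enable

New-DlpComplianceRule -Name 'Block external sharing of CUI (placeholder)' `
    -Policy 'CUI Protection (placeholder)' `
    -ContentContainsSensitiveInformation @{ Name = 'CUI Banner Marking'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true -NotifyUser Owner `
    -GenerateIncidentReport 'dlp-admin@contoso.example' -IncidentReportContent All
```

Run the policy in a test mode first (the -Mode parameter accepts test modes) and review the incident reports before switching to Enable, since a bare "CUI" match will fire on ordinary prose about the program.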

Office 365 DLP Policy Templates

Includes 41 DLP policy templates
• Financial regulations
• Medical and health regulations
• Privacy regulations

Examples
• Patriot Act
• PII data
• PCI Data Security Standard
• SSN confidentiality
• HIPAA
• US financial data

Azure Intune data security

• Azure Intune will add enhanced protection of files on mobile devices.
• Office 365 data can only be consumed in managed device applications and not by unapproved (unmanaged) applications.
• Office 365 content cannot be moved from managed apps to unmanaged applications.
  • Only unmanaged content can be moved into managed apps.
  • Any user can use unmanaged applications all they want; they cannot use those unmanaged applications to access corporate content.

Device Compliance (MDM)

• Options differ based on OS
• At least one policy per OS required if you want MDM
  • Be sure to encrypt Android! (iOS is already encrypted)
• Configure compliance
  • Device health
  • OS properties
  • Password complexity
• Set validity period in days
  • After X days, the device will be treated as noncompliant

• Monitor Compliance

• Enforce Compliance / Remove Corporate Data

Device Configuration (MDM)

• Create Profiles and Deploy to groups/users

• Based on Platform Type

• Profile Types change based on Platform

• Win 10 has most options

• Mac OS has fewest options

Managed Apps Policies – Limit Data Relocation / Exfiltration

• Prevent backup to cloud (iCloud, etc.)
• Allow data transfer (all, none, managed apps)
• Receive data from other apps (all, none, managed apps)
• Prevent “Save As”
  • Select none, or a combination of ODB, SharePoint Online, and Local

• Copy/Paste (Blocked, Any App, managed apps)

• Encrypt App data

• Disable Contacts sync

• Disable Printing


Missed something?

• This session will be recorded, so you will have the opportunity to watch it again or share with your colleagues.

• You will also receive an email tomorrow with the link to the recording and the PowerPoint slides.

• The recording can also be found on the Metalogix webinar page.


Thank you for Joining us Today!

• You can find the webinar recording on Metalogix.com/webinars

• You can find the follow-up blog on Metalogix.com/blog

• Our next webinar will cover the _______________seats are going fast so follow this link to register today.

I hope you all enjoy the rest of your week!


Move, Manage, Protect

metalogix.com | 202.609.9100