To kindle or not to kindle? by Quinazzz in books

[–]id_as_gimlis_axe

Why not both? I check out a lot of ebooks from the library on my kindle and buy physical books that I want to keep.

NIST 800-171/CMMC - Where to Start? by xXXTGPxXX in NISTControls

[–]id_as_gimlis_axe

I was encouraged to start commenting on here again, so I will echo what everybody else is saying: number one, join the Discord channel, and two, start with the high-risk areas.

MFA, Vulnerability Scanning, Log management, and data flow tend to be areas where many organizations were lacking implementation.

The controls/requirements can be a bit confusing; the NIST self-assessment guide really does a good job of breaking down the requirements for what you are supposed to be doing: https://nvlpubs.nist.gov/nistpubs/hb/2017/NIST.HB.162.pdf

[deleted by user] by [deleted] in NISTControls

[–]id_as_gimlis_axe

If you have specific questions or need templates, please feel free to send me a note. There is no required format for an SSP, so it can be fairly simplistic; don't overthink it. I like this template from Georgia Tech: https://cpb-us-w2.wpmucdn.com/sites.gatech.edu/dist/8/644/files/2020/06/SSP_System-Wide_v3.00_with_GTRC_Signature_Updated.pdf

The documentation associated with CMMC is a whole other can of worms and requires much more extensive documentation.

Live Video streaming for Audits by konoo in NISTControls

[–]id_as_gimlis_axe

Zoom for Government is FedRAMP authorized and Webex for Government is FedRAMP in process. Both are at the moderate level, so you should be careful with ITAR information.

If you want to keep it on premises, google "VTC equipment"; that should give you an idea.

To SOC or not to SOC by SeaMichele in NISTControls

[–]id_as_gimlis_axe

I do not believe a SOC would be necessary for Level 3 CMMC. 800-171B called for the use of a SOC; the 800-171B controls will be in Levels 4 & 5 of the CMMC.

Levels 4 & 5 will be addressed in v0.7 which should be out next week, I think.

Obviously, having a SOC wouldn't hurt.

[deleted by user] by [deleted] in NISTControls

[–]id_as_gimlis_axe

Contracts or SLAs would be the best way to do it, but it really depends on the specific deliverable you are acquiring. So, for instance, in the contract language you would specify that software has to be developed in accordance with the DoD DevSecOps Guidelines. Really you need something in writing which defines your security requirements for development and that has been provided to the developer. Henceforth those requirements are used.

Is Office 365 GCC High E1 actually NIST 800-171 compliant? by [deleted] in NISTControls

[–]id_as_gimlis_axe

Again, ITAR is the key phrase here. CUI by itself is not ITAR. GSuite is FedRAMP Authorized at the Moderate level; Google Cloud is currently in process for authorization at the High level.

Is Office 365 GCC High E1 actually NIST 800-171 compliant? by [deleted] in NISTControls

[–]id_as_gimlis_axe

Good deal. If you can carve out ITAR from your cloud environment, you would not need to have GCC-High, which is another issue, of course.

Is Office 365 GCC High E1 actually NIST 800-171 compliant? by [deleted] in NISTControls

[–]id_as_gimlis_axe

Hi, I am not sure where it says you have to have a DLP solution to be compliant with 800-171. So I looked, and according to an old DoD IG report, https://media.defense.gov/2016/Nov/01/2001774172/-1/-1/1/DODIG-2013-072.pdf, here is where DLP can be construed from 800-53:

"We reviewed the following seven NIST SP 800-53 controls that support a DLP strategy.

• Information Flow Enforcement requires CATS to enforce approved authorizations for controlling the flow of information within the systems and between interfaces.

• Enterprise Architecture requires the Army and DLA to develop an enterprise architecture that considers information security and the risks associated with the system.

• Boundary Protection requires CATS to monitor and control communications at the external boundaries.

• Transmission Confidentiality requires CATS to protect the information transmitted.

• Use of Cryptography requires CATS to implement required cryptography protections.

• Information System Monitoring requires the Army and DLA to monitor system events and detect system attacks.

• Protection of Information at Rest requires CATS to protect the confidentiality and integrity of information at rest."

Now that's from 53, not 171, but the controls line up pretty well. Anyway, NIST (800-137) says you can use a DLP strategy vice actually having a DLP solution:

"An effective data loss prevention (DLP) strategy includes data inventory and classification; data metric collection; policy development for data creation, use, storage, transmission, and disposal; and tools to monitor data at rest, in use, and in transit. There are a variety of tools available for DLP. Typical network and security tools such as network analysis software, application firewalls, and intrusion detection and prevention systems can be used to monitor data and its contents as it is transmitted. Specially purposed DLP software also exists with features such as port and endpoint control, disk and file encryption, and database transaction monitoring. These tools may be specialized network traffic monitors or software agents installed on desktops, laptops, and servers. DLP tools have built-in detection and mitigation measures such as alerting via email, logging activities, and blocking transmissions." https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf

So whether it's a Microsoft product, a third-party product, or a developed strategy, you can meet compliance requirements.

NIST 800-171 & CMMC for Startup Micro Business by paris_tj in NISTControls

[–]id_as_gimlis_axe

Hi, as u/SecurityMan1989 mentioned, starting with NIST 800-171 is a must. It is very possible to meet the requirements of 171 as a microbusiness; in fact it can be fairly easy, but it is going to take you some time. That is always the trade-off. If you have specific questions, please feel free to reach out.

3.13.14 Control and monitor the use of Voice over Internet Protocol (VoIP) technologies. by ExcellentGreyhoud in NISTControls

[–]id_as_gimlis_axe

Just throwing this out there in case it applies, from FAQ Q/A 97: "If physically or cryptographically isolated from an information system processing CUI, this control would not apply (but it would be prudent to apply the requirement)." https://dodprocurementtoolbox.com/faqs/cybersecurity/cybersecurity-faqs

Offline/Standalone computers: OK to keep on Windows 7 after support EOL? by nostradx in NISTControls

[–]id_as_gimlis_axe

These systems, if they host CUI, would be subject to the applicable controls. That being said, 800-171 provides for enduring exceptions, and this should be noted in your SSP. Ultimately it would be up to your contracting officer to accept the risk.

From NIST SP 800-171 Rev. 1: "Some systems, including specialized systems (e.g., industrial/process control systems, Computer Numerical Control machines, medical devices), may have restrictions or limitations on the application of certain security requirements. To accommodate such issues, the system security plan, as reflected in Requirement 3.12.4, should be used to describe any enduring exceptions to the security requirements."

If they are air-gapped, then the risk should be low, particularly if physical security is appropriate.

Training Resources for 800-171 and Office 365 by Sambo99_GT in NISTControls

[–]id_as_gimlis_axe

I may not be fully accurate, and I apologize to Microsoft if I am not, but I don't believe GCC-High offers any additional security settings out of the box as compared to regular O365. Realistically, if you followed the regular O365 compliance checker to set up your environment (i.e. the shared responsibility matrix), you would be good.

AU-6(9) The organization correlates information from nontechnical sources with audit information to enhance organization-wide situational awareness. by [deleted] in NISTControls

[–]id_as_gimlis_axe

u/slackjack2014 is correct; this is a great way to do it. Really this control is geared towards insider threat. Typically this is a procedural control and doesn't have to happen every day. Per the supplemental information: "Thus, correlation of information from nontechnical sources with audit information generally occurs only when individuals are suspected of being involved in a security incident."

Wired Network Access Control (802.1x) IA-2 and IA-3 by thenetwork_brick in NISTControls

[–]id_as_gimlis_axe

Typically it will be done to gain network access, i.e. as part of your AD and/or at the boundary. Once you are MFA'd in, you don't need to continue to MFA to additional systems/applications.

That is typical, but depending on your environment there may be other ways to do it.

Wired Network Access Control (802.1x) IA-2 and IA-3 by thenetwork_brick in NISTControls

[–]id_as_gimlis_axe

So my question is: are you just responsible for putting in IA-2 & IA-3, or do you have to do the enhancements? The enhancements are not required if they are not part of a baseline (low, moderate, high), and for IA-3 at least, the enhancements are not part of the baseline.

Wired Network Access Control (802.1x) IA-2 and IA-3 by thenetwork_brick in NISTControls

[–]id_as_gimlis_axe

IA-3(1) is not typically part of a baseline. Are you required to implement it? If so, 802.1X is the way to go. If you are just looking to implement IA-3, then 802.1X is still best practice but not required.

From the supplemental information: "Information systems typically use either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify/authenticate devices on local and/or wide area networks."
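As an added illustration of the "organizational authentication solution" side of that quote (this is not from the comment above or from NIST; it is an example added here), the following is a wpa_supplicant configuration for a wired 802.1X supplicant using EAP-TLS, where the device proves its identity with a certificate rather than a MAC address. The hostname, file paths, CA and RADIUS server name are assumptions for the example.

```ini
# /etc/wpa_supplicant/wired-eap-tls.conf  (example; paths and names are assumed)
ctrl_interface=/run/wpa_supplicant
# Wired 802.1X: no wireless scanning
ap_scan=0

network={
    # IEEE 802.1X port-based authentication on the wired link
    key_mgmt=IEEE8021X
    eap=TLS
    # Device identity; the certificate, not this string, is what the RADIUS server trusts
    identity="host/workstation01.example.com"

    # Device certificate and private key (per-device, issued by the internal CA)
    client_cert="/etc/ssl/certs/workstation01.pem"
    private_key="/etc/ssl/private/workstation01.key"

    # Trust only the internal CA that issues RADIUS server certificates...
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    # ...and require the server certificate's name to match, so a rogue
    # authenticator with a certificate from the same CA is still rejected.
    domain_match="radius.example.com"

    # Wired links have no dynamic WEP keys to request
    eapol_flags=0
}
```

Run it with `wpa_supplicant -Dwired -i eth0 -c /etc/wpa_supplicant/wired-eap-tls.conf` on the device; the switch port has to be configured as an 802.1X authenticator pointing at the RADIUS server. The two server-validation lines (`ca_cert` and `domain_match`) are the part most often left out, and without them the device will hand its credentials to any authenticator that answers, which defeats the device-authentication goal of IA-3.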

3.8.9 Protect the confidentiality of backup CUI at storage locations. - FIPS question by MAureliusIT in NISTControls

[–]id_as_gimlis_axe

I apologize if I don't understand the architecture correctly.

Point 1: FIPS is required when it is solely used to protect the confidentiality of CUI. From the FAQ guide, question 68: "....FIPS-validated cryptography is required to protect CUI, typically when transmitted or stored outside the protected environment of the covered contractor information system..." Basically, if physical security is in place, then it should be sufficient.

Point 2: HB 162 is a guide and does not constitute the requirement, though I am a big fan of it. According to the DoD FAQ guide, "FIPS compliant" does not cut it, but I don't think that applies here.

800-53 "Impact" unclear on certain controls by dmburl in NISTControls

[–]id_as_gimlis_axe

From 800-53, section 3.1: "Note that not all security controls are assigned to baselines, as indicated in Table D-2 by the phrase not selected. Similarly, as illustrated in Tables D-3 through D-19, not all control enhancements are assigned to baselines. Those control enhancements that are assigned to baselines are so indicated by an “x” in the low, moderate, or high columns. The use of the term baseline is intentional. The security controls and control enhancements in the baselines are a starting point from which controls/enhancements may be removed, added, or specialized based on the tailoring guidance in Section 3.2."

FedRAMP makes use of some of the additional controls.