
Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations

BSides Peru, 54:17, 188 views, published 2018-01. Watch on YouTube ↗
About this talk
Presenter: Chris Seiders, Security Analyst, University of Pittsburgh, Computing Services and Systems Development. https://isc2pghchapter.org/

Description: NIST Special Publication 800-171, "Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations": what it is and how you may be impacted.

Presentation Details: NIST 800-171 was created to provide guidance on ensuring that all systems that process, store, or transmit CUI are secured and hardened. Some federal agencies, including the Department of Defense, have mandated that any contractor or subcontractor that handles CUI on behalf of the government secure their systems to 800-171 standards by December 31, 2017, or provide a compliance plan prior to that date. If you work with federal information, this discussion may be of interest to you. The standard may also be of interest to those looking for a security framework that is not as complicated as FISMA and 800-53.

Presenter Bio: Chris Seiders is a security analyst with the University of Pittsburgh's Computing Services and Systems Development department. He has been with the University for 4 years, focusing on security policy, risk management, and compliance. Chris is an ancillary reviewer on the Pitt Institutional Review Board (IRB), performing data security reviews of IRB protocol submissions. He works with the Ebusiness Resource Group to ensure University merchants are in compliance with PCI requirements. He has led efforts to implement the NIST Cybersecurity Framework and FISMA models within the university.
Transcript [en]

All right, so Chris Seiders, as we mentioned earlier, is going to talk about protecting controlled unclassified information in nonfederal information systems and organizations. Exciting stuff, huh?

Thank you. So as he said, I'm Chris Seiders. I'm a security analyst with the University of Pittsburgh, CISSP certified since 2002. I'm with the central IT department at the University of Pittsburgh; we're called Computing Services and Systems Development, CSSD. Standard disclaimer: these are my views and they do not represent the views of the University of Pittsburgh or its faculty or staff.

For those not familiar with Pittsburgh, we have five campuses, 36,000-plus students, with 12,000 faculty and staff. In addition to being an academic institution, we're also highly involved in research. We're ranked ninth nationally in federal science and engineering funding according to the National Science Foundation, and we're ranked fifth among US universities based on National Institutes of Health funding.

Here's our agenda for tonight. I'm going to be talking about security frameworks and why you might want to use them, compliance drivers for why you might want to use frameworks in academia and research, and a tale of three frameworks: since my time with the University of Pittsburgh (I started there in 2013) I've been involved in three different frameworks, FISMA, the NIST Cybersecurity Framework, and NIST 800-171. Then we're also going to talk about implementation guidelines and how I went through implementing those three standards.

So, security frameworks. I think most people in here are probably aware that a security framework is just a foundation for an information security program. It's basically a blueprint that you, or institutions, could follow to develop an information security program. We used to just refer to them as "best practices"; I think at some point people got together and decided, let's put together what we're calling best practices. I put that in quotes because everyone had their own idea of what was best, but I think people worked together on what the best practices for an information security program were and turned those into frameworks.

In addition to using a framework to build your information security program, frameworks can be used to audit or review an existing program. So if you have an existing information security program and you're curious to do a health check on it, you can grab a framework and compare your program against it. Another use for frameworks is to guide your strategic planning, and the NIST Cybersecurity Framework is especially useful for that; I'll talk about that a little bit later. They basically have this concept of a current profile, where you assess yourself for where you currently are, and then you assess yourself for your target profile, where you want to be and what controls and what areas you want to improve, and then you can use that as a very easy gap analysis to help drive your planning activities. And finally, another reason why you might want to be involved with security frameworks is you might have compliance requirements. If the last reason is the reason why you're looking at frameworks, there's no reason to be intimidated. That being said, federal contracts might require that you be in compliance with several standards. The two that I've seen in the federal contracts that we've gotten at the University are FISMA requirements and, more recently, requirements to follow NIST 800-171.

If you do happen to be an institution like Pittsburgh and you do get federal contracts, it might not be easily noticeable that you're subject to these provisions if you're not actively looking at your contracts. There could be language buried in those contracts that holds you to following these standards, but if you've never seen the contracts that your researchers or your contractors are getting, you may not be aware that you're subject to these. We discovered that a lot of the contracts that were coming through had this language in them, and in most cases the researchers and the IT department they were using were not following these standards. So what we did was we put a process in place with the Office of Research, so any time a new contract came in we had them looking for these language terms, and if they see that, then they contact the CSSD department and we review the language, review the research project, determine where the project is going to occur on the network, and make sure that the required controls can be met. We warn the researchers that there could be significant costs to the research project from implementing the security controls that are required by these. So if you have a researcher that's just getting a $5,000 contract, we don't want to tell them it's going to cost them $10,000 a year for us to host their computer environment in our data center. That's the driving reason why we wanted to get with the Office of Research to identify these.

So you might see language such as NIST Special Publication 800-53; that would indicate that you might need to follow FISMA guidelines. If you're working with Department of Defense contracts you might see a DFARS reference to 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting; that actually implies that you need to follow the 800-171 controls. And then obviously if it calls out the control itself, you obviously need to follow it, or if you see a contract that identifies that it's specifically related to controlled unclassified information. It'd be nice if you had unlimited time to meet compliance, but in the case of the Department of Defense, that DFARS clause, if it's in any contracts, requires the contractor to implement the NIST 800-171 standards as soon as practical but no later than December 31st, 2017. So you're probably all behind the times if you haven't implemented that yet, so you might want to actually go back to your contracts, or have your Office of Research go back through contracts, to see if that term or that provision is in your contracts. When we see it in our contracts it's buried in the appendix at the end, and they say "by agreeing to this contract or subcontract you agree to all these DFARS terms," and there could be 20 or 30 DFARS terms in there, so it could be buried in there. So you might not even be aware that you're subject to this compliance requirement when you really are.

Another reason for compliance: the Department of Education is dropping some not-so-subtle hints that they might be requiring educational institutions to start following NIST 800-171. This is an excerpt from the Dear Colleague letter that was sent out to all institutions of higher education on July 1st of 2016, and they strongly encouraged institutions that are not following the standards to do a gap analysis and immediately begin to design and implement plans. So they're laying the groundwork here; the consensus is that they're shortly going to stop encouraging us and start mandating that higher education institutions start utilizing this standard, especially when it comes to financial aid information.

So the term "controlled unclassified information" is a term that's specifically related to NIST 800-171, and it's defined as any information that's not in a classified category. So if it's not secret, top secret, any of those classifications or any other classifications, it's going to fall into controlled unclassified information. They have these 22 different categories and 85 subcategories, and they're vague. I don't even know the purpose of why they have these, because they could apply to pretty much everything.

It could be PII, like health information. So under category 17, Privacy, one of the subcategories is health information. So potentially if you're dealing with health information, even if you're not a health institution, if for some reason you are dealing with health information, this standard could apply.

Absolutely, yeah.

Yeah, and there are a lot of gray areas. With a lot of the contracts that I've been working with we tried to determine if the information really is CUI, because the university might be doing work for a contractor, or even a subcontract where we're a subcontractor to another contractor that's working for the federal government. In those cases we might be doing work to generate a deliverable to give to the contractor. Is that work that we're doing CUI? Is the work product that we're giving them CUI? We actually just ask either the sponsoring agency or the primary contractor, is this CUI? And a lot of times they can't tell us. We're like, well, someone needs to tell us whether or not we need to be following this. And they didn't ask the questions themselves, so they don't know how to answer the questions for us. So it's difficult, because again it's fairly new, and I'll get into the history of these a little later.

So I want to talk to you about a tale of three frameworks. Since I started with Pitt in 2013 I've been involved in three different frameworks. When I got there in 2013 they had already spent significant effort building this FISMA model. The thinking back then was that if they built this FISMA model it would help facilitate us getting awards for federal contracts that required FISMA or that had FISMA language in them, so we thought we could get a competitive advantage by having this pre-built, basically cookie-cutter environment that we built, and then when we got a new contract in we could just apply the stock FISMA system security plan and customize it for the specific aspects of the project, and we could just replicate this model throughout. Unfortunately, we built it and we only got three contracts that actually had FISMA language. And the model that we built: there are three different types of FISMA classifications, low, moderate, and high, and each one has progressively more stringent controls. Our model was at the FISMA moderate level, and the three contracts that we got were FISMA low. So it really wasn't a good investment. I mean, it was a successful project, but the actual benefit we did not get out of it.

The second framework we started working with in 2015: we decided to go with the NIST Cybersecurity Framework. We had a desire to come up with a standard that we could use across the entire university. So instead of just building a standalone model that could be used for those use cases, we wanted a standard that we could use across the entire university, and we wanted to use it within CSSD as well as within the individual colleges and departments throughout the university. Like I mentioned earlier, it's really good for doing a gap analysis, and when we did our assessment of CSSD it really did align with a lot of the existing initiatives that we already had in place. It actually gave some justification for why those initiatives were needed, and we could actually show how it would improve our information security program to the point where we wanted it to be. We piloted our assessment with the Swanson School of Engineering. They have 13 different departments under there, like chemical engineering and structural engineering, and all of them operate almost completely separate from each other, so each department did their own self-assessment. It was very successful and they were really happy with it. Again, they did their current profile and then did their target profile, which helped them identify gaps where they could improve their program. But again, we really didn't roll it out any further after the pilot. We had actually lost our CISO, so we were without a leader for a while, so we were just trying to survive on our own without a head, and we kind of noticed that the 800-171 was becoming a more prevalent standard, especially in some of our contract language.

Yeah, I'll show a crosswalk later. Yeah, definitely. I think I'll get to that later on; if I don't, just remind me again. I have something like implementation steps I went through, and I'll break down each of the frameworks' high-level controls and then drill down into the low-level controls for each framework, and then compare and contrast the three different frameworks.

Okay, so in 2017 we started looking at the 800-171. We were definitely seeing a lot more contracts from the Department of Defense coming in. They actually adopted it; pretty much every Department of Defense contract is going to have 800-171 requirements in it. They were the first federal agency to adopt this, and we expect other agencies to start following it. So we thought, because we were seeing all those in our DoD contracts, plus the indications from the Department of Education that they wanted institutions to start following it, and we just kind of thought it was a better framework. It definitely is a lot simpler than FISMA. I don't say it's better than the NIST Cybersecurity Framework; I think the NIST Cybersecurity Framework is still a good tool to use for assessing your information security program and continuously monitoring and assessing, and again doing the constant current and target profile to basically keep doing a health check on your information security program. But the 800-171 is a good framework if you don't already have an existing framework.

The one thing I'll point out, like I kind of mentioned: if you have a sponsoring agency or even another prime contractor, going to them and asking them for help on how they're actually implementing these controls that they're requiring of you, you'll just get silence. They won't tell you what they're doing, because I don't think they are doing it. I think it's something that they've been mandated to put in the contracts for any subcontractors or anybody that's doing work on behalf of the federal government, but I don't think they're doing it themselves. So they've been less than helpful whenever we've asked about this, even when we ask them, is the information you're giving us CUI? It's like, you need to tell us if it's CUI, because it's really going to dictate whether or not we need to follow specific standards.

Not really. Basically those screens I had earlier that just had the categories, that's actually taken out of the 800-171 document. I haven't seen anything like that. No, that's FISMA. No, it either is or isn't. I have had fairly good success by doing pushback and saying we want you to strike the provision that says 800-171 unless you can conclusively say that the data is CUI, and because they won't, usually they've just been striking the provision. So I've had a lot of luck with just getting them to remove the requirement, again because I push back; I usually ask them how they are following 800-171 and again they're saying they're not. So I think they don't want us to call out the fact that they're not following what they're requiring of us, so they strike the provision for us.

That was FISMA. And as we go through the history of FISMA and the 800-171 and some of the details, you'll see that 171 was created to basically bridge the gap between having someone follow FISMA standards, which nobody can. I mean, it's horrific; I'll show you how big the document is and just how many controls there are. Requiring the University of Pittsburgh to follow FISMA standards just to protect, well, think of an example of a project that we work on. One was for the military: we were analyzing tissue samples that were exposed to explosive forces. So they took muscle tissue, blew it up, and then they wanted us to examine the data and see how various protection garments would protect the tissues. Is that super sensitive information? Does it require the 409 FISMA controls? No. Is it sensitive military information that should have a reasonable level of protection? Yeah. So 800-171 is a reasonable set of controls to apply to that level of information.

So I'm just going to go quickly through the history of this stuff. FISMA was an act that came out in 2002; it actually was a law, and basically it provides a framework for the protection of federal operations and assets. Some key requirements of it: a set of information security standards, guidelines, and techniques to reduce information security risk to an acceptable level. It's made up of two parts: there's the FIPS 200 series as well as the NIST Special Publication 800-53. The 800-53 is the main guts of FISMA; that's the controls within there. And even if you're not implementing a FISMA system, the 800-53 controls are a good reference document, even for the 800-171, the NIST Cybersecurity Framework, or even other frameworks. It's very prescriptive; it goes down to high-level details for a lot of controls, so it's a great reference. Yeah, and actually the 800-53 will reference the FIPS documents within the individual controls.

Yeah, so as I said, the 800-53 document, which again is just one document within the whole of FISMA, is 487 pages long, and within the first page it starts referencing other 800-series documents and other NIST documents. So it's an ugly standard to try and read and implement; it's a monster. So these are the controls: there are 18 control families with 240 high-level controls. I mentioned there's low, medium, and high, so for FISMA low you might not have the same number of controls as you do for the medium and high. There's one control in the medium that I found really makes the difference, and that's the data loss protection controls between the low and the medium. So there are requirements to keep information from leaking out of the system. The way we built our FISMA model, it was completely isolated on private address space, and there were very few connections in and out of it, and it was very locked down.

No, there was no means to actually get information out of it. It was a completely closed system; it was a single-purpose application, a database application for brain tissue. So researchers would just key information into it. There was a means to encrypt data and go through a data exchange server to get information out that was sent back up to NIH, but for the most part it was a completely closed system. So yeah, I think that's it.

Okay, these are the detailed controls for the access control family. So this is all the controls for access control. Again, you can see if it's N/A, that means that control is not needed for FISMA low. But this stuff is obvious: controls like least privilege, session termination, session locks, remote access, all sorts of things. Some of the control families will have a main control but then they'll have sub-controls as well, so again it's highly detailed. I'll have an example of a control coming up right here. So this is AC-22, Publicly Accessible Content. Basically, and again this is a framework, this is just the foundation; you take these controls and you make them your own. So here's the sub-controls too: AC-22(b), "trains authorized individuals to ensure that publicly accessible information does not contain non-public information." So you can change that, or put an addition in there, and basically just say our information security program informs employees on acceptable use of social media and what's allowed and not allowed to be posted on social media and other public websites. So you take these controls and you make them your own. But again, you can see this is very prescriptive; it goes down into some fairly detailed options. It says that you should define the frequency to review the content on publicly accessible websites, and then look for non-public information on the websites and remove it on a timely basis. So, very prescriptive. We'll compare this to controls for the other frameworks.

So the NIST Cybersecurity Framework came out in 2014. It was an executive order; it wasn't a law. It was a risk-based approach to managing cybersecurity, and again it can be a foundation for a new cybersecurity program or a mechanism to improve an existing program. And then in December 2015 an update was announced; so after it came out, after a year, NIST sent out a request for information for feedback on the framework. They held a workshop in 2016 again to get more feedback. They took that feedback and they're actually, I think, on their second draft of version 1.1. I don't think they've changed too much in the new version, but they are actively supporting it. So the framework has five main categories, very simple: identify, protect, detect, respond, and recover. And then under that there are subcategories for each of the main categories. Here's an example of asset management subcategories: "physical devices and systems within the organization are inventoried," that's the control. Compare that to FISMA, where it had four or five different sub-levels; this is very open-ended. "Software platforms and applications within the organization are inventoried." "Organizational communications and data flows are mapped," so just knowing what your data flows are. So very simple controls that you can take and just describe what you're doing to meet those controls. You'll find a lot of crosswalks for a lot of these frameworks, so for any one of these, if you're familiar with COBIT or ISO standards and you want more detailed information, there's the 800-53. So if you're not sure how to implement that control you can go to the 800-53, go to configuration management control number eight, and that'll have the details there that you can pick through, and it might help you decide how to meet those controls.

So as I mentioned a couple of times, one of the core tenets of the Cybersecurity Framework is the concept of a current profile and a target profile, and it's actually pretty challenging. When I sat down with the School of Engineering and I started asking them how they are meeting certain controls, like patch management, they said, well, we're in the process of doing this, and I was like, time out: what are you actually doing? Not what do you want to do, or what are you planning on doing, or what's in progress; what are you currently doing? And once they got that mindset down, they could do the current profile. And then we went back through a second time and said, okay, now what do you want to do as far as patch management? They said, oh, we want to do this, we're planning on doing this. Okay, put that as your target for that control. And then they loved the end result, because it spelled out specifically the areas that they wanted to work on, and in a lot of cases they already knew what the action item was, but in other cases there wasn't an action item, and it drove some of those strategic discussions, and even some tactical discussions, on how they were going to get to the point where they wanted to be.

Okay, so the history of NIST 800-171. In November 2010, basically to address the increasing federal government need to protect sensitive unclassified government information, the kind we were talking about earlier that didn't fall under any of the other classifications, they created Executive Order 13563 and went to NIST and said, hey, you guys are good at drafting guidelines, help us draft a guideline to meet this executive order. So they basically looked at the FIPS standards and the 800-53, and I like to think of it as FISMA Lite; so 800-171 is FISMA Lite. The key requirements were protecting CUI consistent with statutory and regulatory requirements for federal and nonfederal systems, safeguards for implementing in federal and nonfederal systems, and a confidentiality impact no lower than moderate; basically it's FISMA moderate, so if you have a FISMA high you would not be able to meet that with NIST 800-171. So it applies to CUI. As we're talking about, it specifically calls out information sharing outside of the federal government, with institutions for research purposes or for some contracts; again, that's a lot of the work that we do. And if no other federal laws or regulations apply to controlling the data, NIST 800-171 applies. Again, there's that gray area of whether or not the information you're dealing with actually is federal information; it may be information that's being used to support the project but it may not actually be federal information. One thing you might see: a lot of vendors are hosting webinars saying how their products can help you be NIST certified, and while they might be able to help you implement some of the controls and monitoring of the controls, you can't just write a check and expect to be compliant.

So here's the NIST 800-171 controls. There are just 14 control families, 110 controls, instead of, however many it was for FISMA, 200-some; I'll have it later. They broke them down into basic controls and derived controls. The derived controls are just a more detailed level of the basic controls; again, the basic controls are kind of just high-level statements, the derived controls go a little bit deeper and get into some of the more details. But as you can see, there's not even a whole lot; aside from the access control family, which has 20 derived controls, the majority of them have just a few basic controls and then a few more derived controls. These are the descriptions of the various families and the goals they're supposed to accomplish. Access control: limit information system access to authorized individuals. Makes sense. Ensure that system users are properly trained. Easy enough. Create information system audit records. Establish baseline configurations and inventory of systems. This is what we used to call best practices, right? Someone just took the best practices and said, hey, let's put them together for people that may not know what best practices are. So I'm not going to read through all of them, but you can kind of see that they're fairly basic instructions. Conduct risk assessments. Good stuff. Here's a breakdown of some of the basic controls, and again, access control 3.1: limit information system access to authorized users, processes acting on behalf of authorized users, or devices; limit information system access to the types of transactions and functions that authorized users are permitted to execute. So if you can just define how you're doing that in your organization, you've met the controls.

Let's see, yeah, so this is the access control family again, which has a lot of derived controls, but even those are fairly simple: "control the flow of CUI in accordance with approved authorizations." So you define approved authorizations, who in your organization is approved to access the information, and control where it flows.

Yeah, it does take time, especially depending on the framework. For FISMA, it definitely required almost every department within the IT department, and internal audit and general counsel, and probably some departments that I'm not aware of or that aren't coming to mind, but that involved a lot of meetings. It was actually a formal project, and it wasn't just an IT project, and it did involve determining which controls we needed to meet with the various stakeholders, and meeting with them to work out what the controls should be.

now but that's a lesson learned and that's how we did the that's how we did the other two two frameworks and and I have some slides to go over how we did that too but yeah for FISMA we there's a lot of lessons learned from that and again it took a lot of time and there was a lot of in-person interviews versus survey so we we had some lessons learned from that so yeah these are this just for the three frameworks FISMA has 18 control families three subgroups the low moderate and high and 240 controls then a cybersecurity framework has five control families 23 subgroups and 109 controls 800 171 has 14 control families two subgroups

I call them subgroups; it really is just the basic and the derived controls, and they have 110 controls. So this was our approach to implementing the three frameworks. For FISMA, again, there were a lot of project meetings, a lot of pre-implementation planning, a lot of documentation, but the main part of the controls was building this isolated environment. We had dedicated virtual hardware that was separate from the VM clusters that we used for normal academic systems, we segmented and firewalled them on their own private network space, not accessible from any of the other networks, and basically created a repeatable model that we could just cookie-cut and spread out once we had all the administrative aspects taken care of. A lot of those were policy-driven; there were a lot of technical controls, but there were a lot of policy-driven controls as well. Because of the cost we did implement this as a chargeback model, because it did require a lot of capital expenditure and there was a lot of ongoing work involved. FISMA has controls for continuous monitoring and continuous risk assessments: any time the system changed you had to document the change, document any new risks and how you were going to address those risks. They call them plans of action and milestones, POA&Ms. So basically you had to document everything about the system.

Since we only had three customers and it did require so much effort to maintain, the people that were maintaining it stopped maintaining it and it pretty much died on the vine. So we're doing the bare minimum to support the three customers that we currently have, but we're no longer maintaining the model for any future customers.

Our approach for the NIST Cybersecurity Framework was a little different. We came up with a self-service questionnaire, and when we piloted it with the Swanson School of Engineering we basically had the control questions that they would free-form answer. But when we got the responses back from all 13 departments they were inconsistent; they might have interpreted the

questions differently, and there wasn't a consistent way to assess how the different departments were meeting the controls. So we decided to come up with a multiple-choice solution: for each of the controls we had four possible answers that were various maturity levels for meeting that control. Here's a sample question. The first one again is ID.AM-1, "physical devices and systems are inventoried", so the very first thing the CSF asks is, do you have an inventory of your systems? Because if you don't know what you have, you don't know what needs protection. So we came up with four levels: an inventory exists; the inventory is updated periodically to address new equipment; the inventory is updated to include relocated, repurposed and sunset assets; and the process is automated. They could check one or more of these, and if they checked none of them, that just meant that they did not have an inventory. There were similar questions for the applications, and we did this for all 110 controls. That way the departments could go in and just check off how they thought they were meeting the control, and then we could score the departments based on how they did for each of the 109 controls. Most of the time we had four different questions for different maturity levels, or four options for each control, four options on how you might be meeting that control.

Absolutely, yeah, because again these were pretty simple controls without a whole lot of levels, like the inventory one. We kind of structured them like this: you're doing the bare minimum, or you might just be doing a little, or you have an automated process or a system that's doing this for you. And again, the intent was so that we could gauge which departments were strong in some areas and weak in others, so that, if the engineering department could do it, we could see that some departments might be weak in the access control family but good in the protection family, and vice versa. It just gives us a measurement of how the various departments were meeting security based on this standard.
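The maturity-level scoring described above, as an added example that is not the University's questionnaire or code: each control has four options, a department checks one or more, the highest checked level is that control's score, and scores are averaged per CSF function so weak and strong families can be compared. ID.AM-1's options are the ones quoted in the talk; the other controls' option text and the department responses are constructed.

```python
from collections import defaultdict

# Control IDs with their four maturity options. ID.AM-1's options are the
# ones the talk quotes; ID.AM-2 and PR.AC-1 option text is hypothetical.
CONTROLS = {
    "ID.AM-1": ["inventory exists", "updated periodically for new equipment",
                "updated for relocated/repurposed/sunset assets", "process is automated"],
    "ID.AM-2": ["software inventory exists", "updated periodically",
                "includes versions and owners", "process is automated"],
    "PR.AC-1": ["accounts issued manually", "accounts reviewed periodically",
                "accounts removed on departure", "lifecycle is automated"],
}

def family(control_id):
    """'ID.AM-1' -> 'ID', the CSF function prefix used as the control family."""
    return control_id.split(".")[0]

def control_score(checked):
    """Highest maturity level checked (1-4); 0 means nothing checked, i.e. not met."""
    return max(checked) if checked else 0

def score_department(answers):
    """answers: {control_id: set of checked option numbers (1-4)}.
    Returns {family: average score} over every control in CONTROLS, so a control
    the department skipped counts as 0 instead of silently raising the average."""
    totals, counts = defaultdict(int), defaultdict(int)
    for cid, options in CONTROLS.items():
        # Ignore option numbers outside the control's real option range.
        checked = {lvl for lvl in answers.get(cid, set()) if 1 <= lvl <= len(options)}
        totals[family(cid)] += control_score(checked)
        counts[family(cid)] += 1
    return {fam: totals[fam] / counts[fam] for fam in totals}

def weakest_family(answers):
    """Family with the lowest average score; where to look first."""
    scores = score_department(answers)
    return min(scores, key=scores.get)

# Constructed responses: engineering answered everything, english skipped ID.AM-2.
RESPONSES = {
    "engineering": {"ID.AM-1": {1, 2, 4}, "ID.AM-2": {1, 2}, "PR.AC-1": {1, 2, 3}},
    "english": {"ID.AM-1": {1}, "PR.AC-1": set()},
}

if __name__ == "__main__":
    for dept, answers in RESPONSES.items():
        print(dept, score_department(answers), "weakest:", weakest_family(answers))
```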

Yeah, and we came to the same conclusion too. Again, we never actually rolled out the cybersecurity assessment. We built it, but we lost our CISO, and we lost the drive to use it as an assessment framework. We still might use it as an assessment framework. I think the initial intent was to do purely attestation, but down the road go back and maybe do some auditing and ask for evidence, to make it more evidence-based. So we definitely want to do it on an annual basis to reassess, but maybe that's something we do on a recurring basis, asking how they're doing it. I have been trying to get a GRC for about four years now to help with these things. We got budget approval for it, but then other initiatives came in, and on a daily basis with our new CISO a GRC would help with that. So I would love a GRC, and we actually have a GRC project that we're working on, trying to evaluate products.

Okay, so our approach for 800-171, what we're currently doing: this is the current framework that we're working on. We're building an initial questionnaire to send out to the entire University to identify where the high-risk data is, and then we go based on the answers to that. The initial questionnaire has some basic questions that everyone will fill out, even if it is low or moderate risk, and there are only about a dozen questions for that. But for the ones that are using high-risk data we're going to send out a detailed questionnaire, and that's going to be the 110 controls. For that one it's a lot of yes/no questions; I don't want to say it's dumbed-down questions, but we took the control, especially if there were multiple parts within the control, and we broke it down and said, are you doing this, are you doing this, are you doing this? Yeah, because we figured that, again, depending on the department, it might be the English department's administrative assistant that's going to be filling out this questionnaire, because they don't have their own IT department, whereas our FIS department has more IT people than we do, so they're going to understand the question better. But that's where we're currently at. We're currently working on the detailed questionnaire and finalizing the initial questionnaire that we're going to be sending out, and we definitely know this is going to be a multi-year project, just to communicate to the University departments and get them comfortable with what's going to be coming, and then there's probably going to be a lot of hand-holding

as well as we roll these out. This is an example of the initial questionnaire that's going out: it's just going to be a checklist for them to identify what types of data that department deals with. We're using Qualtrics as the survey tool, so it's mobile-friendly, so we're going to try and make this as easy as possible on the end users.

In summary, there are obviously many frameworks that you can choose from. These are just three NIST frameworks, but obviously there are many others. Compliance might be your driver; again, if your contract says that you must follow FISMA standards, you must follow FISMA standards, or if it says 800-171. Again, if you're stuck with a given framework, you can use the other frameworks as a reference; there are crosswalks. After we implemented the FISMA model we started working with our School of Dental Medicine, which is a HIPAA-covered entity, to make sure that they had all the controls, so we were actually able to use a crosswalk to say, for certain controls under the HIPAA environment, we already had the controls in HIPAA, so we didn't have to do a whole lot of work and we didn't have to start from scratch. So yeah, the crosswalks can help, and they can also help with the control creation. The suggestion I have is take your time; you can't build these overnight, but if you dedicate the resources to them they can actually be very helpful. I appreciate your time. [Applause]