Search Results

  • Spies with Russia’s Foreign Intelligence Service Believed To Have Hacked Top US Cybersecurity Firm

    Submitted by: Daryl Haegley, Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow
    Original Source: https://www.nytimes.com/2020/12/08/technology/fireeye-hacked-russians.html?referringSource=articleShare
    By: David E. Sanger and Nicole Perlroth, December 8, 2020

    The same Russian spies who penetrated the White House and State Department several years ago and have attempted to steal coronavirus vaccine research have carried off another brazen hack, this time breaking into the servers of one of the world’s premier cybersecurity firms, FireEye, according to people familiar with the matter. The breach was disclosed by FireEye on Tuesday, though the firm did not attribute it to Russia’s foreign intelligence service. It was detected in recent weeks, said one of the people, who like others interviewed for this story spoke on the condition of anonymity because the investigation is ongoing.

    FireEye CEO Kevin Mandia said the hackers stole sensitive hacking tools that the company uses to detect weaknesses in customers’ computer networks and that could be turned back against the same customers or others. He said they primarily went after information related to certain government customers. “We are witnessing an attack by a nation with top-tier offensive capabilities,” Mandia said in a blog post. “The attackers tailored their world-class capabilities specifically to target and attack FireEye.” The firm went public with the incident to ensure that its 9,600-plus customers around the world and the cybersecurity industry were aware and could take steps to ensure that they won’t be breached with the stolen tools. The tools are used by FireEye “Red Teams” to test a company’s cyber defenses. The FBI is investigating the breach. “Preliminary indications show an actor with a high level of sophistication consistent with a nation-state,” said Matt Gorham, assistant director of the bureau’s cyber division.

    In 2015, hackers with the Russian SVR intelligence service compromised the servers of the Democratic National Committee. That group, known among private-sector security firms as APT29 or Cozy Bear, also hacked the State Department and the White House during the Obama administration. The SVR, however, did not leak the hacked DNC material. Rather, U.S. officials have said, a rival Russian intelligence service, the military spy agency GRU, separately hacked the DNC and leaked its emails to the online anti-secrecy organization WikiLeaks in an operation that disrupted the 2016 presidential campaign. The SVR, by contrast, hacks for traditional espionage purposes, stealing secrets that can be useful for the Kremlin to understand the plans and motives of politicians and policymakers. Its operators have filched industrial secrets, hacked foreign ministries and gone after coronavirus vaccine data.

    At this point, Mandia said, although the hackers were able to access internal systems, the firm has seen no evidence that they removed data from primary systems that store customer information. The governments targeted did not necessarily include the United States, said a person familiar with the investigation. The hackers “operated clandestinely, using methods that counter security tools and forensic examination,” Mandia said. “They used a novel combination of techniques not witnessed by us or our partners in the past.” It was the equivalent, said one person familiar with the investigation, of a “sniper shot.” The attackers made off with a significant number but not all of the firm’s tools, the person said. Mandia said FireEye has seen no evidence that any hacker to date has used the tools. Nonetheless, he said, the firm has developed more than 300 countermeasures for its customers to help shield them from attack. FireEye has skilled people developing its Red Team tools by building off techniques observed in incidents and publicly available capabilities.

    None of the tools used “zero days” or previously unknown exploits that help a hacker compromise a system. “These would be tools primarily we’ve seen used by attackers that we want to emulate,” the person said. “Security companies are one of the top targets of nation-state operators and many have been successfully compromised over the years, including Kaspersky, RSA and Bit9,” said Dmitri Alperovitch, who co-founded a leading cyber firm, CrowdStrike, and is chairman of the Silverado Policy Accelerator think tank. “The primary goals of these operations are typically to get access to capabilities that would make it easier for them to hack companies all over the world,” he said. “It is impressive how transparent FireEye has been at disclosing the breach, the details of what happened and providing mitigations for their stolen ‘Red Team’ tools to help minimize the chance of others getting compromised as a result of this incident.”

    The motive behind the breach is unclear. Besides obtaining hacking tools, a nation-state might also have wanted to learn what FireEye knows about its capabilities and adjust its techniques accordingly, or it could study the tools for weaknesses that can be exploited, said Gregory Touhill, president of AppGate Federal Group and former federal chief information security officer. Mandia founded the cyber firm Mandiant, which was bought by FireEye in 2014. Mandiant made headlines with a 2013 report (https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf) detailing the exploits of a prolific Chinese military hacking unit that targeted victims around the world, including in the United States. Microsoft is assisting FireEye with the investigation.

  • The Institute for Critical Infrastructure Technology (ICIT) Provides Research, Advisory, & Education

    Submitted by: Daryl Haegley, Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow
    Original Source: https://icitech.org/threats-to-industry-4-0/

    The Institute for Critical Infrastructure Technology (ICIT) provides objective, nonpartisan research, advisory, and education to legislative, commercial, and public-sector cybersecurity stakeholders. One of their focus areas is “Threats to Industry 4.0, OT, and IIoT.” The convergence of IT and OT and the rapid growth of the Industrial Internet of Things (IIoT) has created new threats which organizations must understand and control. This initiative will focus specifically on this emerging area, which impacts our commercial sectors, government agencies, and ultimately our national security.

  • Ransomware Attacks Have Surged Drastically During Remote Working

    Submitted by: Daryl Haegley, Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow
    Original Source: https://cyware.com/news/ransomware-attacks-have-surged-drastically-during-remote-working-30d4e732
    12/07/20

    The COVID-19 pandemic forced millions of people to work remotely and cybercriminals are taking advantage of it. According to Group-IB’s annual Hi-Tech Crime Trends 2020/2021 report, ransomware attacks wreak havoc on businesses and cost the world over $1 billion as a financial loss.

    Key insights

    Since late 2019, ransomware attacks have surged drastically, targeting both the private and government sectors. Around 500 ransomware attacks spanning over 45 countries were reported around the world during this period. The U.S., the U.K., France, and Germany together make up 20% of all ransomware attacks. Attacks on North and South American countries are 10%, while that of Asian states is 7%. The five most attacked sectors include retail (51 victims), manufacturing (94 victims), government agencies (39 victims), construction (30 victims), and healthcare (38 victims). The operators Maze and REvil are believed to be behind more than half of all successful attacks. Other ransomware families, including Ryuk, NetWalker, and DoppelPaymer, came second. Ransomware operators are using targeted brute-force attacks on remote access interfaces (such as RDP, SSH, VPN), downloaders, and new types of botnets (or brute-force botnets).

    Recent Attacks

    Though there have been hundreds of attempts ever since lockdown was imposed due to COVID-19, here are a few recent ones. Recently, U.S. Fertility, one of the largest networks of fertility clinics located in the U.S., was hit by a ransomware attack. The Baltimore County Public Schools were hit by a ransomware attack that compromised distributed virtual learning.

    Conclusion

    Existing security solutions used by a lot of companies usually fail to spot and block ransomware activity at early stages. Thus, experts recommend taking a backup of important data, patching software and operating systems regularly, and providing training to identify spam emails with malicious intent.

  • CEOs Will Be Personally Liable for Cyber-Physical Security Incidents by 2024

    Submitted by: Daryl Haegley, Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow
    Original Source: https://www.tripwire.com/state-of-security/risk-based-security-for-executives/ceo-personally-liable-cyber-physical-security-incidents/
    By TRIPWIRE GUEST AUTHORS, 11/17/20

    Digital attack attempts in industrial environments are on the rise. In February 2020, IBM X-Force reported that it had observed a 2,000% increase in the attempts by threat actors to target Industrial Control Systems (ICS) and Operational Technology (OT) assets between 2018 and 2020. This surge eclipsed the total number of attacks against organizations’ industrial environments that had occurred over the previous three years combined.

    Converging Worlds

    The growth in the number of attacks discussed above is at least partially tied to OT’s ongoing convergence with Information Technology (IT). Previously, IT and OT were worlds unto themselves. IT personnel mainly helped to maintain the PCs, servers, and other technology assets that interacted with or, in some way, handled enterprise-related information. In contrast, OT staff members primarily managed controllers and segmented the industrial network. There was some collaboration, but this was limited to specific purposes like submitting work orders and billing. These worlds converged when many organizations began undergoing a digital transformation. Through this transformation process, organizations arrived at the belief that they could optimize their OT assets’ performance by connecting them to the Internet and IT systems. This convergence has introduced an abundance of network and computing devices into industrial environments that weren’t previously accessible via the web, thus expanding the IT systems attack surface in OT environments.

    Malicious actors didn’t waste any time in modifying their attacks. Indeed, TRITON (also known as TRISIS), WannaCry, and other malware made headlines for successfully targeting organizations’ industrial environments. Each of these attacker groups shaped their malicious activity to accord with their motivations. Some infiltrated organizations surreptitiously to conduct espionage and leverage whatever knowledge they gained about their targets to give a leg up to a competing country or organization. Others were a bit “louder” in their approach by seeking to disrupt their victims’ industrial systems in the hopes of undermining the economy, national security, and/or public safety of the country in which the targeted organization resided. With these threats in mind, it’s sobering for IBM X-Force to report that over 200 new ICS-related CVEs were released in 2019. This discovery led researchers to predict that attacks against OT and ICS targets will continue to increase in 2020 and beyond.

    Limiting Factors

    Organizations with industrial environments aren’t blind to these threats. Even so, some feel that they aren’t in a position to do anything about those dangers because of the costs associated with purchasing an industrial security solution. MarketsandMarkets found that organizations specifically need security measures that cover their entire industrial environments. This requirement causes OT security solutions to be expensive and organizations to opt for multi-threat solutions that don’t require high upfront costs like licenses or maintenance activities. But if you think industrial cybersecurity is expensive, try an accident. An unintended or malicious cyber incident can cause catastrophic failures similar to the Buncefield oil storage facility explosion, Taum Sauk dam failure, and Texas City refinery explosion. The issue here is what’s at stake. Organizations with industrial environments tend to operate Cyber-Physical Systems (CPS) that are responsible for ensuring smooth operations in plant environments such as critical infrastructure. If they are disabled or compromised, CPS can cause malfunctions in the plant environment that endanger public safety, threaten property destruction, and/or cause natural disasters. Hence, Gartner predicts that the financial impact of attacks against CPS will continue to rise, with the total cost reaching $50 billion by 2023 in compensation, regulatory fines, and reputation loss. (Those costs don’t even account for the value of human life.)

    The Issue of Accountability

    There’s an important development in the works, however. Indeed, Gartner also sees liability for CPS attacks ultimately extending to 75% of CEOs by 2024. This personal liability for CEOs reflects the fact that many enterprises are not aware of their organizations’ CPS and their vulnerabilities. This situation could result from rising shadow IT as personnel from outside IT install hardware and software to drive automation and modernization efforts at work. But even when they’re aware of which CPS the organization is responsible for managing, CEOs and the Board might not be pursuing a sound security strategy for these assets. The reality is that CEOs and the Board are unaware that typical CPS risk assessment reports shared with them have an underrepresented view of the real operational, public health, safety and environmental risks. These assessment reports are developed through a ‘coordinated view’ approach. Assessors and plant operations and engineering stakeholders exchange information as part of this approach, but with a limited common understanding of the cyber-physical systems’ nature and complexity. This approach leads to an unbalanced focus on prioritizing IT network and system risks, which are generally more well understood than the more significant CPS risks in OT that require further assessment of their physics and engineering. While the coordinated view approach to risk assessment is in some ways better than isolated cyber risk assessments conducted by IT, operations, and engineering in their respective domains, it does not offer a ‘converged view’ of the CPS risk problem.

    Hardening Their Industrial Assets

    Organizations need a way to harden their industrial assets to avoid the costs of an industrial cybersecurity incident, both in terms of corporate fees and personal liability to CEOs and board members. Organizations must leverage frameworks like ISA/IEC 62443, NERC CIP, and MITRE to strengthen their OT assets’ security and select industrial cybersecurity solutions that help create a reliable cyber operational resilience program. To develop a better understanding of industrial frameworks, to align IT/OT, and to use the right tools for the job while obtaining executive buy-in, read the eBook by Tripwire, “Navigating Industrial Cybersecurity: A Field Guide.”

  • Discussion of the importance of protecting our operational technology from cyber-attacks

    Submitted by: Daryl Haegley, Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow
    Original Source: https://www.linkedin.com/posts/jpitlik_cybersecurity-htb2020-activity-6736497456554618880-YLEY/

    Lucian Niemeyer, Assistant Secretary of Defense, Office of Management & Budget, discusses the importance of protecting our operational technology from cyber-attacks at MISIS’s Hack the Building Conference: https://www.hackthebuilding.tech/

  • The Final Cyber Essentials Toolkit has arrived: Chapter 6: Your Crisis Response.

    Submitted by: Daryl Haegley, Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow
    Original Source: http://www.cisa.gov/publication/cyber-essentials-toolkits

    The final Cyber Essentials Toolkit has arrived: Chapter 6: Your Crisis Response. This chapter focuses on responding to and recovering from a cyberattack. In addition to resource links, this chapter also includes an exercise that information technology and cybersecurity managers can use to engage company leaders in thought-provoking discussions about cybersecurity. The exercise is designed to raise leaders’ awareness of the risks and the need to integrate cybersecurity decision-making with day-to-day risk management processes and procedures.

    The Cyber Essentials Toolkit is a set of modules designed to break down the CISA Cyber Essentials into bite-sized actions for IT and C-suite leadership to work toward full implementation of each Cyber Essential. Each chapter focuses on recommended actions to build cyber readiness into the six interrelated aspects of an organizational culture of cyber readiness.

  • NSA Warns of Russian Hackers, Urges Patching of Defense Systems

    Submitted by: Daryl Haegley, Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow
    Original Source: https://www.bloomberg.com/news/articles/2020-12-07/nsa-warns-of-russian-hackers-urges-patching-of-defense-systems
    By Alyza Sebenius, 12/07/20

    The U.S. National Security Agency warned that Russia’s hackers are exploiting a flaw in products made by the software company VMware Inc. The NSA said in a Monday advisory that Russia was using the flaw to “access protected data” and urged administrators of national security and defense systems, as well as defense contractors, to patch their networks and take other measures to reduce the risk of attack.

    In a written statement, a VMware representative said that the company “responded to a new security issue” and that it “has provided the appropriate updates and patches to mitigate this issue.” The company encouraged “all customers to apply the latest product updates, security patches and mitigations made available for their specific environment.” Speaking at an event last month, the NSA’s cybersecurity lead, Anne Neuberger, said that Russia can weaponize publicly known digital flaws in as few as 48 hours -- making prompt patching important.

    The NSA warning comes a few days after the Department of Homeland Security issued an alert about Iranian hackers -- saying that they are becoming more sophisticated and improving their offensive arsenal, leading to the possibility of “cyber-enabled kinetic attacks” in the future. Iranian actors are defacing web pages, taking sites offline by flooding them with traffic, stealing personal data and conducting influence operations on social media, according to a Dec. 3 notice by the Department’s Cybersecurity and Infrastructure Security Agency.

  • (CS)2AI-KPMG Control System Cyber Security Report (2020) - Part 1: Introduction

    On behalf of a tireless (CS)2AI annual report steering committee, I am proud to announce the availability of the very first (CS)2AI-KPMG Control System Cyber Security Annual Report. The report was based on survey results from industry members at large and a representative sample of (CS)2AI’s worldwide membership (approaching 19,000 members today), with questions regarding control system security events, trends in attack activities and protective technologies, and how organizations are adapting to changes in the threat landscape. The primary intent of this report is to provide a free and valuable decision support tool that helps guide control system cyber security practitioners and management to make well-informed and prioritized decisions regarding the protection of critical assets.

    From the start, we believed that by casting a very wide survey net globally and applying some careful evaluation of the data we could find some valuable insights. We did find those. Amongst other factors, the data revealed potentially overlooked aspects of the interactions between business, operations, personnel and technology, and how all of those affect the security of organizations (and society). As we worked on this project with partners and members around the world it became clear that the very nature of our neutral not-for-profit organization coupled with our large and diverse membership base is ideal for such research and decision support tools. It is now a firm part of our organizational mandate to help identify which efforts to improve security are working, where they aren’t as effective as they should be, and even where they might be counterproductive. Moving forward, the (CS)2AI research program is squarely aimed at answering these questions and more.

    This comprehensive report is the result of significant participation from our Strategic Alliance Partner, KPMG, to whom we owe a heartfelt ‘thank you’ for helping bring this to life. We must also thank Airbus CyberSecurity, Fortinet, Palo Alto Networks, and Waterfall Security Solutions for their important contributions to both the research phase and the final report. Through their direct support of (CS)2AI and this joint project, these companies continue to demonstrate their commitment to help solve the challenges the control systems cyber security workforce faces today. We also want to express our gratitude to the annual report steering committee members who spent many hours pondering the exact questions before we launched the survey and each iteration of the report draft. Finally, I want to thank all of you who participated in this research for the benefit of others; without that there is no crowd wisdom to gather, study and share back with the community. This is yet another (CS)2AI "Members helping Members" initiative.

    I sincerely hope you find this report valuable and I invite you to provide feedback of all types. Though we'd all love to hear positive things, constructive criticism is a necessary ingredient to making this resource the best it can be. For feedback or if you want to get involved in the 2021 report project, please email us at research@cs2ai.org

  • Creating a DoD Cybersecurity Maturity Model Certification Compliant Risk Management Plan

    By Michael Chipley PhD GICSP PMP LEED AP, President, The PMC Group, (CS)²AI Fellow November, 2020 INTRODUCTION In response to continued data breaches and exploits of the Defense Industrial Base and other DoD contractors/vendors such as A&E, construction and systems integrators, the DoD is replacing the current DFARS 7012 Protecting Controlled Unclassified Information (CUI) self-attestation with the Cybersecurity Maturity Model Certification (CMMC) process. The CMMC builds upon the current NIST SP 800-171 and 172 standards and adds additional enhancements based on Levels 1 through 5, with 5 being the most difficult and intended for larger organizations with full IT and SOC capabilities. For most small and medium size organizations, Level 3 will be the typical baseline meaning they have a CMMC compliant Cyber Risk Management Plan (CRMP) in place and can identify and report a cyber incident. The desired state is Level 4 where the organization has an active Hunt and Defend program in place and performs Continuous Monitoring and Audits for Advanced Peristent Threats (APTs).  DoD RFP’s will be scored against the Level and an organization will only be able to obtain an RFP for which they have been certified. DoD is currently in acquisition stage discussions with 3rd Party Assessor Organizations (3PAO’s) with the intent to go to full Rule Making for the large DIB primes and their suppliers/subcontractors to start in early 2021. https://www.acq.osd.mil/cmmc/index.html OFFICE OF SECRETARY OF DEFENSE FOR ACQUISITION A& SUSTAINMENT CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC) The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) recognizes that security is foundational to acquisition and should not be traded along with cost, schedule, and performance moving forward. 
The Department is committed to working with the Defense Industrial Base (DIB) sector to enhance the protection of controlled unclassified information (CUI) within the supply chain. OUSD(A&S) is working with DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDC), and industry to develop the Cybersecurity Maturity Model Certification (CMMC). · The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats. · The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements. · The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels. · The intent is for certified independent 3rd party organizations to conduct audits and inform risk. The CMMC is divided into 17 Capability Domains and 5 Levels with associated Practices and Processes. The 5 Level Practices and Processes are intended to enable an organization to implement a cybersecurity program consistent with their cybersecurity contractual requirements as well as their financial and technical ability to obtain the desired Level of certification. The CMMC will have database (currently being developed as a DISA eMASS instance) of Certified organizations and as part of the Solicitation/RFP a Level will be assigned to the type of work/acquisition. The DoD will specify the required CMMC level in Requests For Information (RFIs) and Requests for Proposals (RFPs). Levels 1 an2 are intended primarily for Vendor/Suppliers and Level 3 is the minimum Level that most contractors/vendors must attain to be able to obtain RFP’s. 
Levels 4 and 5 are for organizations able to perform Hunt and Defend and/or have a SOC capability. The current year 2020 timeline is a bit behind schedule, but initial CMMC training and mock assessments are underway and the Final Rulemaking will hopefully occur in 2021. The CMMC Compliance matrix has been posted to the OSD website. The excel file can be used in conjunction with the ESTCP NIST SP 800-171 System Security Plan Word template. The CMMC Accreditation Body is now accepting applications for 3 PAO’s. https://www.cmmcab.org/ DFARS 701 CLAUSE AND CREATING A NIST 800-171 COMPLIANT CYBER RISK MANAGEMENT PLAN (CRMP) Established by Executive Order 13556, the Controlled Unclassified Information (CUI) program standardizes the way the Executive branch handles unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies. DoD issued the DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting in 2015 with compliance required by January 2018. The intent is for an organization to be able to Detect a cyber incident and report it within 72 hours so that the compromise or breach can be evaluated for other impacts to DoD and/or contractor/vendor/Defense Industrial Base partners. (a) Definitions. As used in this clause— “Adequate security” means protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information. “Compromise” means disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred. 
“Contractor attributional/proprietary information” means information that identifies the contractor(s), whether directly or indirectly, by the grouping of information that can be traced back to the contractor(s) (e.g., program description, facility locations), personally identifiable information, as well as trade secrets, commercial or financial information, or other commercially sensitive information that is not customarily shared outside of the company. “Controlled technical information” means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions. “Covered contractor information system” means an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information. The DoD implementation of the EO was issued December 2015 as the “Guidance to Stakeholders for Implementing Defense Federal Acquisition Regulation Supplement Clause 252.204-7012 (Safeguarding Unclassified Controlled Technical Information). The protection of Controlled Unclassified Information (CUI) while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations. The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. 
The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations. Technical data or computer software as defined in DFARS Clause 252.227-7013, Rights in Technical Data-Non Commercial Items, regardless of whether or not the clause is incorporated in the solicitation or contract. Examples of technical information include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code. The data may be in tangible form, such as a blueprint, photograph, plan, instruction, or an operating manual, or may be intangible, such as a technical service or oral, auditory, or visual descriptions. Examples of technical data include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software. DoD ESTCP WEBSITE CYBER RISK MANAGEMEN PLAN TEMPLATES The current 800-171 DFARS 7012 CRMP process is posted on the DoD ESCTP website at: https://serdp-estcp.org/Tools-and-Training/Installation-Energy-and-Water/Cybersecurity/FRCS-Protecting-CUI. All DoD projects that will collect, transmit, or store CUI data must have a current Cyber Risk Management Plan (CRMP) IAW with NIST SP 800-171 and the DFARS CUI Guide, compliance required by Dec 2017. Templates are provided for each of the documents and the IE and ESTCP offices will assist contractors/vendors to complete a CRMP. Note the templates can be used for both corporate IT business systems and OT FRCS projects. 
Typical CUI data on corporate IT systems includes design drawings and site information (CAD, BIM, GIS), specifications, test results, and consumption data (meter, site data). Typical CUI on OT projects includes network traffic (Modbus, BACnet, TCP/IP) between HMIs and lower-level controllers, configuration files, hardware/software versions and hashes, and consumption data (meter, site data).

The following documents are typically included in the CRMP (presented in order of recommended completion):

  - CRMP Table of Contents Checklist
  - Event/Incident Communications Plan (EICP)
  - Event/Incident Response Plan (EIRP)
  - Information Systems Contingency and CONOPS Plan (ISCP)
  - Information System Policies and Procedures (ISPP)
  - Security Audit Plan (SAP)
  - System Security Plan (SSP)
  - Security Monthly (or Quarterly) Assessment Report (SMAR)
  - Plan of Action & Milestones (POAM)
  - DFARS CUI DIBNet Incident Response Form
  - US-CERT Incident Response Form
  - CJCSM 6510.01B Incident Response Form

The DFARS 7012 clause uses the NIST SP 800-171 standard, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, as the basis of a cybersecurity program:

“The protection of Controlled Unclassified Information (CUI) while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations. The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.”

The NIST SP 800-171 controls originated in NIST SP 800-53 Rev 4, in condensed form; note the 3.X.X numbering scheme that differentiates them from NIST SP 800-53. The current DFARS 7012 requires an organization to have a System Security Plan (SSP) and a Plan of Action and Milestones (POAM):

  - NIST SP 800-171, Security Requirement 3.12.4 (System Security Plan): Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
  - NIST SP 800-171, Security Requirement 3.12.2 (Plans of Action): Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.

The SSP and POAM templates are provided on the ESTCP website. The DoD CMMC Compliance Matrix or the DHS CSET tool can be used to generate the security controls and responses.

Another key area to address is the Information System Contingency Plan and conducting a table-top exercise. A ransomware table-top exercise is also an excellent way to test the Event/Incident Communications Plan (EICP) and the Event/Incident Response Plan (EIRP).

DFARS CYBER INCIDENT REPORTS

DFARS cyber incidents are reported to the Defense Cyber Crime Center (DC3) via the DIBNet portal. Note: DIBNet is a web portal for sharing threat information between DoD and DIB companies. See appendix F for a list of reportable fields. If the contractor does not have all the information required by the clause within the 72-hour time constraint specified in paragraph (d)(1) of the safeguarding clause, the contractor should report the details available at the time.

Having created and exercised all of the CRMP documents, an organization is ready to self-attest compliance. An additional DFARS requirement is to flow down the DFARS CUI security requirements to all subcontractors/teammates.
CMMC IMPACT ON OTHER FEDERAL AGENCIES

The recently released GSA 8(a) STARS III RFP directs all bidders to prepare for CMMC certification, as GSA expects CMMC to become the baseline for other federal agencies:

H.6.3.3 While CMMC is currently a DoD requirement, it may also have utility as a baseline for civilian acquisitions; so it is vital that contractors wishing to do business on 8(a) STARS III monitor, prepare for and participate in acquiring CMMC certification.

H.6.3.4 8(a) STARS III contractors should begin preparing for CMMC and SCRM accreditation by staying aware of developing requirements and by implementing the appropriate NIST SP 800-series documents. Examples of appropriate actions include the following:

(1) Determine if your company receives federal funds from the Department of Defense either directly as a prime contractor or indirectly via subcontracts, purchase orders, or other contractual agreements. If so, and/or if Civilian agencies adopt the same program, you should be prepared to obtain at least a Level 1 certification.

(2) Determine whether your company currently or in the future expects to electronically process, store, or transmit CUI in the performance of its defense contracts. If so, you should be prepared to obtain at least a Level 3 certification.

(3) Review your company’s current compliance with NIST SP 800-171 Rev 1 in relationship to your expected CMMC level requirements. Begin drafting a System Security Plan (SSP) in accordance with NIST SP 800-18 Rev 1. If you currently have a Plan of Action and Milestones (POAM) in place or identify additional concerns, dedicate appropriate resources to ensure that progress is being made to close any gaps as quickly as possible. Examine Draft NIST SP 800-171B for enhanced security requirements to improve cybersecurity maturity capabilities as applicable given the CMMC level you intend to attain.

(4) Review your company’s current compliance with NIST SP 800-161 to include the establishment of a SCRM Plan.

(5) Investigate your subcontractor base as CMMC and SCRM requirements may flow down to subcontractors, including commercial item subcontractors. It is expected that consent to subcontract at the Order level may also consider subcontractor CMMC level.

SUMMARY

Any organization can download the ESTCP CRMP templates and start on the process to become NIST SP 800-171 and CMMC compliant. Organizations wishing to do business with the DoD, and soon the GSA, will need to ensure they have a CMMC-compliant Cyber Risk Management Plan in place and perform continuous monitoring and auditing to ensure their IT systems are not compromised. The government does not penalize an organization for experiencing a compromise or data breach; however, an organization MUST be able to DETECT a cyber incident and REPORT it to DoD within 72 hours of discovery. The cost of a CMMC third-party (3PAO) assessment has not been published, but the FAQs state, “The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive.” The CMMC Accreditation Board website says a 3PAO must be ISO 17021 certified, and the Board is now accepting applications.

  • New Flaws in Top Antivirus Software Could Make Computers More Vulnerable

    Submitted by: Daryl Haegley Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow Original Source: https://thehackernews.com/2020/10/antivirus-software-vulnerabilities.html By Ravie Lakshmanan 10/05/20 Excerpt: “Chief among the flaws is the ability to delete files from arbitrary locations, allowing the attacker to delete any file in the system, as well as a file corruption vulnerability that permits a bad actor to eliminate the content of any file in the system. Per CyberArk, the bugs result from default DACLs (short for Discretionary Access Control Lists) for the "C:\ProgramData" folder of Windows, which are used by applications to store data for standard users without requiring additional permissions. Given that every user has both write and delete permission on the base level of the directory, it raises the likelihood of a privilege escalation when a non-privileged process creates a new folder in "ProgramData" that could be later accessed by a privileged process.”
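    The excerpt describes a class of bug rather than one product's code: a folder under C:\ProgramData that a standard user can create, write to or delete, which a privileged service later trusts. The PowerShell below is an added example written for this page; it is not code from the article, from CyberArk or from any antivirus vendor. It does two things on a Windows host. Get-WritableProgramDataFolders lists top-level ProgramData folders whose DACL grants a low-privilege principal write or delete rights, or whose owner is not SYSTEM, Administrators or TrustedInstaller (the usual sign that a non-privileged process created the folder first and picked up Full Control through the inherited CREATOR OWNER entry). New-ProtectedProgramDataFolder shows the corrected pattern for a privileged installer: refuse a folder that already exists with an untrusted owner, and otherwise create it with inheritance cut so the permissive default entries never flow in. The folder name 'ExampleVendor', the list of trusted owners and the list of low-privilege principals are assumptions for illustration.

```powershell
# Added example (not from the article or CyberArk). Audit who can write to or delete
# top-level folders under %ProgramData%, then show how a privileged component should
# create its own folder so a standard user cannot pre-create or tamper with it.
# 'ExampleVendor', $TrustedOwners and $LowPrivIdentities are assumptions for illustration.

$ProgramData = $env:ProgramData   # normally C:\ProgramData

# Rights that let a standard user plant, replace or delete files a privileged process
# will later trust. 'Write' covers CreateFiles/CreateDirectories/WriteData/AppendData.
$RiskyRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# Low-privilege principals whose Allow ACEs are a concern (English account names).
$LowPrivIdentities = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE')

# Owners expected for folders created by privileged installers or services.
$TrustedOwners = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

function Get-WritableProgramDataFolders {
    # One object per folder a standard user could write to or delete, or that is owned
    # by a non-administrative account (possibly pre-created by a user).
    Get-ChildItem -Path $ProgramData -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $dir = $_
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }

        $riskyAces = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $LowPrivIdentities -contains $_.IdentityReference.Value -and
            (($_.FileSystemRights -band $RiskyRights) -ne 0)
        }
        $untrustedOwner = $TrustedOwners -notcontains $acl.Owner

        if ($riskyAces -or $untrustedOwner) {
            [pscustomobject]@{
                Folder         = $dir.FullName
                Owner          = $acl.Owner
                UntrustedOwner = $untrustedOwner
                RiskyAces      = ($riskyAces | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
            }
        }
    }
}

function New-ProtectedProgramDataFolder {
    # Creates a folder with an explicit DACL: inheritance from ProgramData is cut, so the
    # permissive Users and CREATOR OWNER entries do not flow in. Run from an elevated prompt.
    param([Parameter(Mandatory)][string]$Name)

    $path = Join-Path $ProgramData $Name
    if (Test-Path -LiteralPath $path) {
        # A folder already here may have been planted by a standard user (the race the
        # article describes); refuse rather than silently trust it.
        $owner = (Get-Acl -LiteralPath $path).Owner
        if ($TrustedOwners -notcontains $owner) {
            throw "Refusing to reuse $path : owned by '$owner', possibly pre-created by a non-privileged user."
        }
    } else {
        $null = New-Item -ItemType Directory -Path $path
    }

    $acl = Get-Acl -LiteralPath $path
    $acl.SetAccessRuleProtection($true, $false)                              # protected DACL, drop inherited ACEs
    foreach ($rule in @($acl.Access)) { $null = $acl.RemoveAccessRule($rule) } # drop any explicit leftovers

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    foreach ($entry in @(
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @('BUILTIN\Administrators', 'FullControl'),
        @('BUILTIN\Users',          'ReadAndExecute'))) {
        $rights = [System.Security.AccessControl.FileSystemRights]$entry[1]
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($entry[0], $rights, $inherit, $prop, $allow))
    }
    Set-Acl -LiteralPath $path -AclObject $acl
    Get-Acl -LiteralPath $path
}

# Usage (elevated prompt):
#   Get-WritableProgramDataFolders | Format-Table -AutoSize
#   New-ProtectedProgramDataFolder -Name 'ExampleVendor' | Format-List Owner, AccessToString
```

    The audit is a starting point, not a verdict: a folder flagged with UntrustedOwner is only exploitable if some privileged component later reads from, writes to or deletes under it, and on non-English Windows installs the principal names in $LowPrivIdentities and $TrustedOwners need translating (or replacing with SID comparisons). The creation routine matters most for installers and services: creating the folder first and then tightening the ACL leaves a window in which a standard user can race the creation, which is why the function also refuses to adopt a folder it did not create.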

  • U.S. DOE Provides $65M for ‘Connected Communities’ of Buildings Powered to Transform Electric System

    Submitted by: Daryl Haegley Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow Original Source: https://www.energy.gov/articles/us-department-energy-provides-65-million-connected-communities-buildings-powered-transform By U.S. Department of Energy (DOE) 10/13/20 WASHINGTON, D.C. – The U.S. Department of Energy (DOE) announced up to $65 million through its Connected Communities funding opportunity announcement (FOA) to expand DOE’s network of grid-interactive efficient building communities nationwide. “As our Nation’s energy system continues to undergo dramatic transformations, there is a growing need for solutions that integrate and optimize all of our energy resources on the grid to provide Americans with the most reliable and affordable electricity possible,” said Secretary of Energy Dan Brouillette. “With today’s announcement, DOE will broaden its capability to evaluate and demonstrate the growing flexibility of one such solution—smart, grid-interactive, efficient buildings—to best serve the needs of building occupants and the grid while reducing energy consumption overall.” America’s 125 million homes and commercial buildings currently use almost 40% of U.S. energy, 74% of its electricity, and account for the great majority of peak electricity demand. Connected communities can leverage the latest advancements in building science, like state-of-the-art sensors, controls, and analytics, to more flexibly manage and deploy grid-scale energy efficiency and distributed energy resources. “The integration of emerging technologies and systems is essential to the success of efforts to maximize the effectiveness of advanced building technologies,” said Assistant Secretary for Energy Efficiency and Renewable Energy Daniel R. Simmons. “Our Grid-Interactive Efficient Buildings Initiative helps the U.S. 
further modernize its power grid and thus improve reliability, integrate renewable power sources, improve environmental performance, and make electricity more affordable for America’s households and businesses.” Integration is at the heart of the Connected Communities FOA, and the Building Technologies Office (BTO) within DOE’s Office of Energy Efficiency and Renewable Energy (EERE) is collaborating with EERE’s Solar Energy Technologies Office and Vehicle Technologies Office, DOE’s Office of Electricity, and Lawrence Berkeley National Laboratory to bring together critical technologies and programs. The FOA, first described in a Notice of Intent and later shaped by responses to a Request for Information, could increase five-fold the number of EERE-supported testbeds like Reynolds Landing in Hoover, Alabama. As a recent report by Oak Ridge National Laboratory shows, Reynolds Landing uses 44% less energy than comparable all-electric communities and draws 34% less power during winter peak hours, lowering utility bills for families while giving them higher-performing houses. Teams of broad partners are necessary to undertake this innovative and ambitious endeavor. To learn more about this FOA and its teaming partner list and to submit a concept paper, visit EERE Exchange. DOE has also published an overview of what it plans to learn about and demonstrate in these connected communities.

  • Your iPhone is tracking everywhere you go: Here's how to find the setting

    Submitted by: Daryl Haegley Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow Original Source: https://www.usatoday.com/story/tech/columnist/2020/09/08/iphone-tracking-everywhere-you-go-how-find-setting/5695132002/ By Kim Komando 9/08/20 At this point, digital privacy is long gone. There’s always another device, feature or service tracking what we say, what we look at online and the places we go. Ever wonder how your iPhone is able to automatically pull up directions to work when you get in the car? Or when you leave for the day, do you wonder how your phone knows you’re heading home? It’s not only part of Location Services but a separate and more in-depth feature called “Significant Locations.” Prepare yourself for a shock when you look at yours. Want to know how to access it and, if you’d like, turn it off? Here are your steps: Open your iPhone’s Settings; tap Privacy; select Location Services; then tap System Services; scroll down until you see Significant Locations and tap on that. After entering your passcode or unlocking with Face ID, you’ll see a list of locations you’ve visited. Now, some of them may seem a bit off to you, but that’s because the location is not always precise. Tap on a place and it will open a page with more specifics, including a map. Even if it didn’t peg you exactly right, it will have you in the area. Individually, you can edit locations so they will no longer be stored on your phone. To do that, tap on any city it had you in. Then, on the next screen, tap the “Edit” button in the upper right-hand corner. That will bring up a red circle next to the location, which you can then tap to remove it. If you’d like to turn off Significant Locations altogether, scroll to the top of the page that lists the city locations and tap the green toggle at the top right. Stop tracking: If you use Google Maps, you may want to shut down that tracking, too.
