
Understanding DFARS Requirements for safeguarding data

UTINFOSEC FALL 2019


  1. Understanding DFARS Requirements for safeguarding data

    Maurice Ferguson, Deloitte and Touche LLP; Wendy Overton, Deloitte and Touche LLP. October 16th, 2019, UTINFOSEC FALL 2019.
  2. Agenda (Understanding DFARS: Requirements for safeguarding data. Copyright 2019 Deloitte & Touche LLP. All rights reserved.)

    - Current High Level Threats To Higher Education
    - Federal Government Response
    - How It Affects You
    - Our Approach
    - A Look Ahead
    - Q&A
  3. Current High Level Threats to Higher Education Research Data
  4. Recent News: Real World Threat Examples

    - Spies Using American Universities to Recruit Students
      Source: https://www.townandcountrymag.com/society/tradition/a12814064/spy-school-daniel-golden-fbi-cia-recruit-at-american-colleges/
    - FBI Director: U.S. Needs to Defend Themselves
      Source: http://www.businessinsider.com/china-threat-to-america-fbi-director-warns-2018-2?r=UK&IR=T
    - Hackers Gain Access to High Value University Data Within Two Hours
      Source: https://www.hstoday.us/subject-matter-areas/cybersecurity/hackers-gain-access-to-high-value-university-data-within-two-hours/
    - Chinese Hackers Target Universities in Pursuit of Maritime Military Secrets
      Source: https://www.wsj.com/articles/chinese-hackers-target-universities-in-pursuit-of-maritime-military-secrets-11551781800
    - Education or espionage? A Chinese student takes his homework home to China
      Source: https://www.nbcnews.com/news/china/education-or-espionage-chinese-student-takes-his-homework-home-china-n893881
    - Iranian-backed hackers stole data from major U.S. government contractor
      Source: https://www.nbcnews.com/politics/national-security/iranian-backed-hackers-stole-data-major-u-s-government-contractor-n980986
    - Hackers exploit casino's smart thermometer to steal database info
      Source: https://mashable.com/2018/04/15/casino-smart-thermometer-hacked/
    - Education software maker Pearson says data breach affected thousands of accounts in the US
      Source: https://techcrunch.com/2019/07/31/education-software-maker-pearson-says-data-breach-affected-thousands-of-accounts-in-the-u-s/

    Publication dates shown on the slide: March 5th, 2019; March 23rd, 2018; March 8, 2019; April 15, 2018; April 4th, 2019; February 13th, 2018; October 13th, 2017; July 31, 2019.
  5. The threat landscape: Cyber security in higher education

    - $60b in Federal research funded by the United States Government in 2017. Source: The American Association for the Advancement of Science (AAAS)
    - "The protection of controlled unclassified information while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations." Source: NIST Special Publication 800-171
    - 15.5m records compromised, resulting from 562 reported data breaches at 324 higher education institutions between 2005 and 2014. Source: Symantec 2016 Internet Security Threat Report
    - 80% of attackers who perpetrated data breaches against higher education institutions in 2019 were motivated by financial gain. Source: Verizon 2019 Data Breach Investigations Report
    - Universities that partner with private Silicon Valley companies, run policy institutes or research centers are probably more likely to be a target of cyber-espionage than secondary school districts. Source: Verizon 2019 Data Breach Investigations Report

    These and other factors have led the Federal government to increase cyber security regulations. Protecting this information is being treated as a matter of national security.
  6. Federal Government Response
  7. Legal basis for the Defense Federal Acquisition Regulation Supplement (DFARS): a matter of national security

    - Executive Order 13556: gathers the various information categories that require added protection from disclosure but are otherwise not classified, and establishes a single definition of protected information for all federal agencies.
    - National Archives and Records Administration (NARA): maintains the registry of information categories and handling requirements for Controlled Unclassified Information (CUI).
    - The National Institute of Standards and Technology (NIST) published Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.
    - DFARS Clause 252.204-7012: Department of Defense (DoD) contracts must comply with this clause.
  10. What is Controlled Unclassified Information?

    CUI is unclassified information that a law, regulation, or government-wide policy requires to be safeguarded or dissemination-controlled. In a research setting it is typically received from, or created on behalf of, the federal government, and can include but is not limited to:
    - Controlled technical information
    - Patent information
    - Export control data
    - Research data
    - Engineering data and drawings
    - Financial information (e.g. student loans)
    - Student records
    - Genetic data
    - Agricultural data
    - Privacy data
    - Health records

    What is being required?

    Information security requirements have been established for third parties contracting with the federal government, which seek to protect CUI in non-federal systems. NIST SP 800-171 has been designated by the US Government as the minimum security standard for protecting CUI data associated with federal contracts. US Government agencies are being required to consolidate and transform over 100 different policies and markings to comply with CUI Program requirements, involving an estimated $25 billion in higher education research contracts and grants alone.

    What does this mean for higher educational institutions?

    Traditional approaches to cybersecurity are no longer adequate. While many contractors already deal with a great many government regulations and reporting requirements, NIST SP 800-171 demands special attention. Organizations that do not comply risk losing federal funding for research and, potentially, financial aid.
  11. How It Affects You
  12. DFARS 252.204-7012 Requirements

    Covered defense information (CDI) is the term used for information that requires protection under DFARS. It is defined as unclassified controlled technical information (CTI) or other information, as described in the CUI Registry, that requires safeguarding or dissemination controls.

    - Adequate Security: provide adequate security on covered contractor information systems, meeting the expanded obligations to secure covered defense information.
    - NIST SP 800-171: the standard's 110 security requirements apply to the protection of CUI/CDI.
    - Least Privilege Access: the organization must limit users' access rights to the minimum permissions they need to perform their work.
    - Multi-Factor Authentication: all privileged account access, and network access by users to resources holding CUI or CDI, must use a multi-factor authentication solution.
    - Rapid Reporting Requirements: cyber incidents affecting CDI, or the contractor's ability to perform, must be reported to DoD within 72 hours of discovery (the clock runs from discovery, not from when the incident occurred); the clause also requires preserving images of the affected systems for at least 90 days so DoD can request them.
    - Subcontractors Requirement: the clause flows down from the prime contractor to subcontractors whose performance involves covered defense information.

    Source: https://www.gpo.gov/fdsys/pkg/CFR-2014-title48-vol3/pdf/CFR-2014-title48-vol3-sec252-204-7012.pdf
  13. What does this mean for universities?

    University researchers contract with the Federal Government to conduct billions of dollars in research each year. If the new information security requirements for CDI are not met, a significant portion of that funding is likely to be jeopardized.

    - Information Sharing: researchers will be required to limit information sharing and protect research data in ways that they may see as antithetical to traditional values of academic freedom. Shifting attitudes and behaviors to support information security will require special attention.
    - Federal Funding: federal funds for research will depend on universities providing not only technology (secure computing solutions) but also governance and audit improvements. Non-compliance can lead to revocation of current funds, potential legal action and possibly a university-wide ban on future awards.
    - CDI Protection Required: research funded by the Department of Defense and subject to DFARS 252.204-7012 is now required to be protected. If those projects are not compliant, their funding is currently at risk. Compliance for additional categories of information will be required in the near future.

    If a contractor is seen as being noncompliant with the guidelines set forth in the safeguarding clause, there is potential for contract loss and/or legal prosecution.
    Source: https://www.gpo.gov/fdsys/pkg/CFR-2014-title48-vol3/pdf/CFR-2014-title48-vol3-sec252-204-7012.pdf
  14. A roadmap to DFARS compliance

    A step by step approach to establishing a sustainable compliance plan.

    A path to compliance: form a working group with representatives from academics, administration, and research; the group should have top-down support and the sustained engagement of leadership. Once formed, the working group should consider the following steps:
    1. Analyze the impact and scope.
    2. Assess the current state of security.
    3. Develop a plan to achieve compliance and mitigate existing gaps.
    4. Establish responsibilities and efficient processes to achieve sustained compliance over the long haul.
    5. Employ third parties as needed to provide a thorough review of current practices across the entire academic enterprise.
  15. Overcoming top challenges

    Adhering to NIST SP 800-171 goes well beyond technological solutions.

    1. Executive and board-level attention: this is not yet on the radar of many institutional leaders or boards of trustees. Reframe it in terms of enterprise risk management, with the business impact to the institution clearly spelled out.
    2. Cultural barriers: colleges and universities have often enjoyed a culture of openness and sharing. Stress the need for enhanced security while maintaining a federated model for data sharing and access.
    3. Governance coordination: responsibility for ensuring contractual compliance lies with the research division. An enterprise-level solution is needed, as is a central authority to assess and certify data and access compliance.
  16. Aligning all members of the institution

    Leaders should align DFARS requirements to roles and responsibilities to create a true enterprise-level solution.

    Typical role/responsibilities:
    - Provost: serves as liaison between academics and administration; leads faculty recruitment efforts and ensures faculty development; ensures academic integrity throughout the institution; creates a culture where deans can collaborate.
    - Head of Research: works collaboratively with the deans to secure grants and contracts, and integrates efforts by university and college level advancement to communicate and raise private funds for research; facilitates and expands university-wide faculty and student based research.
    - Executive Vice President: oversees the day-to-day implementation of many administrative functions, often including business processes, budget management, audit and compliance, human resources, and IT systems.

    DFARS alignment: the Provost and the Head of Research should work together to align academics on DFARS requirements and their implications; the Head of Research and the Executive Vice President should then align the current capabilities of academics to the DFARS solution.
  17. Our holistic approach to DFARS/FAR compliance

    DFARS 252.204-7012 requires compliance with NIST SP 800-171 and its 110 security requirements. Achieving compliance with these controls requires more than a technical solution; the approach spans technical, governance and audit-readiness requirements:
    - A secure computer operating environment that is compliant and meets organizational needs
    - Security hardening practices built into core platforms and business applications
    - Security and IT operations policies and procedures which provide the minimum mandatory security standards
    - Data and personnel lifecycle management process maps, including on-boarding, off-boarding, and transfer processes
    - An organizational design capable of managing, overseeing, and maintaining CUI requirements
    - Unified, strategic stakeholder awareness and engagement campaigns that garner shared understanding and buy-in
    - A robust training and awareness program to educate appropriate organizational stakeholders regarding safeguarding CUI
    - A compliance package ready for audit, including a Security Traceability Matrix (STM), System Security Plan (SSP), and Plans of Action and Milestones (POA&Ms)
  18. FAR 52.204-21 requirements

    The intended purpose of the rule is to provide basic safeguarding of covered contractor information systems, i.e. nonfederal systems that process, store or transmit information shared by the federal government with a nonfederal entity.

    - Wider Scope: while DFARS applies to DoD data, the FAR covers a wide variety of items and can include agriculture, some PII, and other things that may not typically be considered "sensitive".
    - Review Contracts: federal CUI contracts and data should have a document that specifically identifies the data as CUI and states, at the institution level, that it must follow NIST SP 800-171.
    - Non-Compliance: research contracts, grants, and overall research funds can be negatively impacted by non-compliance with these standards.
    - Universal Applicability: the FAR rule and NIST SP 800-171 are mandated at the Federal level, which means the requirement follows the data, not the school. Programs may implement differently, but adherence is required wherever the data goes. (FAR 52.204-21 itself lists 15 basic safeguarding requirements; the full NIST SP 800-171 set applies where the contract or the relevant agency rule invokes it.)

    FAR CUI examples: Controlled Technical Information; Patent; Export control; Engineering data; Engineering drawings; Agriculture; Privacy; Health Information; Student Records; Genetic Information; Recorded audio meetings; Executable code; WebEx sessions; Blueprints; Meeting Minutes.
  19. Cybersecurity Maturity Model Certification (CMMC)

    The Cybersecurity Maturity Model Certification (CMMC) will encompass multiple maturity levels that range from "Basic Cybersecurity Hygiene" to "Advanced". The intent of the CMMC is to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity.

    All organizations conducting business with the DoD must be certified. The level of certification required will depend upon the amount of CUI a company handles or processes. The CMMC framework will be released in January 2020; by June 2020 industry should begin to see the CMMC requirements as part of Requests for Information.

    The CMMC is intended to serve as a verification mechanism to ensure that appropriate levels of cybersecurity practices and processes are in place, both to ensure basic cyber hygiene and to protect controlled unclassified information (CUI) that resides on partners' networks.
  20. Key Takeaways

    - Meeting the requirements outlined in the DFARS clause cannot be done by technology alone, or in a vacuum. It requires support from multiple stakeholders and a holistic approach to have lasting success.
    - Meeting the requirements outlined in DFARS clause 252.204-7012 and NIST SP 800-171 can have a net positive effect on an organization's cyber posture in terms of protecting sensitive data, and helps protect against known causes of cyber incidents.
    - All signs indicate that for future contracts under DFARS and CMMC, audit readiness for RFP awards dealing with CUI/CDI will be mandatory as a condition of award and will need to be maintained for the entire time that CUI/CDI is processed, stored, used, or created during the fulfillment of that contract.
    - Be able to show transparency and traceability in order to build trust.
  21. Presenter Bios

    Maurice Ferguson, Specialist Master, [email protected], Deloitte & Touche LLP. Maurice Ferguson is a Specialist Master with Deloitte Advisory. He has over 15 years of experience architecting, maintaining and securing information systems. He has technical experience in data center operations, cloud platforms, server & desktop virtualization and security. In security, his areas of experience include cyber risk strategy, cloud, data recovery, business continuity, policy & procedure, and compliance management. Maurice has served in both strategic and technical hands-on roles guiding federal, industry, and higher-education clients to address technical requirements and mature their cyber capabilities to meet DFARS 7012 and NIST SP 800-171.

    Wendy Overton, Manager, [email protected], Deloitte & Touche LLP. Wendy is a security professional with over 10 years of experience in delivering valuable results to clients across a number of industries. Wendy has focused her time at Deloitte advising on physical and cyber security program design, risk management, security strategy, governance, program optimization, and communications development, amongst other competencies. Wendy has guided Fortune 500 financial institutions, Fortune 50 technology companies, and U.S. Government organizations in the conceptualization and implementation of their security programs, and higher education institutions in the implementation of DFARS 7012 and NIST SP 800-171 based programs.
  22. Copyright © 2019 Deloitte & Touche LLP. All rights reserved.

    About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.