On February 16, 2016, the Department of Homeland Security and the Department of Justice issued preliminary guidance on the implementation of the Cybersecurity Act of 2015. Some three months later, on May 16, 2016, a final FAR regulation (48 C.F.R. Part 4.19) was issued. The new subpart establishes minimum safeguarding requirements for federal contractors’ information systems. It goes into effect this week, on June 16.
These changes in the law governing federal contracts provide insight into the U.S. Federal Government’s goal of regulating what is today a patchwork of public and private information sharing. Understanding the goals of the Cybersecurity Act and of the new FAR regulation on information systems is important in preparing for the future of the industry.
The Cybersecurity Act of 2015, signed into law on December 18, 2015, is a first step by the federal government toward partnering private industry and government to address the cyber-security threat. The Cybersecurity Act seeks to bring private industry and domestic nonfederal entities into a federal information sharing initiative focused on sharing cyber “threat indicators.”
By sharing threat indicators, the federal government hopes to encourage the voluntary exchange of cyber-security threat information between the private sector and the federal government in a system of real-time notification. The Department of Homeland Security has already implemented a method to accomplish this called the “Security Cyber Threat Indicator and Defensive Measures Submission System.”
One concern raised by the lofty goals of the Cybersecurity Act is the federal government’s own recent failures to protect information. The OPM breach, the FBI Portal breach and the IRS breach (to name a few) have demonstrated that the federal government is deficient in internal cyber-security controls.
DHS expects to receive and share a vast amount of data under the Cybersecurity Act. Security controls for the handling and retention of sensitive data, to prevent unauthorized disclosure or access, must be strengthened in both the public and private sectors. Otherwise, the Cybersecurity Act could create an Achilles’ heel.
To address the weaknesses in current cyber-security controls, the Act instructs governmental and private entities to review cyber-threat indicators and related information to identify whether such information contains personally identifiable information (PII) and to remove PII prior to sharing.
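As an added illustration of the PII review step the Act describes (this is my own example code, not the post’s and not Carbon Black’s), the Python below scrubs a constructed indicator record before it would be shared: it drops contact fields, redacts e-mail addresses and addresses in the sharing organization’s own RFC 1918, loopback and link-local ranges (those identify victim hosts, not the attacker), keeps the external indicators intact, and returns an audit list of what was removed so the review is documented. The field names, regexes, address ranges and the sample record are assumptions for illustration; a real exchange would carry a structured feed format, which this does not implement.

```python
import ipaddress
import re

# Constructed sample indicator record (not taken from any real feed or from the post).
SAMPLE_INDICATOR = {
    "id": "ind-0001",
    "type": "malware-sighting",
    "sha256": "a" * 64,                        # placeholder hash, not a real sample
    "observed_on": "2016-06-10",
    "contact": "analyst@example.com",          # reporter's e-mail: PII, must not be shared
    "description": "Seen on host 10.20.30.40 (user jane.doe@example.com), "
                   "beaconing to evil.example.net over 203.0.113.9",
    "sources": ["10.20.30.40", "198.51.100.7", "evil.example.net"],
}

# Fields that describe the reporting organisation rather than the threat itself (assumed names).
PII_FIELDS = {"contact", "reporter", "submitted_by"}

# The sharing organisation's own address space (RFC 1918, loopback, link-local);
# an address in these ranges identifies a victim host, not an attacker, so it is withheld.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_internal_ip(text):
    """True if `text` parses as an IP address inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def redact_text(text, audit):
    """Redact e-mail addresses and internal IPs in free text, logging each redaction."""
    def _email(m):
        audit.append(("email", m.group(0)))
        return "[EMAIL REDACTED]"

    def _ip(m):
        if is_internal_ip(m.group(0)):
            audit.append(("internal-ip", m.group(0)))
            return "[INTERNAL IP REDACTED]"
        return m.group(0)                       # external addresses are the indicator; keep them

    return IPV4_RE.sub(_ip, EMAIL_RE.sub(_email, text))


def scrub_indicator(record):
    """Return (scrubbed_copy, audit_log) for a single indicator record.

    PII fields are dropped, free-text values are redacted, and internal IPs are
    removed from list-valued fields. The original record is left unmodified.
    """
    audit = []
    scrubbed = {}
    for key, value in record.items():
        if key in PII_FIELDS:
            audit.append(("dropped-field", key))
        elif isinstance(value, str):
            scrubbed[key] = redact_text(value, audit)
        elif isinstance(value, list):
            kept = []
            for item in value:
                if isinstance(item, str) and is_internal_ip(item):
                    audit.append(("internal-ip", item))
                elif isinstance(item, str):
                    kept.append(redact_text(item, audit))
                else:
                    kept.append(item)
            scrubbed[key] = kept
        else:
            scrubbed[key] = value
    return scrubbed, audit


if __name__ == "__main__":
    out, log = scrub_indicator(SAMPLE_INDICATOR)
    print(out)
    for entry in log:
        print("redacted:", entry)
```

The audit list is the part a reviewer actually needs: it records what was withheld and why, which is what demonstrates that the pre-sharing PII review took place. Note the limits of regex scrubbing: a bare username such as `jane.doe` without a domain would pass through, so field-level rules (the `PII_FIELDS` drop) matter more than pattern matching on free text.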
Carbon Black is one step ahead of the federal government’s goal of developing a system to exchange threat information. Carbon Black recently announced its key initiative in the realm of sharing and empowering the cyber-security community with a “Collective Defense.” The Carbon Black Detection eXchange enables any customer or partner in the Carbon Black network to share Patterns of Attack (POA).
Importantly, the Detection eXchange raises the focus from sharing “threat indicators” to a higher level of threat intelligence – “Patterns of Attack” – which identify the behavior, techniques and tactics of the attacker. “Patterns” are far more difficult for an attacker to change than “indicators” and provide a deeper level of insight for cyber-security professionals. Perhaps the federal government should model its threat exchange goals after Carbon Black’s initiative. Where the government seeks to provide threat indicators – the forensics that merely indicate a crime – Carbon Black’s Patterns of Attack provide the entire crime “story.” This more robust information will allow all users in the Detection eXchange to immediately protect themselves from similar attack vectors.
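To make the indicator-versus-pattern distinction concrete, here is an added example of my own (not the Detection eXchange and not Carbon Black’s code) run over constructed endpoint telemetry: an indicator-based check matches only the one file hash that was shared, while a pattern-based check matches the behavior (an Office application starting a command interpreter that then opens an outbound connection from the same process) regardless of which binary was used. The event fields, process names, 60-second window, placeholder hashes and sample events are all assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One endpoint telemetry record (constructed schema, not a real sensor format)."""
    ts: int            # seconds since epoch
    host: str
    kind: str          # "process" (a process start) or "netconn" (an outbound connection)
    pid: int
    parent: str = ""   # process events only: image name of the parent process
    image: str = ""    # process events only: image name of the new process
    sha256: str = ""   # process events only: placeholder hash of the new process
    dest: str = ""     # netconn events only: destination address


# Constructed telemetry: the same behavior on ws-01 and ws-02 with different binaries,
# a benign interpreter launch on ws-03, and an incomplete chain on ws-04.
EVENTS = [
    Event(100, "ws-01", "process", 4100, parent="winword.exe", image="powershell.exe", sha256="11" * 32),
    Event(130, "ws-01", "netconn", 4100, dest="203.0.113.10"),
    Event(200, "ws-02", "process", 5200, parent="winword.exe", image="cmd.exe", sha256="22" * 32),
    Event(215, "ws-02", "netconn", 5200, dest="203.0.113.11"),
    Event(300, "ws-03", "process", 6300, parent="explorer.exe", image="powershell.exe", sha256="33" * 32),
    Event(305, "ws-03", "netconn", 6300, dest="203.0.113.12"),
    Event(400, "ws-04", "process", 7400, parent="winword.exe", image="cmd.exe", sha256="44" * 32),
    # ws-04 never opens a connection, so the pattern does not complete there
]

# A shared "threat indicator": the single file hash observed in the first sighting.
SHARED_HASHES = {"11" * 32}

# A shared "pattern of attack": an Office process launches a command interpreter,
# and that interpreter reaches out to the network shortly afterwards.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe"}
WINDOW_SECONDS = 60


def indicator_hits(events, hashes=SHARED_HASHES):
    """Indicator-based detection: fires only where the exact shared hash was seen."""
    return sorted({e.host for e in events if e.kind == "process" and e.sha256 in hashes})


def pattern_hits(events, window=WINDOW_SECONDS):
    """Pattern-based detection: correlates the two steps per (host, pid) in time order."""
    pending = {}   # (host, pid) -> timestamp of the suspicious process start
    hits = set()
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "process" and e.parent.lower() in OFFICE_APPS and e.image.lower() in INTERPRETERS:
            pending[(e.host, e.pid)] = e.ts
        elif e.kind == "netconn":
            started = pending.get((e.host, e.pid))
            if started is not None and e.ts - started <= window:
                hits.add(e.host)
    return sorted(hits)


if __name__ == "__main__":
    print("indicator hits:", indicator_hits(EVENTS))   # only the host with the shared hash
    print("pattern hits:  ", pattern_hits(EVENTS))     # every host where the behavior completed
```

The hash detector misses ws-02 because the attacker changed the binary; the pattern detector catches it because the sequence of actions is unchanged, which is the point the post makes about patterns being harder to change than indicators. The correlation window is a tuning knob: too short and slow-completing chains are missed, too long and unrelated connections are attributed to an earlier launch.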
On May 16, 2016, a final rule was published amending the Federal Acquisition Regulations (FAR) “to add a new subpart and contract clause for the basic safeguarding of contractor information systems that process, store or transmit federal contract information.”
FAR 4.19 (and its implementing contract clause 52.204-21) applies to all federal contractor information systems that “are owned or operated by a contractor that processes, stores, or transmits federal contract information.”
While the new regulation does not require compliance with NIST standards at the moment, it mirrors many of the security requirements listed in NIST SP 800-171 and lists 15 minimum mandatory security controls. Some of the more pertinent controls that Carbon Black specifically addresses are:
- Enforce robust access controls, with user auditing and access compartmentalized to authorized transactions only.
- Separate publicly accessible systems from internal networks.
- Monitor, control and protect organizational communications “at the external boundaries and key internal boundaries of the information system.” (This is a key component of Carbon Black’s focus on the endpoint.)
- Identify, report and correct information system flaws in a timely manner.
- Implement protections from malicious code at appropriate locations within organizational information systems. (This is a key component of Carbon Black’s focus on the endpoint.)
- Perform periodic scans of the information system and real-time scans of files from external sources. (Carbon Black takes this a step further with continuous, real-time monitoring of enterprise endpoints (laptops, desktops and servers) for signs of malicious activity.)
As my colleague Ben Johnson aptly noted in a recent blog post: “Sharing your collective, effective intelligence with others and consuming what they share is the end goal. With each attack, the security industry gets better through sharing. Another way of saying that is: ‘The more attackers attack, the stronger we, as defenders, become.’ As our organizations increasingly work together, we can start to build a cyber security all-star team where the ‘big’ guys greatly accelerate the knowledge of the ‘little’ guys. The little guys can contribute to the larger community by seeing and sharing edge cases that the big guys don’t have time to look at. This sharing system grows organically with agility.”
The government’s focus on safely sharing pertinent threat information is an important first step in establishing a stronger security posture for organizations. Carbon Black’s enhanced approach to complying with (and exceeding) the standards set by the FAR and the Cybersecurity Act of 2015 should be mirrored by any organization that takes security seriously and wishes to comply with the new government requirements.