1
September 10, 2020
Webinar:
Critical Steps for NIST Compliance
2
Withum | BE IN A POSITION OF STRENGTH
Housekeeping
• Webinar is being recorded
• 50 minute session
• 10 minute Q&A session at the end
• Send in your questions!
• Type your questions in the Questions
Pane of the GotoWebinar Panel
• Slides and recording will be emailed
after the webinar
3
About Daniel
Daniel Cohen-Dumani
@dcohendumani
dcohendumani@withum.com
Partner, Market Leader
15+ years of Digital Transformation
Expertise with Microsoft 365, Security, Compliance
Interests: Productivity in the Modern Workplace. Work 2.0
Started working with SharePoint when nobody could spell it
4
About Chris
Chris Ertz
@CCErtz
certz@withum.com
Practice Leader
Our managed services team moves all types of workloads to the Microsoft cloud, including applications and infrastructure. We then optimize cloud subscriptions to drive the most value.
Expertise:
Innovative Digital Solutions
Technology Platforms
Security and Compliance
Managed Cloud Services
Fun Fact: I participated on stage for a Microsoft Windows and Office launch event from Windows 95 to Windows 8
5
About Anurag
Anurag Sharma
asharma@withum.com
Principal
15+ years of IT Security and Compliance audit experience
Helps make the compliance journey for organizations as “painless” as possible
Expertise:
NIST 800-53, NIST 800-171, NIST CSF, ISO 27001, SOC 1, SOC 2, SOC for Cyber
Regular speaker on Cybersecurity and SOC related topics at NJCPA, PICPA, CTCPA, FICPA, and the AICPA
6
What to Expect From Today’s Webinar
• Understand NIST 800.171 and CMMC concepts
• Your path to compliance
• How the Microsoft 365 cloud suite of products enhances your maturity level
7
Security Challenges in 2020
• Cloud risks continue
• Ransomware threats escalate
• Physical security becomes an issue
• Optimization and rationalization will be essential to keeping up
• Getting the business on board to battle cybersecurity challenges
• Watch for AI to help -- and hurt -- cybersecurity efforts
• Zero trust moves into the mainstream
8
The cybersecurity landscape is rapidly changing
• Cyberspace is the new battlefield
• Security skills are in short supply
• Virtually anything can be attacked
11
Data is exploding
It’s created, stored, and shared everywhere: Public cloud | Remote | Structured | Platforms | Emails | Documents | Classified | Records | Vendors | SMS | Unstructured | SaaS | Public
12
NIST and CMMC
13
What is NIST 800.171 (and 171B)
• The National Institute of Standards and Technology (NIST) created Special Publication 800-171 to help protect Controlled Unclassified Information
• NIST 800-171 refers to National Institute of Standards and Technology Special Publication 800-171, which governs Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations. It is essentially a set of standards that define how to safeguard and distribute material deemed sensitive but not classified
• Defense contractors must implement the recommended requirements contained in NIST SP 800-171 to demonstrate their provision of adequate security to protect the covered defense information included in their defense contracts, as required by DFARS clause 252.204-7012
• If a manufacturer is part of a DoD, General Services Administration (GSA), NASA or other federal or state agencies’ supply chain, the implementation of the security requirements included in NIST SP 800-171 is a must
• Draft NIST SP 800-171B was developed in the spring of 2019 as a supplement to NIST SP 800-171. This new document offers additional recommendations for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations where that information runs a higher than usual risk of exposure.
14
What Does NIST 800.171 Cover
• Access Control: Who is authorized to view this data?
• Awareness and Training: Are people properly instructed in how to treat this info?
• Audit and Accountability: Are records kept of authorized and unauthorized access? Can violators be identified?
• Configuration Management: How are your networks and safety protocols built and documented?
• Identification and Authentication: What users are approved to access CUI, and how are they verified prior to granting them access?
• Incident Response: What’s the process if a breach or security threat occurs, including proper notification?
• Maintenance: What timeline exists for routine maintenance, and who is responsible?
• Media Protection: How are electronic and hard copy records and backups safely stored? Who has access?
• Physical Protection: Who has access to systems, equipment and storage environments?
• Personnel Security: How are employees screened prior to granting them access to CUI?
• Risk Assessment: Are defenses tested in simulations? Are operations or individuals verified regularly?
• Security Assessment: Are processes and procedures still effective? Are improvements needed?
• System and Communications Protection: Is information regularly monitored and controlled at key internal and external transmission points?
• System and Information Integrity: How quickly are possible threats detected, identified and corrected?
15
What is CMMC
• CMMC establishes five certification levels that reflect the maturity and reliability of a company's cybersecurity infrastructure to safeguard sensitive government information on contractors' information systems.
• The five levels are tiered and build upon each other's technical requirements. Each level requires compliance with the lower-level requirements and institutionalization of additional processes to implement specific cybersecurity-based practices.
16
CMMC Level 1
• CMMC Level 1 is the base level of certification
• It consists of practices that correspond to the basic safeguarding requirements in Federal Acquisition Regulation (FAR) clause 52.204-21.
• It includes 55 basic and more extensive cyber security practices such as:
  • Implementing Identity and Authentication
  • Implementing basic Access Controls
• Level 2 is all about protecting Federal Contract Information (FCI) and is most likely to be required for anyone who obtains a DoD contract but does not produce solely Commercial Off-the-Shelf (COTS) products
17
CMMC Level 2
• CMMC Level 2 is the base level of certification for organizations that have access to Controlled Unclassified Information (“CUI”)
• It consists of written policies for each of the 72 domains covered by CMMC, as well as documented practices for the implementation of the policies for each domain
• It includes 72 basic cyber security practices and 2 processes
• Level 2 is all about protecting CUI and documenting the processes implemented in Levels 1 and 2, which represent a subset of NIST 800.171
18
CMMC Level 3
• CMMC Level 3 raises the level of compliance to increase the overall security of your organization
• It consists of implementing all the requirements of NIST 800.171 as well as additional standards and practices, for a total of 130 practice areas
• Level 3 is the base level that will be required for any government contractor bidding on DOD related contracts
19
CMMC Level 4
• CMMC Level 4 raises the level of compliance and shifts the focus to enhancing the organization's effectiveness in protecting CUI from Advanced Persistent Threats (APTs)
• It consists of implementing all the requirements of NIST 800.171 as well as an additional 11 practices from the draft NIST 800.171B and 4 processes
• Includes an additional 15 practices to demonstrate a proactive cybersecurity program
20
CMMC Level 5
• CMMC Level 5 further raises the level of compliance and shifts the focus to enhancing the organization's effectiveness in protecting CUI from Advanced Persistent Threats (APTs)
• CMMC Level 5 will require that organizations standardize and optimize process implementation across the organization. Each practice is documented, including lower levels; a policy exists that covers all activities
  • A plan exists that includes all activities
  • Activities are reviewed and measured for effectiveness
  • There is a standardized, documented approach across all applicable organizational units
• This level is again focused on the protection of CUI from APTs and as such implements many more advanced security practices for the organization
21
CMMC in Summary
22
How to start your journey to compliance?
23
Identity & access management: Secure identities to reach zero trust
Security management: Strengthen your security posture with insights and guidance
Threat protection: Help stop damaging attacks with integrated and automated security
Information protection: Locate and classify information anywhere it lives
Infrastructure security
24
Securing Privileged Access
Office 365 Security
Rapid Cyberattacks (Wannacrypt/Petya)
https://aka.ms/MCRA Video Recording Strategies
Office 365
Dynamics 365
+Monitor
Azure Sentinel – Cloud Native SIEM and SOAR (Preview)
SQL Encryption & Data Masking
Data Loss Protection
Data Governance
eDiscovery
25
Examples of shared responsibilities: NIST 800-171
Access to production environment
  Provider responsibility: Set up access controls that strictly limit standing access to customer’s data or production environment
  Organization responsibility: Set up access control policy and SOP, leveraging Customer Lockbox / identity management solutions
Protect data
  Provider responsibility: Encrypt data at rest and in transit based on industry standards (BitLocker, TLS, etc.)
  Organization responsibility: Encrypt data based on the org’s compliance obligations, e.g. encrypt PII in transit between users, using its own encryption key, etc.
Personnel control
  Provider responsibility: Strict screening for employees, vendors, and contractors, and conduct trainings through the onboarding process
  Organization responsibility: Allocate and staff sufficient resources to operate an organization-wide privacy program, including awareness-raising and training
26
Shared responsibility model
Customer management of risk: Data classification and data accountability
Shared management of risk: Identity & access management | End point devices
Provider management of risk: Physical | Networking
Responsibility | On-Prem | IaaS | PaaS | SaaS
• Data classification and accountability
• Client & end-point protection
• Identity & access management
• Application level controls
• Network controls
• Host infrastructure
• Physical security
29
Security solutions
Legend: Security solutions Microsoft 365 E5 covers | Security solutions other Microsoft solutions cover | What Microsoft Services/MSSPs/ISVs cover | What Microsoft integrates with | What Microsoft doesn’t do
Microsoft 365 E5 can replace up to 26 other security vendors and drive your compliance effort
Single Sign-on (SSO) | Reporting | Pen Testing / Risk Assessment
30
Identity & access management
31
Secure authentication
Getting to a world without passwords: Microsoft Authenticator | FIDO2 Security Keys | Windows Hello for Business
32
Azure AD Conditional Access
Conditional access: User and location | Device | Application | Real time risk
33
Threat protection
34
Office 365 Advanced Threat Protection
Actionable insights | Automated response | Industry-leading protection | Training & awareness
35
Information protection
36
Microsoft Information Protection
Discover & classify sensitive information | Apply protection based on policy | Monitor & remediate
Across: Apps | On-premises | Cloud services | Devices
Accelerate Compliance
37
Follow the data—throughout its lifecycle
Detect & classify sensitive information
• Have you defined what “sensitive data” means for your company?
• Do you have a way to detect sensitive data across your company?
• Which regulations and compliance factors impact you?
Apply protection based on policy
• Do you have a way to ensure that labels persist with the data—wherever it travels?
• Are you able to empower end-users to classify and label content themselves, or apply labels automatically based on company policies?
Monitor & remediate
• Do you have visibility into how sensitive data is being accessed and shared, even across 3rd-party SaaS apps and cloud services?
• Are you able to remediate actions immediately, such as quarantine data or block access?
• Are you able to integrate event information into your SIEM system or other tools?
40
Strengthen your security posture with insights and guidance
• Understand your current security position across your organization (Assessment, Workshops)
• Establish the products required to meet the compliance and security level
• Use the built-in recommendations to find the right balance of security. Enable continuous monitoring
• Create policies, configure policies and enable controls to better define your security position
41
Compliance Manager
Manage your compliance from one place
Ongoing risk assessment: An intelligent score reflects your compliance posture against regulations or standards
Actionable insights: Recommended actions to improve your data protection capabilities
Simplified compliance: Streamlined workflow across teams and richly detailed reports for audit preparation
Compliance Manager is a dashboard that provides the Compliance Score and a summary of your data protection and compliance posture, as well as recommendations to improve data protection and compliance. These are recommendations; it is up to you to evaluate and validate the effectiveness of customer controls as per your regulatory environment. Recommendations from Compliance Manager and Compliance Score should not be interpreted as a guarantee of compliance.
42
Key takeaways
• Adopting a modern, secure and compliant cloud solution like Microsoft 365 E5 or Microsoft 365 Business Premium will get you started on your path to compliance and lets you leverage a shared responsibility model
• CMMC is still evolving, with deadlines changing; all DOD contractors will need to meet Level 3 to continue bidding on RFIs/RFPs
• NIST 800.171 is good cyber practice that applies to any organization
43
We are offering a complimentary Security and Compliance workshop for qualifying organizations.