Webinar: Critical Steps For NIST Compliance
Withum | BE IN A POSITION OF STRENGTH
Housekeeping
• Webinar is being recorded
• 50 minute session
• 10 minute Q&A session at the end
• Send in your questions! Type your questions in the Questions Pane of the GoToWebinar Panel
• Slides and recording will be emailed after the webinar
About Chris
Chris Ertz, Practice Leader
@CCErtz
certz@withum.com
Our managed services team moves all types of workloads to the Microsoft cloud, including applications and infrastructure. We then optimize cloud subscriptions to drive the most value.
Expertise: Innovative Digital Solutions; Technology Platforms; Security and Compliance; Managed Cloud Services
Fun Fact: I participated on stage for a Microsoft Windows and Office launch event from Windows 95 to Windows 8
About Anurag
Anurag Sharma, Principal
asharma@withum.com
15+ years of IT Security and Compliance audit experience
Helps make the compliance journey for organizations as “pain less” as possible
Expertise: NIST 800-53, NIST 800-171, NIST CSF, ISO 27001, SOC 1, SOC 2, SOC for Cyber
Regular speaker on Cybersecurity and SOC related topics at NJCPA, PICPA, CTCPA, FICPA, and the AICPA
What to Expect From Today’s Webinar
• Understand NIST 800-171 and CMMC concepts
• Your path to compliance
• How the Microsoft 365 cloud suite of products enhances your maturity level
Security Challenges in 2020
• Cloud risks continue
• Ransomware threats escalate
• Physical security becomes an issue
• Optimization and rationalization will be essential to keeping up
• Getting the business on board to battle cybersecurity challenges
• Watch for AI to help -- and hurt -- cybersecurity efforts
• Zero trust moves into the mainstream
The cybersecurity landscape is rapidly changing
• Cyberspace is the new battlefield
• Security skills are in short supply
• Virtually anything can be attacked
Data is exploding
It’s created, stored, and shared everywhere (labels recovered from the slide graphic: public cloud, remote, SaaS, platforms, vendors, emails, documents, SMS, records, structured and unstructured, public and classified)
What is NIST 800-171 (and 171B)
• The National Institute of Standards and Technology (NIST) created Special Publication 800-171 to help protect Controlled Unclassified Information
• NIST 800-171 refers to National Institute of Standards and Technology Special Publication 800-171, which governs Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations. It is essentially a set of standards that define how to safeguard and distribute material deemed sensitive but not classified
• Defense contractors must implement the recommended requirements contained in NIST SP 800-171 to demonstrate that they provide adequate security to protect the covered defense information included in their defense contracts, as required by DFARS clause 252.204-7012
• If a manufacturer is part of a DoD, General Services Administration (GSA), NASA or other federal or state agency’s supply chain, implementation of the security requirements included in NIST SP 800-171 is a must
• Draft NIST SP 800-171B was developed in the spring of 2019 as a supplement to NIST SP 800-171. This new document offers additional recommendations for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations where that information runs a higher than usual risk of exposure
What Does NIST 800-171 Cover
• Access Control: Who is authorized to view this data?
• Awareness and Training: Are people properly instructed in how to treat this information?
• Audit and Accountability: Are records kept of authorized and unauthorized access? Can violators be identified?
• Configuration Management: How are your networks and safety protocols built and documented?
• Identification and Authentication: Which users are approved to access CUI, and how are they verified prior to being granted access?
• Incident Response: What is the process if a breach or security threat occurs, including proper notification?
• Maintenance: What timeline exists for routine maintenance, and who is responsible?
• Media Protection: How are electronic and hard copy records and backups safely stored? Who has access?
• Physical Protection: Who has access to systems, equipment and storage environments?
• Personnel Security: How are employees screened prior to being granted access to CUI?
• Risk Assessment: Are defenses tested in simulations? Are operations or individuals verified regularly?
• Security Assessment: Are processes and procedures still effective? Are improvements needed?
• System and Communications Protection: Is information regularly monitored and controlled at key internal and external transmission points?
• System and Information Integrity: How quickly are possible threats detected, identified and corrected?
What is CMMC
• CMMC establishes five certification levels that reflect the maturity and reliability of a company's cybersecurity infrastructure to safeguard sensitive government information on contractors' information systems.
• The five levels are tiered and build upon each other's technical requirements. Each level requires compliance with the lower-level requirements and institutionalization of additional processes to implement specific cybersecurity-based practices.
CMMC Level 1
• CMMC Level 1 is the base level of certification
• It consists of practices that correspond to the basic safeguarding requirements in Federal Acquisition Regulation (FAR) clause 52.204-21
• It includes 55 basic and more extensive cyber security practices, such as:
  • Implementing Identification and Authentication
  • Implementing basic Access Controls
• Level 1 is all about protecting Federal Contract Information (FCI) and is most likely to be required for anyone who obtains a DoD contract but does not produce solely Commercial Off-the-Shelf (COTS) products
CMMC Level 2
• CMMC Level 2 is the base level of certification for organizations that have access to Controlled Unclassified Information (CUI)
• It consists of written policies for each of the 72 domains covered by CMMC, as well as documented practices for the implementation of the policies for each domain
• It includes 72 basic cyber security practices and 2 processes
• Level 2 is all about protecting CUI and documenting the processes implemented in Levels 1 and 2, which represent a subset of NIST 800-171
CMMC Level 3
• CMMC Level 3 increases the level of compliance to increase the overall security of your organization
• It consists of implementing all the requirements of NIST 800-171 as well as additional standards and practices, with a total of 130 practice areas
• Level 3 is the base level that will be required for any government contractor bidding on DoD related contracts
CMMC Level 4
• CMMC Level 4 increases the level of compliance and shifts the focus to enhancing the organization’s effectiveness in protecting CUI from Advanced Persistent Threats (APTs)
• It consists of implementing all the requirements of NIST 800-171 as well as an additional 11 practices from the draft NIST 800-171B and 4 processes
• Includes an additional 15 practices to demonstrate a proactive cybersecurity program
CMMC Level 5
• CMMC Level 5 increases the level of compliance and shifts the focus to enhancing the organization’s effectiveness in protecting CUI from Advanced Persistent Threats (APTs)
• CMMC Level 5 will require that organizations standardize and optimize process implementation across the organization. Each practice is documented, including those of lower levels:
  • A policy exists that covers all activities
  • A plan exists that includes all activities
  • Activities are reviewed and measured for effectiveness
  • There is a standardized, documented approach across all applicable organizational units
• This level is again focused on the protection of CUI from APTs and as such implements many more advanced security practices for the organization
Diagram (labels recovered from the slide):
• Identity & access management: Secure identities to reach zero trust
• Security management: Strengthen your security posture with insights and guidance
• Threat protection: Help stop damaging attacks with integrated and automated security
• Information protection: Locate and classify information anywhere it lives
• Infrastructure security
Diagram: Microsoft Cybersecurity Reference Architecture, https://aka.ms/MCRA (video recording and strategies). Labels recovered from the slide: Securing Privileged Access; Office 365 Security; Rapid Cyberattacks (Wannacrypt/Petya); Office 365; Dynamics 365; +Monitor; Azure Sentinel – Cloud Native SIEM and SOAR (Preview); SQL Encryption & Data Masking; Data Loss Protection; Data Governance; eDiscovery
Examples of shared responsibilities: NIST 800-171
Access to production environment
• Provider responsibility: Set up access controls that strictly limit standing access to the customer’s data or production environment
• Organization responsibility: Set up an access control policy and SOP, leveraging Customer Lockbox / identity management solutions
Protect data
• Provider responsibility: Encrypt data at rest and in transit based on industry standards (BitLocker, TLS, etc.)
• Organization responsibility: Encrypt data based on the organization’s compliance obligations, e.g. encrypt PII in transit between users, use its own encryption key, etc.
Personnel control
• Provider responsibility: Strict screening for employees, vendors, and contractors, and conduct training through the onboarding process
• Organization responsibility: Allocate and staff sufficient resources to operate an organization-wide privacy program, including awareness-raising and training
Shared responsibility model
• Customer management of risk: Data classification and data accountability
• Shared management of risk: Identity & access management | End point devices
• Provider management of risk: Physical | Networking
Responsibility matrix by deployment model (On-Prem, IaaS, PaaS, SaaS), with one row per area: Data classification and accountability; Client & end-point protection; Identity & access management; Application level controls; Network controls; Host infrastructure; Physical security
Diagram: Microsoft 365 E5 can replace up to 26 other security vendors and drive your compliance effort. Legend: security solutions Microsoft 365 E5 covers; security solutions other Microsoft solutions cover; what Microsoft Services/MSSPs/ISVs cover; what Microsoft integrates with; what Microsoft doesn’t do. Labels recovered from the slide: Single Sign-on (SSO); Reporting; Pen Testing / Risk Assessment
Office 365 Advanced Threat Protection
• Actionable insights
• Automated response
• Industry-leading protection
• Training & awareness
Follow the data—throughout its lifecycle
Detect & classify sensitive information
• Have you defined what “sensitive data” means for your company?
• Do you have a way to detect sensitive data across your company?
• Which regulations and compliance factors impact you?
Apply protection based on policy
• Do you have a way to ensure that labels persist with the data—wherever it travels?
• Are you able to empower end-users to classify and label content themselves, or apply labels automatically based on company policies?
Monitor & remediate
• Do you have visibility into how sensitive data is being accessed and shared, even across 3rd-party SaaS apps and cloud services?
• Are you able to remediate immediately, such as quarantining data or blocking access?
• Are you able to integrate event information into your SIEM system or other tools?
Strengthen your security posture with insights and guidance
• Understand your current security position across your organization (Assessment, Workshops)
• Establish the products required to meet your compliance and security level
• Use the built-in recommendations to find the right balance of security. Enable continuous monitoring
• Create policies, configure policies and enable controls to better define your security position
Compliance Manager
Manage your compliance from one place
• Ongoing risk assessment: An intelligent score reflects your compliance posture against regulations or standards
• Actionable insights: Recommended actions to improve your data protection capabilities
• Simplified compliance: Streamlined workflow across teams and richly detailed reports for audit preparation
Compliance Manager is a dashboard that provides the Compliance Score and a summary of your data protection and compliance posture, as well as recommendations to improve data protection and compliance. This is a recommendation; it is up to you to evaluate and validate the effectiveness of customer controls for your regulatory environment. Recommendations from Compliance Manager and Compliance Score should not be interpreted as a guarantee of compliance.
Key takeaways
• Adopting a modern, secure and compliant cloud solution like Microsoft 365 E5 or Microsoft 365 Business Premium will get you started on your path to compliance and lets you leverage a shared responsibility model
• CMMC is still evolving, with deadlines changing; all DoD contractors will need to meet Level 3 to continue bidding on RFIs/RFPs
• NIST 800-171 is good cyber practice that applies to any organization
We are offering a complimentary Security and Compliance workshop for qualifying organizations.