Compliance Report

RESEARCH FROM THE TEAM AT SERA-BRYNN

Q1 2018

Sera-Brynn, a global cybersecurity audit and advisory firm, provides guidance on compliance mandates and solutions for organizations of all types and sizes. The Compliance Report is intended as a resource guide for C-Suite Executives, IT leaders, CIOs, CISOs, and Compliance Officers.

Quick Links

  • New DFARS COMPLIANCE 252.204-7012
  • DFARS vs FAR, what’s the difference?
  • Does 23 NYCRR 500 apply to me?
  • GDPR and the penalties for non-compliance
  • Q&A on FISMA | GLBA | SOX

    SECOND EDITION

    It’s time to rethink Supply Chain Management to include cyber risk

    Why business, thought, and government leaders have their eye on supply chain cybersecurity

    Rob Hegedus, CEO at Sera-Brynn

    Suffolk, Va. – Feb. 15, 2018

    True supply chain resiliency will rest on cybersecurity. According to research published by the SANS Institute, up to 80% of breaches are a result of supply chain issues. Recent and emerging laws imposing cyber requirements on industry, especially those that handle or create sensitive, non-classified U.S. government data, are directly addressing cybersecurity in the supply chain. In some cases, investing in supply chain cybersecurity is forward-thinking and competitive. In other cases, there is an applicable law that just straight-up imposes cybersecurity and reporting requirements on an organization’s suppliers, subcontractors, and third-party vendors.

    In this report, Sera-Brynn will discuss how and why companies and organizations are expanding cyber risk management to secure their supply chains.

    But First, A Very Brief History

    The use of supply chains to efficiently produce goods evolved over hundreds of years — from moving goods along the Silk Road, to Viking shipbuilding, to the Industrial Revolution. The American System of Manufacturing, credited with advancing the use of pre-manufactured parts, assembly lines, and mass production, started in the 1800s and peaked in the 1960s. The International Organization for Standardization (ISO) began operations in 1947 to help standardize industrial practices and continues to this day. After the internet was created and web browsers made it accessible (Mosaic was created in 1993; Google in 1998), cyber risk became a prominent threat to supply chain production.

    Supply Chain Management Today

    Today, managing supply chain performance at high-functioning companies typically includes state-of-the-art technologies to enhance visibility into the chain, as well as the periodic use of outside experts or consultants to look for ways to boost performance. However, many companies manage their supply chains manually – with tools like spreadsheets and DIY databases. The trend now is to include cyber risk in any multi-dimensional approach to managing a supply chain, which is now conceptualized as an “ecosystem” rather than a linear “chain.”

    Why the trend?

    One reason is that cyber-attacks involving “back door” penetration through the supply chain are prevalent and newsworthy. For example, it was widely reported that the 2013 data breach suffered by the retailer Target, where up to 40 million credit and debit cards were stolen, was caused by hackers accessing Target’s network using credentials taken from a third-party vendor, a refrigeration and HVAC company. Media outlets are replete with stories of professional vendor breaches – at law, accounting, consulting, financial, and Wall Street firms. In 2017, it was widely reported that hackers stole money from third-party Amazon seller accounts.

    Typical spear phishing attacks are successful because they take advantage of trusting business relationships, like those in the supply chain. The 2017 Cybersecurity Ventures Crime Report states that 91% of attacks by sophisticated cybercriminals start with spear phishing emails. When a cybercriminal spoofs a vendor’s email, creates a fake vendor webpage, and manages to collect a payment, this is a supply chain vulnerability. The crime demonstrates how interconnectivity is intrinsically exploitable. And this makes supply chain management very challenging.

    Legal Requirements Drive Cybersecurity in the Supply Chain

    Many U.S. and international laws now demand that businesses address cybersecurity throughout their supply chain. Some legal requirements that impact supply chain management include:

    FAR and DFARS – Right now, under the Defense Federal Acquisition Regulation Supplement 252.204-7012, Defense contractors and their subcontractors must comply with cybersecurity and reporting requirements. There is an express supply chain flow-down clause embedded in the regulation. Most recently, the U.S. government announced its intent to start rulemaking in April 2018 to impose cybersecurity program requirements uniformly across agencies. Sera-Brynn is preparing for the expansion of the Controlled Unclassified Information (CUI) requirements we now see in Defense acquisitions to nearly all the executive agencies. We expect that third-party vendors will be addressed in this new regulation — which will undoubtedly have a major impact on U.S. government contracting.

    FedRAMP – There are detailed vendor management and acquisition requirements for Cloud Service Providers (CSPs) who are or would like to be part of the Federal marketplace.

    Financial Services – Requirements for managing third-party service providers are built into the New York State Department of Financial Services cybersecurity rule, and the Financial Industry Regulatory Authority includes provisions in its cybersecurity checklist for third parties handling sensitive information.

    GDPR – The European Union’s General Data Protection Regulation (GDPR) has global reach and imposes penalties on companies that fail to secure their supply chain. It goes into effect in May 2018.

    Other regulatory authorities, like the U.S. General Services Administration (GSA) and the U.S. Department of Homeland Security (DHS), are also in the process of writing rules that may impose requirements on supply chain management. Sera-Brynn, and other industry analysts, agree that the need to adhere to legal requirements is a major factor in the upward trend to manage cyber risk in the supply chain.

    Cybersecurity in the Supply Chain is a National Security Priority

    Lastly, supply chain resiliency is not only a business objective, it is a national security priority. On December 18, 2017, the White House released the National Security Strategy (NSS). Published every four years, the document identifies the vital national interests of the country and sets the tone for the executive branch’s national security policy. The policy specifically calls for improved cybersecurity within the Federal Government networks, critical infrastructure, American businesses, the Defense Industrial Base, and the U.S. National Security Innovation Base.

    Supply chain cybersecurity is named as a vital national interest, as cyberattacks “cripple American businesses, weaken our Federal networks, and attack the tools and devices that Americans use every day to communicate and conduct business.” (NSS, at page 12). The NSS calls for improved response to cyberattacks on the country’s Defense Industrial Base as a “priority action,” stating:

      A healthy defense industrial base is a critical element of U.S. power and the National Security Innovation Base. The ability of the military to surge in response to an emergency depends on our Nation’s ability to produce needed parts and systems, healthy and secure supply chains, and a skilled U.S. workforce. (NSS, page 29)

    The NSS also calls for greater cybersecurity in the U.S. National Security Innovation Base, the network of American companies, research institutions, universities, and laboratories that innovate. Specifically, the NSS calls for protecting the Innovation Base’s data and intellectual property from theft and other malicious activities, stating:

      The United States will expand our focus beyond protecting networks to protecting the data on those networks so that it remains secure—both at rest and in transit. To do this, the U.S. Government will encourage practices across companies and universities to defeat espionage and theft. (NSS, page 22)

    Thus, from the U.S. government’s perspective, the innovation in thought and materials that flows from the private sector and academia is part of an interconnected web of suppliers – all of which face real risks in cyberspace. As a result, the analysts at Sera-Brynn fully anticipate that NIST-based standards will be imposed on more and more suppliers, in one fashion or another.

    Sera-Brynn predicts that supply chain management in every sector will include cyber risk as a core component. Ultimately, the best supply chain strategy will fail if it doesn’t include cyber risk management.

    Rob Hegedus is CEO at Sera-Brynn, a global Cybersecurity Audit and Advisory firm.

    Contributors: Colleen H. Johnsons, Senior Cyber Legal Analyst; Heather Engel, Chief Strategy Officer.

    Sera-Brynn is a FedRAMP Third Party Assessment Organization (3PAO) specializing in cyber risk management. Offering compliance and risk assessment, risk control, and incident response services, Sera-Brynn empowers clients to manage cyber risk and meet applicable and mandatory cybersecurity regulatory standards. Founded in 2011 by former members of the U.S. intelligence community, Sera-Brynn is ranked #9 worldwide on the Cybersecurity 500 list.


    Q4 2017


    FIRST EDITION

    The Quarterly Outlook: Compliance Is Still Your Best Firewall

    Regulatory developments in 2017, industry insight, and updates.

    Rob Hegedus, CEO at Sera-Brynn

    Suffolk, Va. – Nov. 6, 2017

    At Sera-Brynn, we have a motto: Compliance is your strongest firewall. To date, 2017 has been a dynamic year for new cybersecurity regulations and compliance frameworks worldwide. At the forefront of this report is one of the most pressing compliance deadlines – the end-of-the-year deadline for Defense contractors to comply with the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 by December 31, 2017. With the finish line in sight, many Defense contractors are working long hours to finish making the needed changes and turning towards assessing their supply chains. Some are compliant. Many are not.

    In this report, we look at DFARS, NIST, and the push for cloud service providers to pursue or consider accreditation under FedRAMP. We also shed light on how the deadlines imposed by the New York Department of Financial Services are forcing security change in the financial services industry.

    Finally, we sum up some of the interesting compliance events of the last quarter and look ahead as the end of the year races towards us. We hope this helps you keep pace.


    Brendan Lynch, Chief Privacy Officer at Microsoft on GDPR Compliance



    The DFARS Domino Effect

    As of October 1, 2017, there are 13 weeks left until U.S. Department of Defense (DoD) contractors and subcontractors must be fully compliant with Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012. The regulation imposes security and incident reporting requirements and requires the implementation of NIST 800-171. The deadline for compliance is December 31, 2017.

    One question we commonly hear is: will there be an extension to the deadline? The regulation was announced in 2013, and there are no rumors of extensions. The stated reason for the necessity of the regulation is “national security.” So, an extension is highly unlikely.

    One of the most significant clauses of DFARS is the mandatory flow-down provision to subcontractors. Unlike other cybersecurity regulations (like the New York regulation imposed on financial institutions, discussed below), the DFARS has no across-the-board exemption for small businesses or businesses with minimal revenue derived from DoD sources. Small defense contractors are facing the same deadlines, the same security requirements, and, in many cases, the same push to change the way they do everyday business.

    At the same time, large defense contractors are auditing their supply chains and imposing institutionalized changes in order to make their supply chains more resilient. As such, we know that DFARS non-compliance is being viewed as a systemic vulnerability in the supply chain. We have already seen businesses choose to discontinue working on government contracts rather than absorb the cost and effort to implement these acquisition requirements.

    Another notable clause provides baseline requirements for use of cloud services. If a company is using an external cloud to store, process, or transmit covered information, the Cloud Service Provider (CSP) must meet minimum security requirements established under the Federal Risk and Authorization Management Program (FedRAMP), discussed below.

    Most Defense contractors are evaluating sizeable investments of time and money needed to comply. And 2018 is expected to bring us additional updates to the Federal Acquisition Regulations (FAR) that expand the requirements for NIST 800-171 compliance to all Federal contractors. Expect government acquisition compliance to be an issue for months to come.

    FedRAMP

    Across government agencies, focus has been shifting from technology maintenance to core competencies. In other words, technology experts provide the technology using cloud-based services, while the agency focuses on the mission. FAR and DFARS requirements for CSPs have service providers wondering if a FedRAMP accreditation is a worthwhile investment.

    Even more critical are cloud-based resource management systems that play a role in manufacturing or critical industries. As anyone who has worked with an Enterprise Resource Management System is aware, migration could mean years of work and millions of dollars.

    This is where vendor management plays a big role – a contractor storing government data in a cloud subjects the CSP to FedRAMP or equivalent security under the DFARS clause. This has had a high impact on many small and mid-size providers, and we expect to see a market shift and consolidation as smaller MSPs and CSPs look to merge with already accredited clouds. In any case, many are now weighing the cost of a FedRAMP accreditation or equivalent security against potential business gained or lost.

    There are different ways to accredit a system under FedRAMP but all require an evaluation of the system against NIST 800-53. As a Third-Party Assessment Organization (3PAO), Sera-Brynn performs initial and periodic assessments that secure the cloud.

    Financial Services: 23 NYCRR 500

    In March 2017, the New York Department of Financial Services’ (NYDFS) Section 500 took effect. This first-of-its-kind regulation requires establishment of a cybersecurity program, appointment of a Chief Information Security Officer, vendor management, and several technical requirements designed to protect nonpublic information. It applies to Covered Entities regulated by the NYDFS.

    This past quarter contained two notable deadlines for financial institutions subject to the regulation, known as NY Rule 500 or 23 NYCRR Part 500. August 2017 marked the month that banks, insurance companies, and other financial services institutions subject to New York DFS regulation were required to create compliant cybersecurity programs. September 27, 2017 was the deadline for filing notices of exemption under the regulation.

    23 NYCRR 500 is robust and has many similarities to the requirements imposed on Defense contractors via DFARS. The Colorado Division of Securities has since adopted cybersecurity regulations on brokers and investment advisors. In the absence of nationwide, regulated cybersecurity requirements for financial institutions, we expect more states will adopt similar measures.

    Quarter in Review: Notable News and Compliance Events

    While the massive Equifax breach dominated cybersecurity news this past quarter, a small change to NIST password guidelines created a cycle of news stories celebrating the apparent relaxing of the standard. It’s not often that NIST makes the news, but it’s also not often that a cybersecurity standard becomes less complex.

    July to September 2017 contained some notable regulatory and legal events related to cybersecurity compliance. Some highlights include:

    • In August 2017, China reportedly brought the first enforcement action against information technology companies under China’s Cybersecurity Law.
    • In August 2017, Delaware joined 14 other states and amended its breach notification laws to strengthen the ways organizations in the state protect personal information. The changes, which include new requirements for credit monitoring and an expanded definition of personal information, will be effective on April 14, 2018.
    • On September 12, 2017, the public comment period ended for The National Institute of Standards and Technology’s (NIST) draft, Revision 5, of Special Publication 800-53 “Security and Privacy Controls for Information Systems and Organizations.” The latest draft of SP 800-53 is part of the government efforts to unify the cybersecurity framework used by the federal government, but it has practical implications for the private sector. The word “federal” has been removed from the title and the federal focus of the document has been de-emphasized. The current version, Revision 4, has been in use since April 2013.
    • On September 19, 2017, the National Institute of Standards and Technology (NIST) updated its Digital Identity Guidelines, releasing NIST SP 800-63-3. This four-volume set (SP 800-63-3, 800-63A, 800-63B, and 800-63C) provides technical requirements for federal agencies implementing digital identity services. Of all the changes, the one that made the news was the change to password guidelines. However, the updates to the approved types of Multifactor Authentication (MFA) are also significant, especially for those seeking compliance under DFARS 252.204-7012.
    • The Department of Homeland Security (“DHS”) is in rulemaking (the public comment period is now closed) with three new proposed cybersecurity regulations for DHS contractors under the Homeland Security Acquisition Regulation (HSAR).
    • Organizations that process, store or handle information on European Union citizens have about 7 months left until GDPR enforcement begins – on May 25, 2018. (Also, on September 14, 2017, the UK Government published a draft of the Data Protection Bill which increases the level of cybersecurity mandates country-wide and impacts the GDPR).

    Looking Ahead to the Next Quarter: What Will the DFARS Deadline Bring?

    Looking ahead through December 2017, we anticipate that the collective effort of DoD contractors trying to implement DFARS requirements will reach a fever pitch. We may see movement on the proposed cybersecurity updates to the Department of Homeland Security’s acquisition rules, as well as the Federal Acquisition Regulations, which would apply to a broad spectrum of government contracts. Mandatory cybersecurity clauses in the FAR will be an enabler of change.

    As the year ends, watch for signs of enforcement action – to see what becomes of companies that willfully fail to comply with the cybersecurity clauses of DFARS. To put this in context, in FY 2016, the Department of Justice obtained more than $4.7 billion in settlements and judgments from civil cases involving fraud and false claims against the government. Clawbacks from health care and financial fraud made up the largest portions of this $4.7 billion. We will see how cybersecurity fraud stacks up in 2017.

    Rob Hegedus is CEO at Sera-Brynn, a global Cybersecurity Audit and Advisory firm.


    © 2016-2017 Cybersecurity Ventures. All rights reserved. Federal copyright law prohibits unauthorized reproduction of this Report by any means and imposes fines up to $150,000 for violations. Reproduction in whole or in part in any form or medium without expressed written permission of Cybersecurity Ventures is prohibited.