A CYBER PANORAMA - MAJOR FACTORS DRIVING CYBERSECURITY
Cyber Threats for the Public & Private Sectors
National Security & Public Safety Threats
Digital Pearl Harbor (e.g., DoD Secretary’s warning)
Critical infrastructure threats
Personal Data & Individual Threats
Half-billion personal records compromised
Major public & private sector data breaches
Intellectual Property & Economic Threats
$1 trillion global losses
Systematic cyber looting (e.g., DNI report)
The Information Technology Kingdom
Federal Sector & Information Security
Federal sector as largest information entity in world
Types of high-value data in federal sector
-- National security
-- Sensitive personal & healthcare data
-- High-value technology & trade secrets
Private Sector & Information Technology
85% of critical infrastructure in private sector
Information technology sector as critical infrastructure
$1 trillion IT sector
Public Policies Competing with Information Security
Information Sharing vs. Security
“Connecting the data” as essential to security
Security risks due to information sharing (e.g., WikiLeaks)
Transparency and Disclosure vs. Security
Federal requirements for transparency & disclosure
-- FOIA
-- eGov Act
Competing federal policies between confidentiality & transparency
Privacy vs. Information Security
Privacy & information security as complementary policies
Security requirements competing against privacy
-- Personnel screening
-- Internet surveillance (e.g., Einstein project)
THE STATUTORY AND REGULATORY FRAMEWORK FOR INFORMATION SECURITY
Basic Federal Information Security Laws & Rules
Federal Information Security Management Act (FISMA)
Fundamental requirements
Applicability to federal agencies & contractors
FISMA interpretation & implementation
-- Executive policy
-- Congressional oversight
-- Judicial interpretation
Federal Acquisition Regulation
Applicability to government contractors
Incorporation of OMB and NIST standards
OMB & NIST Standards
Key OMB guidance
NIST & FIPS standards
Mandatory vs. voluntary standards
Agency Regulations Implementing Cybersecurity
GSA Information Security Regulations
-- Regulatory requirements
-- GSA implementation
-- Sample RFP clauses
DoD Information Assurance Rules
-- DFARS regulatory requirements
-- DIACAP security implementation
-- DoD proposed rules for information assurance
-- Sample RFP clauses
DHS Information Security
-- Regulatory requirements
-- DHS implementation
-- Sample RFP clauses
DOE Information Security
-- Regulatory requirements
-- DOE implementation
-- Sample RFP clauses
VA Information Security
-- Regulatory requirements
-- VA implementation
-- Sample RFP clauses
HHS Information Security
-- Regulatory requirements
-- HHS implementation
-- Sample RFP clauses
Cloud Computing and Information Security
Executive Policy on Cloud Computing
-- Factors driving cloud computing
-- Implementation & initiatives
FedRAMP Program
-- Purpose
-- Move towards federal uniformity
Cloud Security and Key Issues
-- Security risks & benefits
-- Key security initiatives
Privacy Laws and Information Security
Overview
-- Patchwork privacy laws in U.S.
-- Information security as essential to privacy
Privacy Act
-- Fundamentals of Privacy Act
-- Civil & criminal remedies as factor in security breaches
HIPAA and Healthcare Privacy
-- Fundamentals of HIPAA
-- HIPAA requirements & information security
State Security Breach Laws
-- Overview of state provisions & requirements
-- Duties for security programs & safeguards
SEC Enforcement of Information Security
SEC Guidance on Material Risks & Information Security
-- Expanding the information security net
-- Implications for publicly traded companies
Key Factors for Information Security
-- Security breach incidents & disclosure
-- Internal safeguards & assessment
-- Major cyber risks & reporting
KEY ELEMENTS FOR A SOUND INFORMATION SECURITY PROGRAM
Establishing Security Objectives
Integrity
Confidentiality
Availability
Identifying Security Needs
Requirements Identification
Risk Assessment
Initial risk assessment
Periodic risk assessment
Cost-Effectiveness Assessment
Appropriate Level of Security
Levels of security
Multiple factors in determining security levels
Life-Cycle Security
Implementing a Security Program
Policies and Procedures
FISMA requirements
Other requirements
Security Controls
Management controls
Operational controls
Technical controls
Continuous Monitoring
Configuration management & control processes
Security impact analyses
Assessment of security controls
Security status reporting
Configuration Control
Continuity of Operations
Ensuring Compliance
Training
Periodic Testing and Evaluation
Accountability
Security Incident Detection and Reporting
Remedial Actions
CYBER CONTRACTING
Acquisition Planning & Formation
Cybersecurity as Planning Factor
Specifications & Restrictive Requirements
Uniformity in Federal Acquisitions
Emerging Protest Issues
Contract Performance
Security Programs & Agency Approval
Contractor Access to Federal Networks
Disqualification & Due Process
Past Performance & Security Breach
Liability and Risk Allocation
Government Contractor Defense
Public Law 85-804
SAFETY Act
Cyber Insurance
Cyber War and Contractor Risks
Agency & Contractor Oversight
Congressional Oversight & Initiatives
GAO Oversight
Inspector General Oversight