Hello and welcome to the NIST 800-171 Learning Path. My name is Dave Hatter. I'm an instructor for this class, and this is course four, Create a System Security Plan. In the last video in course four we did an overview of system security plans. In this video, we're going to jump in and use the NIST template to actually start building out a system security plan with some real-world examples, and referencing the NIST 800-171A document, so you can see how the assessment objectives can inform how you go about answering, or how you go about addressing, each one of the 110 requirements of NIST 800-171. So what you see here is a screenshot of the Rearden Steel system security plan. This is a completely fictional company and a completely fictional system security plan, again based upon this template, that I started to fill out to try to demonstrate how you can go about doing this. Just a reminder before we jump into the Word document (and we'll bounce back and forth between the Word document and the PDF that has the 800-171A information in it): your system security plan is a blueprint of your cybersecurity program. It documents implementation of controls that show how you satisfy, or in some cases don't satisfy, the 110 requirements of NIST 800-171, which would get us to our plan of action and milestones that we'll talk about in the next course. So with that, let's jump in and take a look at building out our system security plan. I'm going to switch screens here; bear with me for one second while I pull up the Word screen. So we'll get to Word here, and what you should see on your screen now is this fictional system security plan for the fictional company Rearden Steel. So you can see here: Rearden Steel System Security Plan, last updated July 2nd of 2021. Again, this was built using the template that's available free from NIST. I have a link in there for you to download that; you can get that from the NIST website.
There are other templates available. Companies have taken the basic structure of this and improved upon it; there are third-party companies like ComplianceForge who will sell you all kinds of different compliance-oriented templates, and they have some great stuff, but I think for most people you're going to find that the free template available from NIST is sufficient for this purpose. So let's jump right in and take a look at this. You can see section one, System Identification. In here they ask you for the name of the system; I called this the Rearden Steel Information System. Again, totally fictional, I just made this up, but I want to be able to demonstrate how you might go about doing this. 1.1.1, System Categorization: this is the language supplied by NIST; you should leave that as the default, moderate impact for confidentiality. 1.1.2, System Unique Identifier: I made this up, RSIS001, so Rearden Steel Information System 001. Responsible Organization: Rearden Steel, with the address and phone number. Information Owner: they say the government point of contact responsible for providing and receiving CUI. So here it's Hank Rearden, the president of Rearden Steel, and then there's his address and contact information. And we've got System Owner, they say assignment of security responsibility; in this case that's John Galt, the director of cybersecurity for Rearden Steel, and there's his contact information. And then System Security Officer: we have Francisco d'Anconia, who's the CISO for Rearden Steel, and there's his contact information. So you'll see here, next it asks you to give a general description or purpose of the system. This is my attempt at doing that, again completely fictional: the Rearden Steel Information System provides general information storage and processing capabilities to support Rearden Steel business functions including accounting, finance, human resources, inventory scheduling, sales, shipping, reporting and other common business functions.
This system contains CUI as it is used to store and manage contract information and manufacture products under various contracts. Pretty basic description. I think the more fleshed out, the more details you can provide in your description, the better. Up next we have 1.3.1, Number of End Users and Privileged Users. So the red language is from NIST, and you can see they say: in the table below, provide the approximate number of users and administrators of the system. Include all those with privileged access, such as system administrators, database administrators, application administrators, etc. Add rows to define different roles as needed. I think it makes more sense to add a column for this; you'll notice when you go download this template, their template does not contain this first column. I added that. So you can see where I have a column for role, and I'm basically just kind of outlining the different places where users are involved. So, Active Directory: 200 users with three administrators or privileged users. I've got some databases: 200 users, one privileged user or administrator for the database server. And then Azure/Office 365: 200 users with two administrators. So you can see here, then, General Description of Information: CUI information types processed, stored or transmitted by the system are determined and documented. For more information, see the CUI Registry, and they have a link to archives.gov. Now, this is one of the things that can be really tricky. Sometimes you'll have contracts that don't have the CUI clearly marked; in some cases you will. That's always a win, because sometimes determining what is CUI, where it is and so forth can be quite difficult. I would encourage you, if it's not well marked, it would be a good idea to go check out the CUI Registry at archives.gov anyway.
But if you're not really familiar with CUI, if you've never done this before, I really strongly recommend you check that out, because again, ideally you're going to scope your system so that you're only applying all these requirements to the parts of the system where CUI exists. You obviously have to know what is CUI to know where it exists, so I would definitely take a look at that. Here's my attempt to answer this question for our fictional Rearden Steel: as part of various contracts we store, process and/or transmit Controlled Technical Information. We produce steel used in a variety of products; the specifications are considered CUI/CTI. So now we're in section two, System Environment. They tell you to include a detailed topology narrative and graphic that depicts the system boundaries, system interconnections and key devices. Notice they say this does not require depicting every workstation or desktop, but include an instance for each operating system in use, an instance of reportable components, all virtual and physical servers, network workstations, firewalls, routers, etc. Right, all the equipment you would find in a typical network infrastructure. Then they say, in red there, insert a system topology graphic; provide a narrative consistent with the graphic that clearly lists and describes each system component. So as you get into the more detailed components of this, specifically the 110 requirements of 800-171, in some cases you're just going to have to start with what you've got, right? This is going to be an incremental process. You're going to have to try to move the ball forward. So I made up a system or network diagram here for our fictional Rearden Steel. It doesn't meet the requirements of everything that they said here, but again, this would be starting with what I've got, and then I'm going to improve this over time.
So you can see here a simple network: a few switches, a router, a firewall, we've got some encrypted cloud backup out there, we're using 365 for our email, which we'll get into in more detail in a minute. We've got some remote users going through the firewall for the VPN, we've got some servers providing services inside the company, etc. So, you know, we've got some VLANs, but you can see this is a fairly simplistic diagram. It doesn't really meet all of their requirements, but it would be a place to start, and it's at least showing some evidence of your network. And then, you know, some description here: we use a FortiGate 500E with VPN for remote access, three switches, one router and some VLANs. You know, more information here is going to be better; the more detail there can be, the better off it's going to be in terms of any sort of assessment. 2.1: include a reference to a complete and accurate listing of all hardware and software components including make, OEM, model, versions, service packs, etc. Right, so they're asking for a lot of information here. I think the point is, if you don't know what you have, you can't possibly secure it correctly, right? If you don't know what you have, you can't know: is it getting patched, who's responsible for it, does it have CUI in it? So they want you to show an inventory of your hardware and software, and in this particular case my answer is: we have an RMM and network monitoring tools to capture hardware and software inventory information. A current hardware inventory can be found here, and then a link; credentials will be required and will be supplied to authorized assessors upon written request. You know, if you have a small network and you only have a few devices, it might make sense to just go ahead and list them out here. Chances are you may not have all of this information; you may have to collect some of that. I'm suggesting in my fictional Rearden Steel,
thanks to our RMM and our network monitoring tools like Auvik, I have all this information. It's automated, and I can produce it, which will be stored here in our portal: hardware inventory. And you can see also software inventory, because my answer for the software piece is the same: current software inventory can be found here. Again, this is totally fictional. In the real world, you may need to build that inventory; if you don't have it, you should definitely have one. I mean, it's sort of a core tenet of basic information security that you need an inventory so you know what you have and you can make sure it's being adequately secured. So yeah, again, all fictional. You could just post your answers here; I think what you're going to find, though, is this document will get unwieldy very quickly if you just start posting everything in it. With 110 controls, you can easily hit hundreds of pages if you start putting all the artifacts for your evidence in this document. Generally I just like to refer to something else, which you can see is what I've done here. 2.2: list all software components installed on the system. And you can see a similar answer: current software inventory can be found here. 2.3, Hardware and Software Maintenance and Ownership: is all hardware and software maintained by the organization? If no, explain. So I said no, and then here's the explanation. We use Microsoft 365 for email, Teams, SharePoint and OneDrive, and then it goes into detail trying to explain why our Microsoft 365 tenant is secure. We have the licensing required, and we use the following on all accounts: multifactor authentication; Microsoft Defender for Office 365, formerly Advanced Threat Protection, which includes anti-phishing, Safe Links and Safe Attachments; we use Azure AD Password Protection; we're using Azure Active Directory Information Protection; we've disabled auto-forwarding for email; we're blocking legacy authentication.
We've disabled third-party application integration, we've disabled user consent to applications, we have dedicated administrator accounts with strong unique passwords and MFA. We've restricted standard user access to the Azure AD administrator portal, we've restricted standard user access to MSOnline, so you can't run PowerShell scripts. We've enabled audit log searching, we're using Azure Sentinel, and we have a spam filtering service. Which, by the way, all of those things would be good things to do if you have Microsoft 365, to ensure the security of your tenant. It will require certain licensing, but it's money well spent to make sure that your tenant is much, much more secure. So again, a lot of details supplied here; in general, the more details you can provide, the better. So section three, Requirements, is really where the rubber hits the road. This has all 110 of the NIST 800-171 requirements listed here, and then, as you can see when I scroll down, starting with the Access Control requirement family, we have the first requirement, 3.1.1: limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). Then notice they say: have you implemented controls that will satisfy this requirement, are you planning to implement them, or is it not applicable, right? And you'll see, let's go down for a second, this is the format throughout the rest of the document. Each requirement is listed, and then you can say it's implemented, planned to be implemented or not applicable, and then you're going to supply the rationale, evidence and artifacts that show either how you satisfy that requirement or how you haven't satisfied that requirement, at which point then we're talking about the plan of action and milestones. In this case, I'm going to build that. We'll be talking about the plan of action and milestones in the next course in much more detail.
I'm going to build that as a separate document and just reference it, as you'll see as we look at a couple of the controls and try to show how you might respond to this. So as I mentioned in the previous course, I'm sorry, the previous video, it's a really, really good idea to download NIST 800-171A and take a look at the assessment objectives for each control as you think about how to address this. Okay, so I'm going to switch windows again; bear with me here for a second. I want to pull up 800-171A and show it to you so you can see what this looks like. Hang on one second. There we go, so sorry about that. What you should see on your screen now is NIST Special Publication 800-171A, Assessing Security Requirements for Controlled Unclassified Information. I did a quick search in here to find control 3.1.1: limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). Now here you see the assessment objective, "determine if", and the six objectives for this particular requirement, right? 3.1.1 A: authorized users are identified. 3.1.1 B: processes acting on behalf of authorized users are identified. 3.1.1 C: devices (and other systems) authorized to connect to the system are identified. So again, we're really talking about an inventory type of concept here; we need to know what these things are, right? And then D, E and F: system access is limited to authorized users; system access is limited to processes acting on behalf of authorized users; system access is limited to authorized devices (including other systems), right? So we've determined who the authorized users, processes and devices are, and then we're ensuring that the system actually only allows access to those authorized users, processes and devices. So then they describe the potential assessment methods, and again, this is important because it gives you insight into what you really need to know.
It breaks this down in much more detail than the requirement itself, and then I think this is where the real insight comes in in most of these. Right, we talked about the three ways they might do an assessment: I might examine something, I might interview someone, or I might test something, or possibly some combination of all of these. But when you read through this, it points you to the kinds of things that are going to help you collect evidence and provide artifacts that will show how you satisfied a given requirement. So for example, Examine: select from access control policy; procedures addressing account management; system security plan; system design documentation; system configuration settings and associated documentation; list of active system accounts and the name of the individual associated with each account; notifications or records of recently transferred, separated or terminated employees; list of conditions for group and role membership; list of recently disabled system accounts along with the name of the individual associated with each account; access authorization records; account management compliance reviews; system monitoring records; system audit logs and records; list of devices and systems authorized to connect to organizational systems; other relevant documents. Now that's a mouthful. It's a lot of stuff. But again, great insight here. If you have an access control policy, right, that can be part of your evidence. That's the artifact: I have an access control policy, and you can reference it. Interview: personnel with account management responsibilities; system or network administrators; personnel with information security responsibilities. Test: organizational processes for managing system accounts; mechanisms for implementing account management, right? So once you see all of this, you realize this is what you need to know to figure out how to adequately answer these questions.
So let's go back over to our Word document now, and let's take a look at how I tried to answer for 3.1.1. So now on your screen you should see our system security plan again, right? And here is my attempt to answer, or to respond to, how I've satisfied this requirement. So I've said Implemented: only authorized Rearden Steel users can access our systems that process, store or transmit CTI/CUI. User identification and authorization is enforced through Active Directory. Active Directory is used for all user rights management. User groups are configured and managed in Active Directory. LDAP integration to the FortiGate VPN is controlled using FortiClient. VPN access is controlled by Active Directory security groups. Only Rearden Steel owned devices can access the VPN. There are policies established, and then the evidence, right? So rather than put all of this in this document, I'm referencing other sources. Generally what I would do is create a SharePoint folder, or a series of folders, a folder structure, for all of this information, and then I'm just pointing to the artifacts, the evidence that proves all of these claims that I've made here, right? So some screenshots of Active Directory, some VPN screenshots, and then the policies that would align with this. So again, I took a look at the assessment objectives and then went out and collected the information to try to answer this as thoroughly as possible, including artifacts. So let's take a look at another control. And again, you'll see the same structure repeats over and over. So I'm going to skip down to the next control family, Awareness and Training, right, and another crack at trying to answer, or trying to show how I've satisfied, the requirements of 3.2.1, which is: ensure that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
So again, I'm going to switch windows here; bear with me for a second. Let's go take a look at the assessment objectives for this particular requirement. Bear with me here; this gets a little funky sometimes, trying to switch windows in the software. There we go. And I'm going to go ahead and search for 3.2.1. There we go, Awareness and Training. So it tells us our requirement; I won't read that to you again. And you can see there are four assessment objectives for this requirement. 3.2.1 A: security risks associated with organizational activities involving CUI are identified. 3.2.1 B: policies, standards and procedures related to the security of the system are identified. 3.2.1 C: managers, system administrators and users of the system are made aware of the security risks associated with their activities. And then 3.2.1 D: managers, system administrators and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system. Then you can see the assessment methods and objects. Examine: security awareness and training policy; procedures addressing security awareness training implementation; relevant Codes of Federal Regulations; security awareness training curriculum; security awareness training materials; system security plan; training records; other relevant documents or records. So this is telling you, hey, you probably need a policy for security awareness and training. If you don't have one, you probably want to get one. If you do have one, that's going to be a great artifact to include a reference to, to show how you are trying to comply with this requirement, right? Interview: personnel with responsibilities for security awareness training; personnel with information security responsibilities; personnel composing the general system user community; personnel with responsibilities for role-based awareness training.
I should have mentioned this when we talked about 3.1.1: the folks that the assessor might interview to determine if you satisfied this requirement. If you don't have this information, or you don't know if you have this information, or you don't know how to get the information, the people in the roles they're saying they would interview are a clue for who you should be talking to in your organization if you don't know the answer to that. Right, and then Test: mechanisms managing security awareness training; mechanisms managing role-based security training. So again, I'm using this to inform how I'm going to try to answer this question and be as thorough as possible. So let's go back to Word and let's take a look at how I've attempted to answer 3.2.1. I've said Implemented, and you can see here: Rearden Steel uses KnowBe4 security awareness training. I'm a big fan of KnowBe4, by the way. All users are required by policy to complete regular training. Additionally, phishing emails are sent out on a biweekly basis, and any users who click on a phishing email are required to watch video training. Management regularly reviews training and phishing results, and users that click on a phishing email more than twice in a year are cancelled. Additionally, a cybersecurity consultant provides training for all users on a yearly basis. There is a focus on CTI/CUI during this training. And then evidence: KnowBe4 reports, so screenshots of some reports from KnowBe4; a screenshot of a sample phishing email sent by KnowBe4; and then some of the policies that show how we are attempting to satisfy this requirement, okay? So I'm going to show you one more, and then we'll wrap it up for this course. We'll go down to the, [COUGH] excuse me, for some reason this Word document does not want to let me search in it, which really doesn't make a whole lot of sense. And I went way too far, sorry about that. There's 3.5.3, here we go.
As I'm sure everyone watching this is well aware, both Microsoft and Google have come out and said, independently of one another, that multifactor authentication is one of the single most powerful things you can do to improve your security posture. So I picked this one because I just wanted to focus on multifactor authentication. It's so important, especially in light of the seemingly never-ending and ever-increasing cyber attacks. So 3.5.3: use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts, right? So again, MFA for local and network access to privileged accounts and for network access to non-privileged accounts, okay. So here I'm saying, well, I have not fully implemented this, right? Notice I've said Planned to be Implemented, but before we delve into my rationale here, let's go back to our PDF for a second and take a look at 800-171A and what they say the assessment objectives are for this guy, right? So we're going to go here and we're going to search for 3.5.3. And you can see here, security requirement: use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. So here we have four assessment objectives. A: privileged accounts are identified. B: multifactor authentication is implemented for local access to privileged accounts. C: multifactor authentication is implemented for network access to privileged accounts. And D: multifactor authentication is implemented for network access to non-privileged accounts. So you can see here in my assessment methods and objects, Examine: identification and authentication policy; procedures addressing user identification and authentication; system security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; list of system accounts; other relevant documents or records.
Interview: personnel with system operations responsibilities; personnel with account management responsibilities; personnel with information security responsibilities; system or network administrators; and system developers. And then under Test: mechanisms supporting or implementing multifactor authentication, right? So I'm going to go ahead now and switch back to our system security plan in Word. Let's get that guy. And so you can see here again, for 3.5.3 I've said Planned to be Implemented, because I have not fully satisfied this requirement. If you look at other templates out there, sometimes they'll change these. For example, you might have compliant, partially compliant, noncompliant, not applicable, alternative approach or something like that, right? I've seen a lot of different ways to do this, but again, we're just sticking with the base NIST template here, and you can see on this guy I'm saying Planned to be Implemented, and then here's my response with evidence. Multifactor authentication has been implemented for Microsoft 365 and VPN use only, so any access to Microsoft 365 or through the VPN requires multifactor authentication. MFA has not been implemented for local network access yet. We're planning to implement Duo; see the POA&M, the Rearden Steel POAM.xlsx, right? I'm referencing this external spreadsheet, my POA&M, that's going to have more details about our plan to implement this. Right? So we're saying we're going to implement it, and then over there I'm going to have a timeline and milestones and that sort of thing, right? And then here's my evidence. So some screenshots of Microsoft 365; I might throw up a screenshot of the multifactor authentication box kicking in. I might show some screenshots of the various settings in the tenant that show this is on, the VPN login screen, right? These are just some sort of screenshots that would be taken, and then you can see here the two policies that it references:
Rearden Steel Identification and Authentication Policy and Rearden Steel Remote Access Policy. So what I've tried to demonstrate here, and that's all I'm going to do for this, is to show you the actual NIST template, how it's structured, how it works, why you would want to get the NIST 800-171A document and use it to inform where to go to get this information, the kind of information you need to show that you've satisfied the requirement, and how you might go about documenting it. And then again, this isn't the only way, but I do think if you take this approach it's going to allow you to create a very solid system security plan that will not only stand up to assessment but also, frankly, as you work through these, help you understand where your gaps are, and as you fill those gaps, ultimately make your organization much more secure. I realize if you're in the government contracting business, compliance is absolutely critical so that you can get those contracts. But I think you can make a really sound case that, even outside of compliance with these requirements, if you were to satisfy all these requirements your organization would be vastly more secure, and it is a worthwhile goal to attempt to ultimately satisfy all 110 requirements of NIST 800-171. So with that, I'm going to wrap it up for this video. Thanks for watching, and I will see you in the next course, where we will take a look at creating your plan of action and milestones.
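Added example, not from the video or from the NIST template: a small Python model of the SSP structure walked through above (status per requirement, the 800-171A objectives for 3.1.1, 3.2.1 and 3.5.3, and which artifact backs each objective), with a check that an "Implemented" entry actually covers every objective and that "Planned to be Implemented" entries feed the POA&M. The Rearden Steel evidence mapping, the artifact names and the unmapped objective 3.1.1(b) are constructed for illustration.

```python
# Added example (not from the video or the NIST template): models the SSP
# entries shown above and checks them against their 800-171A objectives.
# Objective wording follows the walkthrough; the evidence mapping, artifact
# names and the deliberate gap in 3.1.1(b) are constructed here.
from dataclasses import dataclass, field

IMPLEMENTED = "Implemented"
PLANNED = "Planned to be Implemented"
NOT_APPLICABLE = "Not Applicable"


@dataclass
class Requirement:
    req_id: str
    status: str
    objectives: dict[str, str]                  # letter -> 800-171A objective
    evidence: dict[str, list[str]] = field(default_factory=dict)  # letter -> artifacts
    poam_ref: str = ""                          # external POA&M document, if planned
    rationale: str = ""                         # required when not applicable


def unmet_objectives(req: Requirement) -> list[str]:
    """Objective letters that no artifact in the SSP entry supports."""
    return [o for o in req.objectives if not req.evidence.get(o)]


def check_requirement(req: Requirement) -> list[str]:
    """Findings for one SSP entry; an empty list means the entry is consistent."""
    findings = []
    unmet = unmet_objectives(req)
    if req.status == IMPLEMENTED and unmet:
        findings.append(f"{req.req_id}: marked {IMPLEMENTED} but objectives "
                        f"{unmet} have no supporting artifact")
    if req.status == PLANNED and not req.poam_ref:
        findings.append(f"{req.req_id}: marked {PLANNED} but no POA&M reference")
    if req.status == NOT_APPLICABLE and not req.rationale:
        findings.append(f"{req.req_id}: marked {NOT_APPLICABLE} without a rationale")
    return findings


def poam_rows(reqs: list[Requirement]) -> list[dict]:
    """One POA&M row per unmet objective of each planned requirement."""
    return [
        {"requirement": r.req_id, "objective": f"{r.req_id}({o})",
         "weakness": r.objectives[o], "poam": r.poam_ref}
        for r in reqs if r.status == PLANNED
        for o in unmet_objectives(r)
    ]


def review_ssp(reqs: list[Requirement]) -> list[str]:
    """Findings across the whole plan."""
    return [f for r in reqs for f in check_requirement(r)]


# Constructed sample SSP entries (artifact names are placeholders).
AD, VPN, ACP = "AD screenshots", "VPN screenshots", "Access Control Policy"
SSP = [
    Requirement("3.1.1", IMPLEMENTED, {
        "a": "authorized users are identified",
        "b": "processes acting on behalf of authorized users are identified",
        "c": "devices and other systems authorized to connect are identified",
        "d": "system access is limited to authorized users",
        "e": "system access is limited to processes acting for authorized users",
        "f": "system access is limited to authorized devices",
    }, evidence={"a": [AD, ACP], "c": [VPN], "d": [AD, ACP],
                 "e": [AD], "f": [VPN]}),          # (b) left unmapped on purpose
    Requirement("3.2.1", IMPLEMENTED, {
        "a": "security risks involving CUI are identified",
        "b": "policies, standards and procedures are identified",
        "c": "personnel are made aware of the security risks",
        "d": "personnel are made aware of policies, standards and procedures",
    }, evidence={k: ["KnowBe4 reports", "Security Awareness Policy"] for k in "abcd"}),
    Requirement("3.5.3", PLANNED, {
        "a": "privileged accounts are identified",
        "b": "MFA is implemented for local access to privileged accounts",
        "c": "MFA is implemented for network access to privileged accounts",
        "d": "MFA is implemented for network access to non-privileged accounts",
    }, evidence={"a": [AD], "c": ["M365 MFA prompt", "VPN login screen"],
                 "d": ["M365 MFA prompt", "VPN login screen"]},
       poam_ref="Rearden Steel POAM.xlsx"),
]

if __name__ == "__main__":
    for f in review_ssp(SSP):
        print("FINDING:", f)
    for row in poam_rows(SSP):
        print("POA&M:", row)
```

Running it flags 3.1.1 as claimed Implemented without an artifact for objective (b), and emits a single POA&M row for 3.5.3(b), the local-access MFA gap the walkthrough points at the spreadsheet for.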