
Transforming Government Compliance - Fen Labalme

BSides Peru | 28:12 | 60 views | Published 2019-07
About this talk
FEN LABALME

The goal of compliance frameworks like HIPAA, SOX and FISMA is to ensure that basic security controls are met. The Federal government and an increasing number of state and local governments look to the Risk Management Framework (RMF) as defined by NIST SP 800-53r4 as the baseline for compliance management. Unfortunately, the RMF is rooted in static, waterfall methods and it’s clear that compliance does not equal security. While the RMFv2 (described in NIST SP 800-37v2) talks of continuous monitoring and ongoing authorization, the culture and proprietary tool sets provide significant friction to slow down any agile efforts.

This talk will briefly overview the current state of the art as practiced by federal authorizing officials (AOs) and some of the issues faced, many of which are cultural. A small but growing community is looking at ways to automate system security plan (SSP) creation and build security management into the CI/CD (DevSecOps) pipeline. And due to the cultural status quo, significant effort goes into creating properly formatted MS Word docs from the updated git and S3 artifact repositories. Finally, we’ll touch on how free/libre data formats and protocols are necessary to support viable continuous monitoring as application boundaries vary wildly and threat landscapes change too rapidly to rely on black-box proprietary agents to fully monitor.

Fen Labalme, CISSP, has been involved with data security and personal privacy for decades, starting with his 1981 M.I.T. thesis of an electronic newspaper that foresaw problems with personalization if privacy was ignored (NewsPeek). Today, Fen is the Chief Information Security Officer for CivicActions and is working to bring agile, free and open source security to government agencies fettered with antiquated, static cybersecurity compliance requirements.
Fen’s goal for this year is to enable general purpose “Authority to Operate” (ATO) authorizations in two weeks where currently this process takes agencies from nine months to three years.
Transcript

Already last but certainly not least, so Brett introduced Fen Labalme. He'll be presenting on Transforming Government Compliance. Fen Labalme, CISSP, has been involved with data security and personal privacy for decades, starting with his 1981 M.I.T. thesis of an electronic newspaper that foresaw problems with personalization if privacy was ignored, NewsPeek. Today Fen is the Chief Information Security Officer for CivicActions and is working to bring agile, free and open-source security to government ages, government agencies fettered with antiquated, static cybersecurity compliance requirements. Fen's goal for this year is to enable general purpose authority to operate, otherwise known as ATO, authorizations in two weeks, where currently this process takes agencies from nine months to three years.

Please welcome Fen. Wow, that's great, he just gave half my talk. I forgot that those were all in the introduction, so we can all go home now. So basically, with transforming government compliance is something that, actually transforming government is something I'm very interested into, and transforming government compliance is something that we need to do. Watching a lot of these talks, industry, private sector compliance is way ahead of government. Government is still good a bunch of checkboxes, and so I'm gonna give some background on that and then talk a little bit about what we're doing to try to make the process more automated. So yeah, I just gave the table of contents: how we got here,

what is CivicActions, the company I work for, what is compliance, and endpoint security is improving, we're seeing that, I'm really happy to say, and then the automated SSP creation and next steps. I've always had interest in security. Even before that, the thesis, I met Ron Rivest, Shamir, the R and A from, R and S from RSA, back when they were introducing public key cryptography, and wrote my thesis on personalized social media with privacy, got involved with the EFF, was a founding member of the cypherpunks, did a lot of things with P3P, Platform for Privacy Preferences, with the W3C, and a bunch of other, bunch of other things over a bunch of years. But then I get involved with CivicActions.

CivicActions is working at, working to try to make the grave, greater good. For the first 10 years we were working at empowering people at the edges, working at making nonprofits that made, that we liked work better. We were founded in Berkeley, we are a hundred percent remote, we're also a hundred percent free and open-source software. Our first clients were people like Amnesty International and Greenpeace, and then in 2014 we decided, let's, let's think about transforming government and see if we can take government and make it work better for people, make better products for them and help them do things that we all would like government to do. It's interesting transferring from Amnesty International to our first client, which

was the DoD, but it was a DSCA, which is a Defense Security Cooperation Agency. If there is a Department of Peace in the Department of Defense, it's probably this group. They measure their successes by conflict, conflicts avoided. And we grew from 35 to 75 people since we did that. We've got a bunch of clients now. Some of the clients that I'm involved with are DSCA, Department of Education, Health and Human Services, NSF, also Veterans Affairs, and the GSA is our newest client. So if federal compliance origins, I'm going again briefly go over this so you can save some time at the end for talking about where we're going. It's kind of started in 2002 when the

government realized that their systems were getting hacked into and FISMA became law, the Federal Information Security Management Act. And that was the first time that they actually codified, or not, maybe not the first time, but the time that it became a law that people actually had to make systems that were met a certain amount of compliance. And they set the bar pretty high at the time, with approximately 300 security controls, and you had to actually show that your system meets these with checking boxes, and then they would grant you an authority to operate, which would say that your system is now secure for the next three years. This was in 2002. Not much has changed since then,

which is really kind of scary. There has been a lot of things that, DIACAP came out, the 800-37, which the Risk Management Framework, really changed the way that those 300 controls were set up. Continuous monitoring was introduced in 2011, and the Department of Homeland Security brought up the concept of continuous diagnostics and mitigation. But a lot of people consider that continuous, they think the CDM stands for continuous monitoring. It's a good thing, except for the fact that the control basically puts HBSS and ACAS systems into your system, is designed for Windows. These are McAfee agents that go into your system. We're all open-source, so we're running Red Hat Linux and Ubuntu, and so these have to get

kind of put into our system. It's the only software that I can't look at and see what's going on. The last speaker just said that the ePO, ePolicy Orchestrator, that pushes the software down actually has been used to push malware. This is one of my fears. Basically what we need is, we need to open, open, for any kind of continuous monitoring system there should be open protocols and open data formats. Anything less, if it's completely closed, you can't trust it. There should be reference applications on GitHub that you can see and modify and change. That's just the beginning, and actually we are working on, I'm actually working with a DHS, I can't

believe I'm working with the Department of Homeland Security, I'm working with a DHS to try to make some of these changes, because they're realizing that these systems do need to be open. The next versions of their security asset management systems are going to have an API also, so that we can actually write into them. FISMA Modernization came, modernize anything. The DIACAP decided it's gonna start using the Risk Management Framework and 800-53. You may have heard of it. This is the version that came out that really became the Bible of everyone doing government compliance. I know this 800-53 way too well right now. So what is this compliance? And when we started doing government work we

needed to see, so, and I was the last person to take a step backwards and I jumped into the role. I, I wrote, one of the first things I did was write an SSP, system security plan, for the DSCA, and it was a 400-page Word document. That's what they wanted. I tried to give them code, I tried to get them to look at git, they wouldn't look at it. It was a book of monsters, and not only was it a book of monsters but it's based on the RMF, which, besides the 800-53, all the documents that points to, I'm trying to remember the name of the man who actually counted the pages, but it's

about 6,000 pages of compliance documentation. So nobody even reads, nobody reads the SSP and nobody reads the documentation that goes into it. So I learned, one thing I did learn is compliance is not security, and probably a lot of you know this. So the government actually began figuring it out, started updating risk management. They've done some good work. The OMB circular a-133 53, I don't think, but it was the first place that really mentioned ongoing authorization. They don't want the authorization be one time every three years, but they wanted to be continuously checked, and they also mentioned interoperability among tools. And I obviously did not have interoperability among tools because it fell off the back

when I, when I exported this presentation. But we use, some of the tools we use are things like OpenSCAP, Docker, Chef InSpec, Ansible. There's a lot of open source tools that can be used as a baseline for getting started. Also OpenControl, which I'll talk about in a few moments. Then this Cybersecurity Framework is something that works inside the public and the private sector. If you don't know about this, yeah, it's been talked about for several talks bring it up. It's very, extremely good, it's really well written language, CEOs can read it and understand it. I recommend you ask your CEO to read it, and it's something that can be done completely without

government intervention. You can do it yourself, and it's a really, really good set of commands. Also, as was mentioned, the CIS security framework benchmarks are really good. And the RMF v2, just in December the version 2 of the RMF came out, and that is also aiming more towards the public sector. It's taken out the word federal, it's mentioning, it's emphasizing privacy more, and also bringing up the concept of the information lifecycle, really realizing that they're going to look at information from the time it's created to destruction, the entire lifecycle of information. So I'm really hat, so, as any security researcher knows, endpoint security is improving, if you remember to change their passwords from

admin admin. But there's still a lot of work to do, because of the way you tell the government that you're actually secure is by using these three hundred, four hundred page Word documents. Also, cybersecurity scope is rapidly increasing. The systems are virtualizing and moving to the cloud, so the Cybersecurity Framework is moving into the boardroom. The GDPR, which demands, has a lot of changes, both of GDPR and the CCPA are both bringing up a lot of privacy requirements for users, to make sure that people know how their information is being used and collected. Very important stuff. What's going on is, well, in user interface design people understand responsive design. They

realize that you have to build a system that works for every kind of platform. What we also need is responsive security and agile security mechanisms, and the government doesn't really get that. They still are stuck in a one size fits all. So the work that we're working on is automating system security plan. This is sort of a back-end, but we're actually having hooks into the front-end, of actually hooking into the CI/CD pipelines, shifting left the process of security into the developers' area, so that when the developers make changes, they can help make changes that will feed through and into the security plan. Wrong direction. So it starts with machine readable files

that we store in git. They're called OpenControl. OpenControl looks like this. I don't think I have a pointer, but what we see here is, this is the risk assessment family, risk assessment number one, which is a policy. We see that it's from the standard key NIST 800-53, and has a text underneath, the department follows risk assessment policy and procedures formally documented. This is machine readable code for a policy. One like this, it'll probably be written by a person and not written by the computer, but when it is, but it can also be turned into, using an editor like hyperGRC, which is a free system on, available online, you can see on the left it has the actual

guidance from 800-53, then it has the controls. The control for risk assessment number one has three parts to it. Part of it comes from AWS, it's system partially inherits it, part of it comes from CivicActions, the contractor working on it, part of it comes from links, the client. And you can actually see the department follows the risk assessment policy and procedures coming directly from the YAML. We also want reusable components, because when you build something, if you build something on AWS, you're probably gonna, if you have five systems in AWS they're all going to inherit the same things from AWS. You shouldn't have to write the same section

of code, the same section of your system security plan, over and over again. So when we did the system security plan for this client we created five major components: one for AWS, one for CivicActions, one for Drupal, one for the organization and one for the privacy overlay. Each one of these right now is static, but we're currently in the process of templatizing them so that we can push them out and put them on GitHub and make them available to anyone. This is just a quick look at the AWS component. You can see AC-1, AWS, if I click, this is not live unfortunately, but AC-1, this is something that's

partially inherited. AC-2 is also partially inherited. But for the Drupal component, AC-1 is not involved because the policy, this is not part of Drupal, but Drupal does actually define very clearly, very specifically, part a, part d and part g of account management. By the way, I'm realizing I'm talking really fast, and if anyone ever has any questions at any point, please feel free.

So we've got these YAML files, and the next step, what we want to do is do automated evidence collection. When an authorizing official from the government wants to see or see or as system security plan, what they want to do is they want to see evidence, and the evidence in the past has been screenshots. Take a screenshot, it's crazy. They take a screenshot of the page showing the configuration of a system and they're happy. That's what I use them that first SSP. Well, here's an example for, if the password must be at least 14 characters, maybe needs to be more, actually this has just changed, where now this client needs 16 characters. The evidence at the bottom says attach

evidence. Right now we're manually attaching the evidence, but we're building the back end so we can have scripts that go out, check the configurations, see that it's looking at 16 characters, pull it in, and then we can verify that against the baseline and pop up a green light that we're meeting this control, or pop up a red light if we're not meeting the control. This page just shows we can also do diffs between controls, and there RA-5 part a in the middle, you can see AWS does not contribute to that, but actively Acquia ACE built on AWS does. So we can take any two sets of

components and do a diff between them. If we have time afterwards I can actually show some of this working. We want sharing of control information. We'll be putting ours out in both OpenControl and OSCAL format on our GitHub site. I was hoping to have it done by today, or out there by today, you know, the week make so defined that week is probably three weeks, but it'll be out there soon. So it'll be out in OpenControl format, which, OpenControl was started, if I didn't mention it before, it was created by Pivotal and 18F, and now there's a small group of very excited

people working on it. But there's also this group called OSCAL coming from NIST, and it's hard to say, but there's a lot of overlap between OSCAL and OpenControl. It's where the OpenControl committee's a little dismayed that the OSCAL people didn't come to us and say, what are you doing, how can we extend it, and they just started their own thing. But OSCAL looks really good, and I think I have an example. Some automated document creation with both. This is a document created from our OpenControl. This is actually RA-5, vulnerability scanning, which again has at the top the guidance and

underneath the AWS component and a links component. One of the great things that you can do with markdown, fortunately, is there's a great script called pandoc that will turn this into Microsoft Word, and that's again before you upload it, before you give it to the AOs, they want Microsoft Word. What we're experimenting with, OSCAL, OSCAL as a format for keeping track of the information for what's called the front matter. The front matter is the introduction, the system name, the points of contact, the system description, the technical description, federal rules and regulations. There's about 13 things. I'm only showing one, two and nine here

because that's as far as we've gotten so far. But the format that OSCAL has these in is in YAML, and so with this YAML file that we got from the OSCAL community we created a document, which has a template for taking that OSCAL. If you see in this template, actually let me go back, we can see at the top there's system name, data.gov multi-tenant system, and description underneath, with base low and selected low. These go into the template, and we get, up near the top you can see the system name, I think, and you can see the information types with the General

Services Administration and the confidentiality, integrity and availability low. So we're actually hoping to be able to manage multiple systems with this one template and different YAML files coming in, trying to cut the time from a year to two weeks. And I think we might get our first two weeks down, we might get there this year. My next one I think is gonna take about four weeks. So basically security demands agility. We need to not use just pure compliant systems that exist right now, but use systems that are machine readable, can be written and read by the machines, can connect with the developers, so the

developers can, as they make changes, they can see that their change is going to break. We're very used to QA and the CI/CD pipeline. You need to move security in the CI/CD pipeline. It's part of the next steps. And boy, I felt like I was late and so I went fast, but that's it, that's written for this talk. I can show a little bit of hyperGRC, I think. Yes?

Yes, the question is, in NIST documentation, in the 800-53, there's a lot of places say things like the password length must be by organization Delta, and then it has square brackets, organizational defined amounts, or things have to be checked by organizational amount times. Those values will all be in the YAML files, and so that will pull this from the YAML file and feed them into the templates and create documentation.

Absolutely, absolutely. The question is, when we're working on this, if we see that a control doesn't really make sense, are we trying to take a look at that control and change it also. The thing is that if there's a control, if there's a new threat that exists that's not in the control system at all, none of our federal clients care about that because it's not in a check box. We are looking at creating a community online in GitHub where people are making changes and updating these things regularly. Our contacts at the DoD are now interested in hearing about this, and they're seeing a demo in two weeks, and they're gonna have some

people from the DHS there, and that's really who has to be there, because the Department of Homeland Security is going to be the ones that push it down. Problem is that there's a big cultural change too, and right now there is the law, and the law is FISMA, and until that law gets changed, it's really probably going to have to come from the president, and I'm not sure that's going to happen anytime soon. But we are making inroads with the DoD and with DHS, and the Department of Education listens, they've been following what's going on. So those things may start trickling down, and I think I'll start

seeing things this year, but it won't probably actually trickle down for a couple years, because we've got a lot of cultural changes to make.

See if I can, I'm gonna see if I can bring up GRC now. This is hyperGRC. Take this off. This is hyperGRC. I've got a bunch of different things in here right now: um, an OpenShift platform, Freedonia is something you can download from OpenControl, the Department of Education, Health and Human Services examples. One of the better, let me go to the General Services Administration one here. A lot of this is already on GitHub. So if we look at, coming to pass while actually this in passwords, but control implementation, well, you can see this is exactly what you were talking

about over here: organizational defined auditable events, and then the organization defines the auditable events, or failed login attempts, sort successful login attempts, etc. These aren't defined by the organization here, they're defined by CKAN, the app, but we're actually, because of that, thinking of moving this to the organization section. The code for this,

it's, what's nice is this is starting to come together where I can actually use it, and I was hoping to actually have a more full-fledged demo for this, but next year.

And that, I think, is the OSCAL framework that NIST is pushing. Yeah, and we, in true DevOps fashion, we don't like the documentation as much as we like the code, and so we're using the code that comes out of OSCAL and we're making our code work with both OSCAL and OpenControl. I'll look it up now. It's automation control for security control assessments.

Well, thank you. [Applause]