Scenario
You are a security professional for Blue Stripe Tech, an IT services provider with approximately 400 employees. Blue Stripe Tech partners with industry leaders to provide storage, networking, virtualization, and cybersecurity to clients.
Blue Stripe Tech recently won a large DoD contract, which will add 30 percent to the revenue of the organization. It is a high-priority, high-visibility project. Blue Stripe Tech will be allowed to make its own budget, project timeline, and tollgate decisions.
As a security professional for Blue Stripe Tech, you are responsible for developing security policies for this project. These policies are required to meet DoD standards for delivery of IT technology services to the U.S. Air Force Cyber Security Center (AFCSC), a DoD agency.
To do this, you must develop DoD-approved policies, standards, and control descriptions for your IT infrastructure (see the “Tasks” section in this document). The policies you create must pass DoD-based requirements. Currently, your organization does not have any DoD contracts and thus has no DoD-compliant security policies, standards, or controls in place.
Blue Stripe Tech's computing environment includes the following:
- 12 servers running the latest edition of Microsoft Server, providing the following:
  - Active Directory (AD)
  - Domain Name System (DNS)
  - Dynamic Host Configuration Protocol (DHCP)
  - Enterprise resource planning (ERP) application (Oracle)
  - A research and development (R&D) engineering network segment for testing, separate from the production environment
  - Microsoft Exchange Server for email
  - Email filter
  - Cloud-based secure web gateway (web security, data loss protection, next-generation firewall, cloud application security, advanced threat protection)
- Two Linux servers running Apache Server to host your website
- 400 PCs/laptops running Microsoft Windows 10, Microsoft 365 office applications, and other productivity tools
Tasks
1. Develop a list of compliance laws required for DoD contracts.
2. Determine which policy framework(s) will be used for this project.
3. List controls placed on domains in the IT infrastructure.
4. List required standards for common devices, categorized by IT domain.
5. Develop DoD-compliant policies for the organization’s IT infrastructure.
6. Describe the policies, standards, and controls that would make the organization DoD compliant.
7. Develop a high-level deployment plan for implementation of these policies, standards, and controls.
Full Answer Section
- Cybersecurity Maturity Model Certification (CMMC): While evolving, CMMC aims to standardize cybersecurity maturity across the DoD supply chain. The level of CMMC compliance depends on the type of information being handled.
2. Policy Framework(s) to Be Used:
- NIST SP 800-53: This is the primary framework. Blue Stripe Tech should adopt the controls relevant to its environment and to the sensitivity of the DoD data it handles.
- NIST SP 800-171: This should be used to provide guidance on the protection of controlled unclassified information (CUI).
- ISO 27001/27002: Although not a direct DoD requirement, aligning with ISO 27001 can provide a robust information security management system (ISMS) that complements NIST.
3. Controls Placed on Domains in the IT Infrastructure:
- Active Directory (AD):
  - Strong password policies (complexity, length, rotation).
  - Multi-factor authentication (MFA) for privileged accounts.
  - Least privilege access control.
  - Regular security audits and log monitoring.
  - Group Policy implementation for security configurations.
- DNS/DHCP:
  - DNSSEC implementation.
  - DHCP scope and reservation management.
  - DNS logging and monitoring.
  - DHCP snooping and ARP inspection.
- ERP (Oracle):
  - Role-based access control (RBAC).
  - Data encryption at rest and in transit.
  - Regular patching and vulnerability scanning.
  - Audit logging and monitoring.
- R&D Network Segment:
  - Network segmentation and isolation from the production environment.
  - Strict access control.
  - Regular vulnerability scanning and penetration testing.
  - Limited internet access.
- Exchange Server/Email Filter:
  - Email encryption (TLS, S/MIME).
  - Anti-malware and anti-spam filtering.
  - Data loss prevention (DLP) policies.
  - Email archiving and retention.
- Cloud-Based Secure Web Gateway:
  - Ensure that the cloud provider meets FedRAMP requirements.
  - Proper configuration of all security features.
  - Regular review of logs.
- Linux Servers (Website):
  - Secure configurations of Apache Server.
  - Regular patching and vulnerability scanning.
  - Web application firewall (WAF).
  - Intrusion detection/prevention system (IDS/IPS).
- PCs/Laptops:
  - Endpoint protection (anti-virus, anti-malware).
  - Full disk encryption.
  - Patch management.
  - User access control.
  - Implement STIGs (Security Technical Implementation Guides) for hardening.
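The "Secure configurations of Apache Server" control for the Linux web servers and the STIG-based hardening item above both reduce to checking directive values against a written baseline. The following is an added example (not part of the assignment or answer): it audits an Apache httpd configuration against a small STIG-style baseline, using real Apache directive names but a check set and expected values that are this example's own assumptions, with constructed weak and hardened sample configurations.

```python
"""Audit Apache httpd directives against a small hardening baseline."""
# Added example, not from the assignment: real Apache directive names, but the
# baseline values (STIG-style) and the check set are this example's assumption.
BASELINE = {  # directive: (expected value, why it matters)
    "ServerTokens": ("Prod", "banner leaks version details"),
    "ServerSignature": ("Off", "error pages leak server details"),
    "TraceEnable": ("Off", "HTTP TRACE should be disabled"),
}
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
# Constructed samples: a weak 'before' configuration and its hardened 'after'.
WEAK_CONFIG = """ServerTokens Full
ServerSignature On
TraceEnable On
SSLProtocol all -SSLv3
Options Indexes FollowSymLinks"""
HARDENED_CONFIG = """ServerTokens Prod
ServerSignature Off
TraceEnable Off
SSLProtocol -all +TLSv1.2 +TLSv1.3
Options -Indexes +FollowSymLinks"""

def parse_directives(text):
    """Map each directive to its last value; skip comments and <section> tags."""
    directives = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith(("#", "<")):
            name, _, value = line.partition(" ")
            directives[name] = value.strip()
    return directives

def enabled_protocols(value):
    """Resolve an SSLProtocol value such as 'all -SSLv3' to the enabled set."""
    enabled = set()
    for tok in value.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = (enabled | names) if sign == "+" else (enabled - names)
    return enabled

def audit(config_text):
    """Return findings (empty list = baseline met); unset SSLProtocol counts as 'all'."""
    d = parse_directives(config_text)
    findings = [f"{n} is {d.get(n, 'unset')!r}, expected {exp}: {why}"
                for n, (exp, why) in BASELINE.items()
                if d.get(n, "").lower() != exp.lower()]
    weak = sorted(enabled_protocols(d.get("SSLProtocol", "all")) & WEAK_PROTOCOLS)
    if weak:
        findings.append(f"SSLProtocol enables weak versions: {', '.join(weak)}")
    if {"Indexes", "+Indexes"} & set(d.get("Options", "").split()):
        findings.append("Options enables directory listing (Indexes)")
    return findings
```

Running `audit(WEAK_CONFIG)` reports five findings, including that `all -SSLv3` still leaves TLSv1 and TLSv1.1 enabled, while `audit(HARDENED_CONFIG)` returns an empty list.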
4. Required Standards for Common Devices (Categorized by IT Domain):
- Network:
  - Firewall configuration standards.
  - Router and switch hardening standards.
  - VPN configuration standards.
  - Wireless network security standards (WPA3).
- Servers:
  - Operating system hardening standards (STIGs).
  - Patch management standards.
  - Log management standards.
  - Virtualization security standards.
- Endpoints:
  - Operating system hardening standards (STIGs).
  - Software installation standards.
  - Mobile device management (MDM) standards.
  - Removable media policies.
- Applications:
  - Secure coding standards.
  - Vulnerability scanning standards.
  - Application patching standards.
  - Data encryption standards.
5. DoD-Compliant Policies for the Organization’s IT Infrastructure:
- Access Control Policy: Defines user access rights, password policies, and MFA requirements.
- Incident Response Policy: Outlines procedures for handling security incidents.
- Configuration Management Policy: Establishes standards for configuring and maintaining IT systems.
- Vulnerability Management Policy: Defines procedures for identifying and remediating vulnerabilities.
- Data Protection Policy: Establishes standards for protecting CUI and other sensitive data.
- Contingency Planning Policy: Defines procedures for disaster recovery and business continuity.
- Security Awareness and Training Policy: Mandates security training for all employees.
- Audit and Logging Policy: Outlines procedures for collecting and reviewing security logs.
- Remote Access Policy: Defines rules for remote access to the network.
- Media Protection Policy: Defines standards for protecting physical and electronic media.
6. Description of DoD Compliance:
- Implementation of all applicable NIST SP 800-53 controls.
- Protection of CUI according to NIST SP 800-171.
- Regular security assessments and audits.
- Continuous monitoring of security controls.
- Development and maintenance of a security awareness and training program.
- Achieving the required CMMC level.
- Proper documentation of all security controls.
7. High-Level Deployment Plan:
- Phase 1: Planning and Assessment:
  - Conduct a gap analysis to identify areas of non-compliance.
  - Develop a detailed security plan.
  - Establish a project team.
- Phase 2: Policy and Standards Development:
  - Develop and document all required policies and standards.
  - Obtain management approval.
- Phase 3: Control Implementation:
  - Implement technical controls (firewalls, IDS/IPS, etc.).
  - Configure systems according to STIGs.
  - Implement security awareness training.
- Phase 4: Testing and Validation:
  - Conduct vulnerability scans and penetration tests.
  - Perform security audits.
  - Validate compliance with DoD requirements.
- Phase 5: Continuous Monitoring and Improvement:
  - Implement continuous monitoring tools.
  - Regularly review and update policies and standards.
  - Conduct periodic security assessments.
  - Prepare for CMMC certification.