DOJ suit claims Georgia Tech knowingly failed to meet cyber standards (nextgov.com)
15 points by WaitWaitWha on Aug 27, 2024 | 4 comments


BLUF: unless there was gross negligence (meh, just put any score in there) that they can prove, a 98 can be explained very easily.

To give a bit of context, the score they are talking about (98) is an entry on DISA's Supplier Performance Risk System (SPRS) score [0].

The score almost certainly is based on self-assessment using the NIST SP 800-171v2 (and 800-171a). This is a document that looks at 110 cybersecurity controls across 16 families. Comes out to be about 300 or so explicit items that need to be looked at.

The score is from -203 (that is a minus) to 110. The scoring starts at 110, then deductions of 1, 3, or 5 points are made when a specific control audit fails.

This is only and only for the confidentiality of Controlled Unclassified Information (CUI).[1]

Because of this special carve out for just CUI, scoping what is and is not in scope is hard. I have heard audits where the auditor (DCMA DIBCAC) stated "everything is in scope", and elsewhere the auditor stated "only that which is directly generated by the Government".

Not only this, there is a feud amongst agencies about who does what, where, and how, when it comes to cybersecurity.

[0] https://www.sprs.csd.disa.mil/

[1] https://www.archives.gov/cui/about


The negligence is pretty gross and pretty provable.

For example, the IT security administrator simply did not install the antivirus because a professor did not want it. The claim was that this wouldn't be a problem since the Georgia Tech network had security. This is a problem for 2 reasons. 1. The Georgia Tech network did not have the claimed security. 2. The laptops were allowed to be and were taken and used off the network.

Note that even the Georgia Tech response is not disputing the security facts. It’s simply stating that there wasn’t anything confidential about this because the government published the research. Which of course has no bearing on whether or not they lived up to their contractual security and confidentiality requirements.


Your example would be a failure on a DIBCAC high audit, if they sampled the professor's system. In a DIBCAC medium audit, the only thing they look at is your System Security Plan (SSP). The article sounds like it referred to a Basic self-assessment, because it was self-entered.

Self-assessments attest that the information provided is in good faith, that the SSP is developed, documented, and maintained, and that for identified missing or failing controls, plans of action and milestones (POA&Ms) are created.

> Note that even the Georgia Tech response is not disputing the security facts. It’s simply stating that there wasn’t anything confidential about this because the government published the research. Which of course has no bearing on whether or not they lived up to their contractual security and confidentiality requirements.

This is exactly what I was trying to explain. My apologies I failed. Compliance with NIST SP 800-171, as required under DFARS clause 252.204-7012, is primarily focused on systems that store, process, or transmit CUI. However, intermediary systems that could impact the security of those systems or the CUI they handle are also in scope.

Although contracts can call out additional things to be treated as CUI, I have never seen it. Too much paperwork on the Gov side, and it creates headaches for contractors.

And, this is where the rub comes in. Primary systems and resources no one argues about. The problem of scope comes in with intermediary systems, shared services and infrastructure, and boundary systems.

For example, if the CUI data is encrypted in transit, traveling through a private WAN managed by a third party, does the third party need to also comply? When remote government workers connect to a government site with their government furnished equipment on public WiFi accessing CUI, where is the edge of that environment that is in scope for audit?

Again, if they were clearly negligent, let's pillory them. My conjecture is that this is low-hanging fruit to be vengeful. The rules and regs are so convoluted and out of order, there are entire industries (plural) just for getting to understand the requirements.

And, if we really want to get into a mess, I am going to be crude but mention the four letter word - CMMC.
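The scoring described earlier in the thread (start at 110, deduct 1, 3 or 5 points per failing control, floor of -203) and the self-assessment attestation (SSP documented, POA&M for every failing control) are easy to get wrong in a spreadsheet. The following is an added illustration, not code from any commenter, DISA or NIST: it computes a score from a constructed list of control results and lists what would make the attestation false. Control IDs, weights and descriptions are constructed placeholders; the real per-control weights come from the DoD assessment methodology, which is not reproduced here.

```python
from dataclasses import dataclass
from typing import List, Optional

START_SCORE = 110          # per the thread: scoring starts at 110
MIN_SCORE = -203           # per the thread: lowest possible score
VALID_WEIGHTS = {1, 3, 5}  # per the thread: only these deductions exist


@dataclass
class ControlResult:
    control_id: str          # constructed placeholder, not a real 800-171 ID
    weight: int              # deduction if the control is not implemented
    implemented: bool
    description: str = ""
    poam: Optional[str] = None  # reference to a POA&M entry for a failing control


def sprs_score(results: List[ControlResult]) -> int:
    """Return the self-assessment score: 110 minus the weights of failing controls."""
    deductions = 0
    for r in results:
        if r.weight not in VALID_WEIGHTS:
            raise ValueError(f"{r.control_id}: weight {r.weight} is not 1, 3 or 5")
        if not r.implemented:
            deductions += r.weight
    score = START_SCORE - deductions
    if score < MIN_SCORE:
        # More deductions than the methodology allows; the input is inconsistent.
        raise ValueError(f"score {score} is below the floor of {MIN_SCORE}")
    return score


def attestation_gaps(results: List[ControlResult], ssp_documented: bool) -> List[str]:
    """List reasons the good-faith attestation would be false for this submission."""
    gaps = []
    if not ssp_documented:
        gaps.append("SSP is not developed, documented and maintained")
    for r in results:
        if not r.implemented and not r.poam:
            gaps.append(f"{r.control_id}: failing control with no POA&M")
    return gaps


# Constructed sample: six placeholder controls, two of them not implemented.
SAMPLE_RESULTS = [
    ControlResult("CTRL-01", 5, True, "access control (constructed)"),
    ControlResult("CTRL-02", 5, False, "malicious code protection (constructed)"),
    ControlResult("CTRL-03", 3, True, "audit logging (constructed)"),
    ControlResult("CTRL-04", 1, False, "media marking (constructed)", poam="POAM-0007"),
    ControlResult("CTRL-05", 1, True, "physical access (constructed)"),
    ControlResult("CTRL-06", 3, True, "configuration management (constructed)"),
]


def sample_report() -> dict:
    """Score the constructed sample and check the attestation conditions."""
    return {
        "score": sprs_score(SAMPLE_RESULTS),                       # 110 - 5 - 1 = 104
        "gaps": attestation_gaps(SAMPLE_RESULTS, ssp_documented=True),
    }


if __name__ == "__main__":
    report = sample_report()
    print("score:", report["score"])
    for gap in report["gaps"]:
        print("attestation gap:", gap)
```

The point of the second function is the one made above about self-assessments: a high number entered in SPRS is only honest if the SSP exists and every deducted control has a POA&M behind it, so a review of a submitted score should check those conditions, not just the arithmetic.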


The government is unserious about this stuff in their own networks, this really sounds like somebody got a bee under their bonnet and is trying to make an example.

You need antivirus on security research laptops? How does that work exactly? I've worked .gov for decades and in many systems we don't put AV on them because we're working with things the AV will destroy while we work on them.

The facts will come out, GTRI has the money to fight this, and we'll see, but my general position when the gov starts talking about cyber security is they're probably full of shit.



