The URL can be used to link to this page

Home My WebLink AboutItem #10 Approval of Proposed Inter-Governmental Agreement with the U.S. Department of Homeland Security for Cyber-Security Services ocoee florida AGENDA ITEM COVER SHEET Meeting Date: January 3, 2017 Item # /0 Reviewed By: / / / Contact Name: Al Butler, Support Services Department Director: ' ��' Contact Number: 407-554-7063 City Manager: / / /'Subject: Proposed inter-governmental agreement with the U.S. Department of Homeland Security for cyber-security services. Background Summary: The city is a member of the Multi-state Information Sharing and Analysis Center (MS-ISAC), which is funded by the U.S. Department of Homeland Security. The city is also involved in other programs involving the U.S. Secret Service and the Federal Bureau of Investigation, in addition to local and regional organizations involved in cyber-terrorism, both foreign and domestic. These various programs inter-operate with our own internal controls and devices, in addition to those of the companies that provide telecommunications services to the city, such as CenturyLink and Spectrum (nee Bright House Networks) to protect the city from damaging attacks. One problem with these various protections is that we cannot determine their effectiveness until they fail to protect the city from a denial of service attack, virus, Trojan horse, or direct attempts to enter the secure network and commit crimes, like corrupting our data, encrypting the data and holding it for ransom, posing as a city employee to commit other acts, and numerous other offenses. In order to test the city's network, data, and device security in a safe and structured manner, the U.S. Department of Homeland has offered to install software, train staff in its use, and conduct the initial assessment of the city's computer resources and telecommunications network. This work will be done onsite without cost to the city. The city will need to become a member of the Protected Critical Information Infrastructure (PCII) Program prior to executing the agreement. Due to the nature of these investigations, the methods and results affiliated with PCII are protected from public disclosure. Many of the communications and technical documents provided by MS-ISAC and other cyber security organizations are also subject to federal security laws and may not be disclosed. Portions of the proposed agreement have been redacted in compliance with these requirements. Issue: Should the City Commission approve an inter-governmental agreement with the U.S. Department of Homeland Security to conduct threat assessments of the city's computer network? 1 Recommendations Staff recommends the City Commission approve the proposed inter-governmental agreement and the city's participation in the Protected Critical Information Infrastructure (PCII) Program. Staff additionally recommends that the City Manager or his designee be authorized to enter similar future agreements with federal and state agencies to augment the city's capabilities to detect and resist cyber threats; the Mayor should be authorized to execute any agreements necessary to implement this recommendation. Attachment: Proposed inter-governmental agreement (portions redacted). Financial Impact: There is no cost to the city for the proposed services. Type of Item: (please mark with an Y) Public Hearing For Clerk's Dept Use: Ordinance First Reading X Consent Agenda Ordinance Second Reading Public Hearing Resolution Regular Agenda X Commission Approval Discussion&Direction Original Document/Contract Attached for Execution by City Clerk X Original Document/Contract Held by Department for Execution Reviewed by City Attorney N/A Reviewed by Finance Dept. N/A Reviewed by — N/A Reviewed by N/A 2 DOCUMENT VERSION 3.0-6/22/2016 CYBER HYGIENE Authorization to Conduct Continuous Scans of Public-Facing Networks and Systems The National Cybersecurity & Communications Integration Center (NCCIC) of the Department of Homeland Security (DHS), under authority of the Homeland Security Act (6 U.S.C. § 101 et seq., esp. 6 U.S.C. § 148) would like to gain authorization from City of Ocoee ( Ocoee) to conduct continuous network and vulnerability scanning of Ocoee 's publicly accessible networks and systems. The goals of these activities are to: 1. Catalog Ocoee 's publicly accessible networks and systems, including services running and version/patch levels 2. Identify vulnerabilities on Ocoee 's publicly accessible networks and systems 3. Identify potential configuration issues with Ocoee 's public facing networks and systems 4. Maintain tactical awareness of the operational risks and cyber health of individual entities 5. Inform the government's common operational view of cyberspace 6. Integrate relevant information, analysis, and vulnerability assessments, in order to identify priorities for protective and support measures regarding potential or actual threats 7. Provide"early warning"of specific actionable vulnerabilities to Ocoee DHS activities will originate from IP addresses that will be made known to (Ocoee ), DHS will also notify Ocoee should the IP addresses change. Scanning will be openly attributable to the authorized scanning source, and should be detected by Ocoee 's network monitoring solutions. Connections and data will be sent to Ocoee 's publicly facing networks and systems. The process has been designed to be as non-obtrusive as possible—scheduling, intensity and frequency have been carefully planned to minimize the possibility of service disruption. Activities under this authorization will be limited to scanning; no attempts to connect to Ocoee 's internal network, penetrate Ocoee 's systems, or monitor Ocoee 's network traffic will be made under this authorization. NOTE: If a third-party, such as a Managed Security Services Provider (MSSP) or Security Operations Center (SOC), operates or maintains Ocoee 's public and/or leased IP range, make sure that such third parties are promptly notified and authorize in writing the scanning activity. Forward the written third- party authorization along with Ocoee 's authorization to the DHS Point of Contact listed below. If any such third party should fail to authorize in writing the scanning activity, promptly notify the DHS point of contact listed below. 1 `\ DOCUMENT VERSION 3.0-8/22/2016 t 1 Q\ In a separate Appendix to this authorization Ocoee will provide: the point of contact for activities performed under this authorization; an email address for the delivery of reports;the public IP addresses relating to this activity; and any other relevant information. Ocoee may provide updates to this information from time to time, in writing. DHS acknowledges that Ocoee may withdraw this authorization at any time for any reason. The DHS Point of Contact for this activity can be reached at NCATS info @hq.dhs.gov. By signing below,the approving Ocoee official agrees to the following: Ocoee authorizes DHS to conduct the scanning activities described above; ▪ Ocoee agrees to promptly notify and secure written authorization for the scanning activities described above from any third-party, such as a MSSP or SOC, that operates or maintains Ocoee's public and/or leased IP range,and to forward that authorization to DHS; • Ocoee accepts that, while DHS teams will use their best efforts to conduct scans in a way that minimizes risk to Ocoee's systems and networks,the scanning activities described above create some risk of degradation in performance to Ocoee's systems and networks; • Ocoee accepts all risks to its systems and networks for the activities described above; • Ocoee acknowledges that DHS provides no warranties of any kind relating to any aspect of the assistance provided under this authorization; Ocoee accepts the risk of any damage that may result from implementing any guidance provided by DHS; • Ocoee hereby holds harmless the U.S. Government and those acting on its behalf from any and all claims arising out of or in any way related to this authorization;and • Ocoee has authorized you to make the above certifications on its behalf. Signature: Name: Rusty Johnson Date: 1/3/2017 Title: Mayor Entity: City of Ocoee City: Ocoee County: Orange State: Florida 2 DOCUMENT VERSION 3.0-8/33/3016 Appendix A Authorization to Conduct Continuous Scans of Public-Facing Networks and Systems Ocoee provides the following information to facilitate the authorized scanning activities: Please provide a technical point of contact at Ocoee for the NCCIC team to follow-up with: Name: John Haas Email: jhaas @ocoee.org Phone: 407 554-7119 We recommend your organization create/use a distribution list email address to receive our reports. This allows your organization to manage the recipients of our report. We will only deliver reports to a single address. Distro email: helpdesk @ocoee.org Your report will be encrypted with a password which we will provide to you. How would you like this password delivered (select one)? cPhone(tech POC) @ Email Text/SMS Tech POC nom sm. Call, leave voicemail • Distro POC ElCall, but don't leave a voicemail Enter your organization's public IPv4 addresses in CIDR notation: [This Internet security information has been withheld from public disclosure in accordance with federal and state laws.] 3