2018 SRAI Annual Meeting October Dana Rewoldt, CRA, Associate Director of OIPTT, Iowa State University, Ames, IA, USA
2 Controlled Unclassified Information Regulations: Practical Processes and Negotiations. A DFARS Case Study
A fairytale study about CUI: Governmentlandia, its Gala 7012 Cybersecurity Ball, and Securella. How Securella:
- navigated the cyber choices and the 7012 Ball intrigue
- acted boldly, working with a magic IT wand of glittering cyber controls
- hurried to meet midnight timelines
- slipped into a perfect cyber slipper for her research information foot
- CELEBRATED in a cyber-secured research environment with glittering controls
3 What is Controlled Unclassified Information (CUI)?
Controlled Unclassified Information (CUI), as defined in 32 CFR Part 2002: information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
4 Controlled Unclassified Information Regulations: CUI
The CUI regulations require management and safeguarding practices for CUI, which affect:
- federal agencies
- state, tribal and local governments
- academia
- industry
5 Controlled Unclassified Information Regulations: CUI
What is the Controlled Unclassified Information (CUI) program? The CUI Program's initial goals were to:
- standardize procedures
- develop consistent CUI definitions
- provide a uniform method of marking and safeguarding CUI
- eliminate needless restrictions
6 CUI Registry
The CUI Program provides management tools for marking, safeguarding, sending, disseminating, using, destroying, managing and protecting unclassified information. The CUI Registry:
- lists an index of categories and subcategories
- provides descriptions
- identifies the basis (the law, regulation, or Government-wide policy) for the CUI controls
7 Index of CUI (from the Registry)
Critical Infrastructure; Defense; Export Control; Financial; Immigration; Intelligence; International Agreements; Law Enforcement; Legal; Natural and Cultural Resources; NATO; Nuclear; Patent; Privacy; Procurement and Acquisition; Proprietary Business Information; Provisional; Statistical; Tax; Transportation
8 DFARS and the Department of Defense
Thanks to the Georgia Tech Procurement Assistance Center (TPAC) at the Georgia Tech Enterprise Innovation Institute for producing this short training video on DFARS compliance.
9 Controlled Unclassified Information (CUI) Program: how did we get here (DFARS)?
- The 9/11 Commission Report recommended cross-agency data sharing.
- Executive Order 13556 (November 2010) established the Controlled Unclassified Information (CUI) program, with the National Archives and Records Administration (NARA) as Executive Agent (EA) for agency compliance.
- NARA formed the CUI Office; the Director of the Information Security Oversight Office (ISOO) is the Director of the CUI Office.
- 32 CFR Part 2002, Controlled Unclassified Information, is in effect (NIST SP 800-171 Revision 1 implementation deadline: December 2017).
10 Controlled Unclassified Information Regulations: CUI
NARA joined with NIST and the Department of Defense to develop Special Publication (SP) 800-171, Revision 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. It specifies the information-system and physical-environment security requirements for safeguarding CUI.
11 Defense Federal Acquisition Regulation Supplement (DFARS)
DFARS requires contractors to protect CUI. To protect CUI in nonfederal information systems, NIST (a non-regulatory agency of the U.S. Department of Commerce) developed a special publication, NIST SP 800-171 Revision 1. NIST SP 800-171 Revision 1 provides 14 families of security requirements, 110 requirements in total, that define adequate cybersecurity for information systems that handle CUI.
12 National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 1
To comply with the regulations requiring safeguards for CUI, contractors had to implement the 110 security requirements of NIST SP 800-171 Revision 1 by December 31, 2017.
13 NIST SP 800-171: the 14 security requirement families
Access Control; Awareness and Training; Audit and Accountability; Configuration Management; Identification and Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical Protection; Risk Assessment; Security Assessment; System and Communications Protection; System and Information Integrity
14 NIST SP 800-171 Revision 1 compliance plans: SSP and POA&M
DoD guidance indicates that compliance with NIST SP 800-171 is demonstrated with two documents:
- System Security Plan (SSP): describes how each security requirement is implemented, and which requirements are not yet implemented.
- Plan of Action (with Milestones) (POA&M): lists when and how unimplemented requirements will be implemented, which planned mitigations will be used in the meantime, and how deficiencies will be remedied.
15 Announcement of the Gala 7012 Cybersecurity Ball
16 Controlled Unclassified Information (CUI) related FAR and DFARS clauses
Controlled Unclassified Information (CUI): information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
- DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting: at ISU, triggers review by Export Control and IT.
- DFARS Disclosure of Information clause: at ISU, triggers a publication waiver request, plus Export Control and IT review if the clause is not removable.
- DFARS Compliance with Safeguarding Covered Defense Information Controls (found in the solicitation): if the project is not fundamental research, consider budgeting the appropriate IT compliance costs in the proposal.
- FAR Basic Safeguarding of Contractor Information Systems: consider the IT security requirements it imposes.
17 The Gala 7012 Cybersecurity Ball brings choices
18 FAR clause: Basic Safeguarding of Covered Contractor Information Systems
- If information cannot be publicly released and it is provided by or generated for a Federal agency under an agreement, then the associated University information/computer system must have minimum basic safeguards in place.
- This clause will be flowed down to any subcontractor.
- Applying the NIST SP 800-171 Revision 1 security requirements is the suggested way to comply with the CUI Federal Acquisition Regulation (FAR) clause: the basic safeguarding requirements in the FAR clause are a subset of the NIST SP 800-171 requirements, so a system that meets SP 800-171 also meets the FAR clause.
- See the NIST self-assessment handbook, NIST Handbook 162.
19 The intrigue at the Gala 7012 Cybersecurity Ball!
20 DFARS Disclosure of Information clause: WATCH OUT CLAUSE
Under this clause, information cannot be released. At Iowa State University, if the clause is not removable, it triggers:
- a Request for Publication Waiver;
- consideration of whether graduate students can be used on the project;
- an Export Control review and an IT security review.
Exceptions allowing release of information: you receive prior written approval to release the information; or you receive prior written notice that (A) the information is not CUI and (B) the Contracting Officer states in writing that the work is fundamental research.
21 The Sisters
22 DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
- The Government has created a standard for treating CUI, information that needs safeguarding or dissemination controls. CUI can come from the Government or be created by the PI.
- The clause requires implementing the NIST SP 800-171 Revision 1 security requirements on the relevant information systems, and reporting cyber incidents that affect covered information to DoD within 72 hours of discovery.
- The Government will mark covered information as Controlled, either in the contract or when the information is provided; the PI should likewise mark the information appropriately.
- Access to CUI must be controlled with adequate security, including IT security. If CUI is present, the security must be in place: IT will need to understand the information environment and then put the appropriate IT security controls in place.
23 ISU Process for CUI
24 Fairy Godmothers are welcome!
25 NIST SP 800-171 Revision 1 Checklist
- List which systems, labs, offices, and personnel will have CUI.
- Minimize the information systems and the environment that hold CUI; every system in scope must meet all 110 requirements, so a small, well-defined CUI environment is cheaper to secure and to document.
- Limit access to CUI.
- Analyze existing and missing controls against NIST SP 800-171 Revision 1.
- Evaluate the costs of the needed physical and infrastructure controls.
- Use templates for the System Security Plan and for the Plan of Action for remedying missing controls.
- Institute 72-hour cyber incident reporting.
- Train CUI users on CUI best practices and security risks.
- Build in continuous monitoring.
26 Training on CUI security
- ISU has workshops, provided by IT, on the NIST SP 800-171 security controls.
- ISOO provides seven online videos to help researchers understand CUI: Marking CUI; Marking Commingled CUI; Controlled Environments; Destruction of CUI; Lawful Government Purpose; Freedom of Information Act FAQs about CUI and FOIA; Freedom of Information Act Panel Discussion (updated August 7, 2018).
27 Securella
28 Is a CUI waiver request appropriate? Is a CUI waiver request needed?
1) Analyze: Is the research ITAR or otherwise export controlled? Get the facts on the statement of work from the PI; ask the PI why this is fundamental research; discuss the fundamental research position and get Export Control's decision.
   - Yes: move forward with CUI cybersecurity controls.
   - No: analyze for CUI.
2) Analyze: Will CUI be received or generated?
   - Yes: move forward with CUI cybersecurity controls.
   - No: draft a CUI waiver request.
29 The cybersecurity dance
30 CUI Waiver Request: elements of a CUI waiver request
1) Request waiver of the DFARS CUI clauses (the Disclosure of Information clause and DFARS 252.204-7012).
2) Cite the Fundamental Research memorandum of May 24, 2010 from the Under Secretary of Defense.
3) Provide an explanation and state the facts that show why this research is fundamental research:
   - Use a factual, detailed explanation of the deliverables under the scope of research.
   - If any government information is to be received, show how that information is public knowledge.
   - Cite any related previous publications on this type of research to show that it is fundamental research.
   - Explain why the CUI category does not fit this research (if needed).
   - Clearly establish and state that the researcher will not receive or generate CUI.
4) Request a written statement from the Contracting Officer stating that the research is fundamental research, that it is not CUI, and that the publication restriction is self-deleting.
31 Waiver Request Letter

Re: Request for Recognition of Fundamental Research

Dear Sponsor:

University (name) respectfully requests that Sponsor ask the Contracting Officer to remove or waive the DFARS Disclosure of Information clause and DFARS 252.204-7012 from the UNIVERSITY subcontract under Sponsor's prime (contract title), CUSTOMER CONTRACT XXXXXX-XX-X-XXXX. The purpose of these DFARS clauses is to establish a policy for information that qualifies as controlled unclassified information (CUI). UNIVERSITY is conducting fundamental research under this subcontract. Because UNIVERSITY will not receive or generate CUI, the policy and the clauses implementing protection of such CUI are not applicable to this subcontract and should be removed through waiver or self-deletion. These DFARS clauses should not be used with fundamental research when CUI is not involved in the work, according to NARA's comments in 32 CFR Part 2002 and the Under Secretary of Defense memo of May 24, 2010. UNIVERSITY's work is fundamental research and CUI will not be involved.

A. NOTES: Why is the University's subcontract work not CUI? Show that the University's work is fundamental research. Provide the facts and explanation concerning the subcontractor's work as stated in the statement of work. Focus on the nature of the subcontract work, and fully describe why it is fundamental research. If much of the work under the subcontract uses published techniques, cite the publications of those techniques. Example: The University's research is fundamental research, to develop the use of generic techniques (not specific to any covered information) to detect a certain subclass of XXXX. These are fundamental, well known and published techniques applied at the system level. The University will only demonstrate these known techniques in a generic setting without the use of any CUI. The University will then deliver these techniques and their results, which are fundamental research results and not CUI, to Sponsor. UNIVERSITY will not have access to any sensitive, specific CUI of interest to the Government, nor receive any such CUI from the Government. UNIVERSITY will not have access to any CUI or covered defense information in this work.

B. OPTIONAL NOTES: If the Contracting Officer asks you to prove why this work should not be treated as CUI, then identify the category/subcategory and explain why the subcontractor's work in the statement of work does not fit that category/subcategory. Focus on the nature of the subcontract work, and fully describe why it is instead fundamental research outside that category.

C. As indicated above, this subcontract work is fundamental research, and as such the University anticipates that its researcher will publish, release and disseminate the work to the public. There is no anticipation that any covered defense information or controlled unclassified information will be needed, used or generated in this work. The University respectfully requests a waiver of these DFARS clauses for this fundamental research work. Removal of these clauses complies with the National Archives and Records Administration's (NARA) comments in 32 CFR Part 2002, which state that "contracts or solicitations for projects in which CUI will not be involved should not include requirements for handling CUI," and with the statements of the Under Secretary of Defense memo of May 24, 2010, which states that "DoD fully supports free and scientific exchanges and dissemination of research results to the maximum extent possible." That memo also indicates that "the DoD will place no other restrictions on the conduct or reporting of unclassified fundamental research, except as otherwise required by applicable federal statutes, regulations, or executive orders."

II. Summary and Request for Action

UNIVERSITY will not receive, access, or generate CUI; therefore, UNIVERSITY requests that the Contracting Officer remove the DFARS Disclosure of Information clause and DFARS 252.204-7012 from UNIVERSITY's subcontract and indicate in writing that the University's work is fundamental research. Alternatively, if the Contracting Officer cannot delete or remove these clauses, UNIVERSITY respectfully requests that the Government's Contracting Officer provide a written statement that this subcontract work is fundamental research that does not involve CUI, and that the mandatory flow-down clauses associated with CUI handling requirements are therefore waived or are to be considered self-deleting. Please contact me with your written response, or if you need any questions addressed. Thank you.

Sincerely,
32 Under Secretary of Defense Memo Re: Fundamental Research
33 Hurry, Hurry! Time is running out!
34 Waiver Request Responses
- Case 1: export-controlled status is confirmed, and both DFARS clauses are retained.
- Case 2: the DFARS clauses are not clearly waived in writing by the Contracting Officer, and are therefore presumed retained.
- Case 3: the DFARS clauses are waived in writing by the Contracting Officer.
35 Securella's slipper fits!
36 They contracted for Happily Ever After!
37 Resources
- NIST Handbook 162, NIST MEP Cybersecurity Self-Assessment Handbook for Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements
- CUI Registry category list (URL fragment as transcribed: istry/category-list)
- Under Secretary of Defense May 24, 2010 memo on Fundamental Research (URL fragment as transcribed: Policy/2010%20Policy%20Memoranda/fundamentalresearch.pdf)
- CUI training videos from ISOO (URL fragment as transcribed: 018/08/06/cui-updated-trainingvideos/)
- Georgia Tech Enterprise Innovation Institute, Georgia Tech Procurement Assistance Center (TPAC)
38 Thank you! Questions? Dana Rewoldt, CRA, Iowa State University, Ames, Iowa, US
More informationNovember 20, (Via DFARS Case 2013-D018)
November 20, 2015 (Via email osd.dfars@mail.mil, DFARS Case 2013-D018) Mr. Dustin Pitsch Defense Acquisition Regulations System OUSD(AT&L)DPAP/DARS Room 3B941 3060 Defense Pentagon Washington, DC 20301
More informationFedRAMP Security Assessment Framework. Version 2.1
FedRAMP Security Assessment Framework Version 2.1 December 4, 2015 Executive Summary This document describes a general Security Assessment Framework (SAF) for the Federal Risk and Authorization Management
More informationSYSTEMS ASSET MANAGEMENT POLICY
SYSTEMS ASSET MANAGEMENT POLICY Policy: Asset Management Policy Owner: CIO Change Management Original Implementation Date: 7/1/2017 Effective Date: 7/1/2017 Revision Date: Approved By: NIST Cyber Security
More informationDepartment of Veterans Affairs VA DIRECTIVE April 17, 2006 WEB PAGE PRIVACY POLICY
Department of Veterans Affairs VA DIRECTIVE 6502.3 Washington, DC 20420 Transmittal Sheet WEB PAGE PRIVACY POLICY 1. REASON FOR ISSUE: To establish policy for the Department of Veterans Affairs (VA) for
More informationPost-Secondary Institution Data-Security Overview and Requirements
Post-Secondary Institution Data-Security Overview and Tiina K.O. Rodrigue, EdDc, CISSP, CISM, PMP, CSM, CEA, ITIL, ISC2 Compliance Mapper, A+ Senior Advisor Cybersecurity - 2017 Agenda Who needs to worry
More informationGreg Pannoni, Associate Director
Greg Pannoni, Associate Director May 2018 The Evolving NISP: Navigating the Road Ahead NISPOM revision Revision to NISP Directive (32 CFR 2004) CUI program implementation 3 National Industrial Security
More informationAmerican Association for Laboratory Accreditation
R311 - Specific Requirements: Federal Risk and Authorization Management Program Page 1 of 10 R311 - Specific Requirements: Federal Risk and Authorization Management Program 2017 by A2LA. All rights reserved.
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Risk Monitoring Risk Monitoring assesses the effectiveness of the risk decisions that are made by the Enterprise.
More informationProtecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
NIST Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations RON ROSS PATRICK VISCUSO GARY GUISSANIE KELLEY DEMPSEY MARK RIDDLE This
More informationFISMAand the Risk Management Framework
FISMAand the Risk Management Framework The New Practice of Federal Cyber Security Stephen D. Gantz Daniel R. Phi I pott Darren Windham, Technical Editor ^jm* ELSEVIER AMSTERDAM BOSTON HEIDELBERG LONDON
More informationMNsure Privacy Program Strategic Plan FY
MNsure Privacy Program Strategic Plan FY 2018-2019 July 2018 Table of Contents Introduction... 3 Privacy Program Mission... 4 Strategic Goals of the Privacy Office... 4 Short-Term Goals... 4 Long-Term
More informationWebinar will start soon
OME Webinar: Migrant Student Information Exchange (MSIX) ISA / MOU 2017 Update Webinar will start soon Audio for this webinar will be provided through WebEx. Please test your computer audio speakers. The
More informationRocky Mountain Cyberspace Symposium 2018 DoD Cyber Resiliency
Rocky Mountain Cyberspace Symposium 2018 DoD Cyber Resiliency Mr. Ed Brindley Acting Deputy Cyber Security Department of Defense 7 March 2018 SUPPORT THE WARFIGHTER 2 Overview Secretary Mattis Priorities
More informationDFARS and the Aerospace & Defence Enterprise
DFARS and the Aerospace & Defence Enterprise Is Your Organisation Ready? October 2017 Lance Seelbach, CISSP, CISA, Client Security Officer Simon Aplin, Export Compliance Lead Aerospace & Defence ANZ Table
More informationMDA Acquisition Updates
MDA Acquisition Updates Laura M. DeSimone Director for Acquisition & Karla Smith Jackson Director of Contracts Missile Defense Agency May 15, 2018 Distribution Statement A:, distribution is unlimited.
More informationNew Cyber Rules. Are You Ready? Bob Metzger, RJO Dave Drabkin, DHG Tom Tollerton, DHG. Issues in Focus Webinar Series. government contracting
New Cyber Rules Are You Ready? Bob Metzger, RJO Dave Drabkin, DHG Tom Tollerton, DHG Issues in Focus Webinar Series 1 Speaker Information Robert S. Metzger Rogers Joseph O Donnell PC (202)777.8951 Rmetzger@rjo.com
More informationDoes a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?
Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA? A brief overview of security requirements for Federal government agencies applicable to contracted IT services,
More information5/6/2013. Creating and preserving records that contain adequate and proper documentation of the organization.
Jay Olin National Archives Ramona Branch Oliver Department of Labor ASAP 6 th Annual National Training Conference May 12-15, 15, 2013 What Is a Federal Record? Records include all books, papers, maps,
More informationCyber Security For Business
Cyber Security For Business In today s hostile digital environment, the importance of securing your data and technology cannot be overstated. From customer assurance, liability mitigation, and even your
More informationDRAFT. NIST MEP CYBERSECURITY Self-Assessment Handbook
NIST MEP CYBERSECURITY Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in response to DFARS Cybersecurity Requirements Table of Contents Disclaimer...8 Acknowledgements...8
More informationThis section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective.
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Description of Current Draft
More informationHIPAA Security and Privacy Policies & Procedures
Component of HIPAA Security Policy and Procedures Templates (Updated for HITECH) Total Cost: $495 Our HIPAA Security policy and procedures template suite have 71 policies and will save you at least 400
More informationRev.1 Solution Brief
FISMA-NIST SP 800-171 Rev.1 Solution Brief New York FISMA Cybersecurity NIST SP 800-171 EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker delivers business critical
More informationStrengthening the Cybersecurity of Federal Networks and Critical Infrastructure
Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure Executive Order 13800 Update July 2017 In Brief On May 11, 2017, President Trump issued Executive Order 13800, Strengthening
More informationMANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors
Page 1 of 6 Applies to: faculty staff students student employees visitors contractors Effective Date of This Revision: June 1, 2018 Contact for More Information: HIPAA Privacy Officer Board Policy Administrative
More informationSECURITY & PRIVACY DOCUMENTATION
Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive
More informationUW-Madison Cybersecurity Risk Management Policy
SUMMARY FINAL DRAFT (for ITSC and ITC Endorsement to UC) Cybersecurity is a collective responsibility which requires policy that applies to all components of the University of Wisconsin-Madison. The impact
More informationVirginia State University Policies Manual. Title: Information Security Program Policy: 6110
Purpose Virginia State University (VSU) uses information to perform the business services and functions necessary to fulfill its mission. VSU information is contained in many different mediums including
More informationDATA PROTECTION POLICY THE HOLST GROUP
DATA PROTECTION POLICY THE HOLST GROUP INTRODUCTION The purpose of this document is to provide a concise policy regarding the data protection obligations of The Holst Group. The Holst Group is a data controller
More informationIMPROVING CYBERSECURITY AND RESILIENCE THROUGH ACQUISITION
IMPROVING CYBERSECURITY AND RESILIENCE THROUGH ACQUISITION Briefing for OFPP Working Group 19 Feb 2015 Emile Monette GSA Office of Governmentwide Policy emile.monette@gsa.gov Cybersecurity Threats are
More informationCloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015
Cloud Computing Standard Effective Date: July 28, 2015 1.1 INTRODUCTION Cloud computing services are application and infrastructure resources that users access via the Internet. These services, contractually
More informationHow to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.
How to implement NIST Cybersecurity Framework using ISO 27001 WHITE PAPER Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.
More informationCritical Cyber Asset Identification Security Management Controls
Implementation Plan Purpose On January 18, 2008, FERC (or Commission ) issued Order. 706 that approved Version 1 of the Critical Infrastructure Protection Reliability Standards, CIP-002-1 through CIP-009-1.
More informationUT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES
ACCESS MANAGEMENT Policy UT Health San Antonio shall adopt access management processes to ensure that access to Information Resources is restricted to authorized users with minimal access rights necessary
More informationAgency Guide for FedRAMP Authorizations
How to Functionally Reuse an Existing Authorization Version 1.0 August 5, 2015 Revision History Date Version Page(s) Description Author 08/05/2015 1.0 All Initial Publication FedRAMP PMO 06/06/2017 1.0
More informationEmployee Security Awareness Training Program
Employee Security Awareness Training Program Date: September 15, 2015 Version: 2015 1. Scope This Employee Security Awareness Training Program is designed to educate any InComm employee, independent contractor,
More informationStandard CIP 004 3a Cyber Security Personnel and Training
A. Introduction 1. Title: Cyber Security Personnel & Training 2. Number: CIP-004-3a 3. Purpose: Standard CIP-004-3 requires that personnel having authorized cyber or authorized unescorted physical access
More information