CYBER SECURITY BRIEF
Presented By: Curt Parkinson, DCMA
September 20, 2017
Agenda
- DFARS Updates
- Cybersecurity Contracting
- DFARS Clause 252.204-7012
- DFARS Clause 252.239-7001
- DFARS Clause 252.239-7010
- Adequate Security
- System Security Plan (SSP)
- Cyber Incident
- Questions
Cybersecurity DFARS Updates
DFARS Part 239, Acquisition of Information Technology
DFARS Subpart 239.71, Security and Privacy for Computer Systems
- DFARS 239.7102-1, General: applies to all acquisitions of information technology and includes security and Privacy Act considerations.
- DFARS 239.7102-2, Compromising Emanations, TEMPEST or other standard: for acquisitions requiring information assurance against compromising emanations, the requiring activity is responsible for providing to the contracting officer:
  - the required protections, i.e. an established national TEMPEST standard (e.g. NACSEM 5100, NACSIM 5100A) or a standard used by another authority;
  - the required identification markings;
  - inspection and acceptance requirements;
  - a date through which the accreditation is considered current.
Cybersecurity Contracting: Applicable DFARS
DFARS 252.239-7000, Protection Against Compromising Emanations
- TEMPEST certification to NACSEM 5100 or Compromising Emanations NACSEM 5100A (U)
- Contractor to provide test certification documentation
- Note: usually referred to as TEMPEST
DFARS 252.239-7001, Information Assurance Contractor Training and Certification
- Requires DoD 8570/8140 training and certification of contractor IA personnel
- Documentation from the contractor to DoD
- Non-certified staff will be barred from DoD information systems
- Note: a new qualification for certification of cyber defense firms, not just staff
DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
- Reporting within 72 hours
- Flows down to subcontractors
- Note: Covered Defense Information includes controlled technical information and export-controlled items (both ITAR and EAR)
- Note: DCMA is not performing technical assessment of the cybersecurity standards, i.e. NIST SP 800-171
Cybersecurity Contracting: Applicable DFARS, cont.
DFARS 252.239-7010, Cloud Computing Services
- The requirements of this clause apply when using cloud computing
- If the contractor uses an external cloud service provider in performance of the contract, the contractor shall ensure that the cloud service provider meets security requirements equivalent to those established by the Government and complies with the clause's requirements
- The contractor shall not access, use, or disclose Government data unless specifically authorized by the terms of the contract
- The contractor shall report all cyber incidents
- The contractor shall include this clause in all subcontracts that involve or may involve cloud services, including subcontracts for commercial items
DFARS Clause 252.204-7012
When the contract includes DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, the supplier must comply with the 14 families of security requirements in NIST SP 800-171.
Compliant assessment
- The DCMA software professional (SP) shall verify that the supplier has the required System Security Plan under CM
- The SP shall issue a Corrective Action Request (CAR) and inform the AC if the plan does not exist
- The SP does not conduct an assessment of the System Security Plan or issue a CAR against the plan
Non-compliant assessment
- The SP shall verify that the supplier notified the DoD CIO within 30 days of contract award
- The SP shall verify that the supplier submitted a Plan of Action and Milestones (POA&M) to the AC
- Otherwise the SP shall issue a CAR and inform the AC
Note: the clause was initially released in November 2013 and has been updated since to include preventive measures (Aug 2015, Sep 2015, Dec 2015, Oct 2016). DPAP provided two years of relief for contractors to become compliant; the period ends 31 Dec 2017.
DFARS Clause 252.204-7012 (graphic; not captured in the transcription)
DFARS Clause 252.204-7012
Resource: Guidance to Stakeholders for Implementing Defense Federal Acquisition Regulation Supplement Clause 252.204-7012 (Safeguarding Unclassified Controlled Technical Information)
Basic supplier requirements:
- Provide adequate security :: DFARS 252.204-7012(b)
- Report cyber incidents :: DFARS 252.204-7012(c)
- Flow down these requirements :: DFARS 252.204-7012(m)
DCMA software professionals primarily work with the (b) and (m) requirements.
Software - Policy Implementation Meeting (PIM)
One team, one voice delivering global acquisition insight that matters.
DFARS Clause 252.239-7001
When the contract includes DFARS 252.239-7001, Information Assurance Contractor Training and Certification, the contractor shall ensure that personnel accessing information systems have the proper and current information assurance certification to perform information assurance functions in accordance with DoD 8570.01-M.
- The supplier will need to provide DoD-approved information assurance workforce certifications appropriate for each category and level
- The SP shall verify that the supplier has the required certifications
- The SP shall issue a CAR and inform the AC if the supplier does not provide certifications
Note: contractor personnel who do not have proper and current certifications shall be denied access to DoD information systems for the purpose of performing information assurance functions.
DFARS Clause 252.239-7001
Resource: DoD 8570.01-M, Information Assurance Workforce Improvement Program
Three basic supplier requirements:
- Meet the applicable IA certification requirements :: DFARS 252.239-7001(a)
- Provide documentation supporting IA certification status :: DFARS 252.239-7001(b)
- Contractor personnel who do not have proper and current certifications shall be denied access to DoD information systems :: DFARS 252.239-7001(c)
DCMA software professionals primarily work with each requirement of this clause.
DFARS Clause 252.239-7010
When the contract includes DFARS 252.239-7010, Cloud Computing Services: the requirements of this clause apply when using cloud computing to provide information technology services in the performance of the contract. When the contractor indicated in its offer that it does not anticipate the use of cloud computing services in the performance of a resultant contract, the contractor shall obtain approval from the Contracting Officer prior to utilizing cloud computing services in performance of the contract.
- The SP shall verify that the Contracting Officer has been notified and has provided approval for the use of cloud services
- The SP shall issue a CAR and inform the AC if the supplier does not provide notification
DFARS Clause 252.239-7010
Applies when a cloud solution is being used to process data on DoD's behalf, or when DoD is contracting with a cloud service provider to host or process data in a cloud.
Requires the cloud service provider to:
- Comply with the DoD Cloud Computing Security Requirements Guide
- Comply with requirements for cyber incident reporting and damage assessment
NIST SP 800-171 was not developed to accommodate the additional security requirements necessary to protect information when using an external cloud service provider. The FedRAMP Moderate baseline was developed to include these requirements. The contractor is required to ensure that the cloud services contracted to process and store covered defense information meet the same requirements as the FedRAMP Moderate baseline. The contractor is neither required to use, nor precluded from using, a CSP service authorized/approved by the FedRAMP program.
DFARS Clause 252.239-7010
Resource: Cloud Computing Security Requirements Guide (SRG)
Three basic supplier requirements:
- If the contractor indicated in the offer that cloud services are not being used and later proposes their use, the contractor shall notify the Contracting Officer :: DFARS 252.239-7010(b)(1)
- The contractor shall implement and maintain administrative, technical, and physical safeguards and controls with the security level and services required in accordance with the Cloud Computing Security Requirements Guide (SRG) :: DFARS 252.239-7010(b)(2)
- The contractor shall maintain within the United States or outlying areas all Government data that is not physically located on DoD premises, unless the contractor receives written notification from the Contracting Officer to use another location :: DFARS 252.239-7010(c)(3)
DCMA software professionals primarily work with each requirement of this clause.
Adequate Security
Resource: NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
- Requires the supplier to be compliant with NIST SP 800-171 not later than 31 Dec 2017
- NIST SP 800-171 describes 14 security requirement families (110 actual requirements)
Additional requirements for contracts awarded before 01 Oct 2017:
- Require supplier self-assessment against NIST SP 800-171
- Require the supplier to report to the DoD CIO any shortcomings that existed at the time of contract award
System Security Plan (SSP)
Resource: NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems
- The objective of system security planning is to improve protection of information system resources
- Appendix A of NIST SP 800-18 R1 contains a template for an SSP
- Any to-do tasks that must be accomplished before the SSP is fully implemented must be documented via a Plan of Action and Milestones (POA&M)
Cyber Incident
Cyber incident :: means actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.
Cyber incident reporting requirement. (1) When the Contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein, or that affects the Contractor's ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract, the Contractor shall:
- Conduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This review shall also include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the Contractor's network(s) that may have been accessed as a result of the incident, in order to identify compromised covered defense information, or that affect the Contractor's ability to provide operationally critical support; and
- Rapidly report cyber incidents to DoD.
Cloud computing services cyber incident reporting. The Contractor shall report all cyber incidents that are related to the cloud computing service provided under this contract.
Cyber Incident, cont.
(2) Cyber incident report. The cyber incident report shall be treated as information created by or for DoD and shall include, at a minimum, the required elements published at the DoD cyber incident reporting site.
(3) Medium assurance certificate requirement. In order to report cyber incidents in accordance with this clause, the Contractor or subcontractor shall have or acquire a DoD-approved medium assurance certificate to report cyber incidents.
NOTE :: For information on obtaining a DoD-approved medium assurance certificate, see the DoD cyber incident reporting site.
Cyber Incident, cont.
Reporting a Cyber Incident
Elements of a cyber report :: (shown on the slide; not captured in the transcription)
DCMA Roles for DFARS 252.204-7012 / 252.239-7001 / 252.239-7010
DCMA, where applicable, will verify that the applicable cybersecurity clauses are in the contract. In addition, as part of normal software surveillance activities, personnel will engage with contractors to implement the following actions in regard to cybersecurity:
DFARS 252.204-7012 ::
- Verify the contractor has a system security plan
- Verify the contractor submitted to the DoD CIO, within 30 days of any contract award made through October 2017, a list/notification of the security requirements not yet implemented
- Verify the contractor possesses a DoD-approved External Certification Authority (ECA)-issued medium assurance public key infrastructure (PKI) certificate
- If DCMA detects or is made aware of a potential cybersecurity issue, DCMA will notify the contractor, the DoD program office, and the DoD CIO
DFARS 252.239-7001 ::
- Review training records for the contractor IA workforce
- As required, facilitate the entry of a government external assessment team into applicable contractor facilities via coordination with cognizant government and contractor stakeholders
Risk Management Framework: incorporated into the full system life cycle (graphic)
For Official Use Only
Cyber Key Dates
Key dates: existing contracts have until 31 Dec 2017 to fully implement NIST SP 800-171 as required by DFARS 252.204-7012.
Cyber Resources
Additional resources (i.e., the most current cyber FAQs): (links not captured in the transcription)
Questions

Backup
Reviewed Documents
- FAR/DFARS, JCIDS
- DoD 5220.22-M (NISPOM)
- NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
- NIST SP 800-18 R1, Guide for Developing Security Plans for Federal Information Systems
- DoD Instruction 8500.01, Cybersecurity
- CNSSP 22, Policy on IA Risk Management for National Security Systems
- DoDD 8570.01, IA Training, Certification, and Workforce Management
- Cloud Computing Security Requirements Guide
- DoDI 8510.01, RMF for DoD IT
- DoD 5220.22-R, Industrial Security Regulation
- DoDI 5000.02, Operation of the Defense Acquisition System
- DoD PM's Guidebook for Integrating RMF into the Acquisition Lifecycle
- DoD Cybersecurity Test and Evaluation Guidebook
Significant Requirements Impacts
List any significant items that may impact the mission. The items listed below reflect the DFARS clauses that will require awareness of these requirements and/or Contract Receipt and Review (CRR) action:
DFARS:
- 252.204-7000, Disclosure of Information (awareness only and CRR/CTR)
- 252.204-7003, Control of Government Personnel Work Product (awareness only and CRR/CTR)
- 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (awareness / validation)
- 252.239-7001, Information Assurance Contractor Training and Certification (surveillance required)
- 252.239-7010, Cloud Computing Services (awareness only)
Significant Requirements Impacts, cont.
PM Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle, September 2015:
- Chapter 2.1.3, ISSM Roles and Responsibilities in Support of the Program Manager (potential surveillance required)
- Chapter 2.2.3, Functional Decomposition and Allocation of Cybersecurity Requirements (potential surveillance required)
- Appendix 2.2, Include Cybersecurity in Preliminary Design and Final MS B Documentation (potential surveillance required)
- Appendix 3.1, Include Cybersecurity in Detailed Final Design (potential surveillance required)
Risk Management Framework (graphic)

RMF Integration across the Acquisition Lifecycle (graphic)
Another Cook in the Kitchen: The New FAR Rule on Cybersecurity Breakout Session #: F13 Erin B. Sheppard, Partner, Dentons US LLP Michael J. McGuinn, Counsel, Dentons US LLP Date: Tuesday, July 26 Time:
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Network Mapping The Network Mapping helps visualize the network and understand relationships and connectivity between
More informationCompliance with NIST
Compliance with NIST 800-171 1 What is NIST? 2 Do I Need to Comply? Agenda 3 What Are the Requirements? 4 How Can I Determine If I Am Compliant? 5 Corserva s NIST Assessments What is NIST? NIST (National
More informationAdvanced Technology Academic Research Council Federal CISO Summit. Ms. Thérèse Firmin
Advanced Technology Academic Research Council Federal CISO Summit Ms. Thérèse Firmin Acting Deputy DoD CIO Cyber Security Department of Defense 25 January 2018 2 Overview Secretary Mattis Priorities Cybersecurity
More informationHow to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016
How to Respond to a HIPAA Breach Tuesday, Oct. 25, 2016 This Webinar is Brought to You By. About HealthInsight and Mountain-Pacific Quality Health HealthInsight and Mountain-Pacific Quality Health are
More informationCyber Update Mr. Paul Phillips AFLCMC/WNSA (937) May 17
Cyber Update Mr. Paul Phillips AFLCMC/WNSA (937) 255-2328 Paul.phillips.12@us.af.mil 9 May 17 Disclaimer: The information provided herein represents the Government s best understanding of the procurement
More informationStudent Guide Course: Introduction to the NISP Certification and Accreditation Process
Course: Introduction to the NISP Certification and Accreditation Process Lesson 1: Course Introduction Course Information Purpose Audience Pass/Fail % 75% Estimated completion time Provides training on
More informationFedRAMP Plan of Action and Milestones (POA&M) Template Completion Guide. Version 1.1
FedRAMP Plan of Action and Milestones (POA&M) Template Completion Guide Version 1.1 September 3, 2015 FedRAMP Plan of Action & Milestones (POA&M) Template Completion Guide v1.1 September 3, 2015 Document
More informationISACA Cincinnati Chapter March Meeting
ISACA Cincinnati Chapter March Meeting Recent and Proposed Changes to SOC Reports Impacting Service and User Organizations. March 3, 2015 Presenters: Sayontan Basu-Mallick Lori Johnson Agenda SOCR Overview
More informationFiXs - Federated and Secure Identity Management in Operation
FiXs - Federated and Secure Identity Management in Operation Implementing federated identity management and assurance in operational scenarios The Federation for Identity and Cross-Credentialing Systems
More informationStudent Guide. Course: NISP C&A Process: A Walk-Through. Lesson 1: Course Introduction. Course Information. Course Overview
Course: NISP C&A Process: A Walk-Through Lesson 1: Course Introduction Course Information Purpose Audience Provides training on the policies and standards used throughout the U.S. Government to protect
More informationUNCLASSIFIED. FY 2016 Base FY 2016 OCO
Exhibit R-2, RDT&E Budget Item Justification: PB 2016 Defense Security Service Date: February 2015 0400: Research, Development, Test & Evaluation, Defense-Wide / BA 7: Operational Systems Development COST
More informationSECURITY & PRIVACY DOCUMENTATION
Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE Digital Policy Management consists of a set of computer programs used to generate, convert, deconflict, validate, assess
More informationFedRAMP Training - Continuous Monitoring (ConMon) Overview
FedRAMP Training - Continuous Monitoring (ConMon) Overview 1. FedRAMP_Training_ConMon_v3_508 1.1 FedRAMP Continuous Monitoring Online Training Splash Screen Transcript Title of FedRAMP logo. Text
More informationSIPRNet Contractor Approval Process (SCAP) December 2011 v2. Roles and Responsibilities
Roles and Responsibilities PARTICIPANT RESPONSIBILITIES Defense Security Service (DSS) DAA for Information Systems (IS) used to process classified information in the National Industrial Security Program
More informationExhibit A1-1. Risk Management Framework
Appendix B presents the deliverables produced during the execution of the risk management approach to achieve the assessment and authorization process. The steps required by the risk management framework
More informationNovember 20, (Via DFARS Case 2013-D018)
November 20, 2015 (Via email osd.dfars@mail.mil, DFARS Case 2013-D018) Mr. Dustin Pitsch Defense Acquisition Regulations System OUSD(AT&L)DPAP/DARS Room 3B941 3060 Defense Pentagon Washington, DC 20301
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS IA Policies, Procedures, The Information Assurance (IA) Policies, Procedures, encompasses existing policies, procedures,
More informationFedRAMP JAB P-ATO Process TIMELINESS AND ACCURACY OF TESTING REQUIREMENTS. VERSION 1.0 October 20, 2016
FedRAMP JAB P-ATO Process TIMELINESS AND ACCURACY OF TESTING REQUIREMENTS VERSION 1.0 October 20, 2016 MONTH 2015 Table of Contents 1. PURPOSE 3 2. BACKGROUND 3 3. TIMELINESS AND ACCURACY OF TESTING OVERVIEW
More informationA Supply Chain Attack Framework to Support Department of Defense Supply Chain Security Risk Management
A Supply Chain Attack Framework to Support Department of Defense Supply Chain Security Risk Management D r. J o h n F. M i l l e r T h e M I T R E C o r p o r a t i o n P e t e r D. K e r t z n e r T h
More informationFedRAMP Plan of Action and Milestones (POA&M) Template Completion Guide. Version 1.2
FedRAMP Plan of Action and Milestones (POA&M) Template Completion Guide Version 1.2 October 21, 2016 FedRAMP POA&M Template Completion Guide v1.1 September 1, 2015 Document Revision History Date Description
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Signature Repository A Signature Repository provides a group of signatures for use by network security tools such
More informationEngineering Cyber Resilient Weapon Systems
Engineering Cyber Resilient Weapon Systems Melinda K. Reed Office of the Deputy Assistant Secretary of Defense for Systems Engineering (DASD(SE)) 20th Annual NDIA Systems Engineering Conference Springfield,
More informationContinuous Monitoring & Security Authorization XACTA IA MANAGER: COST SAVINGS AND RETURN ON INVESTMENT IA MANAGER
Continuous Monitoring & Security Authorization XACTA IA MANAGER: COST SAVINGS AND RETURN ON INVESTMENT IA MANAGER Continuous Monitoring & Security Authorization >> TOTAL COST OF OWNERSHIP Xacta IA Manager
More informationDRAFT DEPARTMENT OF DEFENSE (DOD) CLOUD COMPUTING SECURITY REQUIREMENTS GUIDE (SRG) Version 1, Release December, 2014
DRAFT DEPARTMENT OF DEFENSE (DOD) CLOUD COMPUTING SECURITY REQUIREMENTS GUIDE (SRG) Version 1, Release 0.36 7 December, 2014 Developed by the Defense Information Systems Agency (DISA) for the Department
More informationMIS Week 9 Host Hardening
MIS 5214 Week 9 Host Hardening Agenda NIST Risk Management Framework A quick review Implementing controls Host hardening Security configuration checklist (w/disa STIG Viewer) NIST 800-53Ar4 How Controls
More informationAppendix 12 Risk Assessment Plan
Appendix 12 Risk Assessment Plan DRAFT December 13, 2006 Revision XX Qwest Government Services, Inc. 4250 North Fairfax Drive Arlington, VA 22203 A12-1 RFP: TQC-JTB-05-0001 December 13, 2006 REVISION HISTORY
More informationManTech Advanced Systems International 2017 Security Training Schedule
ManTech Advanced Systems International 2017 Security Training Schedule Risk Management Framework Course Course Dates Course Location Course Cost October 16 19, 2017 Joint Base Anacostia-Bolling, Washington,
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions
More informationClick to edit Master title style
Click to edit Master title style Click to edit Master text styles Second level Click What to To edit Do Master When title They style Come For You: How to Safeguard Your UCTI Click to edit Master text styles
More informationManTech Advanced Systems International 2018 Security Training Schedule
ManTech Advanced Systems International 2018 Security Training Schedule Risk Management Framework Course Dates Course Location Course Cost February 12 15, 2018 Las Vegas, NV $1,950.00 March 12 15, 2018
More informationSolutions Technology, Inc. (STI) Corporate Capability Brief
Solutions Technology, Inc. (STI) Corporate Capability Brief STI CORPORATE OVERVIEW Located in the metropolitan area of Washington, District of Columbia (D.C.), Solutions Technology Inc. (STI), women owned
More information