Cybersecurity for Government Contractors: Preparing for Cyber Incidents in 2017
March 23, 2017
By Keir Bancroft, Partner, Venable LLP, and Louverture Jones, Senior Manager, Deloitte Advisory, Deloitte & Touche LLP
Keir X. Bancroft
Keir Bancroft provides a range of services to government contractors, including litigation, transactional, and compliance matters. Mr. Bancroft works with large, mid-sized and small businesses, and often handles small business-related issues. Within the broad rubric of cybersecurity, Mr. Bancroft specializes in information security and privacy compliance for government contractors. He helps clients address information safeguarding and incident response requirements under the Federal Information Security Act (FISMA) and subsequent amendments, the Risk Management Framework, the Privacy Act, and similar requirements. Mr. Bancroft also focuses on national security and industrial security issues arising under the National Industrial Security Program Operating Manual (NISPOM).
Louverture Jones
Louverture Jones is an executive-level leader in cyber risk and security services, with 17 years of capturing and delivering transformative security strategy, governance/risk compliance and technical integration for clients within the public and private sectors. His portfolio of industry exposure includes Energy, Financial Services, Healthcare, and DoD customers, working as the President of a cyber security services company and as the Cyber Security Director for a large technical services company. Mr. Jones's past successes include the integration of cyber governance and risk management programs, enterprise security technology investment planning, computer forensics, data breach investigations, secure application design, penetration and compliance testing, vulnerability assessments, security incident and event monitoring system (SIEM) deployments and Network Admission Control (NAC).
Contents
Cybersecurity for Government Contractors: Tips to Prepare for Cyber Incidents in 2017
1. Understanding the Rules
2. Learning About Incident Response
3. Demonstrating Safeguarding
4. Managing Compliance Throughout the Supply Chain
5. Consider Cloud Computing
Understanding the Rules
DoD Rule on Network Penetration Reporting: A Model for Safeguarding CUI
A Brief History
- 2013 NDAA Sec. 941: cleared contractors; network cyber penetration
- 2013: DoD Rule on Safeguarding Unclassified Controlled Technical Information
- 2015 NDAA Sec. 1632: operationally critical contractors; rapid reporting
- August to December 2015: interim rule, class deviation, and second interim rule issued, applying to reporting and cloud
- October 2016: final rule issued
Understanding the Rules: What Is the Importance of the Rules?
Information security consequences:
- Prescribes safeguarding controls
- One reporting obligation, but it may be one of many reporting obligations
Contract compliance issues:
- Termination for default
- Suspension and debarment
- False Claims Act or qui tam actions
- Adds to the mix of non-federal contracting implications
Understanding the Rules: Provisions and Clauses
- Subpart: Safeguarding Covered Defense Information and Cyber Incident Reporting
- Subpart: Cloud Computing
- Compliance With Safeguarding Covered Defense Information Controls (Oct 2016)
- Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information (Oct 2016)
- Safeguarding Covered Defense Information and Cyber Incident Reporting (Oct 2016)
- Representation of Use of Cloud Computing (Sep 2015)
- Cloud Computing Services (Oct 2016)
Understanding the Rules: Covered Defense Information (CDI)
Unclassified controlled technical information, or other information as described in the Controlled Unclassified Information (CUI) Registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is:
1. Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of the DoD in support of the performance of the contract; or
2. Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
Understanding the Rules: NARA CUI Registry
- Per executive order, establishes a common taxonomy of CUI across federal agencies, DoD and civilian.
- Gives contractors greater insight into CUI across federal agencies.
- Agencies may apply limited dissemination controls.
Understanding the Rules: Implementation Resources
- DoD FAQs, last updated January. Part of DoD outreach efforts to clarify implementation of the rule.
- Available at: cting.html (truncated)
Understanding the Rules
Multiple Approaches to CUI: DFARS Network Penetration Reporting and FAR Basic Safeguarding Clause
Covered Contractor Information System
- Definition under FAR amended to clarify that it is an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.
- FAR Basic Safeguarding Clause (JUN 2016) defines a covered contractor information system as an information system that is owned or operated by a contractor that processes, stores, or transmits Federal contract information.
Understanding the Rules: Basic Safeguarding Requirements
Requirements under FAR, Basic Safeguarding of Covered Contractor Information Systems:
1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems);
2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute;
3. Verify and control/limit connections to and use of external information systems;
4. Control information posted or processed on publicly accessible information systems;
5. Identify information system users, processes acting on behalf of users, or devices;
6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems;
7. Sanitize or destroy information system media containing Federal contract information before disposal or release for reuse;
8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals;
9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices;
10. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems;
11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks;
12. Identify, report, and correct information and information system flaws in a timely manner;
13. Provide protection from malicious code at appropriate locations within organizational information systems;
14. Update malicious code protection mechanisms when new releases are available;
15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened or executed.
Learning About Incident Response
Considerations Before and During Your 72-Hour Reporting Window
72-Hour Cyber Incident Reporting Obligations
Cyber incident: action taken through the use of computer networks that results in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.
Investigate any cyber incident that affects:
- A covered contractor information system or CDI residing on that system; or
- The contractor's ability to perform any parts of a contract designated as operationally critical support.
Operationally critical support is defined as: supplies or services designated by the Government as critical for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.
Learning About Incident Response: Notes on Operationally Critical Support
Note that there are additional, non-DoD considerations; e.g., the definition of a contractor's capabilities may define a cause of action by the FTC.
DoD clarification:
- Operationally critical support is an activity, not an information type, performed by the contractor or subcontractor.
- Requires reporting of cyber incidents that affect the contractor's ability to perform contract requirements designated as operationally critical support.
- Operationally critical support requirements must be marked or otherwise identified in the contract, task order, or delivery order.
Learning About Incident Response: Cyber Incident Reviews
Seek evidence of a compromise of CDI. A compromise includes:
- Disclosure of information to unauthorized persons;
- Violation of system security policy;
- Unauthorized (either intentional or unintentional) disclosure, modification, destruction or loss of an object;
- Copying of information to unauthorized media.
Learning About Incident Response: Scope of a Review
- Identifying compromised computers, servers, specific data, and user accounts;
- Analyzing covered contractor information systems that were part of the cyber incident;
- Analyzing other information systems that may have been accessed as a result of the incident;
- Identifying all compromised CDI, and any details that may affect the contractor's ability to provide operationally critical support.
Learning About Incident Response: Nuts and Bolts of Reporting
- Obtain a DoD-approved Medium Assurance Certificate. Take time to obtain this NOW; do not wait until you experience a cyber incident.
- Report through the DoD-DIB Cyber Incident Reporting & Cyber Threat Information Sharing Portal.
- Subcontractor reporting: remember, subcontractors report directly to DoD.
Learning About Incident Response: sample screenshots (not reproduced in this transcription)
- Sample: IASE Certification Authority website
- Sample: Incident Reporting Portal
Learning About Incident Response
Post-Reporting Considerations (to think about NOW)
Post-Reporting Obligations
- 90-day image protection: preserve images of affected systems.
- Forensic analysis: give DoD access to affected systems and equipment. DoD contractors performing forensic analysis are restricted from disclosing information.
- Information requests: provide relevant information at DoD request.
- Report malicious software: isolate any malicious software identified in a review.
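The 90-day image preservation obligation is easier to evidence if every preserved image is hashed at capture time and tagged with the date before which it must not be released. The script below is an added example, not part of the presentation and not tooling from the authors or DoD; the sample image bytes, host name and report timestamp are constructed, and it assumes (as the slide states) that the 90-day clock runs from submission of the cyber incident report.

```python
"""Added example (not from the presentation): integrity manifest for preserved
system images, tied to the 90-day retention clock that starts when the cyber
incident report is submitted.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 90  # preserve images for 90 days from report submission

# Constructed stand-ins: a real capture would be a disk image file on disk.
SAMPLE_IMAGE = b"\x00" * 1024 + b"constructed sample disk image" + b"\xff" * 1024
SAMPLE_HOST = "ws-01.example.test"  # hypothetical affected workstation
SAMPLE_REPORT_TIME = datetime(2017, 3, 23, 12, 0, tzinfo=timezone.utc)  # constructed


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the image bytes; this is the value recorded in the manifest."""
    return hashlib.sha256(data).hexdigest()


def retention_deadline(report_submitted: datetime) -> datetime:
    """Earliest time the image may be released: report submission + 90 days."""
    return report_submitted + timedelta(days=RETENTION_DAYS)


def build_manifest(host: str, image: bytes, report_submitted: datetime) -> dict:
    """Record what was preserved, its hash, and how long it must be retained."""
    return {
        "host": host,
        "sha256": sha256_hex(image),
        "size_bytes": len(image),
        "report_submitted": report_submitted.isoformat(),
        "retain_until": retention_deadline(report_submitted).isoformat(),
    }


def verify_image(manifest: dict, image: bytes) -> bool:
    """Re-hash the stored image and compare; a mismatch means the preserved copy changed."""
    return sha256_hex(image) == manifest["sha256"]


def may_release(manifest: dict, now: datetime) -> bool:
    """True only once the retention period recorded in the manifest has elapsed."""
    return now >= datetime.fromisoformat(manifest["retain_until"])


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_HOST, SAMPLE_IMAGE, SAMPLE_REPORT_TIME)
    print(json.dumps(manifest, indent=2))
    print("intact:", verify_image(manifest, SAMPLE_IMAGE))
    print("releasable now:", may_release(manifest, SAMPLE_REPORT_TIME))
```

Re-hashing the image against the manifest before handing it over for forensic analysis or an information request lets the contractor show that the preserved copy is the one captured at the time of the incident; the retention check stops the image being deleted before the 90 days have run.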
Learning About Incident Response: Protect Attributional or Proprietary Information!
Defined as information identifying the contractor, its trade secrets, or its commercially sensitive information.
DoD will try to reduce attributional/proprietary information when it shares cyber incident information with:
- Affected entities;
- Forensic analysts;
- Law enforcement/counterintelligence agencies;
- Defense Industrial Base (DIB) participants.
Make it easy for DoD to identify and withhold attributional or proprietary information: mark the information clearly.
Learning About Incident Response: Protect Attributional or Proprietary Information
DoD support service contractors, beware!
- DoD contracts with support service providers ("Recipient Contractors") to assist in handling cyber incidents.
- Recipient Contractors must ensure employees are subject to nondisclosure obligations.
- Breach of nondisclosure obligations may subject a Recipient Contractor to:
  - Criminal, civil, administrative, or contractual actions by the Government;
  - Civil actions from the contractor reporting the cyber incident.
Demonstrating Safeguarding
Complying with NIST SP
- Part of an IT service or system operated on behalf of the Government:
  - Cloud computing services: apply the new DFARS clause, Cloud Computing Services
  - Non-cloud: look to other contract requirements
- NOT part of an IT service or system operated on behalf of the Government: apply NIST Special Publication security controls
Demonstrating Safeguarding: NIST SP, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
- Replaces SP, Security and Privacy Controls for Federal Information Systems and Organizations, in the safeguarding rules
- Focuses on nonfederal systems
- 14 security objectives, addressing safeguarding of controlled unclassified information (CUI)
- December 30, 2017 deadline for contractors to implement
Demonstrating Safeguarding: NIST Families of Security Requirements
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Demonstrating Safeguarding: DoD Class Deviations, October 2015
- Deviations implemented to grant contractors 9 additional months to comply with Security Requirement 3.5.3: use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
- Requires notification to the contracting officer if additional time is necessary.
- A key indicator of the DoD's focus on some of the higher-profile security requirements under NIST SP.
Demonstrating Safeguarding: 30-Day Notification Requirement
- Applies to all contracts awarded prior to October 1, 2017.
- Within 30 days of contract award, the contractor must provide the DoD CIO with a list of security requirements the contractor is not implementing at the time of award.
- Notification via e-mail to osd.dibcsia@mail.mil.
Demonstrating Safeguarding: Compliance With Safeguarding Covered Defense Information Controls (OCT 2016)
- Directs that the security requirements covered under the clause shall be implemented for all CDI on all covered contractor information systems supporting contract performance.
- Provides the process for seeking a variance from the DoD CIO before award: "If the Offeror proposes to vary from any of the security requirements specified by NIST that are in effect at the time the solicitation is issued..."
- An authorized representative of the DoD CIO will adjudicate offeror requests to vary from NIST SP requirements in writing prior to contract award.
- Any accepted variance from NIST SP shall be incorporated into the resulting contract.
Demonstrating Safeguarding: Post-Award Variances
Paragraphs (b)(2)(ii)(B) and (C) have been updated to provide for post-award variance requests:
- "The Contractor shall submit requests to vary from NIST SP in writing to the Contracting Officer, for consideration by the DoD CIO. The Contractor need not implement any security requirement adjudicated by an authorized representative of the DoD CIO to be nonapplicable or to have an alternative, but equally effective, security measure that may be implemented in its place."
- "If the DoD CIO has previously adjudicated the contractor's requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the Contracting Officer when requesting its recognition under this contract."
Demonstrating Safeguarding: Seeking Variance from Application of SP
- Propose alternative, equally effective, security measures to protect CDI, in order to compensate for an inability to satisfy a requirement under a clause.
- Propose why a particular safeguarding requirement in some cases is not applicable.
Why do this?
- You as the prime contractor may not be able to, or may have no reason to, protect certain information.
- Your subcontractor(s) may push back on safeguarding requirements.
Demonstrating Safeguarding: DoD Obligations Clarified Under Final Rule
- Variance requests are submitted to the contracting officer, who refers them to the DoD CIO for adjudication.
- The contracting officer will act as liaison if the DoD CIO requests more information in support of the contractor's request for variance.
- A 5-business-day response time is typical for the DoD CIO.
Demonstrating Safeguarding: DoD Basis for Variance Determination
- Basis for determining if an alternative is acceptable: whether the alternative is equally effective.
- Basis for determining if a security requirement is not applicable: whether the basis or condition for the requirement is absent.
- The DoD CIO is responsible for ensuring consistent adjudication of proposed non-applicable or alternative security measures.
- Evaluation may impact the award decision. This is not a requirement of the rule, but a solicitation may be drafted to provide for an evaluation to impact an award decision.
Managing Compliance Throughout the Supply Chain
Negotiating Obligations With Subcontractors
Obligations flow down to certain subcontractors:
- Subcontractors whose efforts will involve CDI; or
- Subcontractors that will provide operationally critical support.
The contracting officer may be consulted to determine if the subcontractor is handling CDI, or providing operationally critical support.
Obligations must be flowed down without alteration (except to identify the parties). No tailoring.
Managing Compliance Throughout the Supply Chain: Considerations for Prime Contractors
- Be mindful of whether subcontractor efforts will involve CDI, or if the subcontractor will provide operationally critical support.
- Consider the subcontractor's ability to comply with requirements.
- Ascertain if the subcontractor needs to request a variance from any security requirements.
- Negotiate reporting obligations.
- Arrange for the subcontractor to furnish the prime contractor a redacted copy of its cyber incident report.
- Seek confirmation from the subcontractor that the prime contractor's attributional information will not be disclosed.
Managing Compliance Throughout the Supply Chain: Considerations for Subcontractors
- Seek confirmation from the Agency of whether the scope of the subcontract involves CDI, or if the subcontractor is obligated to provide operationally critical support.
- Do the clauses have to be flowed down to second-tier subcontractors?
- Negotiate with the prime to provide redacted copies of its cyber incident reports.
- Obtain confirmation that the prime contractor will protect attributional information.
Consider Cloud Computing
Cloud Computing Requirements Under DoD Rules
- DFARS, Representation of Use of Cloud Computing: allows contractors to represent whether they intend to use cloud computing services in performance of the contract.
- DFARS, Cloud Computing Services: addresses access, security, and reporting requirements; applies to all solicitations for information technology services (including commercial items solicitations).
Consider Cloud Computing: Applying Controls
- A contractor using cloud computing services must implement and maintain administrative, technical, and physical safeguards and controls.
- Requirements are established in the Cloud Computing Security Requirements Guide (SRG).
Physical location
- Maintain within the U.S. or outlying areas all government data not located on DoD premises.
- The Contracting Officer may provide written instructions to use another location.
Consider Cloud Computing: Access and Disclosure
Limitations on Government data and Government-related data, including:
- Government data: defined as information, document, media, or machine readable material regardless of physical form or characteristics, that is created or obtained by the Government in the course of official Government business.
- Government-related data: defined as information, document, media, or machine readable material regardless of physical form or characteristics that is created or obtained by a contractor through the storage, processing, or communication of Government data. Excludes the contractor's business records (e.g., financial records, legal records, etc.) or data such as operating procedures, software coding or algorithms that are not uniquely applied to the Government data.
- The contractor must impose access, use, and disclosure obligations on employees.
- The contractor may not access, use, or disclose Government data unless specifically authorized by the terms of this contract or a task order or delivery order issued hereunder.
Consider Cloud Computing: Compared to DFARS Obligations
- Reporting obligations, but not on a 72-hour timeline;
- Specifies that contractors must submit malicious software per contracting officer instructions;
- Requirement to preserve and maintain images of affected systems, and relevant monitoring/packet capture data, for at least 90 days from submission of the cyber incident report;
- Granting DoD access for forensic analysis;
- Providing damage assessment information.
Consider Cloud Computing: Spillage
In addition to cyber incidents:
- Defined as an incident that results in the transfer of classified or controlled unclassified information onto an information system not accredited for the appropriate security level.
- May be detected by the contractor or the government.
- The contractor must cooperate with the contracting officer to address the spillage.
Consider Cloud Computing: Records Management and Facility Access
- The contractor is subject to transmission and disposal obligations with respect to government data and government-related data.
- Access to data, personnel, and facilities must be granted for purposes of audits, investigations, inspections, or other similar activities as authorized by law or regulation.
- Third-party access: the Government must be informed of warrants, seizures, or subpoenas for government data or government-related data. The contractor must protect against unauthorized disclosure.
Consider Cloud Computing: Subcontract Flowdown Obligations
- The prime must flow down requirements under DFARS to all subcontracts that involve, or may involve, cloud services.
- Includes subcontracts for commercial items.
Take-Aways: Key Tips for Consideration
1. Understand the Rules: understand CUI and covered systems; register for a Medium Assurance Certificate.
2. Incident Response: prepare an incident response plan; identify all attributional/proprietary information.
3. Demonstrate Safeguarding: assess compliance; prepare a request for variance from safeguarding standards.
4. Manage Compliance: negotiate flowdown terms with subcontractors; obtain buy-in on subcontract applicability.
5. Consider Cloud Computing: assess appropriate locations for cloud storage; understand the concept of spillage and prepare for reporting.
Questions?
Keir Bancroft, Partner, Venable LLP
Louverture Jones, Senior Manager, Deloitte Advisory, Deloitte & Touche LLP
More informationSafeguarding Unclassified Controlled Technical Information
Safeguarding Unclassified Controlled Technical Information (DFARS Case 2011-D039): The Challenges of New DFARS Requirements and Recommendations for Compliance Version 1 Authors: Justin Gercken, TSCP E.K.
More informationDFARS Defense Industrial Base Compliance Information
DFARS 252.204-7012 Defense Industrial Base Compliance Information Protecting Controlled Unclassified Information (CUI) Executive Order 13556 "Controlled Unclassified Information, November 2010 Established
More information2018 SRAI Annual Meeting October Dana Rewoldt, CRA, Associate Director of OIPTT, Iowa State University, Ames, IA, USA
2018 SRAI Annual Meeting October 27-31 Dana Rewoldt, CRA, Associate Director of OIPTT, Iowa State University, Ames, IA, USA Controlled Unclassified Information Regulations: Practical Processes and Negotiations
More informationEXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
EXCERPT NIST Special Publication 800-171 R1 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations An Excerpt Listing All: Security Requirement Families & Controls Security
More informationClick to edit Master title style
Click to edit Master title style Fourth level Click The to DFARS edit Master UCTI title Clause style How It Impacts the Subcontract Relationship Breakout Third Session level #F11 Fourth level Phillip R.
More informationProtecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations
Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations January 9 th, 2018 SPEAKER Chris Seiders, CISSP Security Analyst Computing Services and Systems Development
More informationNovember 20, (Via DFARS Case 2013-D018)
November 20, 2015 (Via email osd.dfars@mail.mil, DFARS Case 2013-D018) Mr. Dustin Pitsch Defense Acquisition Regulations System OUSD(AT&L)DPAP/DARS Room 3B941 3060 Defense Pentagon Washington, DC 20301
More informationADIENT VENDOR SECURITY STANDARD
Contents 1. Scope and General Considerations... 1 2. Definitions... 1 3. Governance... 2 3.1 Personnel... 2 3.2 Sub-Contractors... 2 3.3. Development of Applications... 2 4. Technical and Organizational
More informationCompliance with NIST
Compliance with NIST 800-171 1 What is NIST? 2 Do I Need to Comply? Agenda 3 What Are the Requirements? 4 How Can I Determine If I Am Compliant? 5 Corserva s NIST Assessments What is NIST? NIST (National
More informationCybersecurity in Acquisition
Kristen J. Baldwin Acting Deputy Assistant Secretary of Defense for Systems Engineering (DASD(SE)) Federal Cybersecurity Summit September 15, 2016 Sep 15, 2016 Page-1 Acquisition program activities must
More informationAmerican Association for Laboratory Accreditation
R311 - Specific Requirements: Federal Risk and Authorization Management Program Page 1 of 10 R311 - Specific Requirements: Federal Risk and Authorization Management Program 2017 by A2LA. All rights reserved.
More informationRocky Mountain Cyberspace Symposium 2018 DoD Cyber Resiliency
Rocky Mountain Cyberspace Symposium 2018 DoD Cyber Resiliency Mr. Ed Brindley Acting Deputy Cyber Security Department of Defense 7 March 2018 SUPPORT THE WARFIGHTER 2 Overview Secretary Mattis Priorities
More informationNew York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines
New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities
More informationVirginia State University Policies Manual. Title: Information Security Program Policy: 6110
Purpose Virginia State University (VSU) uses information to perform the business services and functions necessary to fulfill its mission. VSU information is contained in many different mediums including
More informationNISP Update NDIA/AIA John P. Fitzpatrick, Director May 19, 2015
NISP Update NDIA/AIA John P. Fitzpatrick, Director May 19, 2015 Agenda Cybersecurity Information Sharing and the NISP NISP Working Group Update CUI Program Update 2 Executive Order 13691 Promoting Private
More informationChecklist: Credit Union Information Security and Privacy Policies
Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC
More informationHIPAA Security and Privacy Policies & Procedures
Component of HIPAA Security Policy and Procedures Templates (Updated for HITECH) Total Cost: $495 Our HIPAA Security policy and procedures template suite have 71 policies and will save you at least 400
More informationData Processing Agreement
In accordance with the European Parliament- and Council s Directive (EU) 2016/679 of 27th April 2016 (hereinafter GDPR) on the protection of physical persons in connection with the processing of personal
More informationSafeguarding unclassified controlled technical information (UCTI)
Safeguarding unclassified controlled technical information (UCTI) An overview Government Contract Services Bulletin Safeguarding UCTI An overview On November 18, 2013, the Department of Defense (DoD) issued
More informationThe Common Controls Framework BY ADOBE
The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.
More information1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010
Standard CIP 011 1 Cyber Security Protection Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes
More informationexisting customer base (commercial and guidance and directives and all Federal regulations as federal)
ATTACHMENT 7 BSS RISK MANAGEMENT FRAMEWORK PLAN [L.30.2.7, M.2.2.(7), G.5.6; F.2.1(41) THROUGH (76)] A7.1 BSS SECURITY REQUIREMENTS Our Business Support Systems (BSS) Risk MetTel ensures the security of
More informationCyber Risks in the Boardroom Conference
Cyber Risks in the Boardroom Conference Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks
More informationProtecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors
Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors Presented by the Office of Housing Counseling and The Office of the Chief Information Officer Privacy Program
More informationSECURITY & PRIVACY DOCUMENTATION
Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive
More informationTARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS
Target2-Securities Project Team TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS Reference: T2S-07-0270 Date: 09 October 2007 Version: 0.1 Status: Draft Target2-Securities - User s TABLE OF CONTENTS
More informationHIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp
HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp Agenda Introductions HIPAA Background and History Overview of HIPAA Requirements
More informationInformation Security Policy
April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING
More informationInformation Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC
Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/protect/ndcbf_
More informationInformation Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV
Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf
More informationRegulating Information: Cybersecurity, Internet of Things, & Exploding Rules. David Bodenheimer Evan Wolff Kate Growley
Regulating Information: Cybersecurity, Internet of Things, & Exploding Rules David Bodenheimer Evan Wolff Kate Growley Regulating Information The Internet of Things: Peering into the Future Cybersecurity
More informationDoes a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?
Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA? A brief overview of security requirements for Federal government agencies applicable to contracted IT services,
More informationIMPROVING CYBERSECURITY AND RESILIENCE THROUGH ACQUISITION
IMPROVING CYBERSECURITY AND RESILIENCE THROUGH ACQUISITION Briefing for OFPP Working Group 19 Feb 2015 Emile Monette GSA Office of Governmentwide Policy emile.monette@gsa.gov Cybersecurity Threats are
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Signature Repository A Signature Repository provides a group of signatures for use by network security tools such
More informationProtecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations (NIST SP Revision 1)
https://www.csiac.org/ Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations (NIST SP800-171 Revision 1) Today s Presenter: Wade Kastorff SRC, Commercial Cyber Security
More informationNational Policy On Classified Information Spillage
June 2006 National Policy On Classified Information Spillage This document prescribes minimum standards. Your department or agency may require further implementation. CHAIR FOREWORD 1. The handling of
More informationDRAFT. NIST MEP CYBERSECURITY Self-Assessment Handbook
NIST MEP CYBERSECURITY Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in response to DFARS Cybersecurity Requirements Table of Contents Disclaimer...8 Acknowledgements...8
More informationRev.1 Solution Brief
FISMA-NIST SP 800-171 Rev.1 Solution Brief New York FISMA Cybersecurity NIST SP 800-171 EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker delivers business critical
More informationData Use and Reciprocal Support Agreement (DURSA) Overview
Data Use and Reciprocal Support Agreement (DURSA) Overview 1 Steve Gravely, Troutman Sanders LLP Jennifer Rosas, ehealth Exchange Director January 12, 2017 Introduction Steve Gravely Partner and Healthcare
More informationComputer Security Incident Response Plan. Date of Approval: 23-FEB-2014
Computer Security Incident Response Plan Name of Approver: Mary Ann Blair Date of Approval: 23-FEB-2014 Date of Review: 31-MAY-2016 Effective Date: 23-FEB-2014 Name of Reviewer: John Lerchey Table of Contents
More information2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY
2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY Purpose: The purpose of this policy is to provide instruction and information to staff, auditors, consultants, contractors and tenants on
More informationMANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors
Page 1 of 6 Applies to: faculty staff students student employees visitors contractors Effective Date of This Revision: June 1, 2018 Contact for More Information: HIPAA Privacy Officer Board Policy Administrative
More informationData Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory
Audience: NDCBF IT Security Team Last Reviewed/Updated: March 2018 Contact: Henry Draughon hdraughon@processdeliveysystems.com Overview... 2 Sensitive Data Inventory and Classification... 3 Applicable
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Physical Enterprise Physical Enterprise Monitoring is the monitoring of the physical and environmental controls that
More informationVersion 1/2018. GDPR Processor Security Controls
Version 1/2018 GDPR Processor Security Controls Guidance Purpose of this document This document describes the information security controls that are in place by an organisation acting as a processor in
More informationThe Apple Store, Coombe Lodge, Blagdon BS40 7RG,
1 The General Data Protection Regulation ( GDPR ) is the new legal framework that will come into effect on the 25th of May 2018 in the European Union ( EU ) and will be directly applicable in all EU Member
More informationPolicy and Procedure: SDM Guidance for HIPAA Business Associates
Policy and Procedure: SDM Guidance for HIPAA Business (Adapted from UPMC s Guidance for Business at http://www.upmc.com/aboutupmc/supplychainmanagement/documents/guidanceforbusinessassociates.pdf) Effective:
More informationNew Process and Regulations for Controlled Unclassified Information
New Process and Regulations for Controlled Unclassified Information David Brady TJ Beckett Office of Export and Secure Research Compliance http://www.oesrc.researchcompliance.vt.edu/ Agenda Background
More informationNIST Security Certification and Accreditation Project
NIST Security Certification and Accreditation Project An Integrated Strategy Supporting FISMA Dr. Ron Ross Computer Security Division Information Technology Laboratory 1 Today s Climate Highly interactive
More informationTIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE
TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE Association of Corporate Counsel NYC Chapter 11/1 NYC BDO USA, LLP, a Delaware limited liability partnership,
More informationMIS Week 9 Host Hardening
MIS 5214 Week 9 Host Hardening Agenda NIST Risk Management Framework A quick review Implementing controls Host hardening Security configuration checklist (w/disa STIG Viewer) NIST 800-53Ar4 How Controls
More informationDeveloping Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?
Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite? Minnesota RIMS 39 th Annual Seminar Risk 2011-2012: Can You Hack
More informationDEFINITIONS AND REFERENCES
DEFINITIONS AND REFERENCES Definitions: Insider. Cleared contractor personnel with authorized access to any Government or contractor resource, including personnel, facilities, information, equipment, networks,
More informationDHS Cybersecurity: Services for State and Local Officials. February 2017
DHS Cybersecurity: Services for State and Local Officials February 2017 Department of Established in March of 2003 and combined 22 different Federal departments and agencies into a unified, integrated
More informationHP Standard for Information Protection and Security for Suppliers/Partners
HP Standard 14-04 for Information Protection and Security for Suppliers/Partners Document Identifier HX-00014-04 Revision and Date D, 01-Oct 2017 Last Re-validation date Abstract This standard describes
More informationData Processing Agreement for Oracle Cloud Services
Data Processing Agreement for Oracle Cloud Services Version January 12, 2018 1. Scope, Order of Precedence and Term 1.1 This data processing agreement (the Data Processing Agreement ) applies to Oracle
More informationBoerner Consulting, LLC Reinhart Boerner Van Deuren s.c.
Catherine M. Boerner, Boerner Consulting LLC Heather Fields, 1 Discuss any aggregate results of the desk audits Explore the Sample(s) Requested and Inquire of Management requests for the full on-site audits
More informationDATA PROCESSING AGREEMENT
DATA PROCESSING AGREEMENT This Data Processing Agreement ( DPA ) is entered into between: A. The company stated in the Subscription Agreement (as defined below) ( Data Controller ) and B. Umbraco A/S Haubergsvej
More informationNYDFS Cybersecurity Regulations
SPEAKERS NYDFS Cybersecurity Regulations Lisa J. Sotto Hunton & Williams LLP (212) 309-1223 lsotto@hunton.com www.huntonprivacyblog.com March 9, 2017 The Privacy Team at Hunton & Williams Over 30 privacy
More informationBuilding Information Modeling and Digital Data Exhibit
Document E203 2013 Building Information Modeling and Digital Data Exhibit This Exhibit dated the day of in the year is incorporated into the agreement (the Agreement ) between the Parties for the following
More informationData Security and Privacy Principles IBM Cloud Services
Data Security and Privacy Principles IBM Cloud Services 2 Data Security and Privacy Principles: IBM Cloud Services Contents 2 Overview 2 Governance 3 Security Policies 3 Access, Intervention, Transfer
More informationThe HIPAA Omnibus Rule
The HIPAA Omnibus Rule What You Should Know and Do as Enforcement Begins Rebecca Fayed, Associate General Counsel and Privacy Officer Eric Banks, Information Security Officer 3 Biographies Rebecca C. Fayed
More informationCYBER SECURITY POLICY REVISION: 12
1. General 1.1. Purpose 1.1.1. To manage and control the risk to the reliable operation of the Bulk Electric System (BES) located within the service territory footprint of Emera Maine (hereafter referred
More informationData Breach Preparation and Response. April 21, 2017
Data Breach Preparation and Response April 21, 2017 King & Spalding Data, Privacy & Security King & Spalding s 60 plus lawyer Data, Privacy & Security ( DPS ) Practice is best known for: Experienced crisis
More information79th OREGON LEGISLATIVE ASSEMBLY Regular Session. Senate Bill 90
th OREGON LEGISLATIVE ASSEMBLY-- Regular Session Senate Bill 0 Printed pursuant to Senate Interim Rule. by order of the President of the Senate in conformance with presession filing rules, indicating neither
More informationSupplier Training Excellence Program
Supplier Training Excellence Program Cybersecurity Webinar February 9, 2017 Agenda Why must my company complete the Cyber Questionnaire(s)? What are the Cyber Questionnaire(s)? How do I get help? What
More information