New Cyber Rules. Are You Ready?
Bob Metzger, RJO; Dave Drabkin, DHG; Tom Tollerton, DHG
Issues in Focus Webinar Series (government contracting)
Slide 2: Speaker Information
- Robert S. Metzger, Rogers Joseph O'Donnell PC, (202) Rmetzger@rjo.com. This presentation reflects Mr. Metzger's personal views and should not be attributed to any client of his firm or organization with which he is involved or affiliated.
- Dave Drabkin, Director, Dixon Hughes Goodman LLP, (703) dave.drabkin@dhgllp.com
- Tom Tollerton, Manager, Dixon Hughes Goodman LLP, (704) tom.tollerton@dhgllp.com
Slide 3: The Basic Proposition
The Federal Government has valid and important reasons to protect sensitive but unclassified information when it is shared with non-federal entities. DoD's interests are paramount but not exclusive, as other federal agencies share this objective. DoD and civilian agencies are using regulations and acquisition authority to require federal contractors to improve the cybersecurity of information systems that host all forms of Controlled Unclassified Information (CUI). What should contractors do to prepare, respond and comply?
Slide 4: Domains of Contractor Cyber Risk (diagram)
- On-Premises Information Systems
- Cloud (On or Off Premises)
- Supply Chain
The contractor ("YOU") sits at the center of all three domains. Rogers Joseph O'Donnell. All Rights Reserved.
Slide 5: Roles & Missions & Vector to Contractors
Federal responsibilities:
- OMB: sets federal acquisition policy
- NARA: defines and categorizes the varieties of CUI and establishes workable guidelines & mechanisms
- NIST: security controls and practices for adoption
- DoD: lead agency for contract requirements
- DHS: key agency for reporting and infrastructure
- GSA: prominent role in developing the general FAR
Vector to contractors (diagram): Agency Contracts -> Acquisition Methods -> Solicitation Requirements -> Contract Terms & Conditions -> Prime Contractor -> Flowdown -> Supply Chain. Contractors become subject to cyber security obligations as these are imposed by solicitation requirement and contract term.
Slide 6: Key Federal Cyber Actions
- NIST issued cyber safeguards (Special Publication) in June 2015 to protect CUI in non-federal information systems.
- DoD issued the Network Penetration DFARS in Aug. and Dec. 2015; these were revised on Oct. 21, 2016.
- Federal civilian agencies issued a new FAR Basic Safeguarding clause, effective June 15, 2016, requiring all contractors to protect Federal Contract Information on information systems.
- NARA issued the Final Rule on Controlled Unclassified Information (CUI) on Sep. 14, 2016.
- A General FAR Rule is in development that will obligate all federal agencies to require cyber protection of CUI, per the SP, in all contracts and agreements. Expect this Rule to be final in
Slide 7: Safeguarding CUI, The Basic Policy
- Policy: "All unclassified information throughout the executive branch that requires any safeguarding or dissemination control is CUI. Law, regulation (to include this part), or Government-wide policy must require or permit such controls."
- Safeguards include physical and cyber protection; cyber includes both information and information systems.
- FISMA (40 U.S.C.) dictates that federal agencies protect the confidentiality, availability and integrity of CUI. These standards apply to CUI on federal information systems operated by or on behalf of the federal government.
- The Final CUI Rule applies NIST SP to CUI provided to non-executive branch entities, e.g., private organizations.
- "When the Government provides controlled information to a non-executive branch entity, sometimes pursuant to a contract or other agreement, it does not make sense for the protection requirements to disappear or lessen just because the Government has shared the information. In fact, the protection requirements do not disappear or lessen." CUI Final Rule, 81 Fed. Reg.
Slide 8: WHAT INFORMATION MUST BE PROTECTED? CDI and CUI
Slide 9: Categories of Controlled Unclassified Information
NARA Proposed Rule: "Controlled Unclassified Information", 32 CFR Part 2002, 80 Fed. Reg. (May 8, 2015). NARA's CUI Registry (tegory-list.html) identified 23 categories and 82 subcategories of CUI.
Who has access to CUI? Federal contractors; State & Local governments; State & Local contractors; Tribal governments; Colleges & Universities; Interstate Organizations; NGOs; Foreign governments.
Categories (number of subcategories in parentheses):
- Agriculture
- Controlled Technical Information
- Critical Infrastructure (7)
- Emergency Management
- Export Control (1)
- Financial (8)
- Foreign Government Information
- Geodetic Product Information
- Immigration (7)
- Information Systems Vulnerability
- Intelligence (5)
- Law Enforcement (15)
- Legal (11)
- NATO (2)
- Nuclear (5)
- Patent (3)
- Privacy (8)
- Procurement & Acquisition (2)
- Proprietary Business (3)
- SAFETY Act Information
- Statistical (3)
- Tax (1)
- Transportation (2)
"CUI categories and subcategories are those types of information for which laws, regulations, or Government-wide policies require safeguarding or dissemination controls." Proposed 32 C.F.R. (Definitions). NARA estimates that 300,000 contractors & grantees hold Controlled Unclassified Information. (Rev. 1)
Slide 10: The Final CUI Rule
- Sep. 14, 2016: NARA Final Rule ("Controlled Unclassified Information"). All agencies are obligated to protect CUI, including CUI in non-federal entities.
- 32 CFR explains that the CUI rule (including safeguards) applies through incorporation into agreements.
- 32 CFR (h)(2) provides that agencies may not treat non-federal information systems as though they are agency systems, but agencies must use NIST SP to protect CUI's confidentiality on non-federal information systems (unless there are different legal requirements or higher standards by agreement).
- "The [CUI] rule now says that it applies only to executive branch agencies, but that, in written agreements (including contracts, grants, licenses, certificates, and other agreements) that involve CUI, agencies must include provisions that require the non-executive branch entity to handle the CUI in accordance with this rule, the Order, and the CUI Registry." Controlled Unclassified Information (Final Rule), 81 Fed. Reg.
- "(gg) Non-executive branch entity is a person or organization established, operated, and controlled by individual(s) acting outside the scope of any official capacity as officers, employees, or agents of the executive branch of the Federal Government. Such entities may include: Elements of the legislative or judicial branches of the Federal Government; state, interstate, tribal, or local government elements; and private organizations." CUI Final Rule, at (gg)
Slide 11: The CUI Agreement
"(5) Agreements. Agencies should enter into agreements with any non-executive branch or foreign entity with which the agency shares or intends to share CUI, as follows (except as provided in paragraph (a)(7) of this section): (i) Information-sharing agreements. When agencies intend to share CUI with a non-executive branch entity, they should enter into a formal agreement (see (c) for more information on agreements), whenever feasible. Such an agreement may take any form the agency head approves, but when established, it must include a requirement to comply with Executive Order 13556, Controlled Unclassified Information, November 4, 2010 (3 CFR, 2011 Comp., p. 267) or any successor order (the Order), this part, and the CUI Registry." CUI Final Rule, at (a)(5)(i)
"(6) Agreement content. At a minimum, agreements with non-executive branch entities must include provisions that state: (i) Non-executive branch entities must handle CUI in accordance with the Order, this part, and the CUI Registry; (ii) Misuse of CUI is subject to penalties established in applicable laws, regulations, or Government-wide policies; and (iii) The non-executive branch entity must report any non-compliance with handling requirements to the disseminating agency using methods approved by that agency's SAO. When the disseminating agency is not the designating agency, the disseminating agency must notify the designating agency." CUI Final Rule, at (a)(6)
Reaction of non-executive branch entities? Not yet known. Very likely, the import of the CUI rule is not widely understood. And today the rule anticipates controls by agreement that as yet are not implemented by many (any?) federal civilian agencies. Consider: the CUI rule seeks to impose on 300,000 or more recipients essentially the same safeguards as DoD does in the Net. Pen. DFARS.
Slide 12: Categories of Controlled Unclassified Information: Covered Defense Information
DFARS definition as revised Oct. 21, 2016:
"Covered defense information means unclassified controlled technical information or other information as described in the Controlled Unclassified Information (CUI) Registry that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is (1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or (2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract."
Now-superseded Aug. 2015 DFARS definition of CDI:
"Covered defense information means unclassified information that (1) Is (i) Provided to the contractor by or on behalf of DoD in connection with the performance of the contract; or (ii) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract; and (2) Falls in any of the following categories:
(i) Controlled technical information means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.
(ii) Critical information (operations security). Specific facts identified through the Operations Security process about friendly intentions, capabilities, and activities vitally needed by adversaries for them to plan and act effectively so as to guarantee failure or unacceptable consequences for friendly mission accomplishment (part of Operations Security process).
(iii) Export control. Unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives. To include dual use items; items identified in export administration regulations, international traffic in arms regulations, and munitions list; license applications; and sensitive nuclear technology information.
(iv) Any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies (e.g., privacy, proprietary business information)."
Slide 13: HOW MUST CUI & CDI BE PROTECTED? NIST SP
Slide 14: NIST SP: Introduction
- The SP treats all CUI as having Moderate Impact under FIPS-199.
- The SP uses 14 of the 17 security families of FIPS-200 to focus on the confidentiality of information (and not integrity or availability).
- 109 safeguards are stated by the SP; each is one sentence long.
- NARA intends that the SP's safeguards apply to any non-federal entity that hosts, uses or transmits any form of CUI. Only DoD now imposes this obligation generally.
- The SP explicitly recognizes commercial use of non-federal methods. The safeguards are performance objectives, not prescriptive.
- Contractors with systems that already satisfy the federal SP should exceed the SP requirements. Separation into domains may be problematic.
- The Oct. 21 DFARS revision requires cloud security "equivalent" to FedRAMP Moderate (plus reporting, preservation, access, etc.). What might be "equivalent" is unknown. The SP does not address commercial cloud as such.
Slide 15: NIST SP: 14 Families, 109/*110 Controls
The SP describes 30 basic and 79 derived security requirements. Basic requirements track to control families in FIPS-200; derived requirements reflect NIST SP rev4. Family (basic/derived):
- Access Control (2/20)
- Awareness & Training (2/1)
- Audit & Accountability (2/7)
- Configuration Management (2/7)
- Identification & Authentication (2/9)
- Incident Response (2/1)
- Maintenance (2/4)
- Media Protection (3/6)
- Personnel Security (2/0)
- Physical Protection (2/4)
- Risk Assessment (1/2)
- Security Assessment (3[*4]/0)
- Systems & Comm Protection (2/14)
- System & Information Integrity (3/4)
The SP relies on self-assessment and self-attestation. It does not (now) require submission of a System Security Plan (SSP) and has no mechanism for third-party authorization or accreditation, or for government review or approval. The Network Penetration DFARS requires that the DoD CIO adjudicate offeror requests to vary from the SP prior to contract award.
* NIST has issued proposed Rev. 1 to the SP that adds an SSP & Plan of Action/Milestones (POAM). DoD can require these.
Slide 16: A Comparative Example
- NIST SP r4 family "Incident Response": 9 pages of controls & enhancements.
- NIST SP "Incident Response" basic security requirements: "Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities." "Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization." Derived security requirement: "Test the organizational incident response capability."
- Compare the Basic Safeguarding FAR control: "Identify, report and correct information and information system flaws in a timely manner." FAR (b)(xii)
Slide 17: THE NETWORK PENETRATION DFARS
Slide 18: -7008 Compliance Clause
- Security requirements of the SP must be implemented for all covered defense information on all covered contractor information systems that support the performance of this contract.
- By submission of an offer, the contractor commits to implement the requirements of the SP no later than Dec. 31, 2017.
- "If the Offeror proposes to vary from any of the security requirements specified by NIST SP that are in effect at the time the solicitation is issued or as authorized by the Contracting Officer, the Offeror shall submit to the Contracting Officer, for consideration by the DoD Chief Information Officer (CIO), a written explanation of (A) Why a particular security requirement is not applicable; or (B) How an alternative, but equally effective, security measure is used to compensate for the inability to satisfy a particular requirement and achieve equivalent protection. (ii) An authorized representative of the DoD CIO will adjudicate offeror requests to vary from NIST SP requirements in writing prior to contract award. Any accepted variance from NIST SP shall be incorporated into the resulting contract."
Slide 19: -7012 Safeguarding Clause
The Clause requires "adequate security" on all covered contractor information systems and requires prompt (72-hour) cyber incident reporting. "Adequate security" means protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.
For contractor systems not operated on behalf of the Government, at a minimum the contractor shall:
"(1) (A) implement the security requirements in NIST SP as soon as practical, but not later than December 31, 2017. The Contractor shall notify the DoD CIO within 30 days of contract award, of any security requirements specified by NIST SP not implemented at the time of contract award; or (B) submit requests to vary from NIST SP in writing to the Contracting Officer, for consideration by the DoD CIO. The Contractor need not implement any security requirement adjudicated by an authorized representative of the DoD CIO to be nonapplicable or to have an alternative, but equally effective, security measure that may be implemented in its place."
"(2) Apply other security measures when the Contractor reasonably determines that such measures, in addition to those identified in paragraph (b)(1) of this clause, may be required to provide adequate security in a dynamic environment based on an assessed risk or vulnerability. These measures may be addressed in a system security plan."
Slide 20: -7012 Cyber Incident Reporting
"(c) Cyber incident reporting requirement. (1) When the Contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein, or that affects the contractor's ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract, the Contractor shall (i) Conduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This review shall also include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the Contractor's network(s), that may have been accessed as a result of the incident in order to identify compromised covered defense information, or that affect the Contractor's ability to provide operationally critical support; and (ii) Rapidly report cyber incidents to DoD at
(2) Cyber incident report. The cyber incident report shall be treated as information created by or for DoD and shall include, at a minimum, the required elements at ***.
(d) Malicious software. When the Contractor or subcontractors discover and isolate malicious software in connection with a reported cyber incident, submit the malicious software to DoD Cyber Crime Center (DC3) in accordance with instructions provided by DC3 or the Contracting Officer. Do not send the malicious software to the Contracting Officer.
(e) Media preservation and protection. When a Contractor discovers a cyber incident has occurred, the Contractor shall preserve and protect images of all known affected information systems identified in paragraph (c)(1)(i) of this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest.
(f) Access to additional information or equipment necessary for forensic analysis. Upon request by DoD, the Contractor shall provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis."
Slide 21: How Will Industry React?
DoD was surprised at the negative industry reaction to the Network Penetration DFARS. They figured it was a follow-on to the 2013 UCTI Rule and that the substitution of the new NIST SP for the prior SP would be seen as making industry's job easier, notwithstanding the greater number of controls. DoD did not anticipate that contractors would react to the Aug. 2015 DFARS with alarm that they (and their subcontractors) would be held to new cyber safeguards that many in the defense supply chain did not understand and had not prepared for. As a result, by action on Dec. 30, 2015, DoD blinked and postponed compliance to Dec. 31, 2017.
Contractor response to the Oct. 21, 2016 DFARS revision is to be determined. Very likely, the reaction will be negative among many segments of the defense supply chain, who will not understand the requirements or know how to proceed.
Slide 22: THE BASIC SAFEGUARDING FAR
Slide 23: Federal Contract Information (FCI)
What is Federal contract information? FCI is defined very broadly as non-public information that is provided for or generated for the government (all agencies) under a contract to develop or deliver a product or service to the government, but not including information provided to the public or simple transactional information. It does not include information made available by the Government to the public or simple transactional information, such as that necessary to process payments. FAR (a). "Information" also is defined broadly to include any communication or representation of knowledge such as facts, data, or opinions, in any medium or form. FAR; (a)
What is protected? The new FAR protects information systems rather than carefully defined information types. If a contractor processes, stores or transmits any FCI, its information system becomes covered by the Rule and subject to minimum enumerated safeguards. FAR; (a), (b). Where a contractor information system hosts FCI and other, non-federal information, the rule applies to the whole system. 81 Fed. Reg.
Who is subject to the FAR? The Basic Safeguarding rule applies to all acquisitions (including commercial items other than COTS) when a contractor's information system may contain FCI; the FAR contract clause is to be inserted when the contractor or a subcontractor at any tier may have Federal contract information residing in or transiting through its information system. FAR
Slide 24: Federal Contract Information (FCI)
How is protection achieved? The federal government has a surfeit of cyber controls. Those designed for federal information systems, e.g., NIST SP, are too costly and burdensome to impose on contractors to protect FCI. Instead, the new rule calls out 15 safeguards, each derived from the SP (next slide).
How will industry respond? The Network Penetration DFARS met with strong industry resistance because of uncertainty over costs and how to comply. The Basic Safeguarding Rule applies to many more contracting actions, contracts and contractors and undoubtedly will surprise (and may alarm) some. The FAR invokes only 15 cyber safeguards and these are stated as performance standards (goals). The Rule presumes these safeguards are consistent with prudent business practices. Even so, some companies will object to perceived federal interference and cyber mandates.
Are there problems with the Basic Safeguarding Rule? Yes. The Rule seeks to apply simple security propositions to a highly complex subject and diverse business circumstances. There are drafting issues that will surface as more and different companies confront the compliance obligations that are now imposed.
Is this Rule important? While self-described as "just one step in a series of coordinated regulatory actions being taken or planned," it reflects a government decision to use its regulatory power and acquisition authority to mandate minimum cyber defenses for all private companies that do government business.
Slide 25: Controls of the Basic Safeguarding FAR (Access Controls dominate the Basic Safeguarding Rule)
(i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
(ii) Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
(iii) Verify and control/limit connections to and use of external information systems.
(iv) Control information posted or processed on publicly accessible information systems.
(v) Identify information system users, processes acting on behalf of users, or devices.
(vi) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
(vii) Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
(viii) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
(ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
(x) Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
(xi) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
(xii) Identify, report, and correct information and information system flaws in a timely manner.
(xiii) Provide protection from malicious code at appropriate locations within organizational information systems.
(xiv) Update malicious code protection mechanisms when new releases are available.
(xv) Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
Slide 26: COMPLIANCE WITH THE NEW FEDERAL CYBER REQUIREMENTS
Slide 27: Cyber Compliance: Overview
Special attention is required to address small business compliance.
Slide 28: Cyber Compliance: Obligations
- The Network Penetration DFARS applies to 10,000 contractors in the DoD supply chain. Of these, about 1,200 are CAS-covered.
- Primes who take contracts subject to the DFARS are responsible to flow down, without variation, and can be held accountable should a supplier fail to protect information.
- The DFARS are not accompanied by any means for DoD assessment or authorization. However, the DFARS include an obligation, effective upon receipt of a contract with the 7012 clause, that contractors provide notice of a cyber incident within 72 hours of detection.
- If there is a major event, accompanied by loss or compromise of Covered Defense Information, DoD must be informed (above) and very likely will at least review, if not investigate, the loss. Often, the FBI participates in the forensic analysis after a breach. In the course of such an investigation, federal officials can be expected to assess the nature of the vulnerability and the security measures of the affected company.
- The DFARS does not require full compliance with the SP until Dec. 31, 2017. However: the obligation to provide "adequate security" is present, from the clause, immediately upon acceptance of a contract with the clause; and companies must advise DoD within 30 days of fit/gap against the SP requirements.
- NIST has proposed Revision 1 to the SP that would add a requirement that companies prepare a System Security Plan (SSP) and Plan of Actions and Milestones (POAM) that may be requested by Contracting Officers.
Slide 29: Cyber Compliance: Scenarios
A breach occurs at a company with CDI that has DoD contracts subject to the DFARS.
- National interests may be affected by the loss of confidentiality of CDI.
- Information encompassed within CDI implicates important government interests.
- Some of the information types can be subject to other federal protections (e.g., PII, HIPAA).
Investigators will seek an explanation of the company's security practices:
- They will ask for documentation of security practices at the time of the event.
- They may ask for the fit/gap report against the SP requirements.
- They may find additional cyber requirements in other federal contracts.
They may recommend action against a company should they find that it:
- Had no system security measures in place, notwithstanding the DFARS requirement of "adequate security";
- Failed to take security measures sufficient to be "adequate" (post-hoc review);
- Failed to timely perform and provide the fit/gap analysis as required by the DFARS;
- Lacked the ability to detect a cyber breach and therefore did not notify within 72 hours;
- Failed to take necessary, timely actions to close vulnerabilities identified in the fit/gap analysis.
On such facts, the Government could (i) seek damages for identifiable loss caused by the breach; (ii) terminate for default; (iii) exclude the contractor from future awards (non-responsibility); (iv) cite poor cyber hygiene in a performance review; (v) upon a material misrepresentation, bring an action under the False Claims Act for reckless disregard of the Net Pen DFARS and SP
Slide 30: Cyber Compliance: 10 Responsive Measures
In light of new requirements and risks, prudent defense contractors should promptly:
① identify where they host, transmit or use CDI subject to Net Pen DFARS obligations;
② act as necessary to isolate CDI into domains configured for the required NIST safeguards;
③ conduct a fit/gap assessment to compare existing security to the SP requirements;
④ report fit/gap results to the DoD CIO within 30 days of the subject contract award;
⑤ document the system security assessment; prepare and document an SSP and POAM;
⑥ provide notification or seek instruction where appropriate from the PA, COs and/or CIO;
⑦ establish means to monitor system security, and test for and respond to vulnerabilities;
⑧ confirm the ability to detect and give timely notice of any cyber breach, and exercise the same;
⑨ review supply chain distribution of CDI and act to flow down CDI safeguard requirements; and
⑩ consider independent third-party review for compliance and security.
Companies should consider a risk-based analysis of their vulnerability to attack and compliance exposure. It may be appropriate to engage third-party resources to evaluate alternative enterprise strategies, e.g., cloud-based security, or to implement technical methods to enhance security such as advanced Identity Access Management (IAM) and Information Rights Management (IRM). Counsel and consultants can advise on requirements, identify compliance risks, assess solutions, help with supply chain compliance and represent the company in dealings with the Government.
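As an added example (not from the deck or its presenters), a small Python fit/gap tracker that encodes the 14-family requirement counts from the NIST SP 800-171 slide above and the -7012 obligations this slide summarizes: a 30-day notice to the DoD CIO of unimplemented requirements, variance requests with a written explanation, and POAM milestones checked against the Dec. 31, 2017 date. The requirement labels, the award date and the three open items are constructed placeholders, not the SP's own numbering.

```python
"""Fit/gap tracker for the 14-family requirement table and the -7012 obligations.
Added example, not from the deck or its authors. Requirement labels such as
"Access Control/D07" are constructed placeholders, not the SP's own numbering."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# (basic, derived) requirement counts per family, as listed on the slide: 30 + 79 = 109.
FAMILIES: Dict[str, Tuple[int, int]] = {
    "Access Control": (2, 20),
    "Awareness & Training": (2, 1),
    "Audit & Accountability": (2, 7),
    "Configuration Management": (2, 7),
    "Identification & Authentication": (2, 9),
    "Incident Response": (2, 1),
    "Maintenance": (2, 4),
    "Media Protection": (3, 6),
    "Personnel Security": (2, 0),
    "Physical Protection": (2, 4),
    "Risk Assessment": (1, 2),
    "Security Assessment": (3, 0),
    "Systems & Communications Protection": (2, 14),
    "System & Information Integrity": (3, 4),
}
COMPLIANCE_DEADLINE = date(2017, 12, 31)  # full-implementation date from the deck's chronology
CIO_NOTICE_DAYS = 30                      # -7012: notify DoD CIO of unimplemented items within 30 days of award
STATUSES = ("implemented", "planned", "variance")


@dataclass
class Finding:
    family: str
    label: str                   # constructed label, e.g. "Access Control/D07"
    kind: str                    # "basic" or "derived"
    status: str = "implemented"
    note: str = ""               # POAM action (planned) or rationale (variance request)
    milestone: Optional[date] = None


def blank_assessment() -> List[Finding]:
    """One Finding per requirement, sized exactly to the family table; all start 'implemented'."""
    findings: List[Finding] = []
    for fam, (basic, derived) in FAMILIES.items():
        findings += [Finding(fam, f"{fam}/B{i + 1:02d}", "basic") for i in range(basic)]
        findings += [Finding(fam, f"{fam}/D{i + 1:02d}", "derived") for i in range(derived)]
    return findings


def record(findings: List[Finding], label: str, status: str, note: str,
           milestone: Optional[date] = None) -> Finding:
    """Mark one requirement as planned (needs a milestone) or as a variance request (needs a rationale)."""
    if status not in STATUSES:
        raise ValueError(f"unknown status {status!r}")
    if status == "planned" and milestone is None:
        raise ValueError("a planned (POAM) item needs a milestone date")
    if status != "implemented" and not note.strip():
        raise ValueError("planned and variance items need a written explanation")
    for f in findings:
        if f.label == label:
            f.status, f.note, f.milestone = status, note, milestone
            return f
    raise KeyError(label)


def fit_gap(findings: List[Finding], award_date: date) -> dict:
    """Summarise the assessment: counts per family, POAM entries, variance requests, key dates."""
    by_family = {fam: dict.fromkeys(STATUSES, 0) for fam in FAMILIES}
    for f in findings:
        by_family[f.family][f.status] += 1
    poam = sorted((f for f in findings if f.status == "planned"), key=lambda f: f.milestone)
    return {
        "total": len(findings),
        "implemented": sum(1 for f in findings if f.status == "implemented"),
        "by_family": by_family,
        "poam": [(f.label, f.note, f.milestone.isoformat()) for f in poam],
        "variance_requests": [(f.label, f.note) for f in findings if f.status == "variance"],
        "cio_notice_due": award_date + timedelta(days=CIO_NOTICE_DAYS),
        "milestones_past_deadline": [f.label for f in poam if f.milestone > COMPLIANCE_DEADLINE],
    }


def sample_report() -> dict:
    """Constructed scenario: a contract awarded 2016-10-21 with three open items."""
    findings = blank_assessment()
    record(findings, "Access Control/D07", "planned",
           "deploy multifactor authentication for remote access", date(2017, 6, 30))
    record(findings, "Audit & Accountability/B02", "planned",
           "central log retention and review", date(2018, 1, 15))  # lands after the deadline
    record(findings, "Physical Protection/D01", "variance",
           "single-room facility; escort and visitor-log controls give equivalent protection")
    return fit_gap(findings, date(2016, 10, 21))


if __name__ == "__main__":
    r = sample_report()
    print(f"{r['implemented']}/{r['total']} implemented; CIO notice due {r['cio_notice_due']}")
    for label, note, due in r["poam"]:
        print(f"POAM {label}: {note} (milestone {due})")
    for label in r["milestones_past_deadline"]:
        print(f"WARNING: {label} milestone falls after {COMPLIANCE_DEADLINE}")
```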
Slide 31: Taxonomy
- CUI: Controlled Unclassified Information
- CDI: Covered Defense Information
- DFARS: Defense Federal Acquisition Regulation Supplement
- FAR: Federal Acquisition Regulation
- FCI: Federal Contract Information
- FIPS: Federal Information Processing Standards
- FISMA: Federal Information Systems Modernization Act
- GSA: General Services Administration
- NARA: National Archives & Records Administration
- NIST: National Institute of Standards & Technology
- OMB: Office of Management and Budget
- OPM: Office of Personnel Management
Slide 32: Chronology of Cyber/Supply Chain Initiatives
- March 3, 2010: Advanced Notice of Proposed Rulemaking, Basic Safeguarding of Contractor Information Systems
- November 4, 2010: Executive Order 13556, Controlled Unclassified Information
- August 24, 2012: Proposed Rule, Basic Safeguarding of Contractor Information Systems
- February 2013: Executive Order 13636, Improving Critical Infrastructure Cybersecurity
- November 18, 2013: Interim Rule, DFARS Supply Chain Risk (Sec. 806 NDAA FY 2011)
- November 18, 2013: Final Rule, Safeguarding Unclassified Controlled Technical Information
- February 12, 2014: Framework for Improving Critical Infrastructure Cybersecurity
- May 6, 2014: Final Rule, Detection and Avoidance of Counterfeit Electronic Parts
- May 8, 2015: NARA Proposed Rule, Controlled Unclassified Information
- June 19, 2015: NIST SP, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (Final)
- August 11, 2015: OMB draft Guidance, Improving Cybersecurity Protections in Federal Acquisitions
- August 26, 2015: Interim Rule, DFARS Network Penetration Reporting and Contracting for Cloud Services
- September 21, 2015: Proposed Rule, Detection and Avoidance of Counterfeit Electronic Parts, Further Implementation (deletes embedded software from definition)
- October 8, 2015: DoD Class Deviation, Multifactor authentication (local/network access), 9 months
- October 30, 2015: Final Rule, Requirements Relating to Supply Chain Risk (Sec. 806 NDAA FY 2011)
- October 30, 2015: OMB Memorandum, Cybersecurity Strategy and Implementation Plan (CSIP)
- November 2015: President Obama signs NDAA FY 2016 (includes cyber risk assessment)
- December 18, 2015: Cybersecurity Information Sharing Act (CISA) signed into law
- December 30, 2015: Amended Interim Rule, Network Penetration (defers cyber obligation to 12/31/2017)
- May 16, 2016: Final Rule, Basic Safeguarding of Contractor Information Systems (81 Fed. Reg.)
- Aug. 16, 2016: Proposed Rev. 1 to NIST SP
- Sep. 14, 2016: Final Rule, Controlled Unclassified Information (81 Fed. Reg.)
- Oct. 21, 2016: Final Rule, Network Penetration Reporting and Contracting for Cloud Services (81 Fed. Reg.)
33 Links to Key Federal Actions
o EO 13636: (Feb. 2013)
o DoD UCTI Rule: (Nov. 2013)
o NARA Proposed Rule: Controlled Unclassified Information: (May 2015)
o NIST SP : (June 2015)
o OMB Draft Acquisition Guidance: (Sep. 2015)
o Cybersecurity Information Sharing Act of 2015 (CISA) (Dec. 18, 2015), ( p.694)
o DoD Network Penetration Rule: (Aug. 26, 2015), (Dec. 30, 2015)
o FAR Basic Safeguarding Rule: (May 2016)
o OMB Circular A-130: (July 2016)
o Rev. 1 to NIST SP : (Aug. 2016)
o Final Rule, Network Penetration Reporting and Contracting for Cloud Services, (Oct. 21, 2016)
o Proposed Rule, Withholding of Unclassified Technical Data and Technology from Public Disclosure, (Oct. 31, 2016)
33
34 Questions... 34
35 Join Us Next Time December 14th - Issues in Focus 35