2 The DFARS UCTI Clause: How It Impacts the Subcontract Relationship
Breakout Session #F11
Phillip R. Seckman and Michael J. McGuinn, Dentons US LLP
Date: Tuesday, July 28, 2015. Time: 4:00pm - 5:15pm
3 Agenda
- Cyber threats and risk management
- Regulatory landscape
- DFARS UCTI rule: requirements; supply chain compliance
- Recent developments: NARA CUI plan; cyber legislation
- Compliance and breach response takeaways
4 Cyber Attacks: An Ever-Growing Threat
- GAO: 67,000 computer hacking incidents reported by federal agencies in 2014 (up from 5,500 incidents in 2006); includes malware installation, improper use of computer resources, and unauthorized access to systems
- Attacks are a top concern of the FBI and the intelligence community
- Cyber attacks focused on IP, critical infrastructure, and personal data
- Mandiant Report: APT1 in China responsible for an estimated 80-90% of cyber incidents involving classified information, trade secrets, and IP
- Office of Personnel Management hack: nation-state hackers stole personnel data and Social Security numbers for every federal employee
- "Some organizations will be a target regardless of what they do, but most become a target because of what they do (or don't do)." - Verizon 2013 DBIR
5 Regulatory Landscape
- Contractors faced with a patchwork of legal requirements:
- Federal Information Security Management Act of 2002: primarily applicable to government information systems, but also applicable to contractors
- Federal Information Security Modernization Act of 2014: passed on 12/10/14; new requirements likely forthcoming
- Industry/agency-specific requirements (e.g., DOD, NASA, GSA, DOE)
- SEC disclosures for material cyber incidents
- HIPAA requirements
- FTC treatment of breaches as unfair trade practices
- State-specific breach notification laws
- International requirements
- Private sector requirements (e.g., PCI DSS)
- Developments overlay existing requirements and increase compliance obligations
6 DFARS Unclassified Controlled Technical Information ("UCTI") Clause
- Issued on Nov. 18, 2013 (78 Fed. Reg. 69,273)
- Establishes a new DFARS clause, included in all DOD contracts issued after Nov. 18, 2013, including small business and commercial item contracts
- DOD also implemented the clause through contract modification in some cases
7 DFARS UCTI Clause: Identifying UCTI
- Clause applies to any contractor information system that may have UCTI resident on it or transiting through it
- UCTI is Technical Information (technical data or computer software) that is Controlled: military or space application; subject to controls on access, use, modification, and release; marked with the required distribution statement pursuant to the DOD Instruction on Distribution Statements on Technical Documents
- UCTI may be furnished by the government or developed by the contractor (DFARS PGI (a))
- DOD generally responsible for identifying whether the contractor will be required to develop or handle UCTI
- Contractor also may develop technical information that must be marked
8 DFARS UCTI Clause: IS Security Requirements
- Compliance with 50+ security controls from the referenced NIST SP, spanning these families: access control; awareness and training; audit and accountability; configuration management; identification and authentication; contingency planning; incident response; maintenance; media protection; physical and environmental protection; program management; risk assessment; systems/communications protection; systems/information integrity
- Must otherwise explain: (1) why a security control is inapplicable; or (2) that an alternative control or protection achieves equivalent protection
9 DFARS UCTI Clause: IS Security Requirements (cont.)
- Security control command media (the NIST "dash-1" controls) not required, but strongly recommended: necessary to explain/defend systems to DOD; helpful to explain system requirements to subcontractors
- Documentation required in connection with certain controls (e.g., CM-2)
- A number of controls allow for reasonable contractor discretion; e.g., AC-7 (Unsuccessful Logon Attempts) does not impose a specific number of logon attempts that triggers lockout
- Certain controls incorporate a base control and a control enhancement; e.g., AC-3(4) requires compliance with the AC-3 base control (access enforcement) and the (4) enhancement (discretionary access controls)
10 DFARS UCTI Clause: IS Security Requirements (cont.)
- Additional IS security protections required when the contractor "reasonably determines" (business discretion?) that other IS security measures may be required to provide "adequate security" in a "dynamic environment"
- "Adequate security": protection commensurate with the probability/consequences of loss, misuse, unauthorized access, or information modification
- "Dynamic": adequacy must be constantly assessed/updated
- "Based on an assessed risk or vulnerability": requires an understanding of known risks (look-back period?)
- Specified NIST controls set the baseline
11 DFARS UCTI Clause: Reporting Requirements
- Reporting required within 72 hours of discovery of a reportable cyber incident: possible exfiltration, manipulation, or other loss or compromise of UCTI on a prime/sub information system; any unauthorized access to a system on which UCTI is present
- Prime contractors must report up to 13 categories of information to the DIB CS/IA website, including affected contracts, a description of the technical information compromised, and the name of the subcontractor if the incident was on a subcontractor network
- Threshold triggering reporting is low
12 DFARS UCTI Clause: Reporting Requirements (cont.)
- More comprehensive contractor review required after the initial report: scope of the network compromise (e.g., affected servers, information systems, computers, user accounts); specific UCTI impacted
- Preserve images and relevant information for at least 90 days
- DOD (DSS) may elect to conduct a damage assessment; contractor required to comply with damage assessment information requests, unless otherwise precluded by law; information protected from further disclosure
- Be prepared to explain why the compromise occurred and the company's response
13 DFARS UCTI Clause: Compliance Measures
- Review contracts for the clause
- Assess which systems have or may handle UCTI: review the DOD Instruction to identify UCTI; UCTI may be identified in the CDRL or marked with a distribution statement
- Conduct a gap analysis using the NIST SP standards
- Identify known security risks and loss probabilities; implement additional controls commensurate with these risks
- Promptly implement any security control deficiencies: contractors "shall" implement controls, but likely have reasonable discretion to prioritize control implementation
- Assess possible system compromises immediately and consider the reporting obligation
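The gap analysis on this slide, together with the rules from slides 8 and 9 (every required control is implemented or carries a written "inapplicable"/"alternative" explanation; an enhancement such as AC-3(4) also needs its AC-3 base; CM-2 needs documentation; AC-7's lockout threshold is a contractor choice that should be recorded), can be expressed as a small validator. The Python below is an added example written for this page, not code from the presentation, Dentons, or DOD. The control identifiers AC-3, AC-3(4), AC-7 and CM-2 are the ones the slides name; the BASELINE metadata, the status vocabulary and the sample assessment are constructed for illustration and are not the clause's actual control table.

```python
import re
from dataclasses import dataclass, field

# NIST-style control identifiers: "AC-3" is a base control, "AC-3(4)" an enhancement.
CONTROL_ID = re.compile(r"^([A-Z]{2})-(\d+)(?:\((\d+)\))?$")

VALID_STATUSES = {"implemented", "inapplicable", "alternative", "not_implemented"}


def parse_control_id(control_id: str):
    """Split 'AC-3(4)' into ('AC-3', 4); a base control returns (id, None)."""
    m = CONTROL_ID.match(control_id)
    if not m:
        raise ValueError(f"not a control identifier: {control_id!r}")
    family, number, enhancement = m.groups()
    return f"{family}-{number}", (int(enhancement) if enhancement else None)


@dataclass
class ControlStatus:
    control_id: str
    status: str                # one of VALID_STATUSES
    explanation: str = ""      # written rationale backing an inapplicable/alternative claim
    evidence: str = ""         # pointer to the documentation a control requires (e.g. CM-2)
    parameters: dict = field(default_factory=dict)  # contractor-chosen values (e.g. AC-7 lockout)

    def __post_init__(self):
        if self.status not in VALID_STATUSES:
            raise ValueError(f"unknown status {self.status!r} for {self.control_id}")


# Constructed baseline (hypothetical metadata, NOT the clause's real control table).
BASELINE = {
    "AC-3":    {"name": "Access Enforcement",            "needs_doc": False, "params": []},
    "AC-3(4)": {"name": "Discretionary Access Control",  "needs_doc": False, "params": []},
    "AC-7":    {"name": "Unsuccessful Logon Attempts",   "needs_doc": False,
                "params": ["max_attempts", "lockout_duration"]},
    "CM-2":    {"name": "Baseline Configuration",        "needs_doc": True,  "params": []},
}


def evaluate(baseline, assessment):
    """Return gap findings as (control_id, message) tuples; an empty list means no gaps."""
    by_id = {s.control_id: s for s in assessment}
    findings = []
    for cid, meta in baseline.items():
        s = by_id.get(cid)
        # Slide 8/13: a control with no implementation and no written explanation is a deficiency.
        if s is None or s.status == "not_implemented":
            findings.append((cid, "deficiency: control neither implemented nor explained"))
            continue
        if s.status in ("inapplicable", "alternative") and not s.explanation.strip():
            findings.append((cid, f"missing written explanation for '{s.status}' claim"))
        if s.status == "implemented":
            # Slide 9: some controls (CM-2) carry a documentation requirement.
            if meta["needs_doc"] and not s.evidence.strip():
                findings.append((cid, "documentation required but no evidence recorded"))
            # Slide 9/14: discretionary choices (AC-7 threshold) should be recorded, not implied.
            missing = [p for p in meta["params"] if p not in s.parameters]
            if missing:
                findings.append((cid, "discretionary parameter(s) not documented: " + ", ".join(missing)))
            # Slide 9: an enhancement only counts if its base control is also in place.
            base, enhancement = parse_control_id(cid)
            if enhancement is not None:
                base_status = by_id.get(base)
                if base_status is None or base_status.status != "implemented":
                    findings.append((cid, f"enhancement claimed but base control {base} is not implemented"))
    return findings


# Constructed sample assessment illustrating three distinct gaps.
SAMPLE_ASSESSMENT = [
    ControlStatus("AC-3(4)", "implemented"),            # enhancement claimed...
    ControlStatus("AC-3", "not_implemented"),           # ...without its base control
    ControlStatus("AC-7", "implemented",
                  parameters={"max_attempts": 5, "lockout_duration": "30 minutes"}),
    ControlStatus("CM-2", "implemented"),               # required documentation not recorded
]

if __name__ == "__main__":
    for control_id, message in evaluate(BASELINE, SAMPLE_ASSESSMENT):
        print(f"{control_id}: {message}")
```

Running the block lists the AC-3 deficiency, the orphaned AC-3(4) enhancement, and the undocumented CM-2; AC-7 passes because the chosen threshold and lockout duration are recorded. Replacing the constructed BASELINE with the real control table keeps the same logic.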
14 DFARS UCTI Clause: Consequences of Noncompliance
- Consequences of non-compliance include: breach of contract; termination for default; FCA liability (no express certification currently required); negative past performance evaluations; declination of options (USIS); suspension and debarment; purchasing system disapproval
- Government likely to review non-compliances in the context of a breach and with the benefit of hindsight
- Contractor reasonableness likely to be the touchstone for penalties; documentation of decision-making is crucial
- DOD likely to have concerns about an implementation approach that begins with specific safeguarding controls before the audit/detection controls (evades the reporting requirement)
15 DFARS UCTI Clause: Supply Chain Issues
- UCTI Clause is a mandatory flow down in all subcontracts, regardless of size; subcontractors also required to flow down to lower-tier subcontractors; includes commercial item subcontracts
- ISPs and cloud service providers considered subcontractors
- Flow down requirement requires both safeguarding controls and mandatory reporting
- Many subcontractors are unable or unwilling to comply with these requirements
16 DFARS UCTI Clause: Supply Chain Issues (cont.)
- Prime contractors are responsible for flowing down the clause: the clause does not require the prime contractor to conduct an assessment or verify the system adequacy of subcontractors; the obligation is on the party receiving UCTI to explain why a security control is inapplicable or that an alternative control achieves equivalent protection
- Government likely to argue prime contractors are responsible for ensuring adequate protection of UCTI, wherever located
- Government Furnished Information ("GFI") under DFARS requires contractors to indemnify the government and third parties for violations of GFI use and disclosure restrictions; applies to any person/entity to whom the contractor has released or disclosed GFI
- Similar also to government property systems: FAR (f) makes contractors responsible for ensuring subcontractors have adequate property management systems in place for GP (including CAP)
17 DFARS UCTI Clause: Supply Chain Issues (cont.)
Higher-Tier Contractor Options:
- Conduct some form of system verification through audit (significant risks associated with approving subcontractor system compliance)
- Require a subcontractor representation of compliance (unlikely to get it; then what?)
- Require a written explanation from the sub, consistent with DFARS (b)(1), that (1) a security control is inapplicable or (2) an alternative control achieves equivalent protection
- Establish contract mechanisms for system audit rights, NDA, and indemnification for breaches/challenges (DFARS as a guide)
- Educate suppliers: develop a checklist or target profile of requirements and provide it to subcontractors; make resources available to subcontractors (DHS C Cubed program, SBA training); emphasize reporting requirements and preservation of data
- Flow down the clause and do nothing more
18 DFARS UCTI Clause: Supply Chain Issues (cont.)
Higher-Tier Contractor Options:
- If the contractor learns that a subcontractor cannot/will not comply with the clause requirements, the prime should: find a compliant subcontractor; preclude the subcontractor from handling UCTI; identify/document the subcontractor's security capabilities and ask the supplier to attest to the adequacy of those capabilities (and any other factors showing trustworthiness); confirm prompt reporting is in place
- Avoid integrating subcontractor cyber compliance into your procurement system unless you are prepared to be audited to it
- Touchstone will be reasonableness
19 DFARS UCTI Clause: Supply Chain Issues (cont.)
Subcontractor Options:
- Determine whether you are in fact a subcontractor: potentially difficult to support, since ISPs and other external service providers are subcontractors according to the preamble of the clause (almost certainly correct)
- Assess whether you need UCTI for performance of your subcontract: attempt to resist inclusion of the clause, or reach agreement that it is inapplicable, if UCTI will not be provided/created
- Clarify the existence of UCTI: does this subcontract require me to receive or generate UCTI? Don't assume; ask, and get specificity before award
- Limit/control UCTI locations: centralize UCTI in a network with controls, no copies elsewhere; hard copies; possible to use higher-tier contractors' networks directly?
20 DFARS UCTI Clause: Supply Chain Issues (cont.)
Subcontractor Options:
- Self-assess compliance with UCTI controls: if not in compliance, do you have adequate controls in place to address your company's cyber risks? Are these controls tied to UCTI requirements? Can you reasonably and accurately represent that controls are inapplicable or that you have equivalent controls?
- Avoid broad representations or over-promises of system compliance
- Ensure disclosures are controlled: limit the prime contractor's ability to access systems for purposes of reporting a cyber incident (government only); consider an NDA with enforceable provisions to ensure information disclosed to the prime is protected from further disclosure outside of the UCTI context
- Cyber compliance likely to be a significant competitive advantage for suppliers
21 National Archives and Records Administration Controlled Unclassified Information
- EO 13556, Controlled Unclassified Information, designated NARA to develop regulations for consistent marking and safeguarding of CUI
- NARA issued a proposed rule on May 11, 2015 that would establish uniform marking requirements and require agencies to protect CUI using FIPS/NIST standards
- NARA anticipates establishing a single FAR clause incorporating the CUI rule
- NARA rule likely to incorporate requirements from the new NIST SP (draft issued April 2, 2015); its security controls, drawn from the NIST catalog, are broader than the DFARS UCTI rule controls
- Unclear how the NARA CUI program will be reconciled with the FAR and DFARS rules and the GAO/DOD Joint Working Group Report
22 Cyber Legislation
- Federal Information Security Modernization Act of 2014 (Dec. 10, 2014): re-established OMB as the oversight authority for agency information security policies; establishes DHS as the authority for implementation of OMB standards; requires agencies to provide congressional notification for major cyber incidents
- Protecting Cyber Networks Act (passed House on April 22, 2015): would provide liability protections to companies sharing cyber threat data with government civilian agencies (except in cases of willful misconduct)
23 Cyber Legislation (cont.)
- FY15 NDAA 1632: would require timely reporting on cyber incidents for operationally critical contractors
- "Operationally critical contractor": a contractor designated as a critical source of supply for airlift, sealift, intermodal transportation, or logistical support that is essential to a contingency operation
- "Cyber incident": an action that results in an actual or potentially adverse effect on an information system or the information residing therein
- DFARS rule required within 90 days after the NDAA is enacted; case pending
- FY13 NDAA 941: requires reporting of successful penetration of networks of cleared defense contractors (private entities with clearance to access, receive, or store classified information in support of DOD programs); requires rapid reporting and DOD access to systems upon request
- DFARS case (No D018) pending to implement both sections
- 2016 NDAA provides for liability protections for contractors reporting under either 1632 or
24 Company Compliance: Final Considerations
- Know what data/information you have and the applicable requirements
- Need management buy-in and a proactive approach
- Have a plan in place providing guidance if a crisis develops
- Supply chain considerations: Symantec report says small businesses are the path of least resistance; required security profile vs. supplier's current profile? Are you protected from liability/indemnified for subcontractor issues? Are supplier obligations to notify, respond, and cooperate/share information properly defined?
- Commercial companies and small businesses likely not exempt
- Document risk management decisions and compliance efforts
- Read your contracts!
25 Questions?
Phillip R. Seckman (303)
Michael J. McGuinn (303)
New Process and Regulations for Controlled Unclassified Information David Brady TJ Beckett Office of Export and Secure Research Compliance http://www.oesrc.researchcompliance.vt.edu/ Agenda Background
More informationExternal Supplier Control Obligations. Cyber Security
External Supplier Control Obligations Cyber Security Control Title Control Description Why this is important 1. Cyber Security Governance The Supplier must have cyber risk governance processes in place
More informationTechnical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016
For Discussion Purposes Only Technical Reference [Draft] DRAFT CIP-013-1 Cyber Security - Supply Chain Management November 2, 2016 Background On July 21, 2016, the Federal Energy Regulatory Commission
More informationTIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE
TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE Association of Corporate Counsel NYC Chapter 11/1 NYC BDO USA, LLP, a Delaware limited liability partnership,
More informationHow Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner
How Cybersecurity Initiatives May Impact Operators Ross A. Buntrock, Partner ross.buntrock@agg.com 202.669.0495 Agenda Rise in Data Breaches Effects of Increase in Cybersecurity Threats Cybersecurity Framework
More informationTop Five Privacy and Data Security Issues for Nonprofit Organizations
Top Five Privacy and Data Security Issues for Nonprofit Organizations Julia K. Tama, Esq. Jeffrey S. Tenenbaum, Esq. Association of Corporate Counsel Nonprofit Organizations Committee Legal Quick Hit MAY
More informationCyber Security For Business
Cyber Security For Business In today s hostile digital environment, the importance of securing your data and technology cannot be overstated. From customer assurance, liability mitigation, and even your
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Signature Repository A Signature Repository provides a group of signatures for use by network security tools such
More informationManaging Cybersecurity Risk
Managing Cybersecurity Risk Maureen Brundage Andy Roth August 9, 2016 Managing Cybersecurity Risk Cybersecurity: The Current Legal and Regulatory Environment Cybersecurity Governance: Considerations for
More informationNISP Update NDIA/AIA John P. Fitzpatrick, Director May 19, 2015
NISP Update NDIA/AIA John P. Fitzpatrick, Director May 19, 2015 Agenda Cybersecurity Information Sharing and the NISP NISP Working Group Update CUI Program Update 2 Executive Order 13691 Promoting Private
More informationHacking and Cyber Espionage
Hacking and Cyber Espionage September 19, 2013 Prophylactic and Post-Breach Concerns for In-House Counsel Raymond O. Aghaian, McKenna Long & Aldridge LLP Elizabeth (Beth) Ferrell, McKenna Long & Aldridge
More informationHIPAA Security and Privacy Policies & Procedures
Component of HIPAA Security Policy and Procedures Templates (Updated for HITECH) Total Cost: $495 Our HIPAA Security policy and procedures template suite have 71 policies and will save you at least 400
More informationCybersecurity in Acquisition
Kristen J. Baldwin Acting Deputy Assistant Secretary of Defense for Systems Engineering (DASD(SE)) Federal Cybersecurity Summit September 15, 2016 Sep 15, 2016 Page-1 Acquisition program activities must
More informationTARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS
Target2-Securities Project Team TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS Reference: T2S-07-0270 Date: 09 October 2007 Version: 0.1 Status: Draft Target2-Securities - User s TABLE OF CONTENTS
More informationGeneral Data Protection Regulation April 3, Sarah Ackerman, Managing Director Ross Patz, Consultant
General Data Protection Regulation April 3, 2018 Sarah Ackerman, Managing Director Ross Patz, Consultant Introductions Sarah Ackerman, CISSP, CISA Managing Director, Cincinnati Responsible for overall
More informationSTRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE
STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby
More information-Eight types of cyber data, (Sec. 708(7))
WHAT INFORMATION MAY BE SHARED H.R. 624, the Cyber Intelligence sharing and Protection Act of 2013 (CISPA) (Rogers- -Notwithstanding any provision of law, S. 3414, the Cybersecurity Act of 2012 (Lieberman-Collins-
More informationData Processing Agreement for Oracle Cloud Services
Data Processing Agreement for Oracle Cloud Services Version January 12, 2018 1. Scope, Order of Precedence and Term 1.1 This data processing agreement (the Data Processing Agreement ) applies to Oracle
More informationBusiness continuity management and cyber resiliency
Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Business continuity management and cyber resiliency Introductions Eric Wunderlich,
More information01.0 Policy Responsibilities and Oversight
Number 1.0 Policy Owner Information Security and Technology Policy Policy Responsibility & Oversight Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 1. Policy Responsibilities
More informationIndustry Perspectives on Active and Expected Regulatory Actions
July 15, 2016 Industry Perspectives on Active and Expected Regulatory Actions Alan Chvotkin Executive Vice President and Counsel, Professional Services Council chvotkin@pscouncil.org Trey Hodgkins Senior
More informationSpecial Publication
Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations Patricia Toth NIST MEP What is Information Security? Personnel Security Cybersecurity
More informationDFARS , NIST , CDI
DFARS 252.204-7012, NIST 800-171, CDI and You Overview Impacts Getting started Overview Impacts Getting started Overview & Evolving Requirements DFARS 252.204-7012 - Safeguarding Covered Defense Information
More informationThe HIPAA Omnibus Rule
The HIPAA Omnibus Rule What You Should Know and Do as Enforcement Begins Rebecca Fayed, Associate General Counsel and Privacy Officer Eric Banks, Information Security Officer 3 Biographies Rebecca C. Fayed
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationCOMPLIANCE IN THE CLOUD
COMPLIANCE IN THE CLOUD 3:45-4:30PM Scott Edwards, President, Summit 7 Dave Harris Society for International Affairs COMPLIANCE IN THE CLOUD Scott Edwards scott.edwards@summit7systems.com 256-541-9638
More informationNY DFS Cybersecurity Regulations August 8, 2017
NY DFS Cybersecurity Regulations August 8, 2017 23 NYCRR Part 500 Asking Questions Anti-Trust Policy As a CPCU approved education program related to The Institutes Chartered Property Casualty Underwriter
More informationHIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp
HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp Agenda Introductions HIPAA Background and History Overview of HIPAA Requirements
More informationData Use and Reciprocal Support Agreement (DURSA) Overview
Data Use and Reciprocal Support Agreement (DURSA) Overview 1 Steve Gravely, Troutman Sanders LLP Jennifer Rosas, ehealth Exchange Director January 12, 2017 Introduction Steve Gravely Partner and Healthcare
More informationThe Honest Advantage
The Honest Advantage READY TO CHALLENGE THE STATUS QUO GSA Security Policy and PCI Guidelines The GreenStar Alliance 2017 2017 GreenStar Alliance All Rights Reserved Table of Contents Table of Contents
More informationGeneral Data Protection Regulation (GDPR)
BCD Travel s Response to the EU General Data Protection Regulation (GDPR) November 2017 Page 1 Response to the EU GDPR Copyright 2017 by BCD Travel N.V. All rights reserved. November 2017 Copyright 2017
More informationIMPROVING CYBERSECURITY AND RESILIENCE THROUGH ACQUISITION
IMPROVING CYBERSECURITY AND RESILIENCE THROUGH ACQUISITION Briefing for OFPP Working Group 19 Feb 2015 Emile Monette GSA Office of Governmentwide Policy emile.monette@gsa.gov Cybersecurity Threats are
More informationFinancial Regulations, Enforcement & Cybersecurity
Financial Regulations, Enforcement & Cybersecurity Elizabeth P. Gray May 16, 2017 Copyright 2017 by Willkie Farr & Gallagher LLP. All Rights Reserved. These course materials may not be reproduced or disseminated
More informationHow to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016
How to Respond to a HIPAA Breach Tuesday, Oct. 25, 2016 This Webinar is Brought to You By. About HealthInsight and Mountain-Pacific Quality Health HealthInsight and Mountain-Pacific Quality Health are
More informationSTATE OF NEW JERSEY. ASSEMBLY, No th LEGISLATURE. Sponsored by: Assemblywoman ANNETTE QUIJANO District 20 (Union)
ASSEMBLY, No. 0 STATE OF NEW JERSEY th LEGISLATURE INTRODUCED NOVEMBER 0, 0 Sponsored by: Assemblywoman ANNETTE QUIJANO District 0 (Union) SYNOPSIS Requires certain persons and business entities to maintain
More informationFISMAand the Risk Management Framework
FISMAand the Risk Management Framework The New Practice of Federal Cyber Security Stephen D. Gantz Daniel R. Phi I pott Darren Windham, Technical Editor ^jm* ELSEVIER AMSTERDAM BOSTON HEIDELBERG LONDON
More informationInside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.
Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D. HIPAA GENERAL RULE PHI may not be disclosed without patient authorization
More information