ROADMAP TO DFARS COMPLIANCE

ARE YOU READY FOR THE 12/31/17 DEADLINE?

In our ebook, we have answered the most common questions we receive from companies preparing for DFARS compliance. Don't risk terminated contracts and lost business opportunities. Gain a major competitive advantage over non-compliant competitors and start on the path to compliance today! The clock is ticking.

According to the World Economic Forum's 2016 Global Risks Report, cybercrime will cost the global economy $445 billion in 2017, higher than many countries' national incomes. 2017 has been marked by high-profile cyberattacks, including the WannaCry ransomware attacks, multimillion-dollar bank heists, and a series of major data breaches. In our increasingly connected world, the threat of cyberattack only increases, especially for those handling sensitive information. Federal defense contractors today are a prime target of sophisticated and coordinated cyberattacks. To protect our country's crown jewels, Department of Defense (DoD) contractors must demonstrate compliance with the newly issued Defense Federal Acquisition Regulation Supplement (DFARS) requirements by December 31, 2017. DFARS contains a number of provisions and clauses that can be complicated and confusing to navigate for large and small businesses alike. The regulation has two primary requirements for all contractors, subcontractors, and other relevant business partners:

1. The implementation of National Institute of Standards & Technology (NIST) Special Publication (SP) 800-171 controls
2. The establishment of cyber incident reporting procedures

Table of Contents

Does DFARS apply to my company? ... 4
What are the consequences of non-compliance? ... 4
What information does DFARS protect? ... 5
What clauses and provisions do I need to comply with? ... 6
What is the roadmap to DFARS compliance? ... 8
How can Aronson help my company achieve compliance? ... 9

AronsonLLC AronsonLLC.com 3

Does DFARS apply to my company?

DFARS compliance requires all defense contractors to safeguard Covered Defense Information (CDI) within their custody. If you answer yes to any of these questions, then DFARS requirements apply to your company:

- Is your company a DoD contractor, subcontractor, or other business partner? ... Very likely.
- Does your company work with CDI, Controlled Unclassified Information (CUI), or Unclassified Controlled Technical Information (UCTI)? ... Absolutely.
- Is DFARS Provision 252.204-7008 in the language for a solicitation you are bidding on? ... Absolutely.
- Is DFARS Clause 252.204-7012 used in your existing contract requirements? ... Absolutely.

What are the consequences of non-compliance?

The deadline for DFARS compliance is December 31, 2017. Non-compliant contractors will at this time be debarred or disqualified from any new DoD contracts. Companies who meet the DFARS requirements will enjoy a competitive advantage and a continued business relationship with the DoD. Defense contractors should select teaming partners with great care to avoid teaming with non-compliant companies. Prime contractors should seek assurances from subcontractors that, to their knowledge, they have not been excluded from participation in any relevant procurement involving the DoD.

What information does DFARS protect?

DFARS enforces standardized controls for how the following types of sensitive information are processed, stored, and transmitted in non-federal information systems (i.e. defense contractors' systems).

CDI: COVERED DEFENSE INFORMATION
UCTI or other information (as described in the CUI Registry) that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies, and that is:
- Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract.
- Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract. (DFARS 204.7301)

CUI: CONTROLLED UNCLASSIFIED INFORMATION
Information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended. (NIST SP 800-171)

CTI: CONTROLLED TECHNICAL INFORMATION
Technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. (DFARS 204.7301)

What clauses and provisions do I need to comply with?

DFARS will be enforced through clauses and provisions associated with the procurement process. Clauses are terms or conditions used in contracts and solicitations; a clause applies either after contract award or both before and after award. Provisions are terms or conditions used in solicitations that apply only before contract award. DFARS Section 204.7304 details the following solicitation provisions and clauses.

DFARS 252.204-7008: Compliance with Safeguarding Covered Defense Information Controls

This provision requires defense contractors to implement NIST SP 800-171 controls no later than December 31, 2017. NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, includes 110 controls organized into 14 families. Table 1 below lists the number of controls within each of the NIST SP 800-171 control families.

Table 1: NIST SP 800-171 CONTROL FAMILIES (number of controls in each family)
- Access Control (22)
- Awareness & Training (3)
- Audit & Accountability (9)
- Configuration Management (9)
- Identification & Authentication (11)
- Incident Response (3)
- Maintenance (6)
- Media Protection (9)
- Personnel Security (2)
- Physical Protection (6)
- Risk Assessment (3)
- Security Assessment (4)
- System & Communications Protection (16)
- System & Information Integrity (7)

DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting

This clause requires contractors to implement adequate security on all covered contractor information systems by implementing NIST SP 800-171 controls. A covered contractor information system is an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits CDI. Adequate security is defined as protective measures that are commensurate with the consequences and probability of loss, misuse, unauthorized access to, or modification of information. These requirements do not apply to contractor information systems that are not part of an IT service or system operated on behalf of the government.

This clause also details the approved medium for reporting cyber incidents and the types of incidents that should be reported (e.g. malicious software), along with media preservation and protection measures. Related requirements regarding post-incident analysis are included. All incidents must be rapidly reported, which equates to within 72 hours of cyber incident discovery.

Finally, this clause allows contractors to identify situations in which a required control might not be applicable or an alternative control exists. If a potential exemption has been identified, the request must be submitted to the Contracting Officer (CO) for consideration. The request should sufficiently detail the rationale for the exemption, which could be based on compensating controls. Subcontractors must notify the prime contractor (or next higher tier) that the request has been submitted. An authorized representative of the DoD Chief Information Officer (CIO) will provide the final decision on exemption requests.

DFARS 252.204-7009: Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information

This clause requires that defense contractors use CDI for appropriate purposes that are in accordance with contract requirements. It also details safeguards the contractor must implement to protect such information, including requiring employees to be aware of their non-disclosure obligations. This clause must also be included in any subcontracts.

DFARS 252.239-7010: Cloud Computing Services

This clause details cloud computing security requirements when cloud services are used to perform a contract. The requirements include the implementation and maintenance of administrative, technical, and physical safeguards in accordance with the Cloud Computing Security Requirements Guide. Cyber incidents related to cloud computing must also be reported accordingly.

For all contracts awarded prior to October 1, 2017, the contractor must notify the DoD CIO, via email at osd.dibcsia@mail.mil, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 that were not implemented at the time of contract award.

What is the roadmap to DFARS compliance?

In order to meet the December 31, 2017 deadline, time is of the essence! As there are 110 controls in NIST SP 800-171, there is no time to waste. Our structured approach, featuring a gap analysis, will help your business focus its efforts and make informed decisions on a remediation approach for deficient areas. Figure 1 below summarizes the Aronson DFARS Roadmap Compliance Stages.

Figure 1: Aronson DFARS Compliance stages: Applicability, Readiness Assessment, Remediation, Continuous Monitoring.

DID YOU KNOW: The cost of DFARS compliance is considered an allowable cost under the Federal Acquisition Regulation (FAR) and Cost Accounting Standards (CAS)?

Evaluate Applicability
- Review contracts to identify relevant DFARS clauses and provisions.
- Review DFARS to determine the type of CDI or CUI that may be in use.
- Confirm applicability with the CO as needed to establish mutual understanding.
- Determine the system boundaries that support compliance.

Perform Readiness Assessment
- Conduct a control gap analysis against NIST SP 800-171.
- Develop recommendations for identified deficiencies.
- Hold discussions with subcontractors and other business partners as needed to ensure they are on track for compliance as well; this includes coordination for breach management and notification.

Execute Remediation Plans
- Develop or revise controls as needed to remediate control gaps against NIST SP 800-171.
- Conduct validation testing after remediation is completed to confirm controls are designed and operating effectively (as determined by management).

Conduct Continuous Monitoring
- Develop a continuous monitoring program including tools, templates, reports, and metrics.
- Conduct monitoring activities and provide status updates to relevant stakeholders on performance.

How can Aronson help my company achieve compliance?

For more than 35 years, Aronson has focused on serving the unique needs of the government contracting industry, which today is the single largest segment of our business. We work with more than 800 government contractors, including many emerging small businesses, established government contractors, and large commercial companies entering the government market for the first time. Our Technology Risk Services Group is committed to helping government contractors better manage technology risks and navigate the complexities of compliance. Our dedicated team members offer significant experience supporting both federal agencies and contractors with IT control compliance and remediation projects. Our combined experience in these areas provides our team with a unique perspective and a level of knowledge that is unparalleled.

Whether your company needs help with conducting all or some of the compliance roadmap stages, our team is ready to partner with you to support your achievement of DFARS compliance on time and on budget.

Don't risk the consequences of non-compliance. Contact Payal Vadhani today and secure a major competitive advantage against non-compliant competitors.

Payal Vadhani
Technology Risk Services Group Lead Partner
301.231.6259
pvadhani@aronsonllc.com