Cybersecurity for Government Contractors: Preparing for Cyber Incidents in 2017


March 23, 2017

Presented by:
Keir Bancroft, Partner, Venable LLP, KXBancroft@Venable.com, 202.344.4826
Louverture Jones, Senior Manager, Deloitte Advisory, Deloitte & Touche LLP, loujones@deloitte.com, 305.808.2548

Keir X. Bancroft
Keir Bancroft provides a range of services to government contractors, including litigation, transactional, and compliance matters. Mr. Bancroft works with large, mid-sized and small businesses, and often handles small business-related issues. Within the broad rubric of cybersecurity, Mr. Bancroft specializes in information security and privacy compliance for government contractors. He helps clients address information safeguarding and incident response requirements under the Federal Information Security Act (FISMA) and subsequent amendments, the Risk Management Framework, the Privacy Act, and similar requirements. Mr. Bancroft also focuses on national security and industrial security issues arising under the National Industrial Security Program Operating Manual (NISPOM).

Louverture Jones
Louverture Jones is an executive-level leader in cyber risk and security services, having 17 years of experience capturing and delivering transformative security strategy, governance/risk compliance and technical integration for clients within the public and private sectors. His portfolio of industry exposure includes Energy, Financial Services, Healthcare, and DoD customers, working as the President of a Cyber Security Services Company and as the Cyber Security Director for a large technical services company. Mr. Jones's past successes include the integration of cyber governance and risk management programs, enterprise security technology investment planning, computer forensics, data breach investigations, secure application design, penetration and compliance testing, vulnerability assessments, security incident and event monitoring system (SIEM) deployments and Network Admission Control (NAC).

Contents: Cybersecurity for Government Contractors: Tips to Prepare for Cyber Incidents in 2017
1. Understanding the Rules
2. Learning About Incident Response
3. Demonstrating Safeguarding
4. Managing Compliance Throughout the Supply Chain
5. Consider Cloud Computing

Understanding the Rules
DoD Rule on Network Penetration Reporting: A Model for Safeguarding CUI

A Brief History
- 2013 NDAA Sec. 941: cleared contractors; network cyber penetration
- 2013: DoD Rule on Safeguarding Unclassified Controlled Technical Information
- 2015 NDAA Sec. 1632: operationally critical contractors; rapid reporting
- August to December 2015: interim rule, class deviation, and second interim rule issued, applying to reporting and cloud
- October 2016: final rule issued

What Is the Importance of the Rules?
Information security consequences:
- Prescribes safeguarding controls
- One reporting obligation, but it may be one of many reporting obligations
Contract compliance issues:
- Termination for default
- Suspension and debarment
- False Claims Act or qui tam actions
- Adds to the mix of non-federal contracting implications

Provisions and Clauses
- Subpart 204.73, Safeguarding Covered Defense Information and Cyber Incident Reporting
- Subpart 239.76, Cloud Computing
- 252.204-7008, Compliance With Safeguarding Covered Defense Information Controls (Oct 2016)
- 252.204-7009, Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information (Oct 2016)
- 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (Oct 2016)
- 252.239-7009, Representation of Use of Cloud Computing (Sep 2015)
- 252.239-7010, Cloud Computing Services (Oct 2016)

Covered Defense Information (CDI)
Unclassified controlled technical information, or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is:
1. Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of the DoD in support of the performance of the contract; or
2. Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

NARA CUI Registry
- Per E.O. 13566, establishes a common taxonomy of CUI across federal agencies, DoD and civilian.
- Gives contractors greater insight into CUI across federal agencies.
- Agencies may apply limited dissemination controls.

Implementation Resources
- DoD FAQs, last updated January 2017. Part of DoD outreach efforts to clarify implementation of the rule.
- Available at: http://www.acq.osd.mil/dpap/pdi/network_penetration_reporting_and_contracting.html

Multiple Approaches to CUI: DFARS Network Penetration Reporting and FAR Basic Safeguarding Clause

Covered Contractor Information System
- The definition under DFARS 252.204-7012 was amended to clarify that it is an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.
- The FAR Basic Safeguarding Clause, FAR 52.204-21 (JUN 2016), defines a covered contractor information system as an information system that is owned or operated by a contractor that processes, stores, or transmits Federal contract information.

Basic Safeguarding Requirements
Requirements under FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems:
1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems);
2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute;
3. Verify and control/limit connections to and use of external information systems;
4. Control information posted or processed on publicly accessible information systems;
5. Identify information system users, processes acting on behalf of users, or devices;
6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems;
7. Sanitize or destroy information system media containing Federal contract information before disposal or release for reuse;
8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals;
9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices;
10. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems;
11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks;
12. Identify, report, and correct information and information system flaws in a timely manner;
13. Provide protection from malicious code at appropriate locations within organizational information systems;
14. Update malicious code protection mechanisms when new releases are available;
15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened or executed.

Learning About Incident Response
Considerations Before and During Your 72-Hour Reporting Window

72-Hour Cyber Incident Reporting Obligations
- Cyber Incident: action taken through the use of computer networks that results in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.
- Investigate any cyber incident that affects:
  - a covered contractor information system or CDI residing on that system; or
  - the contractor's ability to perform any parts of a contract designated as operationally critical support.
- Operationally Critical Support is defined as: supplies or services designated by the Government as critical for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.

Notes on Operationally Critical Support
- Note there are additional, non-DoD considerations. E.g., the definition of a contractor's capabilities may define a cause of action by the FTC.
- DoD clarification: operationally critical support is an activity, not an information type, performed by the contractor or subcontractor.
- Requires reporting of cyber incidents that affect the contractor's ability to perform contract requirements designated as operationally critical support.
- Operationally critical support requirements must be marked or otherwise identified in the contract, task order, or delivery order.

Cyber Incident Reviews
Seek evidence of a compromise of CDI. A compromise includes:
- Disclosure of information to unauthorized persons;
- Violation of system security policy;
- Unauthorized (either intentional or unintentional) disclosure, modification, destruction or loss of an object;
- Copying of information to unauthorized media.

Scope of a Review
- Identify compromised computers, servers, specific data, and user accounts;
- Analyze covered contractor information systems that were part of the cyber incident;
- Analyze other information systems that may have been accessed as a result of the incident;
- Identify all compromised CDI, and any details that may affect the contractor's ability to provide operationally critical support.

Nuts and Bolts of Reporting
- Obtain a DoD-Approved Medium Assurance Certificate. Take time to obtain this NOW; do not wait until you experience a cyber incident. http://iase.disa.mil/pki/eca/pages/index.aspx
- Report through the DoD-DIB Cyber Incident Reporting & Cyber Threat Information Sharing Portal: http://dibnet.dod.mil/
- Subcontractor Reporting: remember, subcontractors report directly to DoD.

Sample: IASE Certification Authority Website (screenshot)

Sample: Incident Reporting Portal (screenshot)

Post-Reporting Considerations (to think about NOW)

Post-Reporting Obligations
- 90-Day Image Protection: preserve images of affected systems.
- Forensic Analysis: give DoD access to affected systems and equipment. DoD contractors performing forensic analysis are restricted from disclosing information.
- Information Requests: provide relevant information at DoD request.
- Report Malicious Software: isolate any malicious software identified in a review.

Protect Attributional or Proprietary Information!
- Defined as information identifying the contractor, its trade secrets, and its commercially sensitive information.
- DoD will try to reduce attributional/proprietary information when it shares cyber incident information with:
  - Affected entities;
  - Forensic analysts;
  - Law enforcement/counterintelligence agencies;
  - Defense Industrial Base (DIB) participants.
- Make it easy for DoD to identify and withhold attributional or proprietary information; mark the information clearly.

Protect Attributional or Proprietary Information: DoD Support Service Contractors, beware!
- DoD contracts with support service providers ("Recipient Contractors") to assist in handling cyber incidents.
- Recipient Contractors must ensure employees are subject to nondisclosure obligations.
- Breach of nondisclosure obligations may subject a Recipient Contractor to:
  - Criminal, civil, administrative, or contractual actions by the Government;
  - Civil actions from the contractor reporting the cyber incident.

Demonstrating Safeguarding
Complying with NIST SP 800-171

Which Requirements Apply?
- Part of an IT service or system operated on behalf of the Government:
  - Cloud computing services: apply new DFARS 252.239-7010, Cloud Computing Services
  - Non-cloud: look to other contract requirements
- NOT part of an IT service or system operated on behalf of the Government: apply NIST Special Publication 800-171 security controls

SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
- Replaces SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, in the safeguarding rules
- Focuses on nonfederal systems
- 14 security objectives, addressing safeguarding of controlled unclassified information (CUI)
- December 30, 2017 deadline for contractors to implement 800-171

NIST 800-171 Families of Security Requirements
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity

DoD Class Deviations, October 2015
- Deviations implemented to grant contractors 9 additional months to comply with 800-171 Security Requirement 3.5.3, "Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts."
- Requires notification to the contracting officer if additional time is necessary.
- A key indicator of the DoD's focus on some of the higher-profile security requirements under NIST SP 800-171.

30-Day Notification Requirement
- Applies to all contracts awarded prior to October 1, 2017.
- Within 30 days of contract award, the contractor must provide the DoD CIO with a list of security requirements the contractor is not implementing at the time of award.
- Notification via e-mail to osd.dibcsia@mail.mil.

252.204-7008, Compliance With Safeguarding Covered Defense Information Controls (OCT 2016)
- Directs that security requirements covered under 252.204-7012 shall be implemented for all CDI on all covered contractor information systems supporting the contract performance.
- Provides the process for seeking a variance from the DoD CIO before award: "If the Offeror proposes to vary from any of the security requirements specified by NIST 800-171 that are in effect at the time the solicitation is issued..."
- An authorized representative of the DoD CIO will adjudicate offeror requests to vary from NIST SP 800-171 requirements in writing prior to contract award.
- Any accepted variance from NIST SP 800-171 shall be incorporated into the resulting contract.

Post-Award Variances
- 252.204-7012(b)(2)(ii)(B), (C) has been updated to provide for post-award variance requests.
- The Contractor shall submit requests to vary from NIST SP 800-171 in writing to the Contracting Officer, for consideration by the DoD CIO.
- The Contractor need not implement any security requirement adjudicated by an authorized representative of the DoD CIO to be nonapplicable or to have an alternative, but equally effective, security measure that may be implemented in its place.
- If the DoD CIO has previously adjudicated the contractor's requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the Contracting Officer when requesting its recognition under this contract.

Seeking Variance from Application of SP 800-171
- Alternative, equally effective, security measures to protect CDI: propose these in order to compensate for an inability to satisfy a requirement under a clause.
- Non-applicability: propose why a particular safeguarding requirement in some cases is not applicable.
- Why do this?
  - You as the prime contractor may not be able to, or may have a reason not to, protect certain information.
  - Your subcontractor(s) may push back on 800-171 safeguarding requirements.

DoD Obligations Clarified Under Final Rule
- Variance requests are submitted to the contracting officer, who refers them to the DoD CIO for adjudication.
- The contracting officer will act as liaison if the DoD CIO requests more information in support of the contractor's request for variance.
- 5 business days is the typical response time for the DoD CIO.

DoD Basis for Variance Determination
- Basis for determining if an alternative is acceptable: whether the alternative is equally effective.
- Basis for determining if a security requirement is not applicable: whether the basis or condition for the requirement is absent.
- The DoD CIO is responsible for ensuring consistent adjudication of proposed non-applicable or alternative security measures.
- Evaluation may impact the award decision. This is not a requirement of the rule, but a solicitation may be drafted to provide for an evaluation to impact an award decision.

Managing Compliance Throughout the Supply Chain
Negotiating Obligations With Subcontractors

Flowdown
- Obligations flow down to certain subcontractors:
  - Subcontractors whose efforts will involve CDI; or
  - Subcontractors that will provide operationally critical support.
- The contracting officer may be consulted to determine if the subcontractor is handling CDI, or providing operationally critical support.
- Obligations must be flowed down without alteration (except to identify the parties). No tailoring.

Considerations for Prime Contractors
- Be mindful of whether subcontractor efforts will involve CDI, or if the subcontractor will provide operationally critical support.
- Consider the subcontractor's ability to comply with 800-171 requirements.
- Ascertain if the subcontractor needs to request a variance from any 800-171 security requirements.
- Negotiate reporting obligations:
  - Arrange for the subcontractor to furnish the prime contractor a redacted copy of its cyber incident report.
  - Seek confirmation from the subcontractor that the prime contractor's attributional information will not be disclosed.

Considerations for Subcontractors
- Seek confirmation from the Agency of whether the scope of the subcontract involves CDI, or if the subcontractor is obligated to provide operationally critical support.
- Do the clauses have to be flowed down to second-tier subcontractors?
- Negotiate with the prime to provide redacted copies of its cyber incident reports.
- Obtain confirmation that the prime contractor will protect attributional information.

Consider Cloud Computing
Cloud Computing Requirements Under DoD Rules

Clauses
- DFARS 252.239-7009, Representation of Use of Cloud Computing: allows contractors to represent whether they intend to use cloud computing services in performance of the contract.
- DFARS 252.239-7010, Cloud Computing Services: addresses access, security, and reporting requirements. Applies to all solicitations for information technology services (including commercial items solicitations).

Applying Controls
- A contractor using cloud computing services must implement and maintain administrative, technical, and physical safeguards and controls.
- Requirements are established in the Cloud Computing Security Requirements Guide (SRG): http://iase.disa.mil/cloud_security/pages/index.aspx
- Physical Location: maintain within the U.S. or outlying areas all government data not located on DoD premises. The Contracting Officer may provide written instructions to use another location.

Access and Disclosure
Limitations on Government Data and Government-Related Data, including:
- Government Data: defined as information, document, media, or machine readable material regardless of physical form or characteristics, that is created or obtained by the Government in the course of official Government business.
- Government-Related Data: defined as information, document, media, or machine readable material regardless of physical form or characteristics that is created or obtained by a contractor through the storage, processing, or communication of Government data. Excludes the contractor's business records (e.g., financial records, legal records, etc.) or data such as operating procedures, software coding or algorithms that are not uniquely applied to the Government data.
- The contractor must impose access, use, and disclosure obligations on employees.
- The contractor may not access, use, or disclose Government data unless specifically authorized by the terms of this contract or a task order or delivery order issued hereunder.

Compared to DFARS 252.204-7012 Obligations
- Reporting obligations, but not on a 72-hour timeline;
- Specifies that contractors must submit malicious software per contracting officer instructions;
- Requirement to preserve and maintain images of affected systems, and relevant monitoring/packet capture data, for at least 90 days from submission of the cyber incident report;
- Granting DoD access for forensic analysis;
- Providing damage assessment information.

Spillage (in addition to cyber incidents)
- Defined as an incident that results in the transfer of classified or controlled unclassified information onto an information system not accredited for the appropriate security level.
- May be detected by the contractor or the government.
- The contractor must cooperate with the contracting officer to address the spillage.

Records Management and Facility Access
- The contractor is subject to transmission and disposal obligations with respect to government data and government-related data.
- Access to data, personnel, and facilities must be granted for purposes of audits, investigations, inspections, or other similar activities as authorized by law or regulation.
- Third-party access: the Government must be informed of warrants, seizures, or subpoenas for government data or government-related data. The contractor must protect against unauthorized disclosure.

Subcontract Flowdown Obligations
- The prime must flow down requirements under DFARS 252.239-7010 to all subcontracts that involve, or may involve, cloud services.
- Includes subcontracts for commercial items.

Take-Aways: Key Tips for Consideration
1. Understand the Rules: understand CUI and Covered System; register for a Medium Assurance Certificate.
2. Incident Response: prepare an incident response plan; identify all Attributional/Proprietary Information.
3. Demonstrate Safeguarding: assess 800-171 compliance; prepare a request for variance from safeguarding standards.
4. Manage Compliance: negotiate flowdown terms with subcontractors; obtain buy-in on subcontract applicability.
5. Consider Cloud Computing: assess appropriate locations for cloud storage; understand concepts of spillage and prepare for reporting.

Questions?
Keir Bancroft, Partner, Venable LLP, KXBancroft@Venable.com, 202.344.4826
Louverture Jones, Senior Manager, Deloitte Advisory, Deloitte & Touche LLP, loujones@deloitte.com, 305.808.2548