DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D'Arezzo, Director of Security Services. SLAITCONSULTING.com


Introduction
- 18+ year career in Information Technology and Security
- General Electric (GE) as Software Governance Leader and Third Party Risk Compliance
- University of Richmond (Go Spiders!)
- ISC2 CISSP & ISACA CISA

Building a Compliance Program
- Develop a comprehensive program that is secure and compliant
- A program your organization can support
- A maintainable program that is developed to be future proof

There are 14 families of controls and 110 individual controls in NIST SP 800-171, the framework that provides guidance on supporting DFARS compliance. In this presentation, Mike will walk through the controls and discuss some of the tricky points and questions you may have in supporting compliance for DFARS. Are you prepared to respond within 72 hours to a cyber incident, and how is such an incident defined? The goal of this presentation is to walk new and/or unsure users through the requirements and begin preparations for the December 31, 2017 deadline.

CDI versus CUI: Controlled Unclassified Information
Information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies, but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
- Much broader than CDI
- Think "category"

CDI versus CUI: Covered Defense Information
Unclassified controlled technical information or other information (as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html) that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is:
(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

NIST 800-171 DFARS Compliance (DFARS 252.239-701)
Deadline: December 31st, 2017

Control Families (NIST SP 800-171)
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity

Access
- Data Classification
- Asset Management
- Access Levels and Compartmentalizing
- Network Segmentation
- Know Thyself

Data Lifecycle
- Data Lifecycle Requirements
- Storage requirements
- Transfer or cryptographic requirements
- Data Destruction requirements

Physical Security
- Privilege based access
- Visitor access processes
- Data center access
- Maintain logging of activities

Monitoring of Systems and Messaging
- Review of monitoring methodology
- Monitoring of internal to external communication
- Security Awareness and Training on Phishing attacks for your employees
- Protection from Whaling, or attacks on management targets

Network Security
- Logical network design and road maps for growth
- Validation of network segmentation to avoid spillage
- Endpoint and network security for protection against viruses and malicious code

Risk vs. Security Assessment
- Risk measures what may potentially affect you: Loss x Potential = Risk
- Threat Dictionary
- A Security Assessment reviews your environment
- Defense in Depth
- Test of Design and Test of Effectiveness

System and Communications Protection & Incident Response
- Network Intrusion Detection
- Log Management
- Vulnerability and Asset Management Scanning
- Incident Response Analysis and Prioritization
- Tabletop Exercise / Threat Simulation

How Do I Get There?
- Visibility: understand your data and projects
- Simplify: create workflows to build new projects
- Observe, Analyze, Redirect, Review
- Sample Test to ensure controls are effective
- Collaborate!

Where to Get Help
- DoDI 8582.01, Security of Unclassified DoD Information on Non-DoD Information Systems
- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
- NIST SP 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations
- NIST Framework for Improving Critical Infrastructure Cybersecurity
- Federal Risk and Authorization Management Program (FedRAMP)
- DoD Cloud Computing Security Requirements Guide (SRG)
From http://dodcio.defense.gov/portals/0/documents/public%20meeting%20-%20Jun%2023%202017%20Final.pdf?ver=2017-06-25-022504-940

Six Security Pillars in the SLAIT ThreatManage USM Platform
- SLAIT ThreatManage USM SIEM: Log Collection, OTX Threat Data, SIEM Event Correlation, Incident Response
- ASSET DISCOVERY: Active Network Scanning, Passive Network Scanning, Asset Inventory, Software Inventory
- BEHAVIORAL MONITORING: Netflow Analysis, Service Availability Monitoring
- ENDPOINT RESPONSE: SLAIT Threat Intelligence, Flight Data Recorder, Live Response, Threat Actor Detection / Remediation
- THREAT DETECTION: Network IDS, Host IDS, File Integrity Monitoring
- VULNERABILITY ASSESSMENT: Continuous Vulnerability Monitoring, Authenticated / Unauthenticated Active Scanning

SLAIT Security Offerings (Governance, Prevention, Response)
- Risk Assessment
- Policy and Procedure
- PCI Prep
- HIPAA Gap Analysis
- Audit Preparation Assistance
- Security Organization Review
- Security Checkup
- Managed Firewall and Endpoint
- Secure Infrastructure Design & Review
- vCISO Program
- Awareness Training
- Assessment: Vulnerability Scanning, Penetration Testing, Phishing Exercises
- ThreatRecon: Pre-breach Preparation
- ThreatManage: Breach Response, Cyber Forensics

Innovative Solutions for Forward Thinking Companies: some of SLAIT's Technology Partners

References
- http://www.acq.osd.mil/dpap/dars/dfars/html/current/204_73.htm
- https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm
- https://www.archives.gov/cui/about
- https://federalnewsradio.com/records-managementmonth/2016/11/classified-vs-controlled-unclassified-information-know/
- http://www.acq.osd.mil/dpap/pdi/docs/faqs_network_penetration_reporting_and_contracting_for_cloud_services_(01-27-2017).pdf
- http://dodcio.defense.gov/portals/0/documents/public%20meeting%20-%20Jun%2023%202017%20Final.pdf?ver=2017-06-25-022504-940