Department of Defense Cybersecurity Requirements: What Businesses Need to Know?

Similar documents
ROADMAP TO DFARS COMPLIANCE

Cybersecurity Challenges

Safeguarding of Unclassified Controlled Technical Information. SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION (NOV 2013)

CYBER SECURITY BRIEF. Presented By: Curt Parkinson DCMA

Safeguarding unclassified controlled technical information (UCTI)

Get Compliant with the New DFARS Cybersecurity Requirements

OFFICE OF THE UNDER SECRETARY OF DEFENSE 3000DEFENSEPENTAGON WASHINGTON, DC

2017 SAME Small Business Conference

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

Handbook Webinar

NIST Special Publication

Cyber Security Challenges

DFARS Cyber Rule Considerations For Contractors In 2018

Safeguarding Unclassified Controlled Technical Information

DEFENSE LOGISTICS AGENCY AMERICA S COMBAT LOGISTICS SUPPORT AGENCY. Cyber Security. Safeguarding Covered Defense Information.

DFARS Safeguarding Covered Defense Information The Interim Rule: Cause for Confusion and Request for Questions

DFARS , NIST , CDI

Cyber Attacks & Breaches It s not if, it s When

DOD s New Cyber Requirements: Impacts on DOD Contractors and Subcontractors

Cybersecurity Risk Management

Cybersecurity for Government Contractors: Preparing for Cyber Incidents in 2017

Safeguarding Controlled Unclassified Information and Cyber Incident Reporting. Kevin R. Gamache, Ph.D., ISP Facility Security Officer

Preparing for NIST SP January 23, 2018 For the American Council of Engineering Companies

Cybersecurity in Acquisition

Compliance with NIST

DFARS Defense Industrial Base Compliance Information

Cybersecurity: Incident Response Short

Executive Order 13556

PilieroMazza Webinar Preparing for NIST SP December 14, 2017

2018 SRAI Annual Meeting October Dana Rewoldt, CRA, Associate Director of OIPTT, Iowa State University, Ames, IA, USA

Tinker & The Primes 2017 Innovating Together

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

Advanced Technology Academic Research Council Federal CISO Summit. Ms. Thérèse Firmin

Special Publication

Cyber Security Challenges

INTRODUCTION TO DFARS

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations (NIST SP Revision 1)

Click to edit Master title style

SYSTEMS ASSET MANAGEMENT POLICY

Cyber Security For Business

Compliance with CloudCheckr

COMPLIANCE IN THE CLOUD

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA

Rocky Mountain Cyberspace Symposium 2018 DoD Cyber Resiliency

November 20, (Via DFARS Case 2013-D018)

Technical Guidance and Examples

Quick Start Strategy to Compliance DFARS Rob Gillen

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

SAC PA Security Frameworks - FISMA and NIST

Notification of Issuance of Binding Operational Directive and Establishment of. AGENCY: National Protection and Programs Directorate, DHS.

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

New Guidance on Privacy Controls for the Federal Government

Information Assurance 101

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

Federal Initiatives to Protect Controlled Unclassified Information in Nonfederal Information Systems Against Cyber Threats

Cybersecurity and Program Protection

INFORMATION ASSURANCE DIRECTORATE

Regulating Information: Cybersecurity, Internet of Things, & Exploding Rules. David Bodenheimer Evan Wolff Kate Growley

Controlled Unclassified Information (CUI) and FISMA: an update. May 12, 2017 Mark Sweet, Nancy Lewis, Grace Park Stephanie Gray, Alicia Turner

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016

Information Warfare Industry Day

10/18/2016. Preparing Your Organization for a HHS OIG Information Security Audit. Models for Risk Assessment

INFORMATION ASSURANCE DIRECTORATE

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC

American Association for Laboratory Accreditation

Rev.1 Solution Brief

Another Cook in the Kitchen: The New FAR Rule on Cybersecurity

FedRAMP Security Assessment Framework. Version 2.1

the SWIFT Customer Security

FedRAMP Training - Continuous Monitoring (ConMon) Overview

FedRAMP Security Assessment Framework. Version 2.0

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

DRAFT. NIST MEP CYBERSECURITY Self-Assessment Handbook

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Click to edit Master title style

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Best Practices in Securing a Multicloud World

Cyber Security Program

Cybersecurity in Higher Ed

IMPROVING CYBERSECURITY AND RESILIENCE THROUGH ACQUISITION

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Industry Perspectives on Active and Expected Regulatory Actions

INFORMATION ASSURANCE DIRECTORATE

Automating the Top 20 CIS Critical Security Controls

Why is the CUI Program necessary?

The FAR Basic Safeguarding Rule

Agency Guide for FedRAMP Authorizations

Supplier Training Excellence Program

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

SECURITY & PRIVACY DOCUMENTATION

U.S. FLEET CYBER COMMAND U.S. TENTH FLEET Managing Cybersecurity Risk

Information for entity management. April 2018

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Continuous protection to reduce risk and maintain production availability

Streamlined FISMA Compliance For Hosted Information Systems

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

Transcription:

Department of Defense Cybersecurity Requirements: What Businesses Need to Know? Why is Cybersecurity important to the Department of Defense? Today, more than ever, the Department of Defense (DoD) relies upon external contractors and suppliers to carry out a wide range of missions. Sensitive data is shared with these companies and must be protected. Inadequate safeguards of this sensitive data may threaten America s national security and put service members lives at risk. What has DoD done to address this issue? DoD has implemented a basic set of cybersecurity controls through DoD policies and the Defense Federal Acquisition Regulation Supplement (DFARS). The DFARS rules and clauses apply to the safeguarding of contractor/supplier information systems that process, store or transmit Controlled Unclassified Information (CUI). https://www.archives.gov/cui/registry These security controls must be implemented at both the contractor and subcontractor levels based on information security guidance developed by the National Institute of Standards and Technology (NIST) Special Publication 800-171 Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations. How does this affect small businesses? DoD contractors and suppliers (including small businesses) must adhere to two basic cybersecurity requirements: (1) They must provide adequate security to safeguard covered defense information that resides in or transits through their internal unclassified information systems from unauthorized access and disclosure; and (2) They must rapidly report cyber incidents and cooperate with DoD to respond to these security incidents, including access to affected media and submitting malicious software. What is adequate security? The set of minimum cybersecurity standards are described in NIST Special Publication 800-171 and broken down into fourteen areas: Access Control Media Awareness & Training Audit & Accountability Configuration Management

Identification & Authentication Incident Response Maintenance Media Protection Personnel Security Physical Protection Risk Assessment Security Assessment System & Communications Protection System & Information Integrity In each of these areas, there are specific security requirements that DoD contractors/suppliers must implement. What is the deadline? Full compliance was initially required no later than December 31, 2017. The contractor/supplier were to notify the DoD CIO within 30 days of contract award, of any security requirements not implemented at the time of contract award. They can propose alternate, equally effective, measures to DoD s CIO through their contracting officer If DoD determines that other measures are required to provide adequate security in a dynamic environment based on an assessed risk or vulnerability, contractors may also be required to implement additional security precautions. How do small businesses attain these standards? NIST SP 800-171 can be found at: http://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-171r1.pdf SP 800-171 references another document (NIST Special Publication 800-53) which goes into more detail about the security controls. In addition, NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, Sections 3.3 to 3.6 may provide small business a systematic step-by-step approach to implementing, assessing and monitoring the controls.

Assess Develop & Update Security Assessment Process Plans of Action Monitor How do I meet the SP 800-171 Requirements? Meeting the SP 800-171 is not a one-time fix, rather it is a continuous assessment, monitoring and improvement process. Periodically assess the security controls in your company s systems to determine if the controls are effective in their application. Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in systems. Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. Although these requirements may initially seem overwhelming, small businesses can use this framework to divide the project into small, manageable chunks and work toward attaining compliance. Incurred costs may also be recoverable under a cost reimbursement contract pursuant to FAR 31.201-2. May small businesses outsource these requirements? Small businesses may use subcontractors and/or outsource information technology requirements, but they are responsible for ensuring that these entities they use meet the cybersecurity standards. If

they anticipate using cloud computing, they should ensure the cloud service meets FedRAMP moderate security requirements and complies with incident reporting, media, and malware submission requirements. What if there is a potential breach? Don t panic. Cybersecurity occurs in a dynamic environment. Hackers are constantly coming up with new ways to attack information systems and DoD is constantly responding to these threats. So, even if you do everything right and institute the strongest checks and controls, it is possible that someone will come up with a new way to penetrate these measures. DoD does not penalize small businesses acting in good faith. The key is to work in partnership with DoD so that new strategies can be developed to stay one step ahead of the hackers. Contact DoD immediately. Bad news does not get any better with time. These attacks threaten America s national security and put service members lives at risk. DoD should respond quickly to change operational plans and to implement measures to respond to new threats and vulnerabilities So, small businesses should report any potential breaches to DoD within seventy-two (72) hours of discovery of any incident. Report these incidents directly on-line: https://dibnet.dod.mil/ Interpret potential breaches broadly to include all actions taken using computer networks that result in actual or potentially adverse effects on information systems and/or the information residing therein. These include possible ex-filtration, manipulation, or other loss or compromise of controlled technical information from an unclassified information system and any unauthorized access to an unclassified information system on which such controlled technical information is resident or transiting. Be helpful and transparent. Businesses must also cooperate with DoD to respond to these security incidents. They should immediately preserve and protect all evidence and capture as much information about the incident as possible. They should review their networks to identify compromised computers, services, data, and user accounts and identify specific covered defense information that may have been lost or compromised. What is a System Security Plan? A document that describes how a small manufacturer meets the security requirements for a system or how a small manufacturer plans to meet the requirements. The system security plan describes the system boundary; the environment in which the system operates; how the security requirements are implemented; and the relationships with or connections to other systems What are Plans of Action? A small manufacturer should develop Plans of Action that describe how any unimplemented security requirements will be met and how any planned mitigations will be implemented. Companies can document the system security plan and plan of action as separate or combined documents and in any chosen format. When requested, the System Security plan and any associated Plans of Action for any planned implementations or mitigations should be submitted to the responsible federal agency/contracting

officer. The Plans of Action help to demonstrate implementation or planned implementation of the security requirements. Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system. Where can businesses get additional help? Cyber Management Systems can provide additional guidance on meeting the NIST SP 800-171 requirements. Please contact us for a free assessment. Cyber Management Systems 1-866-CYBERMS (866-292-3767) https://cybermanagementsystems.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback