Safeguarding unclassified controlled technical information (UCTI)

Similar documents
Department of Defense Cybersecurity Requirements: What Businesses Need to Know?

ROADMAP TO DFARS COMPLIANCE

ISACA Cincinnati Chapter March Meeting

Safeguarding Unclassified Controlled Technical Information

DFARS Cyber Rule Considerations For Contractors In 2018

Get Compliant with the New DFARS Cybersecurity Requirements

Safeguarding of Unclassified Controlled Technical Information. SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION (NOV 2013)

Forensic analysis with leading technology: the intelligent connection Fraud Investigation & Dispute Services

Protecting your data. EY s approach to data privacy and information security

EY s data privacy service offering

What s new in EY Atlas. November 2018

INTRODUCTION TO DFARS

DFARS Defense Industrial Base Compliance Information

Introduction. When it comes to GDPR compliance, is OK for now enough? Minds made for protecting financial services

DOD s New Cyber Requirements: Impacts on DOD Contractors and Subcontractors

Demonstrating data privacy for GDPR and beyond

Cyber Security Challenges

Cybersecurity requirements for financial services companies

SAC PA Security Frameworks - FISMA and NIST

Big data privacy in Australia

Step 1: Open browser to navigate to the data science challenge home page

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

Rocky Mountain Cyberspace Symposium 2018 DoD Cyber Resiliency

DFARS Safeguarding Covered Defense Information The Interim Rule: Cause for Confusion and Request for Questions

Cybersecurity Challenges

Forensic analysis with leading technology: the intelligent connection Fraud Investigation & Dispute Services

EY s Data Privacy Services. January 2019

OFFICE OF THE UNDER SECRETARY OF DEFENSE 3000DEFENSEPENTAGON WASHINGTON, DC

Project Management Professional PMP. Exam preparatory course

Tax News Update: Global Edition (GTNU) User Guide

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

Tinker & The Primes 2017 Innovating Together

CYBER SECURITY BRIEF. Presented By: Curt Parkinson DCMA

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Preparing for NIST SP January 23, 2018 For the American Council of Engineering Companies

EY Training. Project Management Professional PMP. Exam preparatory course. 30 September 4 October 2018

Information for entity management. April 2018

2018 SRAI Annual Meeting October Dana Rewoldt, CRA, Associate Director of OIPTT, Iowa State University, Ames, IA, USA

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Advanced Technology Academic Research Council Federal CISO Summit. Ms. Thérèse Firmin

DEFENSE LOGISTICS AGENCY AMERICA S COMBAT LOGISTICS SUPPORT AGENCY. Cyber Security. Safeguarding Covered Defense Information.

PilieroMazza Webinar Preparing for NIST SP December 14, 2017

Cyber Security For Business

Quality Management Systems (ISO 9001:2015 and ISO 29001) Lead Auditor training (EY/IMSA Q03)

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

Government Contracting. Tech-Savvy World. in a. October InterContinental Miami. Miami, Florida

2017 SAME Small Business Conference

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

The value of visibility. Cybersecurity risk management examination

Cybersecurity in Acquisition

Coworking 2.0. Stavební Fórum October

DFARS , NIST , CDI

Safeguarding Controlled Unclassified Information and Cyber Incident Reporting. Kevin R. Gamache, Ph.D., ISP Facility Security Officer

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

EY s data privacy service offering. How to transform your data privacy capabilities for an EU General Data Protection Regulation (GDPR) world

Handbook Webinar

CCISO Blueprint v1. EC-Council

Click to edit Master title style

10/18/2016. Preparing Your Organization for a HHS OIG Information Security Audit. Models for Risk Assessment

Cyber Security Incident Response Fighting Fire with Fire

BHConsulting. Your trusted cybersecurity partner

Gujarat Forensic Sciences University

Cybersecurity Auditing in an Unsecure World

Cyber Attacks & Breaches It s not if, it s When

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

EY Norwegian Cloud Maturity Survey Current and planned adoption of cloud services

Cybersecurity Risk Management

Cybersecurity & Privacy Enhancements

Security Hygiene. Be in a defensible position. Be cyber resilient. November 8 th, 2017

Vulnerability Assessments and Penetration Testing

If you were under cyber attack would you ever know?

Developing your GDPR response for competitive advantage. EU General Data Protection Regulation (GDPR)

Cybersecurity for Government Contractors: Preparing for Cyber Incidents in 2017

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective.

Cybersecurity for Health Care Providers

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

Public Safety Canada. Audit of the Business Continuity Planning Program

Cybersecurity, safety and resilience - Airline perspective

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Executive Order 13556

COMMENTARY. Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards

EY Consulting. Is your strategy planning for the future or creating it? #TransformativeAge

Does someone else own your company s reputation? EY Global Information Security Survey 2018

Why is the CUI Program necessary?

External Supplier Control Obligations. Cyber Security

MDA Acquisition Updates

SOC for cybersecurity

EU GDPR & NEW YORK CYBERSECURITY REQUIREMENTS 3 KEYS TO SUCCESS

cybersecurity challenges for government contractors

CyberSecurity Training and Capacity Building: A Starting Point for Collaboration and Partnerships. from the most trusted name in information security

GDPR: A QUICK OVERVIEW

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Inspector General. Report on the Peace Corps Information Security Program. Peace Corps Office of. Background FISCAL YEAR 2017

NYDFS Cybersecurity Regulations

Cybersecurity: Incident Response Short

Transcription:

Safeguarding unclassified controlled technical information (UCTI) An overview Government Contract Services Bulletin

Safeguarding UCTI An overview On November 18, 2013, the Department of Defense (DoD) issued a final rule mandating the protection requirements around unclassified controlled technical information (UCTI) for all DoD contractors and subcontractors. In June 2011, the DoD proposed to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to add a new subpart and associated contract clauses addressing requirements for safeguarding unclassified DoD information. In November 2013, the rule was finalized and, effective immediately, clause 252.204 7012, Safeguarding of UCTI, was mandated to be included in all new solicitations and contracts, including those for commercial items. Primary requirements of DFARS 252.204 7012: DoD and its contractors and subcontractors must provide adequate security to safeguard DoD unclassified controlled technical information resident on or transiting through their unclassified information systems from unauthorized access and disclosure. Contractors must report to DoD certain cyber incidents that affect the protected information. What is UCTI? Controlled technical information has a military or space application or falls under the definition of research and engineering data or engineering drawings, including associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog items, identifications, data sets, studies/analyses and related information, and computer software executable code and source code. The DoD is expected to mark UCTI items requiring protection; however, it is unclear at this time how the requirements for marked data will be defined and applied. 2 Safeguarding UCTI An overview

Security and safeguarding To be compliant with DFARS 252.204 7012, contractors must establish reporting and accountability requirements and flow UCTI requirements to subcontractors. Contractors must also maintain knowledge of the company s and subcontractors current state of compliance, including gaps to the required controls and documented mitigating controls. Finally, contractors must actively monitor all systems that store, manipulate or transmit UCTI for cyber events. The 51 minimum required security controls for UCTI requiring safeguard are specified in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53. Cyber incident reporting In addition to security controls and safeguard requirements, contractors are required to report all cyber incidents. DFARS 252.204 7012 defines the information required to be reported and requires that contractors maintain incident evidence for at least 90 days from the date of the cyber incident to support the DoD in the event it conducts a damage assessment. When is cyber incident reporting required? Incident reporting is required within 72 hours of discovery of a cyber incident that affects DoD UCTI. What is a reportable cyber incident? It includes exfiltration, manipulation, or other loss or compromise of UCTI resident on or transiting through a contractor s, or its subcontractors, unclassified information systems. Any other activities that allow unauthorized access to the contractor s unclassified information system on which UCTI is resident on or transiting also apply. What is the risk of noncompliance? Contractors found to be noncompliant with DFARS 252.204 7012 may be removed from information technology procurements supporting national security systems and in some cases may be unable to protest their removal. Compliance challenges With the expansion of cybersecurity regulations for contractors comes new and compounded compliance challenges, including: Interpreting the definition of UCTI and marked data Identifying systems considered to be in-scope Overseeing and monitoring of subcontractor compliance Meeting incident reporting deadlines Safeguarding UCTI An overview 3

UCTI compliance framework considerations A framework is imperative to help establish and maintain compliance with the DFARS UCTI requirements. The steps below should be considered when developing your framework. Identify Identify confidential information assets and key systems where UCTI resides Evaluate security control effectiveness over systems that store, process and transmit UCTI Identify regulatory and disclosure requirements Identify threat groups, vulnerabilities and evidence to be analyzed Evaluate subcontractor risk and required processes Protect Design and implement compliant security controls Review cyber-monitoring processes for adequacy Review logs to detect access to sensitive information and filter suspicious events Remediate third-party contracting processes Document and communicate the rationale for excluding any required NIST controls Detect Develop a communications plan for reporting incidents to a contracting officer Examine and preserve key log data for hostile activity Identify suspicious events and incidents that may have occurred and that may be required to be reported within a 72-hour period Evaluate the current data preservation plan for compliance with evidence maintenance criteria Forensically preserve and maintain incident evidence for the required 90 days Respond to Defense Contract Audit Agency (DCAA) and contracting officer inquiries and audit results Respond Recover Restore any capabilities or services that were impaired due to a cybersecurity event Identify control improvements and develop remediation plans Update Government contracting processes to address compliance with key regulations Flow provisions to subcontracts and monitor subcontractor compliance and reporting Establish a plan for ongoing monitoring of DFARS 252.204 7012 UCTI requirements Periodically assess related controls and complete corrective action plans for identified deficiencies and control exceptions Monitor 4 Safeguarding UCTI An overview

About EY s UCTI response team The combination of distinct skills and integration across EY allows us to offer a seamless end-to-end approach to maintain compliance with government contracting challenges including UCTI regulations. Ernst & Young LLP Government Contract Services (GCS) Our team of experienced professionals has both the depth of knowledge and breadth of experience in applying the procurement rules and regulations of Government agencies. Contacts: Robert Malyska Government Contract Services Leader +1 214 969 8628 robert.malyska@ey.com Todd LaMastres +1 214 969 8484 todd.lamastres@ey.com Deborah Nixon +1 703 747 1478 deborah.nixon@ey.com Darl Rhoades Executive Director +1 720 931 4022 darl.rhoades@ey.com Frank Summers, Jr. Executive Director +1 617 375 1285 frank.summersjr@ey.com Steven Tremblay Executive Director +1 617 375 2420 steven.tremblay@ey.com Ernst & Young LLP Fraud Investigation and Dispute Services (FIDS) Our FIDS team has the capabilities to perform incident investigations, collect and preserve evidence, manage the reporting of an incident to the DoD, and manage the continued preservation and maintenance of evidence for the required 90 days. Contacts: David Remnitz Global & Americas Forensic Technology & Discovery Services Leader +1 212 773 1311 david.remnitz@ey.com Kenneth Feinstein +1 203 674 3177 kenneth.feinstein@ey.com Ken Zatyko +1 202 327 7185 ken.zatyko@ey.com Kelly Volz +1 202 327-5684 kelly.volz@ey.com Ernst & Young LLP Information Technology Risk Assurance (ITRA) Our ITRA team can assist with the identification of systems where UCTI is stored, assessments against the 51 required controls, documentation of compliance with required controls, identification of gaps and mitigating controls, development of ongoing compliance processes, control remediation, reviews of cyber-monitoring processes for adequacy, post-incident lessons learned, and the design of necessary control improvements. Contacts: Mark Johnson Principal +1 703 517 3442 mark.johnson@ey.com Michael Baker +1 703 747 0710 michael.baker@ey.com Safeguarding UCTI An overview 5

EY Assurance Tax Transactions Advisory About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com. Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US. 2014 Ernst & Young LLP. All Rights Reserved. SCORE No. WW0339 CSG No. 1402-1206209 ED None This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice. ey.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback