DEFENSE LOGISTICS AGENCY AMERICA S COMBAT LOGISTICS SUPPORT AGENCY. Cyber Security. Safeguarding Covered Defense Information.

Similar documents
DEFENSE LOGISTICS AGENCY

Get Compliant with the New DFARS Cybersecurity Requirements

Safeguarding of Unclassified Controlled Technical Information. SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION (NOV 2013)

Department of Defense Cybersecurity Requirements: What Businesses Need to Know?

DFARS , NIST , CDI

ROADMAP TO DFARS COMPLIANCE

CYBER SECURITY BRIEF. Presented By: Curt Parkinson DCMA

Cyber Security Challenges

NIST Special Publication

Cybersecurity Challenges

INTRODUCTION TO DFARS

DFARS Safeguarding Covered Defense Information The Interim Rule: Cause for Confusion and Request for Questions

Cybersecurity in Acquisition

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

Cybersecurity Risk Management

DOD s New Cyber Requirements: Impacts on DOD Contractors and Subcontractors

2018 SRAI Annual Meeting October Dana Rewoldt, CRA, Associate Director of OIPTT, Iowa State University, Ames, IA, USA

SAC PA Security Frameworks - FISMA and NIST

Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations (NIST SP Revision 1)

Cybersecurity for Government Contractors: Preparing for Cyber Incidents in 2017

Safeguarding Controlled Unclassified Information and Cyber Incident Reporting. Kevin R. Gamache, Ph.D., ISP Facility Security Officer

Federal Initiatives to Protect Controlled Unclassified Information in Nonfederal Information Systems Against Cyber Threats

DFARS Cyber Rule Considerations For Contractors In 2018

2017 SAME Small Business Conference

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

DFARS Defense Industrial Base Compliance Information

DLA Internet Bid Board System (DIBBS)

Cyber Security Challenges

Special Publication

Tinker & The Primes 2017 Innovating Together

COMPLIANCE IN THE CLOUD

DOD Lawyers Roundtable Defense Logistics Agency (DLA Energy)

Defense Security Service. Strategic Plan Addendum, April Our Agency, Our Mission, Our Responsibility

OFFICE OF THE UNDER SECRETARY OF DEFENSE 3000DEFENSEPENTAGON WASHINGTON, DC

PilieroMazza Webinar Preparing for NIST SP December 14, 2017

Safeguarding unclassified controlled technical information (UCTI)

Regulating Information: Cybersecurity, Internet of Things, & Exploding Rules. David Bodenheimer Evan Wolff Kate Growley

Cyber Attacks & Breaches It s not if, it s When

Rocky Mountain Cyberspace Symposium 2018 DoD Cyber Resiliency

Supplier Training Excellence Program

A Supply Chain Attack Framework to Support Department of Defense Supply Chain Security Risk Management

INFORMATION ASSURANCE DIRECTORATE

Preparing for NIST SP January 23, 2018 For the American Council of Engineering Companies

Handbook Webinar

IT-CNP, Inc. Capability Statement

Greg Garcia President, Garcia Cyber Partners Former Assistant Secretary for Cyber Security and Communications, U.S. Department of Homeland Security

Verizon Software Defined Perimeter (SDP).

Why is the CUI Program necessary?

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Advanced Technology Academic Research Council Federal CISO Summit. Ms. Thérèse Firmin

Safeguarding Unclassified Controlled Technical Information

Cybersecurity Overview

Executive Order 13556

Critical Information Infrastructure Protection Law

IMPROVING CYBERSECURITY AND RESILIENCE THROUGH ACQUISITION

NW NATURAL CYBER SECURITY 2016.JUNE.16

Defense Information Systems Agency (DISA) Department of Defense (DoD) Cloud Service Offering (CSO) Initial Contact Form

Cyber Security For Business

Cybersecurity and Data Protection Developments

The NIST Cybersecurity Framework

Compliance with NIST

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Industry Perspectives on Active and Expected Regulatory Actions

Cyber Security Requirements for Supply Chain. June 17, 2015

Securing Content in the Department of Defense s Global Information Grid

Cyber Security Summit 2014 USCENTCOM Cybersecurity Cooperation

Cybersecurity and Program Protection

Testimony. Christopher Krebs Director Cybersecurity and Infrastructure Security Agency U.S. Department of Homeland Security FOR A HEARING ON

New Guidance on Privacy Controls for the Federal Government

Supply Chain (In)Security

Systems Security Engineering: A Framework to Protect Hardware Down to the Last Tactical Inch

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

The NIS Directive and Cybersecurity in

SYSTEMS ASSET MANAGEMENT POLICY

Seagate Supply Chain Standards and Operational Systems

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

Your Challenge. Our Priority.

TRIAEM LLC Corporate Capabilities Briefing

Cybersecurity & Privacy Enhancements

Migrating Applications to the Cloud

NIST RISK ASSESSMENT TEMPLATE

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

DRAFT. NIST MEP CYBERSECURITY Self-Assessment Handbook

Integrated C4isr and Cyber Solutions

NCCoE TRUSTED CLOUD: A SECURE SOLUTION

Vulnerability Assessments and Penetration Testing

Appendix 12 Risk Assessment Plan

General Framework for Secure IoT Systems

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

MIS Week 9 Host Hardening

Exploring Emerging Cyber Attest Requirements

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Davidson Technologies: A Medium Sized Business Experience with DFARS 7012/NIST

The Honest Advantage

O0001(OCT

TEL2813/IS2621 Security Management

CyberUSA Government Cyber Opportunities for your Region: The Federal Agenda - Federal, Grants & Resources Available to Support Community Cyber

The FAR Basic Safeguarding Rule

Engineering Cyber Resilient Weapon Systems

Information Warfare Industry Day

Transcription:

DEFENSE LOGISTICS AGENCY AMERICA S COMBAT LOGISTICS SUPPORT AGENCY Cyber Security Safeguarding Covered Defense Information 30-31 August 2016 WARFIGHTER FIRST PEOPLE & CULTURE STRATEGIC ENGAGEMENT FINANCIAL STEWARDSHIP PROCESS EXCELLENCE 1

NATO: 'New Realities' Make Internet a Potential Front Line in Conflict "Our interconnectedness means that we are only as strong as our weakest link. We will work together to better protect our networks and thereby contribute to the success of allied operations." 2

Goal Improve DLA s business relationships with vendor base to better accomplish our shared mission of supporting warfighters worldwide by mitigating risk and reducing vulnerability to cybercrime. 3

How Provide Vendor s Updates to Cybersecurity Requirements Define what is Cover Defense Information Where and how to apply Adequate Security Cyber incident reporting requirements 4

Covered Defense Information (CDI) Unclassified Information Associated to Performance of Contract Provided to Contractor by or on Behalf of DoD Collected, Developed, Received, Transmitted, Used, or Stored by or on Behalf of Contractor AND: Controlled technical information Critical information (OPSEC) Export Control Information identified in the contract, that requires safeguarding or dissemination controls 5

Who is Affected DFARS 252.204-7012 Requires Flow Down to: Subcontractors at all Tiers Suppliers at all Tiers Including: Commercial suppliers Commercial-off-the-shelfitem suppliers 6

CDI: Controlled Technical Information Defined in DFARS 252.227-7013 Examples: Research and engineering data Engineering drawings, and associated lists Purchase Item Description (PID) Catalog-item identification NSN with Demilitarization Code Other than A 7

CDI: Critical Information (OPSEC) Specific Facts Identified through OPSEC Process: Friendly intentions Capabilities and activities Needed by adversaries to plan and act effectively 8

CDI: Export Control Unclassified Information Concerning: Certain items Commodities Technology Software Or other information Whose Export Could Reasonably be Expected to Adversely Affect the United States National Security and Nonproliferation Objectives. 9

CDI: Information Identified in Contract Any information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government wide policies (e.g., privacy, proprietary business information). 10

Applying Adequate Security Information Sharing / Collaboration Toolbox Only to Information Systems Containing CDI Implement Security Protections on: IT operated on behalf of Government Not part of IT operated on behalf of Government On Contractors Assessed Risk or Vulnerability 11

Information Sharing / Collaboration Defense Industrial Base Collaboration Information Sharing Environment (DCISE) Information Sharing and Analysis Organizations (IASOs) Information Sharing and Analysis Centers (ISACs): Defense Industrial Base ISAC Maritime Security ISAC Supply Chain ISAC Surface Transportation ISAC Cyber Information Sharing and Collaboration Program FBI Infragard DHS Cyber Security Evaluation Tool / NSA GRASSMARLIN Local Colleges/Universities, SANS, (ISC)², etc. 12

IT Operated on Behalf of DoD Cloud Computing Services Security requirements specified in DFAR 252.239-7010 Security requirements specified in contract 13

IT Not Operated on Behalf of DoD National Institute of Standards and Technology (NIST) NIST SP 800-171 Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations Isolate CUI into Own Security Domain Limit Scope to CUI Particular System or Components Don t try to boil the ocean 14

NIST SP 800-171 Basic Security Basic Security Requirements Access Control Awareness and Training Audit and Accountability Configuration Management Identification and Authentication Incident Response Maintenance Physical Protection Risk Assessment Security Assessment System and Communication Protection System and Information Integrity 15

Cyber Incident Reporting Requirements Contractor Discovers a Cyber Incident Affecting: Contractor information system Covered Defense Information Required Elements of Cyber Incident Report DoD-approved Medium Assurance Certificate 16

When You Have a Cyber Incident Conduct a review for evidence of compromise of CDI Including, but not limited to: Compromised Computers Compromised Servers Specific Data User Accounts Covered contractor information systems Rapidly Report to http://dibnet.dod.mil 17

What Goes in Cyber Incident Report Include Elements Required by http://dibnet.dod.mil 18

Within 72 Hours Within 72 Hours Report as Much of the Following Company name Company Point of Contact (POC) Data Universal Numbering System (DUNS) Number Contract number(s) or other type of agreement affected Contracting Officer or other agreement POC USG Program Manager POC Contract or other agreement clearance level Facility CAGE code Facility Clearance Level Impact to CDI Ability to provide operationally critical support Date incident discovered Location(s) of compromise Incident location CAGE code DoD programs, platforms or systems involved Type of compromise Description of technique or method used in incident Incident outcome Incident/Compromise narrative Any additional information 19

Summary Defined What is Cover Defense Information More Knowledgeable on Adequate Security More Knowledgeable on Cyber Incident Reporting Requirements 20

Have We Achieved Our Goal? Improve DLA s business relationships with vendor base to better accomplish our shared mission of supporting warfighters worldwide by mitigating risk and reducing vulnerability to cybercrime. 21

22

WARFIGHTER LOGISTICS EXCELLENCE ACCOUNTABILITY TEAMWORK URGENCY AGILITY INNOVATION COMMITMENT INTEGRITY DIVERSITY MUTUAL TRUST & RESPECT Financial Stewardship 23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback