Slide 1: The DFARS UCTI Clause: How It Impacts the Subcontract Relationship
Breakout Session #F11
Phillip R. Seckman and Michael J. McGuinn, Dentons US LLP
Date: Tuesday, July 28, 2015
Time: 4:00pm to 5:15pm

Slide 2: Agenda
- Cyber threats and risk management
- Regulatory landscape
- DFARS UCTI rule requirements
- Supply chain compliance
- Recent developments: NARA CUI plan; cyber legislation
- Compliance and breach response takeaways

Slide 3: Cyber Attacks: An Ever-Growing Threat
- GAO: 67,000 computer hacking incidents reported by federal agencies in 2014 (up from 5,500 incidents in 2006); includes malware installation, improper use of computer resources and unauthorized access to systems
- Attacks are a top concern of the FBI and the intelligence community
- Cyber attacks focused on IP, critical infrastructure, and personal data
- Mandiant report: APT1 in China estimated to be responsible for 80-90% of cyber incidents involving classified information, trade secrets and IP
- Office of Personnel Management hack: nation-state hackers stole personnel data and Social Security numbers for millions of current and former federal employees
- "Some organizations will be a target regardless of what they do, but most become a target because of what they do (or don't do)." - Verizon 2013 DBIR

Slide 4: Regulatory Landscape
- Contractors faced with a patchwork of legal requirements
- Federal Information Security Management Act of 2002: primarily applicable to government information systems, but also applicable to contractors
- Federal Information Security Modernization Act of 2014, passed on 12/10/14: new requirements likely forthcoming
- Industry/agency-specific requirements (e.g., DOD, NASA, GSA, DOE)
- SEC disclosures for material cyber incidents
- HIPAA requirements
- FTC treatment of breaches as unfair trade practices
- State-specific breach notification laws
- International requirements
- Private sector requirements (e.g., PCI DSS)
- Developments overlay existing requirements and increase compliance obligations

Slide 5: DFARS Unclassified Controlled Technical Information ("UCTI") Clause
- Issued on Nov. 18, 2013 (78 Fed. Reg. 69,273)
- Establishes new clause, DFARS 252.204-7012
- Clause included in all DOD contracts issued after Nov. 18, 2013, including small business and commercial item contracts
- DOD also implemented the clause through contract modification in some cases

Slide 6: DFARS UCTI Clause: Identifying UCTI
- Clause applies to any contractor information system that may have UCTI resident on or transiting through it
- UCTI:
  - Technical information: technical data or computer software
  - Controlled technical information: military or space application; subject to controls on access, use, modification, release; marked with the required distribution statement pursuant to DOD Instruction 5230.24, Distribution Statements on Technical Documents
- UCTI may be furnished by the government or developed by the contractor (DFARS PGI 204.7303-1(a))
- DOD generally responsible for identifying whether the contractor will be required to develop or handle UCTI
- Contractor also may develop technical information that must be marked

Slide 7: DFARS UCTI Clause: IS Security Requirements
- Compliance with 50+ security controls from NIST SP 800-53, drawn from these control families: access control; awareness and training; audit and accountability; configuration management; identification and authentication; contingency planning; incident response; maintenance; media protection; physical and environmental protection; program management; risk assessment; system and communications protection; system and information integrity
- Must otherwise explain: (1) why a security control is inapplicable; or (2) how an alternative control or protection achieves equivalent protection

Slide 8: DFARS UCTI Clause: IS Security Requirements (cont.)
- Security control command media (the NIST "dash-1" policy and procedure controls) not required, but strongly recommended: necessary to explain/defend systems to DOD; helpful to explain system requirements to subcontractors
- Documentation required in connection with certain controls (e.g., CM-2, Baseline Configuration)
- A number of controls allow for reasonable contractor discretion; e.g., AC-7, Unsuccessful Logon Attempts, does not impose a specific number of logon attempts that trigger lockout
- Certain controls incorporate a base control and a control enhancement; e.g., AC-3(4) requires compliance with the AC-3 base control (access enforcement) and the (4) enhancement (discretionary access control)

Slide 9: DFARS UCTI Clause: IS Security Requirements (cont.)
- Specified NIST 800-53 controls set the baseline
- Additional IS security protections required when the contractor "reasonably determines" that other IS security measures may be required to provide "adequate security" in a "dynamic environment"
  - Reasonably determines: business discretion?
  - Adequate security: protection commensurate with the probability/consequences of loss, misuse, unauthorized access, or information modification
  - Dynamic: adequacy must be constantly assessed/updated
  - Based on an assessed risk or vulnerability: requires an understanding of known risks; look-back period?

Slide 10: DFARS UCTI Clause: Reporting Requirements
- Reporting required within 72 hours of discovery of a reportable cyber incident:
  - Possible exfiltration, manipulation, or other loss or compromise of UCTI on a prime/sub information system
  - Any unauthorized access to a system on which UCTI is present
- Prime contractors must report up to 13 categories of information to the DIB CS/IA website, including: affected contracts; description of the technical information compromised; name of the subcontractor, if the incident was on a subcontractor network
- Threshold triggering reporting is low

Slide 11: DFARS UCTI Clause: Reporting Requirements (cont.)
- More comprehensive contractor review required after the initial report: scope of network compromise (e.g., affected servers, information systems, computers, user accounts); specific UCTI impacted
- Preserve images and relevant information for at least 90 days
- DOD (DSS) may elect to conduct a damage assessment; contractor required to comply with damage assessment information requests, unless otherwise precluded by law; information protected from further disclosure
- Be prepared to explain why the compromise occurred and the company's response

Slide 12: DFARS UCTI Clause: Compliance Measures
- Review contracts for the clause
- Assess which systems have or may handle UCTI
- Review DOD Instruction 5230.24 to identify UCTI; UCTI may be identified in a CDRL or marked with a distribution statement
- Conduct a gap analysis using NIST SP 800-53 standards
- Identify known security risks and loss probabilities; implement additional controls commensurate with these risks
- Promptly remediate any security control deficiencies
- Contractors "shall" implement controls; contractors likely have reasonable discretion to prioritize control implementation
- Assess possible system compromises immediately and consider the reporting obligation

Slide 13: DFARS UCTI Clause: Consequences of Noncompliance
- Consequences of non-compliance include: breach of contract; termination for default; FCA liability (no express certification currently required); negative past performance evaluations; declination of options (USIS); suspension and debarment; purchasing system disapproval
- Government likely to review non-compliances in the context of a breach and with the benefit of hindsight
- Contractor reasonableness likely to be the touchstone for penalties; documentation of decision-making crucial
- DOD likely to have concerns about an implementation approach that begins with specific safeguarding controls before the audit/detection controls (evades the reporting requirement)

Slide 14: DFARS UCTI Clause: Supply Chain Issues
- UCTI clause is a mandatory flow down in all subcontracts, regardless of size; subcontractors also required to flow down to lower-tier subcontractors; includes commercial item subcontracts
- ISPs and cloud service providers considered subcontractors
- Flow down requirement requires both safeguarding controls and mandatory reporting
- Many subcontractors are unable or unwilling to comply with these requirements

Slide 15: DFARS UCTI Clause: Supply Chain Issues (cont.)
- Prime contractors are responsible for flowing down the clause: the clause does not require the prime contractor to conduct an assessment or verify the system adequacy of subcontractors; the obligation is on the party receiving UCTI to explain why a security control is inapplicable or that an alternative control achieves equivalent protection
- Government likely to argue prime contractors are responsible for ensuring adequate protection of UCTI, wherever located
- Government Furnished Information ("GFI") under DFARS 252.227-7025 requires contractors to indemnify the government and third parties for violations of GFI use and disclosure restrictions; applies to any person/entity to whom the contractor has released or disclosed GFI
- Similar also to government property systems: FAR 52.245-1(f) makes contractors responsible for ensuring subcontractors have adequate property management systems in place for GP (including CAP)

Slide 16: DFARS UCTI Clause: Supply Chain Issues (cont.)
Higher-Tier Contractor Options:
- Conduct some form of system verification through audit; significant risks associated with approving subcontractor system compliance
- Require subcontractor representation of compliance; unlikely to get it, then what?
- Require written explanation from the sub consistent with DFARS 252.204-7012(b)(1) that (1) a security control is inapplicable or (2) an alternative control achieves equivalent protection
- Establish contract mechanisms for system audit rights, NDA and indemnification for breaches/challenges (DFARS 252.227-7025 as a guide)
- Educate suppliers: develop a checklist or target profile of requirements and provide it to subcontractors; make resources available to subcontractors (DHS C Cubed program, SBA training); emphasize reporting requirements and preservation of data
- Flow down the clause and do nothing more

Slide 17: DFARS UCTI Clause: Supply Chain Issues (cont.)
Higher-Tier Contractor Options:
- If the contractor learns that a subcontractor cannot/will not comply with the clause requirements, the prime should: find a compliant subcontractor; preclude the subcontractor from handling UCTI; identify/document the subcontractor's security capabilities and ask the supplier to attest to the adequacy of those capabilities; consider any other factors showing trustworthiness; confirm prompt reporting is in place
- Avoid integrating subcontractor cyber compliance into the procurement system unless you are prepared to be audited to it
- Touchstone will be reasonableness

Slide 18: DFARS UCTI Clause: Supply Chain Issues (cont.)
Subcontractor Options:
- Determine whether you are in fact a subcontractor: potentially difficult to support, since ISPs and other external service providers are subcontractors according to the preamble of the clause (almost certainly correct)
- Assess whether you need UCTI for performance of your subcontract; attempt to resist inclusion of the clause, or reach agreement that it is inapplicable, if UCTI will not be provided/created
- Clarify the existence of UCTI: does this subcontract require me to receive or generate UCTI? Don't assume; ask, and get specificity before award
- Limit/control UCTI locations: centralize UCTI in a network with controls, no copies elsewhere; hard copies; possible to use higher-tier contractors' networks directly?

Slide 19: DFARS UCTI Clause: Supply Chain Issues (cont.)
Subcontractor Options:
- Self-assess compliance with UCTI controls: if not in compliance, do you have adequate controls in place to address your company's cyber risks? Are these controls tied to UCTI requirements? Can you reasonably and accurately represent that controls are inapplicable or that you have equivalent controls?
- Avoid broad representations or over-promises of system compliance
- Ensure disclosures are controlled: limit the prime contractor's ability to access systems for purposes of reporting a cyber incident (government only); consider an NDA with enforceable provisions to ensure information disclosed to the prime is protected from further disclosure outside of the UCTI context
- Cyber compliance likely to be a significant competitive advantage for suppliers

Slide 20: National Archives and Records Administration Controlled Unclassified Information
- EO 13556, Controlled Unclassified Information, designated NARA to develop regulations for consistent marking and safeguarding of CUI
- NARA issued a proposed rule on May 11, 2015 that would establish uniform marking requirements and require agencies to protect CUI using FIPS/NIST standards
- NARA anticipates establishing a single FAR clause incorporating the CUI rule
- NARA rule likely to incorporate requirements from the new NIST SP 800-171 (draft issued April 2, 2015); NIST 800-171 security controls are drawn from NIST 800-53 and are broader than the DFARS UCTI rule controls
- Unclear how the NARA CUI program will be reconciled with the FAR and DFARS rules and the GAO/DOD Joint Working Group Report

Slide 21: Cyber Legislation
- Federal Information Security Modernization Act of 2014 (Dec. 10, 2014): re-established OMB as the oversight authority for agency information security policies; establishes DHS as the authority for implementation of OMB standards; requires agencies to provide congressional notification for major cyber incidents
- Protecting Cyber Networks Act (passed House on April 22, 2015): would provide liability protections to companies sharing cyber threat data with government civilian agencies (except in cases of willful misconduct)

Slide 22: Cyber Legislation (cont.)
- FY15 NDAA Section 1632: would require timely reporting on cyber incidents for operationally critical contractors
  - Operationally critical contractor: a contractor designated as a critical source of supply for airlift, sealift, intermodal transportation, or logistical support that is essential to a contingency operation
  - Cyber incident: an action that results in an actual or potentially adverse effect on an information system or the information residing therein
  - DFARS rule required within 90 days after the NDAA is enacted; case pending
- FY13 NDAA Section 941: requires reporting of successful penetration of networks of cleared defense contractors (private entities with clearance to access, receive or store classified information in support of DOD programs); requires rapid reporting and DOD access to systems upon request
- DFARS case (No. 2013-D018) pending to implement both sections
- 2016 NDAA provides for liability protections for contractors reporting under either Section 1632 or Section 941

Slide 23: Company Compliance: Final Considerations
- Know what data/information you have and the applicable requirements
- Need management buy-in and a proactive approach
- Have a plan in place providing guidance if a crisis develops
- Supply chain considerations: Symantec report: small businesses are the path of least resistance; required security profile vs. supplier's current profile?; are you protected from liability/indemnified for subcontractor issues?; are supplier obligations to notify, respond, and cooperate/share information properly defined?
- Commercial companies and small businesses likely not exempt
- Document risk management decisions and compliance efforts
- Read your contracts!

Slide 24: Questions?
Phillip R. Seckman, (303) 634-4338, phil.seckman@dentons.com
Michael J. McGuinn, (303) 634-4333, michael.mcguinn@dentons.com