PilieroMazza Webinar Preparing for NIST SP December 14, 2017

Similar documents
Preparing for NIST SP January 23, 2018 For the American Council of Engineering Companies

DFARS Cyber Rule Considerations For Contractors In 2018

ROADMAP TO DFARS COMPLIANCE

SAC PA Security Frameworks - FISMA and NIST

NIST Special Publication

Get Compliant with the New DFARS Cybersecurity Requirements

OFFICE OF THE UNDER SECRETARY OF DEFENSE 3000DEFENSEPENTAGON WASHINGTON, DC

Cybersecurity for Government Contractors: Preparing for Cyber Incidents in 2017

Cybersecurity Risk Management

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

The FAR Basic Safeguarding Rule

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

Federal Initiatives to Protect Controlled Unclassified Information in Nonfederal Information Systems Against Cyber Threats

INTRODUCTION TO DFARS

2018 SRAI Annual Meeting October Dana Rewoldt, CRA, Associate Director of OIPTT, Iowa State University, Ames, IA, USA

Cybersecurity Challenges

DOD s New Cyber Requirements: Impacts on DOD Contractors and Subcontractors

CYBER SECURITY BRIEF. Presented By: Curt Parkinson DCMA

Another Cook in the Kitchen: The New FAR Rule on Cybersecurity

Tinker & The Primes 2017 Innovating Together

DFARS Safeguarding Covered Defense Information The Interim Rule: Cause for Confusion and Request for Questions

Department of Defense Cybersecurity Requirements: What Businesses Need to Know?

DFARS , NIST , CDI

Special Publication

Why is the CUI Program necessary?

Compliance with NIST

Handbook Webinar

Safeguarding Unclassified Controlled Technical Information

Cyber Security Challenges

Safeguarding of Unclassified Controlled Technical Information. SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION (NOV 2013)

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

DFARS Defense Industrial Base Compliance Information

Industry Perspectives on Active and Expected Regulatory Actions

DEFENSE LOGISTICS AGENCY AMERICA S COMBAT LOGISTICS SUPPORT AGENCY. Cyber Security. Safeguarding Covered Defense Information.

New Process and Regulations for Controlled Unclassified Information

Safeguarding unclassified controlled technical information (UCTI)

Executive Order 13556

Outline. Other Considerations Q & A. Physical Electronic

Regulating Information: Cybersecurity, Internet of Things, & Exploding Rules. David Bodenheimer Evan Wolff Kate Growley

Cyber Risks in the Boardroom Conference

NISP Update NDIA/AIA John P. Fitzpatrick, Director May 19, 2015

COMPLIANCE IN THE CLOUD

2017 SAME Small Business Conference

Cyber Security Challenges

UCOP ITS Systemwide CISO Office Systemwide IT Policy

Quick Start Strategy to Compliance DFARS Rob Gillen

MDA Acquisition Updates

Agency Guide for FedRAMP Authorizations

ISOO CUI Overview for ACSAC

Click to edit Master title style

Outline. Why protect CUI? Current Practices. Information Security Reform. Implementation. Understanding the CUI Program. Impacts to National Security

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Solutions Technology, Inc. (STI) Corporate Capability Brief

Cyber Security For Business

Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations (NIST SP Revision 1)

Cybersecurity in Acquisition

Controlled Unclassified Information (CUI) and FISMA: an update. May 12, 2017 Mark Sweet, Nancy Lewis, Grace Park Stephanie Gray, Alicia Turner

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Virginia Commonwealth University School of Medicine Information Security Standard

The HIPAA Omnibus Rule

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Safeguarding Controlled Unclassified Information and Cyber Incident Reporting. Kevin R. Gamache, Ph.D., ISP Facility Security Officer

Information Systems Security Requirements for Federal GIS Initiatives

New Cyber Rules. Are You Ready? Bob Metzger, RJO Dave Drabkin, DHG Tom Tollerton, DHG. Issues in Focus Webinar Series. government contracting

IMPROVING CYBERSECURITY AND RESILIENCE THROUGH ACQUISITION

Defense Security Service. Strategic Plan Addendum, April Our Agency, Our Mission, Our Responsibility

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

DRAFT. NIST MEP CYBERSECURITY Self-Assessment Handbook

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

Rev.1 Solution Brief

Rocky Mountain Cyberspace Symposium 2018 DoD Cyber Resiliency

O0001(OCT

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

November 20, (Via DFARS Case 2013-D018)

cybersecurity challenges for government contractors

The Value of ANSI Accreditation. Top 10 Advantages. of accredited third-party conformity assessment

Care Recruitment Matters Limited Privacy Notice

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Supplier Training Excellence Program

Partner Information Manager Supplier Guide October 2017

Appendix 12 Risk Assessment Plan

Compliance with CloudCheckr

IASM Support for FISMA

IT-CNP, Inc. Capability Statement

Akin Gump Client Update Alert

Accelerate GDPR compliance with the Microsoft Cloud

NIST RISK ASSESSMENT TEMPLATE

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

SECURITY & PRIVACY DOCUMENTATION

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Integrating HIPAA into Your Managed Care Compliance Program

Streamlined FISMA Compliance For Hosted Information Systems

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

Re: Special Publication Revision 4, Security Controls of Federal Information Systems and Organizations: Appendix J, Privacy Control Catalog

FedRAMP Digital Identity Requirements. Version 1.0

Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors

DFARS and the Aerospace & Defence Enterprise

Cyber Secure Dashboard Cyber Insurance Portfolio Analysis of Risk (CIPAR) Cyber insurance Legal Analytics Database (CLAD)

Click to edit Master title style

Eliminating the Blame Game: Creating your Company Strategy for Documented Defense

Transcription:

PilieroMazza Webinar Preparing for NIST SP 800-171 December 14, 2017

Presented by Jon Williams, Partner jwilliams@pilieromazza.com (202) 857-1000 Kimi Murakami, Counsel kmurakami@pilieromazza.com (202) 857-1000 2

About PilieroMazza PilieroMazza PLLC is a full-service law firm with offices in Washington, DC and Boulder, CO. We are most well known as a government contracting firm and for 25 years we have helped our clients navigate the complexities of doing business with the federal government. We also provide a full range of legal services including advice on corporate, labor and employment, SBA procurement programs, and litigation matters. Our clients value the diverse array of legal guidance they receive from us and our responsiveness as we guide their growth and secure their success. Our primary practice areas are: Government Contracting Small Business Programs Labor & Employment Business & Corporate Litigation Sign up for our newsletters and blog at www.pilieromazza.com 3

Overview What is NIST SP 800-171? Who has to comply? What to do if you have to comply Q&A 4

Happy Cybersecurity New Year! When the ball drops in Times Square on New Year s Eve this year, certain DoD contractors need to ensure they are in compliance with NIST SP 800-171 DFARS 252.204-7012 requires compliance by 12/31/17 Ghost of contracts past For all contracts awarded prior to 10/1/17, contractors should have notified the DoD CIO via email within 30 days of award if the contractor had not implemented any of the security requirements in NIST SP 800-171 by the time of contract award 5

What Is NIST SP 800-171? Developed by NIST together with National Archives and Records Administration ( NARA ) Living document; latest version is Revision 1, issued December 2016 Geared specifically toward nonfederal systems to provide standardized security requirements for protecting controlled unclassified information ( CUI ) Outgrowth of Congress direction to NIST in the Federal Information Security Management Act ( FISMA ) Security requirements are derived from Federal Information Processing Standards ( FIPS ) Publication 200 ( basic security requirements ) and NIST Publication SP 800-53 ( derived security requirements ) 6

What Is NIST SP 800-171? Performance-based to avoid mandating specific solutions and to facilitate use of contractor s existing security practices/systems Organized into 14 security families : Access Control Awareness and Training Audit and Accountability Configuration Management Identification and Authentication Incident Response Maintenance Media Protection Personnel Security Physical Protection Risk Management Security Assessment System and Communications Protection System and Information Integrity 7

Who Has to Comply by 12/31/17? 1. Contractors with DoD contracts containing DFARS 252.204 7012 This DFARS clause should be in all DoD contracts, including commercial item procurements, except for contracts solely for the acquisition of Commercial Off the Shelf ( COTS ) items 2. That own or operate a nonfederal contractor information system Different security requirements apply to contractor information systems part of an IT service or system operated on behalf of the Government (i.e., a federal system) 3. And have CUI in their nonfederal contractor information system 8

Drill Down on CUI Covered defense information means unclassified controlled technical information or other information as described in the CUI Registry Available at: www.archives.gov/cui/registry/category-list.html The CUI Registry organizes CUI into 25 different industry categories (some with subcategories) such as agriculture, immigration, intelligence, tax, and transportation Two key points on CUI: Government must mark or otherwise identify the CUI in the contract, task order, or delivery order and provide it to the contractor in support of contract performance; or The contractor (or another party on its behalf) collects, develops, receives, transmits, uses, or stores CUI in support of the contract 9

Real-World Examples of CUI CUI is a broad category that encompasses many different types of sensitive, but not classified, information, including: Personally identifiable information such as health records Engineering drawings Technical reports and analyses Law enforcement procedures and enforcement actions Software code developed under the contract 10

Who Is Not Covered (Yet)? Contractors that do not perform on DoD contracts containing DFARS 252.204-7012 do not need to comply The clause does not apply retroactively However, a CO could modify your contract to add the clause For Non-DoD contractors, NIST SP 800-171 is coming to the FAR (potentially as soon as next year) and could already be required by a civilian agency or contract In the meantime, FAR 52.204-21 (implemented in June 2016) should be in most civilian agency contracts and contains basic safeguarding requirements for contractor information systems based on NIST SP 800-171, but does not explicitly require compliance with NIST SP 800-171 11

Exception for COTS DFARS 252.204-7012 (and its requirement to comply with NIST SP 800-171 by 12/31/17) does not apply to contractors that only perform contracts that are solely for COTS, which are: A commercial item; Sold in substantial quantities in the commercial marketplace; and Offered to the federal government, under a contract or subcontract at any tier, without modification, in the same form as it is sold in the commercial marketplace If you have some contracts that are not for COTS, or not solely for COTS, the blanket exception does not apply 12

Exception for Commercial Item Contracts? Unlike for COTS, there is no blanket exception for commercial items All COTS are commercial items, but all commercial items are not necessarily COTS DFARS 252.204-7012 recognizes that, on many commercial item procurements, DoD does not provide covered defense information to the contractor as a necessary component of performing the work In this scenario, DFARS 252.204-7012 (and the requirement to comply with NIST SP 800-171 by 12/31/17) does not apply 13

Applicability to Subcontractors DFARS 252.204-7012 (and the requirement to comply with NIST SP 800-171 by 12/31/17) must be flowed down to subcontractors, but only when subcontract performance is for operationally critical support or CUI is necessary for performance of the subcontract Operationally critical support is essential to mobilization, deployment, or sustainment of the Armed Forces in a contingency operation Contractor may consult with the CO if uncertain about whether to flow down the clause to subcontractors 14

Applicability to Small Businesses No exceptions for small businesses if the requirements apply, they apply the same to large and small contractors Solicitations should advise when compliance is necessary, which DoD believes gives small businesses time to bring their system into compliance and negotiate the terms of the contract Negotiation may mean submitting a request to be excluded from certain requirements in NIST SP 800-171 or to use alternatives 15

Why Compliance is Critical Compliance creates a competitive advantage for prime contracts and subcontracts Non-compliance could lead to the parade of horribles Breach of contract damages Termination for default and reprocurement costs Negative past performance reviews Poor evaluation rating Vulnerability in post-award protests False Claims Act exposure Suspension and/or debarment 16

Understand NIST SP 800-171 Examine the requirements Perform a gap assessment of your system and practices compared to requirements Your current system/practices may not be as far off as you fear Need to determine what your company policy should be and how to configure your system to implement the policy Outside consultants specialize in this assessment if you cannot do it all internally but no third party certificate required for NIST SP 800-171 compliance Costs of compliance should be allowable costs 17

Utilize NIST Special Publication 800-171A Draft of NIST SP 800-171A published a few days ago Public comment period: November 28 through December 27, 2017 This publication is an assessment tool to help when evaluating compliance with NIST SP 800-171 Think of it as a companion guide to NIST SP 800-171 Available here: https://csrc.nist.gov/publications/detail/sp/800-171a/draft 18

Utilize NIST Handbook 162 Another guide for NIST SP 800-171 compliance, geared toward U.S. manufacturers but may be useful for others as well Provides guidance for assessing IT systems against NIST SP 800-171 for manufacturers Tracks the security requirements within each family Gives questions to be answered to assess whether a company is meeting that security requirement with suggestions Available here: https://doi.org/10.6028/nist.hb.162 19

Make Important Policy and Security Decisions NIST guidance helps you walk through the company policy and security decisions you will need to make and implement, such as: Do you use passwords? Do you require users to log in to gain access? Do you maintain a list of authorized users? Do you only grant enough privileges to users to allow them to do their jobs? Do you restrict access to privileged functions to authorized users? Does your system lock out after a certain number of failed login attempts? 20

Requests for Variance Contractors are not expected to follow one defined path, that is why the requirements are performance based If you should be excepted from a requirement, or have a suitable alternative, request a variance Requests must be submitted in writing to the CO For new contracts, DFARS 252.204-7008 indicates a variance should be requested early in the selection process so approval can be included in the contract DoD will consider if the alternative is equally effective or if the condition requiring the security control is not present 21

Compliance Tips for Small Businesses Compliance can be difficult and costly for small businesses, but you may already have systems in place to protect your information that also satisfies NIST SP 800-171, so leverage your existing systems and practices as much as you can For companies new to the requirements, DoD suggests a reasonable approach provided in FAQ Available here: http://www.acq.osd.mil/dpap/pdi/docs/faqs_network_ Penetration_Reporting_and_Contracting_for_Cloud_Ser vices_(01-27-2017).pdf 22

DoD s Reasonable Approach For Compliance Does the company have proper policies or processes? Has the IT been configured securely? Does the company need security-related software (e.g., anti-virus) or additional hardware (e.g., firewall)? Refer to the mapping table in Appendix D to NIST SP 800-171 and check the corresponding control in NIST SP 800-53 Can in-house IT personnel accomplish changes or does company need outside assistance? 23

Other Applicable Requirements If you are subject to DFARS 252.204-7012, be mindful of other requirements you have to meet under the clause beyond NIST SP 800-171, including: Rapid reporting (72 hours) of any cyber incident that affects a covered contractor information system, the covered defense information, or that affects the contractor s ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract Preservation and government inspection requirements Reporting on malicious software Ensure cloud service providers, if used, follow certain security requirements 24

What PM Can Do to Help Review your contracts with agencies and third parties Are the cybersecurity FAR or DFARS clauses included, or are any other contract-specific cybersecurity requirements imposed? Did the government mark CUI? Do your contracts with primes, subs, JV partners, etc., include proper flow down clauses and allocation of risk/liability? Assist with development of a written plan for implementing necessary security measures Facilitate technical gap assessments for your IT system Answer questions as you explore cybersecurity and online property insurance 25

What PM Can Do to Help Prepare and negotiate variance requests Draft, revise, and update internal controls, procedures, and policies to ensure compliance with the applicable security requirements Critical to have buy-in at all levels of the organization and clear company policies in support Incorporate into your employee handbook Train your people Spell out processes and chain of command for oversight and responding to a security issue 26

Questions? Jon Williams jwilliams@pilieromazza.com Kimi Murakami kmurakami@pilieromazza.com 888 17th Street, NW 11th Floor Washington, DC 20006 202-857-1000 This material is presented with the understanding that the author is not rendering any legal, accounting, or other professional service or advice. Because of the rapidly changing nature of the law, information contained in this presentation may become outdated. As a result, the user of this material must always research original sources of authority and update information to ensure accuracy when dealing with a specific legal matter. In no event will the author be liable for any damages resulting from the use of this material.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback