The FAR Basic Safeguarding Rule

Similar documents
Another Cook in the Kitchen: The New FAR Rule on Cybersecurity

DOD s New Cyber Requirements: Impacts on DOD Contractors and Subcontractors

Click to edit Master title style

Get Compliant with the New DFARS Cybersecurity Requirements

DFARS Cyber Rule Considerations For Contractors In 2018

PilieroMazza Webinar Preparing for NIST SP December 14, 2017

Preparing for NIST SP January 23, 2018 For the American Council of Engineering Companies

Cybersecurity for Government Contractors: Preparing for Cyber Incidents in 2017

Industry Perspectives on Active and Expected Regulatory Actions

ROADMAP TO DFARS COMPLIANCE

Regulating Information: Cybersecurity, Internet of Things, & Exploding Rules. David Bodenheimer Evan Wolff Kate Growley

Compliance with NIST

Tinker & The Primes 2017 Innovating Together

INTRODUCTION TO DFARS

SAC PA Security Frameworks - FISMA and NIST

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

New Process and Regulations for Controlled Unclassified Information

COMPLIANCE IN THE CLOUD

Safeguarding of Unclassified Controlled Technical Information. SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION (NOV 2013)

NIST Special Publication

Federal Initiatives to Protect Controlled Unclassified Information in Nonfederal Information Systems Against Cyber Threats

Executive Order 13556

Department of Defense Cybersecurity Requirements: What Businesses Need to Know?

2018 SRAI Annual Meeting October Dana Rewoldt, CRA, Associate Director of OIPTT, Iowa State University, Ames, IA, USA

Cybersecurity Risk Management

New Cyber Rules. Are You Ready? Bob Metzger, RJO Dave Drabkin, DHG Tom Tollerton, DHG. Issues in Focus Webinar Series. government contracting

Information Security Issues in Research

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Overview of Key E.U. and U.S. Privacy and Cybersecurity Laws. Brett Lockwood Smith, Gambrell & Russell, LLP May 15, 2018

Access to University Data Policy

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

cybersecurity challenges for government contractors

OFFICE OF THE UNDER SECRETARY OF DEFENSE 3000DEFENSEPENTAGON WASHINGTON, DC

Safeguarding Unclassified Controlled Technical Information

DFARS , NIST , CDI

Safeguarding unclassified controlled technical information (UCTI)

CYBER SECURITY BRIEF. Presented By: Curt Parkinson DCMA

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

Protecting Your Business: Best Practices for Implementing a Legally Compliant Cybersecurity Program Trivalent Solutions Expo June 19, 2014

Cybersecurity Challenges

Handbook Webinar

Controlled Unclassified Information (CUI) and FISMA: an update. May 12, 2017 Mark Sweet, Nancy Lewis, Grace Park Stephanie Gray, Alicia Turner

DRAFT. NIST MEP CYBERSECURITY Self-Assessment Handbook

Safeguarding Controlled Unclassified Information and Cyber Incident Reporting. Kevin R. Gamache, Ph.D., ISP Facility Security Officer

Cyber Security Challenges

DoD Guidance for Reviewing System Security Plans and the NIST SP Security Requirements Not Yet Implemented This guidance was developed to

IMPROVING CYBERSECURITY AND RESILIENCE THROUGH ACQUISITION

DEFENSE LOGISTICS AGENCY AMERICA S COMBAT LOGISTICS SUPPORT AGENCY. Cyber Security. Safeguarding Covered Defense Information.

Introduction to AWS GoldBase

Data Processing Agreement

Business Partner Security Standard

DFARS and the Aerospace & Defence Enterprise

Don t Become a Poster Child for a Cyber Breach

Compliance with CloudCheckr

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

Cyber Security Challenges

ISO27001:2013 The New Standard Revised Edition

The Honest Advantage

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Top Five Privacy and Data Security Issues for Nonprofit Organizations

Integrating Information Security Protections In Supplier Agreements: Guidance for Business and Technology Counsel

Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations (NIST SP Revision 1)

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

DFARS Defense Industrial Base Compliance Information

Data Privacy and Cybersecurity

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

Click to edit Master title style

Document Cloud (including Adobe Sign) Additional Terms of Use. Last updated June 5, Replaces all prior versions.

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation

UCOP ITS Systemwide CISO Office Systemwide IT Policy

Outline. Other Considerations Q & A. Physical Electronic

Data Use and Reciprocal Support Agreement (DURSA) Overview

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Hacking and Cyber Espionage

Integrating HIPAA into Your Managed Care Compliance Program

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

SYSTEMS ASSET MANAGEMENT POLICY

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

Defense Security Service. Strategic Plan Addendum, April Our Agency, Our Mission, Our Responsibility

Red Flags/Identity Theft Prevention Policy: Purpose

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

Post-Secondary Institution Data-Security Overview and Requirements

ISOO CUI Overview for ACSAC

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

Why is the CUI Program necessary?

Rev.1 Solution Brief

ISACA Cincinnati Chapter March Meeting

SECURITY & PRIVACY DOCUMENTATION

2018 Data Security Incident Response Report Building Cyber Resilience: Compromise Response Intelligence in Action

Identifying and Implementing FAR Basic Safeguarding Requirements

Appendix 12 Risk Assessment Plan

USA HEAD OFFICE 1818 N Street, NW Suite 200 Washington, DC 20036

INFORMATION ASSURANCE DIRECTORATE

Emsi Privacy Shield Policy

Supplier Training Excellence Program

Housecall Privacy Statement Statement Date: 01/01/2007. Most recent update 09/18/2009

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Business continuity management and cyber resiliency

Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?

DFARS Safeguarding Covered Defense Information The Interim Rule: Cause for Confusion and Request for Questions

Transcription:

The FAR Basic Safeguarding Rule Erin B. Sheppard, Partner Michael J. McGuinn, Counsel December 8, 2016

Agenda Regulatory landscape FAR Rule History Requirements Harmonization Subcontract issues What s next? 2

Regulatory Landscape Contractors faced with patchwork of legal requirements FISMA Industry/agency-specific requirements (e.g., DOD, NASA, GSA, DOE) SEC disclosures for material cyber incidents HIPAA requirements FTC treatment of breaches as unfair trade practice State-specific breach notification laws International requirements Private sector requirements (e.g., PCI DSS, subcontract requirements) 3

The Proposed FAR Safeguarding Rule Proposed rule (77 Fed. Reg. 51,496 (Aug. 24, 2012)) Done under authority of FISMA Proposed rule intended to be broadly applicable to information systems containing non-public information provided by or generated for the government Rule contained security standards applicable to various information security areas: Use of public computers or websites Transmission of electronic information Transmission of voice/fax information Physical and electronic barriers Sanitization Intrusion protection Transfer limitations Basis for security controls unclear 4

The Final FAR Safeguarding Rule Effective June 15, 2016 (81 Fed. Reg. 30,439 (May 16, 2016)) Intended to establish a basic level of safeguarding for all federal government contractors Intent is that the scope and applicability of this rule [will] be very broad. Prime and subcontract level Commercial items (but not COTS) Small businesses 5

Applicability Applies to contractor information systems that process, store, or transmit federal contract information Nonpublic information that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government Contract must be for development or delivery of product or services Information need not be No marking requirements 6

Applicability (cont.) Information provided by the government would include any government-furnished information Information generated for the government would cover: Any information required by a CDRL Technical data Cost data (labor rates, indirect costs) Project controls reporting/evms data Does not include simple transactional information, such as necessary to process payments 7

Requirements Intended to create a baseline of controls for federal contractors Other controls (e.g., DOD) will overlay Imposes 15 different security requirements on contractors Selected from NIST 800-171 basic and derived controls Compliance with all 100+ controls not required Controls are static, not cross-referenced to NIST 800-171 No grace period for implementation; controls mandatory at the time of award 8

Requirements (cont.) Required controls: Limit system access to authorized users Limit system access to the types of transactions/functions users are permitted to execute Verify/control/limit connections to external systems Control publicly accessible information Identify users, devices, or processes Authenticate or verify user identifies prior to permitting access to information systems Sanitize or destroy information system media Limit physical access to authorized individuals Escort visitors and monitor visitor activity; maintain audit logs of access 9

Requirements (cont.) Required controls (cont.): Monitor and protect organization communications at external and key internal boundaries Implement subnetworks for publicly accessible system components that are physically/logically separated from internal networks Identify, report, and correct information and information system flaws in a timely manner Protect from malicious code Update malicious code protection mechanisms Perform periodic/real-time scans of information system and files 10

The FAR Safeguarding Rule Requirements (cont.) Controls do not include: Security policies and procedures Training requirements Multi-factor authentication Incident response plans Tracking of incidents internally and externally Control of removable media/prohibition on use of portable storage devices Personnel screening Security assessments Prohibition of password reuse 11

Relationship to DOD Rule DFARS CDI clause requires compliance with all 15 FAR clause requirements Contractors should prioritize implementation of FAR controls in any implementation plan FAR rule more limited than DFARS rule No cyber incident reporting No grace period No pre-award representation of compliance/use of alternative approaches No post-award disclosures of non-compliances No broad government audit/access right 12

Supply Chain Issues Prime contractor responsible for flowing down clauses but who will government hold responsible for incident? Possible prime contractor approaches: Conduct some form of system verification through audit Require subcontractor representation of compliance Establish contract mechanisms for system audit rights, NDA and indemnification for breaches/challenges Educate suppliers Flow down clause and do nothing more 13

Supply Chain Issues (cont.) If contractor learns that subcontractor cannot/will not comply with clause requirements, prime should: Find a compliant subcontractor Preclude subcontractor from handling federal contract information (if possible) Identify/document the subcontractor s security capabilities and ask subcontractor to attest to the adequacy of those capabilities Any other factors showing trustworthiness Confirm prompt reporting is in place 14

Supply Chain Issues (cont.) Subcontractor avoidance options: Determine whether you are in fact a subcontractor Assess whether you need/will have federal contract information Attempt to resist inclusion of clause or reach agreement that it is inapplicable Clarify existence of covered defense information (if applicable) Limit/control covered defense information locations (if applicable) Self-assess compliance with FAR clause controls and develop implementation plan FAR rule likely the first step A prudent business person would employ this most basic level of safeguarding, even if not covered by this rule. 15

Consequences of Noncompliance Source selection impacts But see Discover Technologies LLC, GAO B-412773 Breach of contract Termination for default FCA liability (no express certification currently required) Negative past performance evaluations Declination of options (USIS) Suspension and debarment 16

Final Considerations Know what data/information you have and applicable requirements Obtain management buy-in, proactive approach Have a plan providing guidance if crisis develops Consider supply chain considerations/partner Document risk management decisions and compliance efforts More developments coming Read your contracts! 17

What s Next? Additional FAR rule forthcoming in conjunction with NARA program for controlled unclassified information (CUI) Final NARA rule (32 C.F.R. Part 2002) confirms that a forthcoming FAR clause will extend the federal CUI security controls to contractors The FAR rule will require contractors dealing with CUI to implement at least some subset of the NIST SP 800-171 controls FAR Council will look to NIST SP 800-171 as source for any mandatory controls for CUI basic and CUI specified information, as established in the CUI Registry The timeline of the forthcoming FAR rule remains uncertain Contractors would be wise to prepare a plan for implementation of both the CUI basic and CUI specified controls 18

Questions? Erin B. Sheppard 202-496-7533 erin.sheppard@dentons.com Michael J. McGuinn 303-634-4333 michael.mcguinn@dentons.com 19

Month Day, Year 20 Thank you Dentons US LLP 1900 K Street, NW Washington, DC 20006-1102 United States Dentons is the world's largest law firm, delivering quality and value to clients around the globe. Dentons is a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral Network. Dentons' polycentric approach and world-class talent challenge the status quo to advance client interests in the communities in which we live and work. www.dentons.com. 2016 Dentons. Dentons is a global legal practice providing client services worldwide through its member firms and affiliates. This publication is not designed to provide legal advice and you should not take, or refrain from taking, action based on its content. Please see dentons.com for Legal Notices.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback