Safeguarding Covered Defense Information

Safeguarding Covered Defense Information (Cyber Security briefing, November 2017)

What DoD is Doing
- Securing DoD's information systems and networks
- Organizing cybersecurity responsibilities and procedures for the acquisition workforce in defense acquisition policy
- Imposing contractual requirements through the Defense Federal Acquisition Regulation Supplement (DFARS)
- Leveraging security standards such as those identified in National Institute of Standards and Technology (NIST) Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations" (Revision 1 published December 2016)

Adequate Security / Minimum Protections
DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
- Scope: all solicitations and contracts, except those solely for the acquisition of COTS items
- What information: Covered Defense Information (CDI) and operationally critical support
- Adequate security / minimum protections: NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
- When the minimum protections must be in place: as soon as practicable, but not later than December 31, 2017
- Subcontractor flowdown: the contractor determines whether the information required for subcontractor performance retains its identity as CDI; if it does, the clause flows down to that subcontract

Network Security Requirements to Safeguard CDI
DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, paragraph (b):
"(b) Adequate security. The Contractor shall provide adequate security on all covered contractor information systems. To provide adequate security, the Contractor shall implement, at a minimum, the following information security protections:
(2) For covered contractor information systems that are not part of an IT service or system operated on behalf of the Government ...
(ii)(A) The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017.
(3) Apply other information systems security measures when the Contractor reasonably determines that information systems security measures, in addition to those identified ... may be required to provide adequate security in a dynamic environment or to accommodate special circumstances (e.g., medical devices) and any individual, isolated, or temporary deficiencies based on an assessed risk or vulnerability. These measures may be addressed in a system security plan."

What is Covered Defense Information?
Unclassified controlled technical information (CTI), or other information as described in the CUI Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, AND is either:
- Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; OR
- Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

Controlled Technical Information
A subset of CDI, defined as technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information is to be marked with one of the distribution statements B through F. The term does not include information that is lawfully publicly available without restrictions.
Reasons for assignment of distribution statements B-F in technical documents:
- Critical Technology
- Export Controlled
- Foreign Government Information
- Operations Security
- Premature Dissemination
- Proprietary Information
- Test and Evaluation
- Software Documentation
- Vulnerability Information
- Contractor Performance Evaluation
- Administrative or Operational Use

NIST SP 800-171
- Developed for use on contractor and other nonfederal information systems to protect CUI (Revision 1 published December 2016)
- A standardized set of performance-based requirements for all CUI security needs
- Most requirements concern policy, process, and configuring IT securely, but some may require security-related software or hardware
- Enables contractors to comply using systems and practices likely already in place

NIST SP 800-171: 14 Families of Security Requirements
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity

Approach to Implementing NIST SP 800-171
Most requirements in NIST SP 800-171 are about policy, process, and configuring IT securely, but some may require security-related software or hardware. For companies new to the requirements, a reasonable approach would be to:
1. Examine each requirement to determine whether it is:
   - a policy or process requirement
   - a policy/process requirement that must be implemented in IT (typically by configuring the IT in a certain way or by using specific software)
   - an IT configuration requirement
   - a requirement for additional software or hardware
   Note: the complexity of the company's IT system may determine whether additional software or tools are required.
2. Determine which requirements can readily be accomplished by in-house IT personnel and which require additional research.

Approach to Implementing NIST SP 800-171
3. Develop a plan of action and milestones to implement the requirements.
4. Limit the scope to the policy and process requirements, and to the IT configuration of the systems that process, store, transmit, and/or display CDI.
5. Consider isolating the systems that process, store, transmit, and/or display CDI into their own security domain.
Don't try to boil the ocean.

Network Security Requirements to Safeguard CDI
For all contracts awarded prior to October 1, 2017, the Contractor shall notify the DoD Chief Information Officer (CIO), via email at osd.dibcsia@mail.mil, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award (see 252.204-7012(b)(2)(ii)(A)).
If the offeror proposes to vary from NIST SP 800-171, the offeror shall submit to the Contracting Officer a written explanation of:
- why the security requirement is not applicable; or
- how an alternative but equally effective security measure is used to achieve equivalent protection
(see 252.204-7008(c)(2)(i) and 252.204-7012(b)(2)(ii)(B)).

Cyber Incident Reporting
DFARS 252.204-7012(c), cyber incident reporting requirement:
- Triggered when the Contractor discovers a cyber incident affecting a covered contractor information system or Covered Defense Information
- The report must contain the required elements of a cyber incident report
- Submitting the report requires a DoD-approved medium assurance certificate; for information on obtaining one, see: http://iase.disa.mil/pki/eca/Pages/index.aspx

When You Have a Cyber Incident
- Conduct a review for evidence of compromise of CDI, including, but not limited to: compromised computers, compromised servers, specific data, user accounts, and covered contractor information systems
- Rapidly report to http://dibnet.dod.mil

Within 72 Hours
Within 72 hours, report as much of the following as is available:
Contract and organization details:
- Company name
- Company Point of Contact (POC)
- Data Universal Numbering System (DUNS) Number
- Contract number(s) or other type of agreement affected
- CAGE code
- Contracting Officer or other agreement POC
- USG Program Manager POC
- Contract or other agreement clearance level
- Facility CAGE code
- Facility Clearance Level
- Impact to CDI
Incident details:
- Ability to provide operationally critical support
- Date incident discovered
- Location(s) of compromise
- Incident location
- DoD programs, platforms or systems involved
- Type of compromise
- Description of technique or method used in incident
- Incident outcome
- Incident/Compromise narrative
- Any additional information

Resources
Defense Federal Acquisition Regulation related information:
- Cyber Security FAQs: http://www.acq.osd.mil/dpap/pdi/docs/FAQs_Network_Penetration_Reporting_and_Contracting_for_Cloud_Services_(01-27-2017).pdf
- 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting: http://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012
- DFARS PGI 204.73: http://www.acq.osd.mil/dpap/dars/pgi/pgi_htm/PGI204_73.htm#204.7303-3
- Webinar: What is NIST SP 800-171 and how does it apply to small business? https://cset.inl.gov/SitePages/Webinar2.aspx
- Controlled Unclassified Information (CUI) Registry: http://www.archives.gov/cui/registry/category-list.html
- NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations: https://doi.org/10.6028/NIST.SP.800-171r1
- NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations: http://dx.doi.org/10.6028/NIST.SP.800-53r4
- NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: http://dx.doi.org/10.6028/NIST.SP.800-53Ar4

Additional Resources: Collaboration
- Cyber Information Sharing and Collaboration Program (CISCP): https://www.dhs.gov/ciscp
- Department of Defense Cyber Crime Center's DoD-Defense Industrial Base (DIB) Collaborative Information Sharing Environment (DCISE): http://www.dc3.mil/cyber-security/
- Industrial Control Systems Cyber Emergency Response Team (ICS-CERT): https://ics-cert.us-cert.gov/
- Information Sharing and Analysis Centers (ISACs): https://www.nationalisacs.org/
- Information Sharing and Analysis Organizations (ISAOs): https://www.dhs.gov/isao
- InfraGard: https://www.infragard.org/

Additional Resources: Training
- Center for Development of Security Excellence (CDSE): http://www.cdse.edu/catalog/cybersecurity.html
- Federal Communications Commission's Cyberplanner: https://www.fcc.gov/cyberplanner
- Information Assurance Support Environment Online Training: http://iase.disa.mil/eta/Pages/online-catalog.aspx
- National Initiative for Cybersecurity Education (NICE): http://csrc.nist.gov/nice/index.htm
- Small Business Community (SBC) Computer Security Workshops: http://csrc.nist.gov/groups/SMA/sbc/workshops.html
- U.S. Computer Emergency Readiness Team's Resources for Business: https://www.us-cert.gov/ccubedvp/business
- U.S. Small Business Administration's Cybersecurity for Small Businesses: https://www.sba.gov/tools/sba-learning-center/training/cybersecurity-small-businesses