DFARS Case 2013-D018: Overview and Implementation
Bill Botke, MFC Information Security Officer and Privacy Lead
Agenda
- Problem Statement
- Data…What’s the risk?
- Risk Posture
- Adversarial Threats and “Quick Wins”
- Cyber DFARS Overview
- Summary
The Problem
"…I want to mention the serious problem of the loss of unclassified sensitive information to industrial espionage. Some have called the loss of this information through our networks the greatest transfer of wealth in history…providing potential adversaries with huge savings in time and money as they seek to develop weapon systems comparable and even superior to our own…"
Mr. Frank Kendall, Under Secretary of Defense for Acquisition, Technology and Logistics (2013 Lockheed Martin Supply Chain Conference)
Data…It’s Everywhere…Every Minute…
Every minute:
- 45 new viruses
- 200 new malicious web sites
- 180 personal identities stolen
- 5,000 examples of malware created
- $2 million lost
Managing Our Risk Posture
There is no such thing as "perfect protection".
[Chart: a maturity spectrum running from High Risk / Low Cost / Low Maturity ("Are you here?") through the DFARS Baseline to an Ideal State at Lower Risk / Higher Cost / Higher Maturity]
GOAL: Build a sustainable IT security program that balances protection and compliance against the need to run and support the business.
Adversary Threats & “Quick Wins”
Top Threats to the Defense Industrial Base (DIB):
- Spear Phishing
- Credential Harvesting
- Unsecured Perimeter
“Quick Wins” Mitigations
Process:
- Properly marked/distributed data
- Training and Awareness
- Restrict Information Flow-Down
- Shared Intelligence (Industry/Government)
Technical:
- E-mail Filtering
- Category “none” blocking (block web destinations the proxy cannot categorize)
- Minimize Desktop Admins
- Two/Multifactor Authentication
- Eliminate “End of Life” Internet-facing systems
First…How did we get here?
Classified Data Protection
- Jan 1993 – DSS National Industrial Security Program Operating Manual (NISPOM)
- Apr 2006 – Office of the Designated Approving Authority (ODAA) Process Manual
Unclassified Data Protection
- June 2011 – DoD proposes new DFARS rule for protecting controlled unclassified information
- June 2013 – Snowden articles published, adding pressure to protect unclassified information
- Nov 2013 – DoD publishes initial DFARS cyber rules
- Aug 2015 – DoD issues interim rule under DFARS Case 2013-D018 (NIST SP 800-171)
- Dec 2015 – DoD issues updated rule
- Oct 2016 – Final Cyber DFARS issued
Twenty-year gap in unclassified data protection requirements
Lockheed Martin Proprietary Information
Cyber DFARS Primer
Covered Defense Information (CDI): unclassified controlled technical information (“CTI”), operations security information, export-controlled information, and any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls and is used in the performance or support of a contract.
Mandatory unclassified cyber requirements in all DoD contracts (the clause is prescribed for all DoD solicitations and contracts except those solely for the acquisition of COTS items):
- Safeguard Data – implement the 110 NIST SP 800-171 security requirements
- Report Incidents – report cyber incidents within 72 hours
- Flow Down – flow the Cyber DFARS clause down to all suppliers receiving or generating CDI
Covered Defense Information — Definition
Covered Defense Information (CDI) is the term used to identify information that requires protection under DFARS Clause 252.204-7012.
Covered defense information means unclassified controlled technical information (CTI) or other information, as described in the CUI Registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is:
- Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; OR
- Collected, developed, received, transmitted, used, or stored by, or on behalf of, the contractor in support of the performance of the contract*
* “In support of the performance of the contract” is not meant to include the contractor’s internal information (e.g., human resource or financial) that is incidental to contract performance.
Compliance — Implementation of Cyber DFARS
- By signing the contract, the contractor agrees to comply with the terms of the contract and all requirements of DFARS Clause 252.204-7012
- It is the contractor’s responsibility to determine whether it has implemented NIST SP 800-171
- DoD will not certify that a contractor is compliant with NIST SP 800-171 requirements
- Third-party assessments or certifications are not required, authorized, or recognized by DoD
- If oversight related to these requirements is deemed necessary, it can be accomplished through existing FAR and DFARS allowances, or an additional requirement can be added to the terms of the contract
[Graphic: "Innovation Required for Success" – Re-evaluate and Re-Architect; Perception of Risk has to adapt to Digital Business; Tactics: Exploit Trust, Delivery Vectors, Targeting Social Media]
Safeguard Data – NIST SP 800-171
110 Requirements across 14 Families:
- Access Control
- Awareness & Training
- Audit & Accountability
- Configuration Management
- Identification & Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System & Communications Protection
- System & Information Integrity
Subcontractor Flowdown
- Required only when performance will involve operationally critical support or covered defense information
- The contractor shall determine if information required for subcontractor performance is, or retains its identity as, covered defense information and requires safeguarding
- Flowdown is a requirement of the terms of the contract and must be enforced by the prime contractor
- If a subcontractor does not agree to comply with the terms of DFARS Clause 252.204-7012, then covered defense information shall not be shared with the subcontractor or otherwise reside on its information system
DCMA Oversight of DFARS Clause
MITIGATE RISK
- Encourage corporate-, segment-, or facility-level system security plans for more consistent implementation and reduced cost
- Verify SSP / POA&Ms are in place; DCMA will not assess plans against NIST SP 800-171 requirements
- If a potential cyber issue is detected, notify the contractor, DoD program office, and DoD CIO
- During contract receipt/review, verify the clause is flowed to subs/suppliers as appropriate
- For contracts awarded before 10/2017, verify the contractor submitted to the DoD CIO notification of security requirements not yet implemented
- Verify the contractor holds a DoD-approved medium assurance certificate to report cyber incidents
- When required, facilitate entry of a government assessment team via coordination with cognizant government and contractor stakeholders
Resources
- Cybersecurity in DoD Acquisition Regulations page at http://dodprocurementtoolbox.com for related regulations, policy, frequently asked questions, and resources; email questions to osd.dibcsia@mail.mil
- NIST Publications: https://csrc.nist.gov/publications
- NIST Manufacturing Extension Partnership: https://www.nist.gov/mep
- NARA CUI Program: www.archives.gov/cui
- Cybersecurity Evaluation Tool (CSET): download from https://ics-cert.us-cert.gov or request a physical copy of the software at cset@dhs.gov. Select “Advanced Mode” to display the option to select NIST 800-171
Develop a Resilient Mindset
Every control will fail. If the adversary has access to:
- The internal corporate network
- Any username and password
- All documentation & specifications
What would you do differently?
Summary
- As an Aerospace and Defense supplier, YOU are a target of our adversaries and have a responsibility to improve and maintain your cybersecurity posture
- DFARS non-compliance not only increases risk; it could result in contract default, withheld payments, or brand/reputation impacts through CPARS
- Lockheed Martin is working with partners and suppliers
- Risk to LM and customer information from cyber attackers continues to increase
- Regulations such as the Cyber DFARS are here to stay and will continue to evolve
- Ensure a heightened sense of cybersecurity awareness
Contractors are responsible for:
- DFARS Compliance – full conformity with all clause requirements and NIST SP 800-171 required as of 31 Dec 2017
- Incident Reporting – cyber incidents must be reported to DoD within 72 hours
- Flow Down – the Cyber DFARS clause must be flowed down to all suppliers/subcontractors who store, process, and/or generate Covered Defense Information (CDI) as part of contract performance