DFARS Unclassified Controlled Technical Information (UCTI) Process and Procedures Update

Background

June 2011 – DoD proposes new DFARS rule for protecting controlled unclassified information
  - Industry meeting scheduled for November 15, 2011
  - Comments due December 2011
February 2013 – Executive Order 13636 on Improving Critical Infrastructure Cybersecurity
  - Executive Branch response to Congressional inability to pass legislation
October 10, 2013 – SecDef memo on Protecting Unclassified Controlled Technical Information
  - Instructs AT&L to "take immediate action to improve the protection of unclassified controlled technical information that resides on or passes through defense contractor systems or networks."
November 18, 2013 – DoD publishes new DFARS cyber rule
December 16, 2014 – PGI, FAQs, and media submission instructions released
February 20, 2015 – Executive Order 13691 on Promoting Private Sector Cybersecurity Information Sharing
  - Cyber Threat Intelligence Integration Center (CTIIC) and Information Sharing & Analysis Organizations (ISAOs)
May 12, 2015 – Comments due for NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (Final Public Draft)

DIB Collaboration – US Govt (Today)

Utilize a trusted community among government, public, and/or private sector entities that enhances collaboration and builds threat knowledge to enable DIB cyber defense.

Participants shown on the slide:
  - DoD: Secretary of Defense; U.S. Cyber Command (USCYBERCOM); CIO; Defense Industrial Base (DIB) Cyber Program; Defense Cyber Crime Center (DC3); Federal Acquisition Regulation (FAR) and Defense FAR Supplement (DFARS); Defense Security Service (DSS)
  - Dept of Homeland Security: Critical Infrastructure Partnership Advisory Council (CIPAC); Sector Coordinating Councils (SCCs, i.e., DIB SCC); Critical Infrastructure Information Sharing & Analysis Center (ISAC)
  - White House / Capitol Hill: Senate/House legislation; Cyber Security Coordinator
  - Other agencies: Federal Bureau of Investigation (FBI)
  - Industry: National Defense Industrial Association (NDIA); DIB Information Sharing Analysis Organization (ISAO); aerospace & defense companies – partners/suppliers/competitors
  - International: 5EYE

Tracking Cybersecurity Legislation To Date

Cyber Legislation Summary
  - 44 introduced/proposed bills
  - 38 in committee
  - 4 passed one chamber
  - 1 vetoed, override failed in Senate – Keystone Pipeline
  - 1 act/law (energy appropriation & authorization only)

Pending Activity/Regulation
  - NIST 800-171
  - NDAA Sections 941 & 1645, incident reporting
  - SECDEF DoD Cyber Strategy (classification for critical)
  - Critical infrastructure potential regulation (Framework & C3)

Current Concerns
  1. Customer requirements / contract language
  2. DFARS/FAR Safeguarding Unclassified Controlled Technical Information (UCTI) & Controlled Unclassified Information (CUI)
  3. DoD AT&L Better Buying Power 3.0 includes cyber for the product life cycle
  4. ~30 cyber-related legislative proposals
  5. Executive Orders focused on cybersecurity

Proposal | Sponsor | Status
H.R. 1560: Protecting Cyber Networks Act | Rep. Devin Nunes [R-CA22] | Passed House Apr 22, 2015
S. 754: Cybersecurity Information Sharing Act of 2015 | Sen. Richard Burr [R-NC] | Reported by Committee: Mar 17, 2015
S. 456: Cyber Threat Sharing Act of 2015 | Sen. Thomas Carper [D-DE] | Referred to Committee: Feb 11, 2015
H.R. 1731: National Cybersecurity Protection Advancement Act of 2015 | Rep. Michael McCaul [R-TX] | Apr 23, 2015

Cybersecurity Regulation Status

PGI & FAQ released
  - Addressed ambiguities in certain areas, but questions remain within industry
DoD / industry working practical implementation issues, to include:
  - Marking DFARS Unclassified Controlled Technical Information (UCTI)
  - AIA DFARS Working Group meeting, working on marking and commercial item clarifications
  - UCTI update at DoD DIB POWG, 7 May 2015
  - MDA DFARS UCTI Regulation Guideline draft
  - Addressing supplier questions and concerns
  - Working through incident reporting ambiguity: encrypted laptops; compromise with no data loss
Defense Acquisition University DoD training planned for Dec 2015

Watch Items

Cyber security contract language
  - Agencies / programs including additional cyber language in contracts to address protection of unclassified program information
  - Scope greater than program-specific systems
  - Requirements contradictory / duplicative
  - Potential for significant cost impact (e.g., supply chain)
Incident reporting
  - Inconsistencies with DFARS incident reporting requirements (who, what, when, how)
Damage assessment
  - Program/CO/DAMO independent of DoD backend process
Disparate agency/program guidelines (CUI, definitions, compliance, & reporting)
  - References to both DIACAP & DFARS without RMF
  - PPP, IA Plan, SSP, IA questions, etc. – varied requests
NDAA – National Defense Authorization Acts

DFARS UCTI: 65% of new awards DoD-wide

Source: http://www.acq.osd.mil/dpap/pdi/eb/monthly_contract_distribution_metrics.html

Subcontractors and Suppliers

The contract clause is in effect as of November 18, 2013, and must be included in all new DoD contracts, including contracts for commercial items. The contract clause also must be flowed down to all subcontractors regardless of size and to all tiers of the supply chain.

Do I as a supplier need to notify my prime of my status on DFARS Clause 252.204-7012?
If a supplier is non-compliant with the NIST cyber security controls outlined in DFARS Clause 252.204-7012, then the supplier should immediately notify the prime.

What are the incident reporting requirements?
A supplier must report an incident to the prime within 72 hours of discovery of any cyber incident that affects UCTI and cooperate with the investigation process. Please note: the cyber incident reporting requirements associated with this DFARS clause do not negate any additional reporting requirements found in the contract between the prime, subcontractor and the supplier.

Summary

Ongoing progress: DoD & DIB working together
  - Contract language in addition to DFARS UCTI
  - Supply chain concerns
  - Technology/architecture impacts (cloud services, mobility, enterprise/segments/programs)
  - Marking
  - Commercial items
  - Incident reporting for UCTI on multiple contracts
  - Damage assessment by programs, DoD program offices, and/or COs
Future requirements
  - Potential FAR in 2015 with NIST 800-171; CUI implies additional controls
  - Better Buying Power 3.0 with cybersecurity area
  - Legislative focus on information sharing; once law, will protection and controls be the focus for legislative proposals?