Safeguarding Covered Defense Information

1 Safeguarding Covered Defense Information
CYBER SECURITY
March 2017

2 Goal
Improve DLA's business relationships with its vendor base to better accomplish our shared mission of supporting warfighters worldwide, by mitigating risk and reducing vulnerability to cybercrime.

3 Who is Impacted
DFARS applies to all DoD solicitations and contracts for commercial items
- Exception: solicitations and contracts solely for the acquisition of Commercial Off the Shelf (COTS) items
Requires flow down to:
- Suppliers at all tiers, including commercial suppliers
- Subcontractors at all tiers

4 How?
Provide updates to contractors on cybersecurity requirements:
- Define what is "Covered Defense Information"
- Where and how to apply "Adequate Security"
- Cyber incident reporting requirements

5 Covered Defense Information (CDI)
Defined as:
- Unclassified controlled technical information; or
- Information, as described in the Controlled Unclassified Information (CUI) Registry at: , that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies
AND IS:
- Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
- Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract

6 Covered Defense Information (CDI)
CDI Definition Continued…
DLA L&M will apply the DFARS requirement for safeguarding CDI as follows:
- National Stock Number (NSN) has a demilitarization code other than A; or
- Technical Data Package contains document(s) with a distribution statement other than A; or
- Identification of export control; or
- Information contained in the customer and/or applicable agency-specific critical information list
For DLA L&M, if CDI is included in the technical data package for an acquisition, it will be specifically identified in the Purchase Item Description (PID).
Note: CDI may also be contained in contractor-owned data and is identified with similar contractor-type coding as described above.

7 CDI: Controlled Technical Information
Defined as: technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.
Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F, using the criteria set forth in DoD Instruction , Distribution Statements on Technical Documents.
The term does not include information that is lawfully publicly available without restrictions.

8 Controlled Technical Information
L&M Distribution Statements B-F
Reasons for assignment of distribution statements B-F in L&M technical documents:
- Critical Technology
- Export Controlled
- Foreign Government Information
- Operations Security
- Premature Dissemination
- Proprietary Information
- Test and Evaluation
- Software Documentation
- Vulnerability Information
- Contractor Performance Evaluation
- Administrative or Operational Use
Reference DoDI : see pages of the DoDI for additional details

9 CTI: Controlled Technical Information
Unclassified information, not limited to:
- Design & Manufacturing Technical Data
- Keystone Equipment
- Inspection and Test Equipment
- Or data related to a specific military deficiency of a potential adversary

10 CTI: Export Control
Unclassified information concerning:
- Certain items
- Commodities
- Technology
- Software
- Or other information whose export could reasonably be expected to adversely affect United States national security and nonproliferation objectives

11 CTI: Test & Evaluation
Information related to:
- Protecting results of test/evaluation of commercial products or military hardware
- Applies when disclosure may cause unfair advantage or disadvantage to the manufacturer of the products

12 Applying "Adequate Security"
Information Sharing/Collaboration Toolbox
- Applies only to information systems containing CDI
Implement security protections on:
- IT operated on behalf of the Government
- IT not operated on behalf of the Government
- Based on the contractor's assessed risk or vulnerability

13 IT Not Operated on Behalf of DoD
National Institute of Standards and Technology (NIST) SP 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations
- Isolate CUI into its own security domain
- Limit scope to the particular system or components that hold CUI
- Don't try to boil the ocean

14 NIST SP 800-171 Basic Security
Basic Security Requirements (the 14 requirement families):
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity

15 Implementation of NIST SP 800-171
- Implement NIST SP 800-171 as soon as practical, but not later than (NTL) December 31, 2017
- For contracts awarded prior to October 1, 2017, the Contractor shall notify the DoD Chief Information Officer (CIO), via at , and the contracting officer, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 that were not implemented at the time of contract award

16 Request to Vary from NIST SP 800-171
- Contractors electing to vary/deviate from the NIST SP 800-171 requirement must submit their requests in writing to the Contracting Officer of record
- The Contracting Officer will then submit the request on behalf of the contractor to the DoD CIO for consideration
- Contractors do not need to implement any security requirement adjudicated by an authorized representative of the DoD CIO to be non-applicable, or to have an alternative, but equally effective, security measure that may be implemented in its place
- If the DoD CIO has previously adjudicated the contractor's request indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the Contracting Officer when requesting its recognition under the contract

17 Cyber Incident Reporting Requirements
Contractor discovers a cyber incident affecting:
- Contractor information system
- Covered Defense Information
Required elements of the cyber incident report
DoD-approved medium assurance certificate
- For information on obtaining a DoD-approved medium assurance certificate, see:

18 When you have a Cyber Incident
Conduct a review for evidence of compromise of CDI, including, but not limited to:
- Compromised computers
- Compromised servers
- Specific data
- User accounts
- Covered contractor information systems
Rapidly report to

19 What goes in Cyber Incident Report
Include elements required by

20 Within 72 Hours
Within 72 hours, report as much of the following as possible:
Company and contract information:
- Company name
- Company Point of Contact (POC)
- Data Universal Numbering System (DUNS) Number
- Contract number(s) or other type of agreement affected
- CAGE code
- Contracting Officer or other agreement POC
- USG Program Manager POC
- Contract or other agreement clearance level
- Facility CAGE code
- Facility Clearance Level
- Impact to CDI
Incident information:
- Ability to provide operationally critical support
- Date incident discovered
- Location(s) of compromise
- Incident location
- DoD programs, platforms or systems involved
- Type of compromise
- Description of technique or method used in incident
- Incident outcome
- Incident/Compromise narrative
- Any additional information

21 Questions/Resources
For additional information on the cyber security requirement, please see the following resources:
- FAQs:
- DoDI :
- CUI Registry:
- Medium Assurance Certificate:
- Cyber Incident Report:
- DoD CIO:
- DFARS Clause :
- DFARS PGI :
