Published by Anthony Benson. Modified over 6 years ago.
Slide 1: Introduction to the Federal Defense Acquisition Regulation
Clause 7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting": contractor compliance required by December 2017.
Slide 2: Who Does the 7012 Clause Apply to?
- Government defense contractors
- Educational research
- Government data repositories
- Any entity who handles or accesses USG Unclassified Uncontrolled Technical Information
- Services
"Adequate security" means protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of, information.
Slide 3: What is the Purpose of the 7012 Clause?
The DFARS clause was structured to ensure that unclassified DoD information residing on a contractor's internal information system is safeguarded from cyber incidents, and that any consequences associated with the loss of this information are assessed and minimized via the cyber incident reporting and damage assessment processes. In addition, by providing a single DoD-wide approach to safeguarding covered contractor information systems, the clause prevents the proliferation of cyber security clauses and contract language by the various entities across DoD.
Examine your existing contracts to determine your compliance requirements.
Slide 4: What Needs To Be Done?
- Assess your information systems
- Perform risk analysis and define priorities
- Define the necessary resources
- Create a plan that fits your budget
- Create policies, directives and agreements
- Create processes and procedures
- Remediate and mitigate
- Document baselines
- Socialize the new infrastructure
- Train employees, management and partners
- Readdress compliance frequently
Lifecycle phases: ASSESS, PLAN, IMPLEMENT, SUSTAIN.
Slide 5: DFAR 7012 is Specific to Acquisition
- Does not supersede other contractual requirements
- Does not replace other responsibilities
- Designed to reduce the risk of unintentional or intentional exploitation or spillage
- May be covered as part of the contractor information infrastructure
- Supported by many other Department of Defense directives and instructions
Slide 6: What is considered "Technical Information"?
"Technical information" means technical data or computer software, as those terms are defined in the NIST publication Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, which describes technical data for noncommercial items, regardless of whether or not the clause is incorporated in this solicitation or contract. Examples of technical information include research and engineering data, engineering drawings and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.
Slide 7: Overview of the 7012 Control Set
DFAR Clause 7012 is supported by NIST SP, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations".
- Access Control: supports how users are provisioned, controlled, monitored and managed
- Awareness and Training: supports the continued security training of all contractor personnel
- Audit and Accountability: supports real-time audit of the information environment; also restricts the audit function from administrators and users
- Configuration Management: supports diligent configuration management of all aspects of the information environment; applies to systems, networks, documentation and user provisioning
- Contingency Planning: supports the requirements for adequate contingency planning (includes DRPs and SOPs)
Slide 8: Overview of the 7012 Control Set (Cont.)
- Identification and Authentication: supports the requirements for processes, procedures and methods of identification and authentication of users
- Incident Response: supports the requirements for timely and accurate incident response; scopes who and what needs to happen in situations considered "cyber security incidents"
- Maintenance: defines who, how and when maintenance is provided to the existing information infrastructure; applies to systems, networks, documentation and user provisioning
- Media Protection: supports requirements for protecting media through encryption and "best practice"; supported by other documentation, e.g. data classification guides, DoD instructions, etc.
- Personnel Security: supports the requirement for personnel to be screened, qualified and trained to handle data
Slide 9: Overview of the 7012 Control Set (Cont.)
- Physical Protection: supports the requirement for data access to be limited and controlled with regard to equipment, access and reporting
- Risk Assessment: supports the requirement for vulnerability compliance, patch management, scanning and reporting
- Security Assessment: supports the periodic assessment of the security controls in organizational information systems to determine whether the controls are effective in their application, and the development of plans and processes that support the ongoing security posture of the information system
- System and Communications Protection: supports monitoring, controlling and protecting organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems; also includes the architectural design and change management of information systems
- System and Information Integrity: identify, report and correct information and information system flaws in a timely manner, in addition to providing protection from malicious code and monitoring for system state changes
Slide 10: How to Respond to the 7012 Requirements
- Assess and document your company's information management systems against the applicable security controls
- Remediate non-compliant findings and create a Plan of Action and Milestones to address ongoing requirements
- Remember to address the basic, derived and aggregate security requirements defined in NIST SP
- Constantly test and re-evaluate your compliance posture
Slide 11: "Outsourcing" DFAR 7012 Requirements
Outsourcing may be an alternative for some or all of the controls.
Important factors when considering outsourcing:
- You will remain the liable entity
- Lack of control and audit limitations
- Reduced access to time-sensitive information
Available partnerships:
- Amazon Web Services: currently accredited to Moderate by the US Department of Health
- Other technical service providers: may support some but not all of the controls
Slide 12: Ramifications of 7012 Noncompliance
- Contract cancellation or suspension
- Penalties and fines
- Restricted access to contract resources
- Data breaches for which the contractor is liable
Slide 13: Need more information and assistance obtaining 7012 compliance?
Contact Peregrine Technical Solutions LLC. Phone: (757) -