Safeguarding Covered Defense Information

1 Safeguarding Covered Defense Information
Cyber Security, November 2017

2 What DoD is Doing
- Securing DoD's information systems and networks
- Organizing cybersecurity responsibilities and procedures for the acquisition workforce in defense acquisition policy
- Contractual requirements implemented through the Defense Federal Acquisition Regulation Supplement (DFARS)
- Leveraging security standards such as those identified in National Institute of Standards and Technology (NIST) Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations" (Revision 1 published Dec 2016)

3 Adequate Security/Minimum Protections
DFARS clause Safeguarding Covered Defense Information and Cyber Incident Reporting:
- Scope: All solicitations/contracts except COTS
- What information: Covered Defense Information (CDI); Operationally Critical Support
- Adequate security/minimum protections: NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
- When required to meet minimum protections: As soon as practicable, but not later than Dec 31, 2017
- Subcontractor/flowdown: Contractor to determine whether information required for subcontractor performance retains its identity as CDI

4 Network Security Requirements to Safeguard CDI
DFARS clause Safeguarding Covered Defense Information and Cyber Incident Reporting:
(b) Adequate security. The Contractor shall provide adequate security on all covered contractor information systems. To provide adequate security, the Contractor shall implement, at a minimum, the following information security protections:
(2) For covered contractor information systems that are not part of an IT service or system operated on behalf of the Government:
(ii)(A) The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017.
(3) Apply other information systems security measures when the Contractor reasonably determines that information systems security measures, in addition to those identified … may be required to provide adequate security in a dynamic environment or to accommodate special circumstances (e.g., medical devices) and any individual, isolated, or temporary deficiencies based on an assessed risk or vulnerability. These measures may be addressed in a system security plan.

5 What is Covered Defense Information?
Unclassified controlled technical information (CTI) or other information, as described in the CUI Registry, that requires safeguarding or dissemination controls*, AND is either:
- Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by, or on behalf of, DoD in support of the performance of the contract; OR
- Collected, developed, received, transmitted, used, or stored by, or on behalf of, the contractor in support of the performance of the contract.
* Pursuant to and consistent with law, regulations, and Government-wide policies

6 Controlled Technical Information
Subset of CDI. Defined as: Technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.
Controlled technical information is to be marked with one of the distribution statements B through F. The term does not include information that is lawfully publicly available without restrictions.
Reasons for assignment of distribution statements B-F in technical documents:
- Critical Technology
- Export Controlled
- Foreign Government Information
- Operations Security
- Premature Dissemination
- Proprietary Information
- Test and Evaluation
- Software Documentation
- Vulnerability Information
- Contractor Performance Evaluation
- Administrative or Operational Use

7 NIST SP 800-171
- Developed for use on contractor and other nonfederal information systems to protect CUI (Revision 1 published December 2016)
- Standardized set of performance-based requirements for all CUI security needs
- Most requirements are about policy, process, and configuring IT securely, but some may require security-related software or hardware
- Enables contractors to comply using systems and practices likely already in place

8 NIST SP 800-171: 14 Families of Security Requirements
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity

9 Approach to Implementing NIST SP 800-171
Most requirements in NIST SP 800-171 are about policy, process, and configuring IT securely, but some may require security-related software or hardware. For companies new to the requirements, a reasonable approach would be to:
1. Examine each of the requirements to determine:
- Policy or process requirements
- Policy/process requirements that require an implementation in IT (typically by either configuring the IT in a certain way or through use of specific software)
- IT configuration requirements
- Any additional software or hardware required
Note: The complexity of the company IT system may determine whether additional software or tools are required.
2. Determine which of the requirements can readily be accomplished by in-house IT personnel and which require additional research

10 Approach to Implementing NIST SP 800-171
3. Develop a plan of action and milestones to implement the requirements.
4. Limit scope to the policy and process requirements, and the IT configuration of systems that transmit, process, and/or display CDI.
5. Consider isolating systems that transmit, process, and/or display CDI into their own security domain.
Don't try to boil the ocean.

11 Network Security Requirements to Safeguard CDI
For all contracts awarded prior to October 1, 2017, the Contractor shall notify the DoD Chief Information Officer (CIO), via email, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award (see (b)(2)(ii)(A)).
If the offeror proposes to vary from NIST SP 800-171, the offeror shall submit to the Contracting Officer a written explanation of:
- Why a security requirement is not applicable; or
- How an alternative but equally effective security measure is used to achieve equivalent protection (see (c)(2)(i) and (b)(2)(ii)(B))

12 Cyber Incident Reporting
DFARS (c) Cyber incident reporting requirement: the Contractor discovers a cyber incident affecting:
- A contractor information system
- Covered Defense Information
Required elements of a cyber incident report are listed on the following slides.
Reporting requires a DoD-approved medium assurance certificate. For information on obtaining a DoD-approved medium assurance certificate, see:

13 When You Have a Cyber Incident
Conduct a review for evidence of compromise of CDI, including, but not limited to:
- Compromised computers
- Compromised servers
- Specific data
- User accounts
- Covered contractor information systems
Rapidly report the incident to DoD.

14 Within 72 Hours
Within 72 hours, report as much of the following as is available:
- Company name
- Company Point of Contact (POC)
- Data Universal Numbering System (DUNS) Number
- Contract number(s) or other type of agreement affected
- Contracting Officer or other agreement POC
- Contract or other agreement clearance level
- Facility CAGE code
- Facility Clearance Level
- Impact to CDI
- Ability to provide operationally critical support
- Date incident discovered
- Location(s) of compromise
- Incident location CAGE code
- DoD programs, platforms or systems involved
- Type of compromise
- USG Program Manager POC
- Description of technique or method used in incident
- Incident outcome
- Incident/Compromise narrative
- Any additional information

15 Resources: Defense Federal Acquisition Regulation Related Information
- Cyber Security FAQs: Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS PGI)
- Webinar: What is NIST SP 800-171 and how does it apply to small business?
- Controlled Unclassified Information (CUI) Registry
- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
- NIST Special Publication, Security and Privacy Controls for Federal Information Systems and Organizations
- NIST Special Publication, Assessing Security and Privacy Controls in Federal Information Systems and Organizations

16 Additional Resources: Collaboration
- Cyber Information Sharing and Collaboration Program (CISCP)
- Department of Defense Cyber Crime Center's DoD-Defense Industrial Base (DIB) Collaborative Information Sharing Environment (DCISE)
- Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
- Information Sharing and Analysis Centers (ISACs)
- Information Sharing and Analysis Organizations (ISAOs)
- INFRAGARD

17 Additional Resources: Training
- Center for Development of Security Excellence (CDSE)
- Federal Communications Commission's Cyberplanner
- Information Assurance Support Environment Online Training
- National Initiative for Cybersecurity Education (NICE)
- Small Business Community (SBC) Computer Security Workshops
- U.S. Computer Emergency Readiness Team's Resources for Business
- U.S. Small Business Administration's Cybersecurity for Small Businesses
