Supplier Information Session Safeguarding Covered Defense Information and Cyber Incident Reporting, DFARS 252.204-7012 August 16, 2016 Christian Ortego.

1 Supplier Information Session: Safeguarding Covered Defense Information and Cyber Incident Reporting, DFARS 252.204-7012
August 16, 2016
Christian Ortego, Senior Counsel

2 DFARS Cybersecurity Rule
Agenda:
- Evolution of a Rule
- Covered Contractor Information Systems
- NIST Standards
- Reporting Requirements
Disclaimer: The content discussed in this presentation is provided for informational purposes only and does not constitute legal advice or counsel. For legal advice or counsel related to issues discussed herein, please consult your attorney.

3 Evolution of a Rule – DFARS 252.204-7012
- November 2013: initial rule
- August/September 2015: major change
- December 2015: major change
The rule evolved as DoD received comments and feedback from industry.

4 Evolution of a Rule – DFARS 252.204-7012
November 2013: initial rule. Established concepts for:
- Information technology system standards
- Reporting requirement for cyber incidents
- Applied to "cleared contractors" and to systems that store or transmit unclassified controlled technical information (UCTI)
The rule evolved as DoD received comments and feedback from industry.

5 Evolution of a Rule – DFARS 252.204-7012
September 2015: updated standards and expanded scope
- Amended standards from NIST SP to SP (DoD CIO must approve exceptions and alternative measures)
- Expanded the scope of information from unclassified controlled technical information to "covered defense information"
- Expanded regulatory coverage to all contractors and subcontractors
- 72-hour incident reporting requirement to both DoD and the higher-tier contractor
The September change greatly broadened the scope of the rule.

6 Evolution of a Rule – DFARS 252.204-7012
December 2015: current rule
- Extended the deadline to meet NIST SP to December 31, 2017
- Areas of non-compliance must be reported to the DoD CIO
- Same scope of covered information as the September rule
- Required inclusion in all DoD contracts
- Mandatory flowdown to all subcontractor tiers
The December change maintained the rule but extended the NIST standards deadline.

7 Covered Contractor Information Systems
Current rule: systems owned or operated by, or for, a contractor that process, store or transmit "covered defense information," which is:
- Controlled technical information
- Critical information
- Export controlled information; or
- "Any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies (e.g., privacy, proprietary business information)."
Speaker notes: The type of information subject to safeguarding and the additional reporting obligations are not the interim rule's only material changes. Under the previous regime, contractors were only required to report cyber incidents affecting UCTI. The interim rule, on the other hand, requires contractors to report any cyber incident affecting (i) covered defense information (a broader category of data than UCTI), (ii) contractor information systems that contain covered defense information, and/or (iii) information that affects the contractor's ability to provide operationally critical support. For example, under the interim rule, the reporting requirement would be triggered by a cyber incident that affects the contractor's information system housing covered defense information, even if the information itself was not affected.
"Covered information systems" is a broad concept.

8 NIST Standards
Current rule: NIST SP. The deadline to meet NIST SP is as soon as possible, but no later than December 31, 2017.
The standards cover a variety of control families:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk and Security Assessments
- System and Communication Protection
- System and Information Integrity
Over 100 items are included in the standards.

9 Reporting Requirements
Current rule: two main requirements
1. Within 30 days of contract award from HII/NNS/Ingalls, report to the DoD CIO whether you are in compliance with the NIST standards (YES or NO). If NO, you must report the areas of non-compliance to the DoD CIO.
2. Report cyber incidents within 72 hours to BOTH DoD (through ) and NNS/Ingalls.
The reporting requirements are in effect upon award of a contract containing the clause (i.e., the December 2017 deadline DOES NOT change the reporting requirements).
Reporting requirements are in effect now.

10 Questions?
