DFARS Case 2013-D018 Overview and Implementation
Bill Botke, MFC Information Security Officer and Privacy Lead
Agenda
- Problem Statement
- Data… What's the risk?
- Risk Posture
- Adversarial Threats and "Quick Wins"
- Cyber DFARS Overview
- Summary
The Problem
"…I want to mention the serious problem of the loss of unclassified sensitive information to industrial espionage. Some have called the loss of this information through our networks the greatest transfer of wealth in history…providing potential adversaries with huge savings in time and money as they seek to develop weapon systems comparable and even superior to our own…"
Mr. Frank Kendall, Under Secretary of Defense for Acquisition, Technology and Logistics (2013 Lockheed Martin Supply Chain Conference)
Data… It's Everywhere… Every Minute…
Every minute:
- 45 new viruses
- 200 new malicious web sites
- 180 personal identities stolen
- 5,000 examples of malware created
- $2 million lost
Managing Our Risk Posture
There is no such thing as "perfect protection".
[Figure: maturity scale running from High Risk / Low Cost / Low Maturity, through the DFARS Baseline, to the Ideal State of Lower Risk / Higher Cost / Higher Maturity, captioned "Are you here?"]
GOAL: Build a sustainable IT Security Program that balances protection and compliance against the needs to run and support the business.
Adversary Threats & "Quick Wins"
Top Threats to the Defense Industrial Base (DIB):
- Spear Phishing
- Credential Harvesting
- Unsecured Perimeter
"Quick Wins" Mitigations
Process:
- Properly marked/distributed data
- Training and awareness
- Restrict information flow-down
- Shared intelligence (industry/government)
Technical:
- Filtering: category "none" blocking
- Minimize desktop admins
- Two/multifactor authentication
- Eliminate "end of life" Internet-facing systems
First… How did we get here?
Classified Data Protection:
- Jan 1993 – DSS National Industrial Security Program Operating Manual (NISPOM)
- Apr – Office of the Designated Approving Authority (ODAA) Process Manual
Unclassified Data Protection:
- June 2011 – DoD proposes new DFARS rule for protecting controlled, unclassified information
- May 2013 – Snowden articles published, adding increased pressure to protect unclassified information
- Nov 2013 – DoD publishes initial DFARS cyber rules
- Aug – DoD issues interim rule under DFARS Case 2013-D018 (NIST SP)
- Dec 2015 – DoD issues updated rule
- Oct 2016 – Final Cyber DFARS issued
A twenty-year gap in unclassified data protection requirements.
Lockheed Martin Proprietary Information
Cyber DFARS Primer
Covered Defense Information (CDI): unclassified covered technical information ("CTI"), operations security, export controlled information, and any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls, used in the performance/support of a contract.
Mandatory unclassified cyber requirements, applied to all DoD contracts:
- Safeguard Data – the 110 NIST Cyber DFARS controls
- Report Incidents – report cyber incidents within 72 hours
- Flow Down – flow down the Cyber DFARS clause to all suppliers receiving or generating CDI
Covered Defense Information — Definition
Covered Defense Information (CDI) is the term used to identify information that requires protection under the DFARS clause. Covered defense information means unclassified controlled technical information (CTI) or other information as described in the CUI Registry that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is:
- Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; OR
- Collected, developed, received, transmitted, used, or stored by, or on behalf of, the contractor in support of the performance of the contract*
* "In support of the performance of the contract" is not meant to include the contractor's internal information (e.g., human resource or financial) that is incidental to contract performance.
Compliance — Implementation of Cyber DFARS
- By signing, the contractor agrees to comply with the terms of the contract and all requirements of the DFARS clause
- It is the contractor's responsibility to determine whether it has implemented NIST SP
- DoD will not certify that a contractor is compliant with the NIST SP requirements
- Third-party assessments or certifications are not required, authorized, or recognized by DoD
- If oversight related to these requirements is deemed necessary, it can be accomplished through existing FAR and DFARS allowances, or an additional requirement can be added to the terms of the contract
[Sidebar graphic: Innovation Required for Success – Reevaluate and Re-Architect; Perception of Risk has to adapt to Digital Business; Tactics: Exploit Trust, Delivery Vectors, Targeting Social Media]
Safeguard Data – NIST 110 Requirements across 14 Families
- Access Control
- Awareness & Training
- Audit & Accountability
- Configuration Management
- Identification & Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System & Communication Protection
- System & Information Integrity
Subcontractor Flowdown
- Required only when performance will involve operationally critical support or covered defense information
- The contractor shall determine if information required for subcontractor performance is, or retains its identity as, covered defense information and requires safeguarding
- Flowdown is a requirement of the terms of the contract and must be enforced by the prime contractor
- If a subcontractor does not agree to comply with the terms of DFARS Clause –7012, then covered defense information shall not be shared with the subcontractor or otherwise reside on its information system
DCMA Oversight of DFARS Clause
Mitigate risk:
- Encourage corporate-, segment-, or facility-level system security plans, for more consistent implementation and reduced cost
- Verify SSP / POA&Ms are in place; plans will not be assessed against the NIST requirements
- If a potential cyber issue is detected, notify the contractor, DoD program office, and DoD CIO
- During contract receipt/review, verify the clause is flowed to subs/suppliers as appropriate
- For contracts before 10/2017, verify the contractor submitted to the DoD CIO notification of security requirements not yet implemented
- Verify the DoD-approved medium assurance certificate to report cyber incidents
- When required, facilitate entry of the government assessment team via coordination with cognizant government and contractor stakeholders
Resources
- Cybersecurity in DoD Acquisition Regulations page, for related regulations, policy, frequently asked questions, and resources, and for submitting questions
- NIST publications
- NIST Manufacturing Extension Partnership
- NARA CUI Program
- Cybersecurity Evaluation Tool (CSET) – download or request a physical copy of the software; select "Advanced Mode" to display the option to select NIST
Develop a Resilient Mindset
Every control will fail. If the adversary has access to:
- The internal corporate network
- Any username and password
- All documentation & specifications
…what would you do differently?
Summary
- As an Aerospace and Defense supplier, YOU are a target of our adversaries
- You have the responsibility to improve/maintain your cybersecurity posture
- DFARS non-compliance not only increases risk; it could result in contract default, withheld payments, or brand/reputation impacts through CPARS
- Lockheed Martin is working with partners and suppliers
- Risk to LM and customer information from cyber attackers continues to increase
- Regulations such as the Cyber DFARS are here to stay and will continue to evolve
- Ensure a heightened sense of cybersecurity awareness
Contractors are responsible for:
- DFARS Compliance – full conformity with all clause requirements and NIST SP required as of 31 Dec 2017
- Incident Reporting – incidents must be reported to DoD within 72 hours
- Flow Down – the Cyber DFARS clause must be flowed down to all suppliers/subcontractors who store, process and/or generate Covered Defense Information (CDI) as part of contract performance