Cybersecurity in Government Contracting
David Z. Bodenheimer, Partner, Crowell & Moring LLP
©2015 PubKLearning. All rights reserved.


Slide 1: The Federal Cybersecurity Forest: Statutes, Regulations & Standards
Federal Statutes
–FISMA (44 USC §§ 3551-58)
–Privacy Act (5 USC § 552a)
–HIPAA (42 USC § 1320d-2(d))
Federal Regulations
–FAR §§ 7.103 & 39.101(d) (information security) & § 24.102 (privacy)
–Agency regulations (information security, privacy, & healthcare)
Federal & International Standards
–NIST FIPS & Special Publications (40 USC § 11331(b)(1)(C))
–Other Standards (ISO, COBIT, PCI, etc.)

Slide 2: [diagram] Cyber Statutes / FAR Rules / Agency Rules

Slide 3: Federal Harmonization Imperative
Cybersecurity Executive Order 13636
–“The report shall address what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity.”
FAR Policy on Uniformity
–FAR seeks “uniform policies and procedures for acquisition by all executive agencies.” FAR § 1.101.
Cost-Effective Cybersecurity
–Agency cybersecurity programs and risk analyses must consider cost-effectiveness. 44 USC § 3554.
Better Cybersecurity
–DoD/GSA Report acknowledged that harmonized acquisition regulations would enhance cybersecurity. See Final Report of the Department of Defense and General Services Administration, Improving Cybersecurity & Resilience through Acquisition (Nov. 2013).

Slide 4: [diagram] FAR Rules / Agency Rules

Slide 5: Agency Rules & Variations

Slide 6: DoD Cyber Rules: Changes at Speed of Cyber
DIACAP (2007)
–DoD Instruction 8510.01
Shift to NIST (2012)
–DoD Instruction 8582.01 (tasking DoD Undersecretary to consider NIST)
DoD Safeguarding Unclassified Controlled Technical Information (2013)
–DFARS § 204.73
–NIST 800-53 security controls
DoD Network Penetration Reporting & Contracting for Cloud Services (2015)
–DFARS § 204.73 (safeguarding “covered defense information”)
–NIST 800-171 security controls

Slide 7: DHS Cyber Regulations: Acquisition Deviation

Slide 8: GSA Cyber Audit Clause
GSA Cyber Audits (GSAM 552.239-71(k))
–“The Contractor shall afford GSA access to the Contractor’s and subcontractors’ facilities, installations, operations, documentation, databases, IT systems and devices, and personnel used in performance of the contract, regardless of the location. Access shall be provided to the extent required, in GSA’s judgment, to conduct an inspection, evaluation, investigation or audit, including vulnerability testing to safeguard against threats and hazards to the integrity, availability and confidentiality of GSA data or to the function of information technology systems operated on behalf of GSA, and to preserve evidence of computer crime. This information shall be available to GSA upon request.”
Conflict with Commerciality
–Commercial Terms: list of clauses (FAR §§ 12.302(b) & 52.212-4)
–Commercial Practices: “consistent with customary commercial practices” (FAR § 12.301(a))
–Order of Precedence: FAR Part 12 takes precedence (FAR § 12.102(c))

Slide 9: NASA Cyber Clause: NASA FARS 1852.204-76(b) “Applicable Document List”
