TGIC Cyber-Security for Government Contractor Information Systems

TGIC June and July 2017 Presentations

Regulatory Overview
FAR 4.10 sets forth the basic requirements for safeguarding contractor information systems. It requires clause 52.204-21 in solicitations and contracts when the contractor or subcontractor (at any tier) may have federal contract information residing in or transiting through its information systems.
- 52.204-21(a): definitions
- 52.204-21(b): checklist of safeguard procedures
- 52.204-21(c): the substance of this clause flows down to subcontractors

DFARS 252.204-7008 Compliance
- (a) Definitions
- (b) Follow the DFARS 252.204-7012 security requirements
DFARS 252.204-7012(b)(2): the offeror must follow NIST (National Institute of Standards and Technology) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems… Implement by Dec. 31, 2017.

DFARS 252.204-7012(c) Cyber Reporting
- Review evidence of compromise
- Report the incident to DoD
- Allow DoD access to assess the compromise
DFARS 239.76 Cloud Computing
- Follow the procedures regarding the declaration of the offeror’s intent to use cloud computing.
Recommendations: Implement an enforceable plan based on the NIST requirements and the definitions and checklist of clause 52.204-21, including flow down to subcontractors.

Final FAR Rule: Basic Safeguarding of Contractor Information Systems
- New clause (FAR 52.204-21) in solicitations and contracts when the contractor or subcontractor at any tier may have Federal Contract Information (“FCI”) residing in or transiting through its information system.
- Federal Contract Information: non-public information provided by or developed for the Government in connection with the contract, excluding “simple transactional information, such as necessary to process payment.”

B. Final FAR Rule: Basic Safeguarding of Contractor Information Systems
81 Fed. Reg. 30,439 (May 16, 2016) (effective June 15, 2016)
- Outlines basic network safeguards and standardizes rudimentary security procedures

What Safeguards Does the FAR Require?
- Limit access to authorized users.
- Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- Verify controls on connections to external information systems.
- Impose controls on information that is posted or processed on publicly accessible information systems.
- Identify information system users and devices, and those acting on behalf of users or devices.

FAR Requirements (cont’d)
- Verify the identities of users, processes and devices before access to information systems is allowed.
- Sanitize or destroy information system media containing contract information before disposal or reuse.
- Limit physical access to information systems, equipment, and operating environments to authorized individuals and devices.
- Escort visitors and monitor visitor activity; maintain audit logs of physical access; control and manage physical access devices.

FAR Requirements (cont’d)
- Monitor, control and protect organizational communications at external boundaries and key internal boundaries.
- Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
- Identify, report (internally) and correct information and system flaws in a timely manner.

FAR Requirements (cont’d)
- Provide protection from malicious code at appropriate locations within the organization’s information systems.
- Update malicious code protection mechanisms when new releases are available.
- Perform periodic scans of the information systems and real-time scans of files from external sources as files are downloaded, opened or executed.

DFARS Requires More
Key FAR/DFARS differences:
- The FAR excludes COTS (commercial off-the-shelf) contracts.
- The FAR applies to information systems on which Federal Contract Information transits or resides. The DFARS applies to both the covered defense information itself and the information system on which it transits or resides.
- The DFARS requires somewhat more extensive security controls: NIST SP 800-171, or alternative but equally secure measures, which need the written approval of the DoD CIO.

DFARS Rule
- February 2013: EO 13,636 (“Improving Critical Infrastructure Cybersecurity”) establishes a cybersecurity framework by having the National Institute of Standards and Technology (“NIST”) create technical standards.
- November 2013: DFARS rule imposes cybersecurity measures on defense contractors: “adequate security” for “systems” that handle “unclassified controlled technical information” (UCTI) (military or space application).

DFARS Rule (cont’d)
- Utilize NIST standards (NIST SP 800-53)
- Incident reporting (72 hours)
- Investigate and preserve data
- 2015: DFARS Interim Rule (Safeguarding Covered Defense Information and Cyber Incident Reporting), effective December 2015, extended the date of full compliance to December 31, 2017

A. DFARS Interim Rule — Safeguarding Covered Defense Information and Cyber Incident Reporting
- DFARS 252.204-7012 expanded to include all “covered defense information”
- Covered Defense Information (“CDI”): controlled technical information, critical information, export controlled information, or any information that law or policy requires safeguarding or controls—very broad, encompasses most contracts
- Must comply with the security requirements outlined in National Institute of Standards and Technology (NIST) SP 800-171 (110 controls)

DFARS
- The DFARS 252.204-7012 clause includes the requirement that contractors must report incidents within 72 hours
- Reportable incidents involve compromise of CDI or covered contractor systems, or actions that limit the ability to perform “operationally critical support”
- Contractors should register for a DoD-approved medium assurance certificate for incident reporting (see http://iase.disa.mil/pki/eca/Pages/index.aspx)
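The reporting slides above (review evidence of compromise, report within 72 hours, investigate and preserve data) describe duties but not how a contractor records that it met them. The script below is an added example, not code from the TGIC presentations: it computes the 72-hour reporting deadline from the discovery time stated on the slides and builds a SHA-256 manifest of an evidence directory so that later review (or DoD access to assess the compromise) can prove the preserved data was not altered. The manifest layout, the function names and the sample log lines are this example's own constructions; the page gives only the 72-hour window.

```python
"""Incident-reporting helpers: 72-hour deadline plus evidence preservation manifest.

Added example for the DFARS 252.204-7012 reporting duties discussed on this
page. The 72-hour window comes from the slides; everything else (manifest
format, file names, sample data) is an assumption made for illustration.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Dict, List, Optional, Tuple

REPORTING_WINDOW = timedelta(hours=72)  # per the slides: report within 72 hours


def reporting_deadline(discovered_at: datetime) -> datetime:
    """Latest time the report is due, counted from when the compromise was discovered."""
    if discovered_at.tzinfo is None:
        # A naive timestamp makes the deadline ambiguous across time zones; refuse it.
        raise ValueError("discovered_at must be timezone-aware")
    return discovered_at + REPORTING_WINDOW


def sha256_of(path: Path) -> str:
    """Stream-hash a file so large disk images do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir: Path, discovered_at: datetime) -> Dict:
    """Record a hash and size for every preserved file, plus the reporting deadline."""
    files = sorted(p for p in evidence_dir.rglob("*") if p.is_file())
    return {
        "discovered_at": discovered_at.isoformat(),
        "report_due_by": reporting_deadline(discovered_at).isoformat(),
        "files": {
            str(p.relative_to(evidence_dir)): {"sha256": sha256_of(p), "size": p.stat().st_size}
            for p in files
        },
    }


def verify_manifest(evidence_dir: Path, manifest: Dict) -> List[str]:
    """Return a list of problems: files now missing or whose hash no longer matches."""
    problems = []
    for rel, meta in manifest["files"].items():
        path = evidence_dir / rel
        if not path.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(path) != meta["sha256"]:
            problems.append(f"modified: {rel}")
    return problems


def demo(workdir: Optional[Path] = None) -> Tuple[Dict, List[str], List[str]]:
    """Preserve a constructed evidence set, then show that tampering is detected."""
    workdir = workdir or Path(tempfile.mkdtemp(prefix="cdi-incident-"))
    evidence = workdir / "evidence"
    evidence.mkdir(parents=True, exist_ok=True)
    # Constructed sample evidence; 203.0.113.7 is a documentation-range address.
    (evidence / "auth.log").write_text(
        "Jun 15 03:12:01 host sshd[412]: Accepted password for svc from 203.0.113.7\n"
    )
    (evidence / "netflow.csv").write_text("ts,src,dst,bytes\n1497496321,10.0.0.5,203.0.113.7,918273\n")
    discovered = datetime(2017, 6, 15, 9, 30, tzinfo=timezone.utc)  # constructed discovery time

    manifest = build_manifest(evidence, discovered)
    (workdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    clean = verify_manifest(evidence, manifest)  # expected: no problems

    # Simulate a post-preservation change to one file; verification must flag it.
    (evidence / "auth.log").write_text("tampered\n")
    tampered = verify_manifest(evidence, manifest)
    return manifest, clean, tampered


if __name__ == "__main__":
    m, ok, bad = demo()
    print("report due by:", m["report_due_by"])
    print("clean check:", ok)
    print("after tampering:", bad)
```

Write the manifest to separate, access-controlled storage rather than alongside the evidence: a hash list that an attacker on the same host can rewrite proves nothing.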

DFARS Interim Rule — Safeguarding Covered Defense Information and Cyber Incident Reporting
- The clause must be flowed down to subcontractors handling CDI
- The contractor must report to DoD within 30 days any non-compliance with the new security requirements and what substitute measures are in place
- Full compliance mandated no later than December 31, 2017

Relationship of FAR to DFARS
- The FAR clause provides basic requirements for almost any government information stored and processed by a contractor
- The FAR clause explicitly states it is not to diminish other, more stringent security requirements—it acts as a supplement
- Both clauses will likely be included—the CO should make known the use of Covered Defense Information (“CDI”) early in the process
- Both clauses are required to be “flowed down” to subcontractors; the DFARS clause is only required to be “flowed down” when CDI is necessary for performance of the subcontract

Time Is Not On Your Side!
Some deadlines that have already passed:
- January 2017: have a system security plan (SSP) in place
Other deadlines that are fast approaching:
- December 31, 2017: DFARS 252.204-7012 compliance (Safeguarding Covered Defense Information (CDI))

Related Legal Issues
1. Allowability of cyber security compliance costs
2. Bid protests based on cyber security issues
3. Performance evaluations
4. Protection of intellectual property and trade secrets when disclosing cyber attacks
5. Insurance for cyber attacks
6. Be prepared for post-cyber attack report events (i.e., investigation, seizure of hardware; have back-ups)

Potential Contractor Liability Issues
- Breach of contract liability, including breach of express and implied certifications
- Negligence liability for release of certain personal information
- False Claims Act (“FCA”) liability: a recent Supreme Court decision* made it easier to incur FCA liability when non-compliant with cybersecurity measures. A contractor could be liable even when not making an express certification but “knowingly fails to disclose . . . noncompliance with a statutory, regulatory, or contractual requirement.”
*Universal Health Servs. v. United States ex rel. Escobar, 136 S. Ct. 1989 (2016)

Liability Protection
- Designated “operationally critical contractors” can receive liability protection under 10 USC 391 for reporting cyber incidents
- Definition: a contractor designated as a critical source of supply for airlift, deployment, or sustainment of a military contingency operation
- Protection does not apply if the designated contractor engaged in willful misconduct, acted to achieve a wrongful purpose, or acted without legal or factual justification

Much of this is not new to certain DoD activities, which have addressed spillage of classified and confidential information (i.e., PII, or Personally Identifiable Information, such as social security numbers, home addresses, etc.) for a number of years in contract provisions, including anticipated damages to correct spillage. White House action in this area is likely to increase the rules and further guidance in this area.

Questions?