Safeguarding Covered Defense Information


Safeguarding Covered Defense Information (Cyber Security), March 2017

Goal
Improve DLA's business relationships with its vendor base, to better accomplish our shared mission of supporting warfighters worldwide, by mitigating risk and reducing vulnerability to cybercrime.

Who is Impacted
DFARS 252.204-7012 applies to all DoD solicitations and contracts, including those for commercial items.
Exception: solicitations and contracts solely for the acquisition of Commercial Off the Shelf (COTS) items.
The clause must be flowed down, without alteration, to subcontractors at all tiers (including commercial suppliers) whose performance involves Covered Defense Information or operationally critical support.

How?
- Provide contractors with updates on the cybersecurity requirements
- Define what "Covered Defense Information" is
- Explain where and how to apply "Adequate Security"
- Explain the cyber incident reporting requirements

Covered Defense Information (CDI)
Defined as unclassified controlled technical information, or other information as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, AND IS:
- Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
- Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract

Covered Defense Information (CDI), continued
DLA Land and Maritime (L&M) will apply the DFARS 252.204-7012 requirement for safeguarding CDI when any of the following holds:
- The National Stock Number (NSN) has a demilitarization code other than A; or
- The Technical Data Package contains document(s) with a distribution statement other than A; or
- The item or data is identified as export controlled; or
- The information is contained in the customer's and/or the applicable agency-specific critical information list
For DLA L&M, if CDI is included in the technical data package for an acquisition, it will be specifically identified in the Purchase Item Description (PID).
Note: CDI may also be contained in contractor-owned data; such data is identified with contractor coding similar to that described above.

CDI: Controlled Technical Information
Defined as technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.
Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents.
The term does not include information that is lawfully publicly available without restrictions.

Controlled Technical Information: L&M Distribution Statements B-F
Reasons for assignment of distribution statements B-F in L&M technical documents:
- Critical Technology
- Export Controlled
- Foreign Government Information
- Operations Security
- Premature Dissemination
- Proprietary Information
- Test and Evaluation
- Software Documentation
- Vulnerability Information
- Contractor Performance Evaluation
- Administrative or Operational Use
Reference DoDI 5230.24: http://www.dtic.mil/whs/directives/corres/pdf/523024p.pdf (see pages 14-21 for additional details)

CTI: Critical Technology
Unclassified information including, but not limited to:
- Design and manufacturing technical data
- Keystone equipment
- Inspection and test equipment
- Data related to a specific military deficiency of a potential adversary

CTI: Export Control
Unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect United States national security and nonproliferation objectives.

CTI: Test and Evaluation
Information related to the results of test and evaluation of commercial products or military hardware, protected when disclosure may cause an unfair advantage or disadvantage to the manufacturer of the products.

Applying "Adequate Security"
Applies only to covered contractor information systems, that is, systems that process, store, or transmit CDI.
Implement security protections on:
- IT services operated on behalf of the Government: the security requirements specified elsewhere in the contract
- IT not operated on behalf of the Government: NIST SP 800-171
- Any additional measures the contractor determines are necessary based on its own assessed risk or vulnerability

IT Not Operated on Behalf of DoD
National Institute of Standards and Technology (NIST) SP 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations
- Isolate CUI into its own security domain
- Limit scope to the particular systems or components that handle CUI
- Don't try to boil the ocean

NIST SP 800-171 Basic Security Requirements
The requirement families are:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Note: the original slide listed twelve families; Media Protection and Personnel Security, which complete the fourteen families in NIST SP 800-171, are added here.

Implementation of NIST SP 800-171
Implement NIST SP 800-171 as soon as practical, but not later than December 31, 2017.
For contracts awarded prior to October 1, 2017, the Contractor shall notify the DoD Chief Information Officer (CIO), via email at osd.dibcsia@mail.mil, and the Contracting Officer within 30 days of contract award of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award.

Requests to Vary from NIST SP 800-171
- Contractors electing to vary or deviate from a NIST SP 800-171 requirement must submit their request in writing to the Contracting Officer of record.
- The Contracting Officer will then submit the request on behalf of the contractor to the DoD CIO for consideration.
- Contractors do not need to implement any security requirement adjudicated by an authorized representative of the DoD CIO to be nonapplicable, or for which an alternative but equally effective security measure has been approved in its place.
- If the DoD CIO has previously adjudicated the contractor's request, indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the Contracting Officer when requesting its recognition under the contract.

Cyber Incident Reporting Requirements
When the contractor discovers a cyber incident affecting a covered contractor information system, the Covered Defense Information residing on it, or the contractor's ability to provide operationally critical support, the contractor must submit a cyber incident report containing the required elements.
Submitting the report requires a DoD-approved medium assurance certificate. For information on obtaining one, see: http://iase.disa.mil/pki/eca/Pages/index.aspx

When you have a Cyber Incident
Conduct a review for evidence of compromise of CDI, including, but not limited to, identifying:
- Compromised computers
- Compromised servers
- Specific data affected
- User accounts involved
- Covered contractor information systems involved
Rapidly report to http://dibnet.dod.mil

What goes in a Cyber Incident Report
Include the elements required by http://dibnet.dod.mil (listed below).

Within 72 Hours
Within 72 hours of discovery, report as much of the following as can be obtained:
- Company name
- Company Point of Contact (POC)
- Data Universal Numbering System (DUNS) number
- Contract number(s) or other type of agreement affected
- Contract CAGE code
- Contracting Officer or other agreement POC
- USG Program Manager POC
- Contract or other agreement clearance level
- Facility CAGE code
- Facility Clearance Level
- Impact to CDI
- Ability to provide operationally critical support
- Date incident discovered
- Location(s) of compromise
- Incident location CAGE code
- DoD programs, platforms, or systems involved
- Type of compromise
- Description of technique or method used in the incident
- Incident outcome
- Incident/compromise narrative
- Any additional information

Questions/Resources
For additional information on the cyber security requirement, please see the following resources:
- FAQs: http://www.acq.osd.mil/dpap/pdi/docs/FAQs_Network_Penetration_Reporting_and_Contracting_for_Cloud_Services_(01-27-2017).pdf
- DoDI 5230.24: http://www.dtic.mil/whs/directives/corres/pdf/523024p.pdf
- CUI Registry: http://www.archives.gov/cui/registry/category-list.html
- Medium Assurance Certificate: http://iase.disa.mil/pki/eca/Pages/index.aspx
- Cyber Incident Report: http://dibnet.dod.mil
- DoD CIO: osd.dibcsia@mail.mil
- DFARS Clause 252.204-7012: http://farsite.hill.af.mil/vfdfara.htm
- DFARS PGI 204.73: http://www.acq.osd.mil/dpap/dars/pgi/pgi_htm/PGI204_73.htm#204.7303-3