Supplier Information Session Safeguarding Covered Defense Information and Cyber Incident Reporting, DFARS 252.204-7012 August 16, 2016 Christian Ortego.

Presentation transcript:

Supplier Information Session
Safeguarding Covered Defense Information and Cyber Incident Reporting, DFARS 252.204-7012
August 16, 2016
Christian Ortego, Senior Counsel

DFARS Cybersecurity Rule
- Evolution of a Rule
- Covered Contractor Information Systems
- NIST Standards
- Reporting Requirements
The content discussed in this presentation is provided for informational purposes only and does not constitute legal advice or counsel. For legal advice or counsel related to issues discussed herein, please consult your attorney.

Evolution of a Rule – DFARS 252.204-7012
- November 2013 – initial rule
- August/September 2015 – major change
- December 2015 – major change
Rule Evolved as DoD Received Comments/Feedback from Industry

Evolution of a Rule – DFARS 252.204-7012
November 2013 – initial rule
- Established concepts for: information technology system standards; reporting requirement for cyber incidents
- Applied to "cleared contractors" and systems that store or transmit Unclassified Controlled Technical Information (UCTI)
Rule Evolved as DoD Received Comments/Feedback from Industry

Evolution of a Rule – DFARS 252.204-7012
September 2015 – updated standards/expanded scope
- Amended standards from NIST SP 800-53 to SP 800-171 (DoD CIO must approve exceptions and alternative measures)
- Expanded scope of information from unclassified controlled technical information to "covered defense information"
- Expanded regulatory coverage to all contractors and subcontractors
- 72-hour incident reporting requirement to both: DoD; higher-tier contractor
September Change Greatly Broadened Scope of Rule

Evolution of a Rule – DFARS 252.204-7012
December 2015 – current rule
- Extended deadline to meet NIST SP 800-171 to December 31, 2017
- Report areas of non-compliance to DoD CIO
- Same scope of information covered as September rule
- Required inclusion in all DoD contracts
- Mandatory flowdown to all subcontractor tiers
December Change Maintained Rule but Extended NIST Standards Deadline

Covered Contractor Information Systems
Current Rule: systems owned or operated by, or for, a contractor that process, store or transmit "Covered Defense Information," which is:
- Controlled Technical Information
- Critical Information
- Export Controlled Information; or
- "Any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies (e.g., privacy, proprietary business information)."
The type of information subject to safeguarding and the additional reporting obligations are not the interim rule's only material changes. Under the previous regime, contractors were only required to report cyber incidents affecting UCTI. The interim rule, on the other hand, requires contractors to report any cyber incident affecting (i) covered defense information (a broader category of data than UCTI), (ii) contractor information systems that contain covered defense information, and/or (iii) information that affects the contractor's ability to provide operationally critical support. For example, under the interim rule, the reporting requirement would be triggered by a cyber incident that affects the contractor's information system housing covered defense information, even if the information itself was not affected.
"Covered Information Systems" is a Broad Concept

NIST Standards
Current Rule: NIST SP 800-171
Deadline to meet NIST SP 800-171 is as soon as possible but no later than December 31, 2017
Covers a variety of factors:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk and Security Assessments
- System and Communications Protection
- System and Information Integrity
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
Over 100 Items Included in the Standards

Reporting Requirements
Current Rule – Two Main Requirements
1. Report to DoD CIO within 30 days of contract award from HII/NNS/Ingalls: YES or NO, in compliance with NIST standards. If NO: must report areas of non-compliance to DoD CIO.
2. Report cyber incidents within 72 hours to BOTH DoD (through http://dibnet.dod.mil/) and NNS/Ingalls.
The reporting requirements are in effect upon award of a contract containing the clause (i.e., the December 2017 deadline DOES NOT change the reporting requirements).
Reporting Requirements are in Effect Now

Questions?