DFARS Cybersecurity Requirements

Presentation transcript:

DFARS Cybersecurity Requirements: relating relevant guidance for DFARS cybersecurity requirements

Expectation vs Compliance
- Compliance: satisfying all 110 individual requirements. Very few contractors satisfy this condition, and it is costly for small business.
- Expectation: meeting the minimum set of conditions to satisfy DoD: an SSP and POAM, and a Medium Assurance Certificate.

Increase in Cyber Incident Reporting
Incident Collection Format (submitted through the DIBNet portal to DC3, the DoD Cyber Crime Center; submission requires a Medium Assurance Certificate, MAC). Fields:
- Company name
- Company point of contact information (address, position, telephone, email)
- Data Universal Numbering System (DUNS) number
- Contract number(s) or other type of agreement affected or potentially affected
- Contracting officer or other type of agreement point of contact (address, position, telephone, email)
- USG program manager point of contact (address, position, telephone, email)
- Contract or other type of agreement clearance level (Unclassified, Confidential, Secret, Top Secret, Not Applicable)
- Facility CAGE code
- Facility clearance level (Unclassified, Confidential, Secret, Top Secret, Not Applicable)
- Impact to covered defense information
- Ability to provide operationally critical support
- Date incident discovered
- Location(s) of compromise
- Incident location CAGE code
- DoD programs, platforms or systems involved
- Type of compromise (unauthorized access; unauthorized release, which includes inadvertent release; unknown; not applicable)
- Description of technique or method used in cyber incident
- Incident outcome (successful compromise, failed attempt, unknown)
- Incident/compromise narrative
- Any additional information

Help for Small Companies
- NIST SP 800-18
- NIST HB 162
- NIST SP 800-171A
- CSET

Non-compliant?
FAQ 18: no changes with respect to penalties or remedies; non-compliance is treated the same as violating any other contractual obligation.
False Claims Act: $5,500-$11,000 per claim plus 3 times the amount of damages to the USG, subject to civil penalties. In FY2016, $4.7B was recovered under the FCA.

Good News
FAQ 14: your SSP and POAM demonstrate implementation or planned implementation of the security requirements in NIST SP 800-171 (r1).
WARNING (FAQ 15): 3rd-party certifications are NOT recognized by DoD.

When is the New "Full Compliance Deadline"?
- No defined date for full compliance
- Risk management
- DoD IG report: Missile Defense audit results
- Competitive advantage

What if I don't have an SSP & POAM yet? (FAQ 18, FAQ 45)
- The requiring activity may consider, in an overall risk management decision, whether it is advisable to pursue a contract with the contractor.
- The requiring activity is not precluded from stating in the solicitation that it will consider the contractor's implementation of 800-171 as part of the source selection process.
- If you signed a contract with DFARS requirements and do not yet have an SSP and POAM, you could, if identified, be subject to penalty under the False Claims Act.

Who is going to Audit my compliance?
- FAQ 14: self-police, because by signing the contract the contractor agrees to comply with the contract terms.
- FAQ 16: DCMA, as part of the contract receipt and review process, will verify that the contractor has an SSP & POAM and possesses DoD-approved medium assurance certificates, and will notify the contractor, DoD program office, and DoD CIO if they are made aware of a cybersecurity issue.
- FAQ 17: the prime contractor is responsible for executing the flow-down requirements and may use whatever mechanisms it employs to audit or evaluate subcontractors. (FAQ 20: the prime is responsible for safeguarding CDI throughout its entire supply chain.)
- FAQ 18: your contract may include a provision to review progress in implementing the POAM.

Are DFARS Requirements Going Away Soon?
No. The scope of nonfederal information system protections is expanding.
National Archives and Records Administration (NARA): "NARA…plans to sponsor…a single FAR clause that will apply the requirements contained in the federal CUI regulation and SP 800-171 to contractors."
Cyber attacks aren't only for DoD systems: ensure that unclassified DoD information is safeguarded from cyber incidents, that any consequences associated with loss of this information are assessed and minimized, and that it is understood when a cyber incident impacts a company's ability to provide operationally critical support to DoD.
Operationally critical support: supplies or services designated by the Government as critical for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.