Presentation is loading. Please wait.

Presentation is loading. Please wait.

TGIC Cyber-Security for Government Contractor Information Systems

Published byBonnie Walters Modified over 6 years ago

Similar presentations

Presentation on theme: "TGIC Cyber-Security for Government Contractor Information Systems"— Presentation transcript:

1 TGIC Cyber-Security for Government Contractor Information Systems
TGIC June and July 2017 Presentations

2 Regulatory Overview FAR 4.10 – sets forth basic requirements for safeguarding of contractor information systems. Requires clause in solicitations and contracts when the contractor or subcontractor (at any tier) may have federal contract information residing in or transiting though its information systems. (a) definitions (b) checklist of safeguard procedures (c) substance of this clause flows down to subcontractors

3 DFARS 252.204-7008 Compliance DFARS 252.204-7012(b)(2) (a) Definitions
(b) Follow DFARS security requirements DFARS (b)(2) Offeror must follow NIST (Nat’l. Insti. Of Standards and Tech.) Special Publication (SP) , Protecting Controlled Unclassified Information in Nonfederal Information Systems… Implement by Dec. 31, 2017.

4 DFARS 252.204-7012(c) Cyber reporting
Review evidence of compromise Report the incident to DoD Allow DoD access to assess the compromise DFARS Cloud Computing Follow regarding Declaration of offeror’s intent to use Cloud Computing, and relevant procedures. Recommendations: Implement an enforceable plan based on NIST requirements and the definitions and checklist of clause , including flow down to subcontractors.

5 Final FAR Rule: Basic Safeguarding of Contractor Information Systems
New clause (FAR ) in solicitations and contracts when the contractor or subcontractor at any tier may have Federal Contract Information (“FCI”) residing in or transiting through its information system. Federal Contract Information: non-public information provided by or developed for the Government in connection with the contract, excluding “simple transactional information, such as necessary to process payment.”

6 B. Final FAR Rule: Basic Safeguarding of Contractor Information Systems
81 Fed. Reg. 30,439 (May 16, 2016) (effective June 15, 2016) Outline basic network safeguards and standardize rudimentary security procedures

7 What Safeguards Does the FAR Require?
Limit access to authorized users. Limit info system access to the types of transactions and functions that authorized users are permitted to execute. Verify controls on connections to external info systems. Impose controls on info that is posted or processed on publicly accessible info systems. Identify info system users and devices and those acting on behalf of users or devices.

8 FAR Requirements (Con't)
Verify identities of users, processes and devices before access to info systems is allowed. Sanitize or destroy info system media containing contract info before disposal or reuse. Limit physical access to info systems, equipment, and operating environments to authorized individuals and devices. Escort visitors and monitor visitor activity, maintain audit logs of physical access, control and manage physical access devices.

9 FAR Requirements (Con't)
Monitor, control & protect organizational communications at external boundaries and key internal boundaries. Implement sub networks for publicly accessible system components that are physically or logically separated from internal networks. Identify, report (internally) and correct info and system flaws in a timely manner.

10 FAR Requirements (Con't)
Provide protection from malicious code at appropriate locations within organization’s info systems. Update malicious code protection mechanisms when new releases are available. Perform periodic scans of the info systems and real-time scans of files from external sources as files are downloaded, opened or executed.

11 DFARS REQUIRES MORE KEY FAR - DFAR Differences:
FAR excludes COTS (commercial off-the-shelf) contracts. FAR applies to info systems on which Fed Contract Info transits or resides. DFARS applies to both covered defense info itself and the info system on which it transits or resides. DFARS requires somewhat more extensive security controls - NIST SP or alternative but equally secure measures - need written approval of DoD CIO.

12 DFAR Rule February 2013: EO 13,636 (“Improving Critical Infrastructure Cybersecurity”) Establish cybersecurity framework by creating technical standards National Institute of Standards and Technology (“NIST”) November 2013: DFAR Rule Cybersecurity measures imposed on defense contractors “adequate security” for “systems” that handle “unclassified controlled technical information” (UCTI) (military or space application)

13 DFAR Rule Utilize NIST standards (NIST SP ) Incident reporting (72 hours) Investigate and preserve data 2015 – DFAR Interim Rule (Safeguarding Covered Defense Information and Cyber Incident Reporting) (effective December 2015) Extended date of full compliance to December 31, 2017

14 A. DFARS Interim Rule — Safeguarding Covered Defense Information and Cyber Incident Reporting
DFARS expanded to include all “covered defense information” Covered Defense Information (“CDI”): controlled technical information, critical information, export controlled information, or any information that law or policy requires safeguarding or controls—very broad, encompasses most contracts Must comply with security requirements outlined in National Institute of Standards and Technology (NIST) SP (110 controls)

15 DFARS DFARS clause includes requirement that contractors must report incidents within 72 hours Reportable incidents involve compromise of CDI, covered contractor systems, or actions that limit the ability to perform “operationally critical support” Contractor should register for a DoD-approved medium assurance certificate for incident reporting (see

16 DFARS Interim Rule — Safeguarding
Covered Defense Information and Cyber Incident Reporting Clause must be flowed down to subcontractors handling CDI Contractor must report to DoD within 30 days of any non-compliance with new security requirements and what substitute measures are in place Full compliance mandated no later than December 31, 2017

17 Relationship of FAR to DFARS
FAR clause provides basic requirements for almost any government information stored and processed by a contractor FAR clause explicitly states it is not to diminish other more stringent security requirements—acts as a supplement Both clauses will likely be included—CO should make known use of Covered Defense Information ("CDI") early in the process Both clauses are required to be "flowed down" to subcontractors DFARS is only required to be "flowed down" when CDI is necessary for performance of the subcontract

18 Time Is Not On Your Side! Some deadlines that have already passed:
January 2017 – Have system security plan (SSP) in place Other deadlines that are fast approaching: December 31, DFARS Compliance - Safeguarding Controlled Defense Information (CDI)

19 Related Legal Issues Allowability of cyber security compliance costs
Bid Protests based on cyber security issues Performance evaluations 4. Protection of intellectual property and trade secrets when disclosing cyber attacks 5. Insurance for cyber attacks 6. Be prepared for post-cyber attack report events (i.e. investigation, seizure of hardware, have back-ups)

20 Potential Contractor Liability Issues:
Breach of contract liability – including breach of express and implied certifications Negligence liability for release of certain personal info - False Claims Act (“FCA”) Liability Recent Supreme Court decision* made it easier to incur FCA liability when non-compliant with cybersecurity measures Could be liable even when not making an express certification but “knowingly fails to disclose noncompliance with a statutory, regulatory, or contractual requirement.” *Universal Health Servs. v. United States, ex rel. Escobar, 136 S. Ct (2016)

21 Liability Protection Designated “operationally critical contractors” can receive liability protection under 10 USC 391 for reporting cyber incidents Definition: a contractor designated as a critical source of supply for airlift, deployment, or sustainment of a military contingency operation Protection does not apply if designated contractor engaged in willful misconduct or to achieve a wrongful purpose or acted without legal or factual justification

22 Much of this is not new to certain DoD activities which have addressed spillage of classified and confidential (i.e., PII or Personal Identification Information, such as social security numbers, home addresses, etc.) for a number of years in contract provisions, including anticipated damages to correct spillage. White House action in this area is likely to increase rules and further guidance in this area. Questions?

Download ppt "TGIC Cyber-Security for Government Contractor Information Systems"

Similar presentations

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Contractor Code of Business Ethics and Conduct Laura K. Kennedy Senior Vice President, Ethics and Compliance SAIC.

Contractor Code of Business Ethics and Conduct Laura K. Kennedy Senior Vice President, Ethics and Compliance SAIC.
FAR Part 44: Subcontracting Policies & Procedures February 5, 2012.

FAR Part 44: Subcontracting Policies & Procedures February 5, 2012.
FEDERAL TECHNICAL DATA SOLUTION (FedTeDS) - FINAL RULE FAR 5.102, Availability of solicitations Implements President’s Management Agenda & eGov Initiative.

FEDERAL TECHNICAL DATA SOLUTION (FedTeDS) - FINAL RULE FAR 5.102, Availability of solicitations Implements President’s Management Agenda & eGov Initiative.
Congress and Contractor Personal Conflicts of Interest May 21, 2008 Jon Etherton Etherton and Associates, Inc.

Congress and Contractor Personal Conflicts of Interest May 21, 2008 Jon Etherton Etherton and Associates, Inc.
© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,

© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,
Background June 2011– DoD Proposes New DFARS Rule for Protecting Controlled, Unclassified Information Industry meeting scheduled for November 15, 2011.

Background June 2011– DoD Proposes New DFARS Rule for Protecting Controlled, Unclassified Information Industry meeting scheduled for November 15, 2011.
ISO 9001 Interpretation : Exclusions

ISO 9001 Interpretation : Exclusions
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Complying With The Federal Information Security Act (FISMA)

Complying With The Federal Information Security Act (FISMA)
COMPLYING WITH HIPAA BUSINESS ASSOCIATE REQUIREMENTS Quick, Cost Effective Solutions for HIPAA Compliance: Business Associate Agreements.

COMPLYING WITH HIPAA BUSINESS ASSOCIATE REQUIREMENTS Quick, Cost Effective Solutions for HIPAA Compliance: Business Associate Agreements.
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE Privacy Foundations Samuel P. Jenkins Director for Privacy Defense Privacy and Civil Liberties Office Identity.

DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE Privacy Foundations Samuel P. Jenkins Director for Privacy Defense Privacy and Civil Liberties Office Identity.
Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014.

Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014.
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
FAR PART 45 – Government Property

FAR PART 45 – Government Property
DFARS 204.73 & 252.204-7012 What is Unclassified Controlled Technical Information (UCTI)?

DFARS & What is Unclassified Controlled Technical Information (UCTI)?

Similar presentations

Ads by Google