Presentation is loading. Please wait.

Presentation is loading. Please wait.

Safeguarding CDI - compliance with DFARS

Published byPhilippa Kelley Modified over 6 years ago

Similar presentations

Presentation on theme: "Safeguarding CDI - compliance with DFARS"— Presentation transcript:

1 Safeguarding CDI - compliance with DFARS 252.204-7012
Heather Engel, FQNV, CISSP, PCI-QSA , MBA Sera-Brynn EVP for Risk and Compliance

2 Agenda Introduction to Cybersecurity FARs and DFARS
Understanding CDI – Covered Defense Information NIST SP Four Phases to Compliance Cost Consequences of Non-Compliance

3 Introduction to cyber DFARS
Defense Federal Acquisition Regulation Supplement (DFARS) , Safeguarding Covered Defense Information and Cyber Incident Reporting 110 Controls from NIST SP Clause flows down and must be included for: Operationally critical support Where performance involves CDI Other relevant clauses include and

4 requirements Comply with requirements in 252.204-7012
Report non-compliance per Understand and comply with cloud requirements per Notify the Prime when submitting a request to the government to vary from requirements

5 Understanding CDI – Covered Defense Information
Unclassified Controlled Technical Information or other info as described in the Controlled Unclassified Information (CUI) Registry Requirement for government to mark or otherwise identify all CDI provided to the contractor in the contract. Shared obligation on contractors “to recognize and protect CDI that the contractor is developing during contract performance.”

6 What is CUI? Controlled Unclassified Information Registry maintained by NARA 23 categories, including Controlled Technical Information, Critical Infrastructure, Export Control, IS Vulnerability Info, Nuclear, Privacy, SAFETY Act Info

7 NIST SP 800-171 14 Control Families drawn from 800-53 and FIPS 200
Maps controls to ISO/IEC 27001/2 and NIST Can use alternative but equal measures to satisfy requirements

8 NIST SP 800-171 14 Families – 110 Controls Family Access Control
Media Protection Awareness & Training Personnel Security Audit and Accountability Physical Protection Configuration Management Risk Assessment Identification & Authentication Security Assessment Incident Response System & Communications Protection Maintenance System & Information Integrity

9 Four Phases to Compliance
Phase 1: Scoping Phase 2: IRP / Respond and Report Phase 3: Protect/Detect Phase 4: Reassess

10 Phase 1: Scoping Determine where CUI lives and how it flows
The requirements apply to components of NFIS that process, store, or transmit CDI Also applies to devices that provide security protection for components Components include workstations, servers, OS, virtual machines, applications, network devices

11 Phase 1.b: RISK ASSESSMENT
Why perform a risk assessment? What’s the method? Who should perform? What is the expected outcome?

12 Phase 2: Develop an IRP Reporting an Incident
Within 72 hours of discovery Subcontractors must report to the government directly, AND up the chain to the prime Must maintain an image of all known, affected systems for 90 days Required to grant DoD access for forensic investigation Having the required information on-hand is key to meeting the rapid reporting requirement

13 Reporting an incident http://dibnet.dod.mil
Requires a certificate, plan ahead! Different requirements for contractors and cloud service providers. Having the required information on-hand is key to meeting the rapid reporting requirement

14 Required information Company name, Company point of contact information (address, position, telephone, ), Data Universal Numbering System (DUNS) Number Contract number(s) or other type of agreement affected or potentially affected Contracting Officer (address, position, telephone, ), USG Program Manager (address, position, telephone, ) Contact or other type of agreement clearance level (Unclassified, Confidential, Secret, Top Secret, Not applicable) Facility CAGE code, Facility Clearance Level (Unclassified, Confidential, Secret, Top Secret, Not applicable) Impact to Covered Defense Information, Ability to provide operationally critical support Date incident discovered Location(s) of compromise Incident location CAGE code DoD programs, platforms or systems involved Type of compromise (unauthorized access, unauthorized release (includes inadvertent release) unknown, not applicable) Description of technique or method used in cyber incident Incident outcome (successful compromise, failed attempt, unknown) Incident/Compromise narrative Any additional information

15 Phase 3: protect and detect
Address gaps, change processes if needed, implement technology to comply with Examples: Audit collection, reduction, and report generation on-demand Multi-factor Authentication Configuration Management Encryption Mark and control media Limit access to CUI systems and data

16 Requirement Highlights
AC – Encrypt CUI on mobile devices AT – Security Awareness Training AU – Maintain audit records, user actions must be uniquely traceable, automated CM – Monitor user installed software IA – Multi-factor authentication MP – Control removable media, prohibit portable storage that does not have an owner PS – Protect CUI during personnel termination/transfers PE – Enforce safeguarding at alternate work sites (telework) RA/CA – Periodically assess risk and security controls SC – deny by default, no simultaneous remote connections, protect CUI at rest

17 Phase 4: reassess Document changes from initial assessment
Update POA&M Determine reporting requirements To Prime Adjudication by DoD CIO

18

Download ppt "Safeguarding CDI - compliance with DFARS"

Similar presentations

Nick Vennaro, NHIN Team (Contractor), Office of the National Coordinator for Health IT Michael Torppey, CONNECT Health IT Security Specialist (Contractor)

Nick Vennaro, NHIN Team (Contractor), Office of the National Coordinator for Health IT Michael Torppey, CONNECT Health IT Security Specialist (Contractor)
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Section Six: Foreign Ownership, Control, or Influence (FOCI)

Section Six: Foreign Ownership, Control, or Influence (FOCI)
Security Controls – What Works

Security Controls – What Works
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)

1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)
1 Preparing a System Security Plan. 2 Overview Define a Security Plan Pitfalls to avoid Required Documents Contents of the SSP The profile Certification.

1 Preparing a System Security Plan. 2 Overview Define a Security Plan Pitfalls to avoid Required Documents Contents of the SSP The profile Certification.
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
DFARS 204.73 & 252.204-7012 What is Unclassified Controlled Technical Information (UCTI)?

DFARS & What is Unclassified Controlled Technical Information (UCTI)?
“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.

“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.
Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Applied Technology Services, Inc. Your Partner in Technology.

Applied Technology Services, Inc. Your Partner in Technology Applied Technology Services, Inc. Your Partner in Technology.
Health Insurance Portability and Accountability Act of 1996 (HIPAA) Proposed Rule: Security and Electronic Signature Standards.

Health Insurance Portability and Accountability Act of 1996 (HIPAA) Proposed Rule: Security and Electronic Signature Standards.
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.

How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.

Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
Environment for Information Security n Distributed computing n Decentralization of IS function n Outsourcing.

Environment for Information Security n Distributed computing n Decentralization of IS function n Outsourcing.
Certification and Accreditation CS-7493-01 Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.

Certification and Accreditation CS Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.
April 14, 2003- A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National.

April 14, A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National.

Similar presentations

Ads by Google