Presentation is loading. Please wait.

Presentation is loading. Please wait.

Got DoD Contracts in Your Supply Chain

Published byVerity Williams Modified over 6 years ago

Similar presentations

Presentation on theme: "Got DoD Contracts in Your Supply Chain"— Presentation transcript:

1 Got DoD Contracts in Your Supply Chain
 Got DoD Contracts in Your Supply Chain? Get Cybersecurity Compliant and Meet DOD’s Year-End Deadline for Competitive Advantage Elizabeth Adams, Vermont Procurement Technical Assistance Center Patricia Giavara, Vermont Manufacturing Extension Center Jon Bates, Vermont Manufacturing Extension Center

2 Today’s Objective: Create awareness about DoD’s cybersecurity requirements and provide information and resources on compliance and implementation.

3 Cybersecurity is Good Business

4 What is Information Security?
Cyber-security Privacy Physical Security Contingency Planning & Disaster Recovery Operational Security Personnel Security Information Security Information your business uses / stores Includes customers, suppliers, IP, etc. Has several components you’re probably aware of already Includes the following interrelated disciplines: Physical Security Protection of Life and Property An Essential Element of Information Access Control Personnel Security Background Checks – including educational checks – as appropriate Behavioral Monitoring Contingency Planning and Disaster Recovery – also, Business Continuity Planning Includes planning for not being able to use your computer Includes planning for when your critical IT person leaves/resigns. Well understood, but not always implemented and tested Operational Security Protection of your private business intentions Protecting processes Dealing with the Media, External Organizations Privacy Protecting Personally Identifiable Information, especially of customers and employees Cybersecurity Protecting electronic devices Protecting the electronically-stored data / information Lacking any one piece (physical, personnel, etc.) diminishes the effectiveness of the other pieces of the security puzzle. Presentation Notes Explain that all these aspects of security are interrelated and interdependent.

5 DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
Contractor information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) , “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” The Contractor shall implement NIST SP , not later than December 31, 2017. The Contractor shall submit requests to vary from NIST SP in writing to the Contracting Officer, for consideration by the DoD CIO. The Contractor need not implement any security requirement adjudicated by an authorized representative of the DoD CIO to be non applicable or to have an alternative, but equally effective, security measure that may be implemented in its place. Rapidly report cyber incidents to DoD at  Flow down the clause in subcontracts

6 Let’s break down the DFARS requirements:
What is Covered Defense Information and Controlled Unclassified Information? What is NIST SP ? What does implemented by December 31, 2017 mean? What are options for meeting the requirements? What if a requirement doesn’t apply to my business; or can’t be implemented as described? What is required for reporting cyber incidents?

7 What is CDI, CTI, CUI ?

8 The CUI Registry Online repository for information, guidance, policy, and requirements on handling CUI, including issuances by the CUI Executive Agent. Identifies approved CUI categories and subcategories (with descriptions of each) and the basis for controls. Sets out procedures for the use of CUI, including but not limited to marking, safeguarding, transporting, disseminating, re-using, and disposing of the information.

9 CUI Registry Manufacturing Category-Subcategory:
Proprietary Business Information-Manufacturer Category Description: Material and information relating to, or associated with, a company's products, business, or activities, including but not limited to financial information; data or statements; trade secrets; product research and development; existing and future product designs and performance specifications. Subcategory Description: Relating to the production of a consumer product to include that of a private labeler. Marking: MFC

10 NIST Special Publication 800-171 Rev 1
Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations December 2016

11 Security Requirements 14 Families
Access Control Audit and Accountability Awareness and Training Configuration Management Identification and Authentication Incident Response Maintenance Media Protection Physical Protection Personnel Security Risk Assessment Security Assessment System and Communications Protection System and Information Integrity Security Requirements 14 Families Obtained from FIPS 200 and NIST Special Publication

12 Assumptions Nonfederal Organizations —
Have information technology infrastructures in place. Not developing or acquiring systems specifically for the purpose of processing, storing, or transmitting CUI. Have safeguarding measures in place to protect their information. May also be sufficient to satisfy the CUI requirements. May not have the necessary organizational structure or resources to satisfy every CUI security requirement. Can implement alternative, but equally effective, security measures. Can implement a variety of potential security solutions. Directly or through the use of managed services.

13 Structure of Security Requirements
Security requirements have a well-defined structure that consists of the following components: Basic security requirements section. Derived security requirements section.

14 Awareness and Training Example
Security Requirement Awareness and Training Example Basic Security Requirements: 3.2.1 Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those organizational information systems. Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities. Derived Security Requirements: Provide security awareness training on recognizing and reporting potential indicators of insider threat.

15 Awareness and Training Example 3.2.2
Security Requirement Awareness and Training Example 3.2.2 Basic Security Requirement: Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities. Meeting the Requirement: Basic security awareness training to new employees. Security awareness training to users when information system changes. Annual security awareness refresher training.

16 Access Control Example
Security Requirement Access Control Example Basic Security Requirements: 3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, or devices (including other systems). Limit system access to the types of transactions and functions that authorized users are permitted to execute. Derived Security Requirements: Control the flow of CUI in accordance with approved authorizations. Separate the duties of individuals to reduce the risk of malevolent activity without collusion. Employ the principle of least privilege, including for specific security functions and privileged accounts. Use non-privileged accounts or roles when accessing non-security functions. Prevent non-privileged users from executing privileged functions and audit the execution of such functions. Limit unsuccessful logon attempts.

17 Access Control Example 3.1.8
Security Requirement Access Control Example 3.1.8 Derived Security Requirements: Limit unsuccessful logon attempts. Meeting the Requirements: Limit number of consecutive invalid logon attempts allowed during a time period. Account lockout time period automatically enforced by the information system when max number of unsuccessful logon attempts is exceeded. Locks the account/node until released by an administrator. Delays next logon prompt according to the organization-defined delay algorithm. Access control policy and procedures addressing unsuccessful logon attempts. Personnel with information security responsibilities; system developers; system/network administrators.

18 What does “implement SP 800-171 by 12/31/2017” really mean?
A company demonstrates compliance and implementation of all 110 security controls in through:  Developing a System Security Plan (SSP)  Performing an Assessment and producing an assessment report Addressing the deficiencies found during the assessment in a Plan of Action and Milestones (PoAM) These three steps provide evidence that the company has implemented the security controls. It is not enough for a company simply state they have implemented the security controls in , they must be able to provide evidence of the implementation. There may be other approaches to developing and providing the evidence but the three step approach listed above is what NIST and DoD are recommending. 

19 DFARS “If the Offeror proposes to vary from any of the security requirements specified by NIST SP that are in effect at the time the solicitation is issued or as authorized by the Contracting Officer, the Offeror shall submit to the Contracting Officer, for consideration by the DoD Chief Information Officer (CIO), a written explanation of— (A) Why a particular security requirement is not applicable; or (B) How an alternative but equally effective, security measure is used to compensate for the inability to satisfy a particular requirement and achieve equivalent protection.”

20 Meeting SP Some security controls may not be applicable to your environment. Build off what you are currently doing. Consider other ways to meet the requirements. Isolate CUI into its own security domain by applying architectural design concepts Mapping to NIST SP and ISO/IEC is provided in SP

21 NIST 800-171 Guidebook – Coming Soon. https://www. nist

22 Free Online Assessment Tool
CAUTION: Requires an IT savvy user.

23 Using CSET To be effective it should be completed by a cross-functional team of subject matter experts (SME) Operational (work day-to-day with the systems) Maintenance (fix, update, modify, etc. the systems) Information Technology (configure, create accounts, troubleshooting, etc. the systems) Business Security This tool will help create these two Reports: System Security Plan (SSP) Plan of Action and Milestones (PoAM)

24 Cyber Incident Reporting
Rapidly report cyber incidents to DoD at  NOTE: Vermont law requires reporting security breaches involving personal information %20updated.pdf

25

26 Resources: NIST SP Rev1 DFARS Safeguarding Covered Defense Information and Cyber Incident Reporting Small Business Information Security:The Fundamentals DoD Industry Information Day - Cybersecurity June 23, /Public%20Meeting%20-%20Jun%2023%202017%20Final.pdf Cybersecurity Resources for Small Manufacturers: VMEC Website Cybersecurity Links

27 Resources for 800-171 Implementation:
NIST MEP Guidebook CSET Tool ontent/cset-instructions-help.pdf Cybersecurity services companies Contact PTAC or VMEC

28 Contact Information: Elizabeth Adams, Vermont Procurement Technical Assistance Center Patricia Giavara, Vermont Manufacturing Extension Center Jon Bates, Vermont Manufacturing Extension Center

Download ppt "Got DoD Contracts in Your Supply Chain"

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Congress and Contractor Personal Conflicts of Interest May 21, 2008 Jon Etherton Etherton and Associates, Inc.

Congress and Contractor Personal Conflicts of Interest May 21, 2008 Jon Etherton Etherton and Associates, Inc.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Information Systems Security Officer

Information Systems Security Officer
Office of Inspector General (OIG) Internal Audit

Office of Inspector General (OIG) Internal Audit
NIST framework vs TENACE Protect Function (Sestriere, 21-23 Gennaio 2015)

NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Supplier Ethics: Program Checklist

Supplier Ethics: Program Checklist
Session 3 – Information Security Policies

Session 3 – Information Security Policies
ZHRC/HTI Financial Management Training

ZHRC/HTI Financial Management Training
Complying With The Federal Information Security Act (FISMA)

Complying With The Federal Information Security Act (FISMA)
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.

Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.
CUI Statistical: Collaborative Efforts of Federal Statistical Agencies Eve Powell-Griner National Center for Health Statistics.

CUI Statistical: Collaborative Efforts of Federal Statistical Agencies Eve Powell-Griner National Center for Health Statistics.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
CONTRACTUAL FLOW DOWN OF DPAS PRIORITY RATINGS

CONTRACTUAL FLOW DOWN OF DPAS PRIORITY RATINGS
DFARS 204.73 & 252.204-7012 What is Unclassified Controlled Technical Information (UCTI)?

DFARS & What is Unclassified Controlled Technical Information (UCTI)?
Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.

Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.

Similar presentations

Ads by Google