Presentation is loading. Please wait.

Presentation is loading. Please wait.

Safeguarding Covered Defense Information

Published byPaulina Nichols Modified over 6 years ago

Similar presentations

Presentation on theme: "Safeguarding Covered Defense Information"— Presentation transcript:

1 Safeguarding Covered Defense Information
CYBER SECURITY Safeguarding Covered Defense Information March 2017

2 Goal Improve DLA’s business relationships with vendor base to better accomplish our shared mission of supporting warfighters worldwide by mitigating risk and reducing vulnerability to cybercrime

3 Who is Impacted DFARS applies to all DOD solicitations and contracts for commercial items Exception: solicitations and contracts solely for the acquisition of Commercial Off the Shelf (COTS) items Requires flow down to: Suppliers at all tiers including Commercial suppliers Subcontractors at all tiers

4 How? Provide updates to contractors for cybersecurity requirements
Define what is “Covered Defense Information” Where and how to apply “Adequate Security” Cyber incident reporting requirements

5 Covered Defense Information (CDI)
Defined as: Unclassified controlled technical information; or Information, as described in the Controlled Unclassified Information (CUI) Registry at: Requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government wide policies, AND IS: Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract

6 Covered Defense Information (CDI)
CDI Definition Continued… DLA L&M will apply DFARS requirement for safeguarding CDI as follows: National Stock Number (NSN) has demilitarization code other than A; or Technical Data Package contains document(s) with distribution statement other than A; or Identification of export control; or Information contained in the customer and/or applicable agency specific critical information list For DLA L&M, if CDI is included in the technical data package for an acquisition it will be specifically identified in the Purchase Item Description (PID) Note: CDI may also be contained in contractor-owned data and is identified with a similar contractor type coding as described above

7 CDI: Controlled Technical Information
Defined as: Technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction Distribution Statements on Technical Documents The term does not include information that is lawfully publicly available without restrictions

8 Controlled Technical Information
L&M Distribution Statements B-F Reasons for assignment of distribution statements B-F in L&M technical documents: Critical Technology Export Controlled Foreign Government Information Operations Security Premature Dissemination Proprietary Information Test and Evaluation Software Documentation Vulnerability Information Contractor Performance Evaluation Administrative or Operational Use Reference DoDI : See pages of the DoDI for additional details

9 CTI: Controlled Technical Information
Unclassified information not limited to: Design & Manufacturing Technical Data Keystone Equipment Inspection and Test Equipment Or data related to a specific military deficiency of a potential adversary

10 CTI: Export Control Unclassified information concerning: Certain items
Commodities Technology Software Or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives.

11 CTI: Test & Evaluation Information related to:
Protect Results of Test/Evaluation of Commercial Products or Military Hardware Occurs when disclosure may cause unfair advantage or disadvantage to the manufacturer of the products

12 Applying “Adequate Security”
Information Sharing/Collaboration Toolbox Only to information systems containing CDI Implement security protections on: IT operated on behalf of Government Not part of IT operated on behalf of Government On contractors assessed risk or vulnerability

13 IT Not Operated on Behalf of DoD
National Institute of Standards and Technology (NIST) NIST SP Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations Isolate CUI into own security domain Limit scope to CUI particular system or components Don’t try to boil the ocean

14 NIST SP 800-171 Basic Security
Basic Security Requirements Access Control Physical Protection Awareness and Training Risk Assessment Audit and Accountability Security Assessment Configuration Management System and Communication Protection Identification and Authentication System and Information Integrity Incident Response Maintenance

15 Implementation of NIST SP 800-171
Implement NIST SP , as soon as practical, but NTL December 31, 2017 Contracts awarded prior to October 1, 2017, the Contractor shall notify the DoD Chief Information Officer (CIO), via at and the contracting officer within 30 days of contract award, of any security requirements specified by NIST SP not implemented at the time of contract award

16 Request to Varying from NIST SP 800-171
Contractors electing to vary/deviate from the NIST SP requirement must submit their requests in writing to the Contracting Officer of record The Contracting Officer will then submit the request on behalf of the contractor to the DoD CIO for consideration Contractor do not need to implement any security requirement adjudicated by an authorized representative of the DoD CIO to be nonapplicable or to have an alternative, but equally effective, security measure that may be implemented in its place If the DoD CIO has previously adjudicated the contractor’s requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the Contracting Officer when requesting its recognition under the contract

17 Cyber Incident Reporting Requirements
Contractor discovers a cyber incident affecting: Contractor information system Covered Defense Information Required elements of cyber incident report DoD-approved medium assurance certificate For information on obtaining a DoD-approved medium assurance certificate, see:

18 When you have a Cyber Incident
Conduct a review for evidence of compromise of CDI Including, but not limited to: Compromised Computers Compromised Servers Specific Data User Accounts Covered contractor information systems Rapidly report to

19 What goes in Cyber Incident Report
Include elements required by

20 Within 72 Hours Within 72 hours report as much of the following:
Company name Ability to provide operationally critical support Company Point of Contact (POC) Date incident discovered Data Universal Numbering System (DUNS) Number Location(s) of compromise Contract number(s) or other type of agreement affected Incident location CAGE code DoD programs, platforms or systems involved Contracting Officer or other agreement POC Type of compromise USG Program Manager POC Description of technique or method used in incident Contract or other agreement clearance level Incident outcome Facility CAGE code Incident/Compromise narrative Facility Clearance Level Any additional information Impact to CDI

21 Questions/Resources For additional information on the cyber security requirement please see the following resources: FAQs: DoDI : CUI Registry: Medium Assurance Certificate: Cyber Incident Report: DOD CIO: DFARS Clause : DFARS PGI :

Download ppt "Safeguarding Covered Defense Information"

Similar presentations

Section Six: Foreign Ownership, Control, or Influence (FOCI)

Section Six: Foreign Ownership, Control, or Influence (FOCI)
Conversation on the Chemical Facility Anti-Terrorism Standards (CFATS) and Critical Infrastructure Protection Chemical-Terrorism Vulnerability Information.

Conversation on the Chemical Facility Anti-Terrorism Standards (CFATS) and Critical Infrastructure Protection Chemical-Terrorism Vulnerability Information.
Controlled Unclassified Information (CUI). Unclassified Information Public Domain: information that does not qualify for status of CUI -- suitable for.

Controlled Unclassified Information (CUI). Unclassified Information Public Domain: information that does not qualify for status of CUI -- suitable for.
Presented By the Office of Research Integrity & Assurance June 2010.

Presented By the Office of Research Integrity & Assurance June 2010.
Congress and Contractor Personal Conflicts of Interest May 21, 2008 Jon Etherton Etherton and Associates, Inc.

Congress and Contractor Personal Conflicts of Interest May 21, 2008 Jon Etherton Etherton and Associates, Inc.
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.
SAE AS9100 Quality Systems - Aerospace Model for Quality Assurance

SAE AS9100 Quality Systems - Aerospace Model for Quality Assurance
National Contract Management Association – Norfolk Chapter Contracting Ground Rules.

National Contract Management Association – Norfolk Chapter Contracting Ground Rules.
Introduction to Intellectual Property using the Federal Acquisitions Regulations (FAR) To talk about intellectual property in government contracting, we.

Introduction to Intellectual Property using the Federal Acquisitions Regulations (FAR) To talk about intellectual property in government contracting, we.
CONTRACTUAL FLOW DOWN OF DPAS PRIORITY RATINGS

CONTRACTUAL FLOW DOWN OF DPAS PRIORITY RATINGS
Introduction to Software Quality Assurance (SQA)

Introduction to Software Quality Assurance (SQA)
DFARS 204.73 & 252.204-7012 What is Unclassified Controlled Technical Information (UCTI)?

DFARS & What is Unclassified Controlled Technical Information (UCTI)?
Information Systems Security Computer System Life Cycle Security.

Information Systems Security Computer System Life Cycle Security.
“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.

“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.
1 WARFIGHTER SUPPORT STEWARDSHIP EXCELLENCE WORKFORCE DEVELOPMENT WARFIGHTER-FOCUSED, GLOBALLY RESPONSIVE, FISCALLY RESPONSIBLE SUPPLY CHAIN LEADERSHIP.

1 WARFIGHTER SUPPORT STEWARDSHIP EXCELLENCE WORKFORCE DEVELOPMENT WARFIGHTER-FOCUSED, GLOBALLY RESPONSIVE, FISCALLY RESPONSIBLE SUPPLY CHAIN LEADERSHIP.
Section Five: Security Inspections and Reviews Note: All classified markings contained within this presentation are for training purposes only.

Section Five: Security Inspections and Reviews Note: All classified markings contained within this presentation are for training purposes only.
Theme: classification & distribution of government control of FEA.

Theme: classification & distribution of government control of FEA.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.

Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
Certification and Accreditation CS-7493-01 Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.

Certification and Accreditation CS Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.
Of XX Cybersecurity in Government Contracting David Z. Bodenheimer, Partner, Crowell & Moring LLP ©2015 PubKLearning. All rights reserved.1 The Federal.

Of XX Cybersecurity in Government Contracting David Z. Bodenheimer, Partner, Crowell & Moring LLP ©2015 PubKLearning. All rights reserved.1 The Federal.

Similar presentations

Ads by Google