Presentation is loading. Please wait.

Presentation is loading. Please wait.

Supplier Information Session Safeguarding Covered Defense Information and Cyber Incident Reporting, DFARS 252.204-7012 August 16, 2016 Christian Ortego.

Published bySandra Gibbs Modified over 5 years ago

Similar presentations

Presentation on theme: "Supplier Information Session Safeguarding Covered Defense Information and Cyber Incident Reporting, DFARS 252.204-7012 August 16, 2016 Christian Ortego."— Presentation transcript:

1 Supplier Information Session Safeguarding Covered Defense Information and Cyber Incident Reporting, DFARS August 16, 2016 Christian Ortego Senior Counsel

2 DFARS Cybersecurity Rule
Evolution of a Rule Covered Contractor Information Systems NIST Standards Reporting Requirements The content discussed in this presentation is provided for informational purposes only and does not constitute legal advice or counsel. For legal advice or counsel related to issues discussed herein, please consult your attorney.

3 Evolution of a Rule – DFARS 252.204-7012
November 2013 – initial rule August/September 2015 – major change December 2015 – major change Rule Evolved as DoD Received Comments/Feedback from Industry

4 Evolution of a Rule – DFARS 252.204-7012
November 2013 – initial rule Established Concepts for: Information Technology System Standards Reporting Requirement for Cyber Incidents Applied to “cleared contractors” and Systems that store or transmit Unclas Controlled Technical Information Rule Evolved as DoD Received Comments/Feedback from Industry

5 Evolution of a Rule – DFARS 252.204-7012
September 2015 – updated standards/expanded scope Amended Standards from NIST SP to SP (DoD CIO must approve exceptions and alternative measures) Expanded scope of information to “covered defense information” from unclas controlled tech info Expanded regulatory coverage to all contractors and subcontractors 72 Hour Incident Reporting Requirement to both: DoD Higher Tier Contractor September Change Greatly Broadened Scope of Rule

6 Evolution of a Rule – DFARS 252.204-7012
December 2015 – current rule Extended Deadline to meet NIST SP to December 31, 2017 Report areas of non-compliance to DoD CIO Same scope of information covered as September rule Required Inclusion in all DoD Contracts Mandatory Flowdown to all Subcontractor Tiers December Change Maintained Rule but Extended NIST Standards Deadline

7 Covered Contractor Information Systems
Current Rule: Systems owned or operated by, or for, a contractor and that processes, stores or transmits: “Covered Defense Information” which is: Controlled Technical Info Critical Information Export Controlled Info; or “Any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies (e.g., privacy, proprietary business information).” The type of information subject to safeguarding and the additional reporting obligations are not the interim rule’s only material changes. Under the previous regime, contractors were only required to report cyber incidents affecting UCTI. The interim rule, on the other hand, requires contractors to report any cyber incidents affecting (i) covered defense information (a broader category of data than UCTI), (ii) contractor information systems that contain covered defense information, and/or (iii) information that affects the contractor’s ability to provide operationally critical support. For example, under the interim rule, the reporting requirement would be triggered by a cyber incident that affects the contractor’s information system housing covered defense information, even if the information itself was not affected. “Covered Information Systems” is Broad Concept

8 Over 100 Items Included in the Standards
NIST Standards Current Rule: NIST SP Deadline to meet NIST SP is as soon as possible but NLT December 31, 2017 Covers a variety of factors: Access control Awareness and Training Audit and Accountability Configuration Management Identification and Authentication Incident Response Maintenance Media Protection Personnel Security Physical Protection Risk and Security Assessments System and Communication Protection System and Information Integrity Over 100 Items Included in the Standards

9 Reporting Requirements
Current Rule – Two Main Requirements 1. Report to DoD CIO within 30 days of contract award from HII/NNS/Ingalls: YES or NO: In compliance with NIST Standards If NO: must report areas of non-compliance to DoD CIO 2. Report Cyber Incidents within 72 Hours to BOTH DoD (through and NNS/Ingalls The Reporting Requirements are in effect upon award of a contract with the clause (i.e. the December 2017 deadline DOES NOT change the reporting requirements) Reporting Requirements are in Effect Now

10 Questions? Questions?

11

Download ppt "Supplier Information Session Safeguarding Covered Defense Information and Cyber Incident Reporting, DFARS 252.204-7012 August 16, 2016 Christian Ortego."

Similar presentations

Annual Security Refresher Briefing Note: All classified markings contained within this presentation are for training purposes.

Annual Security Refresher Briefing Note: All classified markings contained within this presentation are for training purposes.
What is GARP®? GARP® is an Acronym for Generally Accepted Recordkeeping Principles ARMA understands that records must be.

What is GARP®? GARP® is an Acronym for Generally Accepted Recordkeeping Principles ARMA understands that records must be.
CIP Cyber Security – Security Management Controls

CIP Cyber Security – Security Management Controls
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information System Security Association-Washington D.C. NIST Special Publication 800-171 Protecting Controlled.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information System Security Association-Washington D.C. NIST Special Publication Protecting Controlled.
CENTRAL CONTRACTOR REGISTRATION (CAGE CODES) DFARS Case 2003-D040 DFARS Parts 204, 212, 213 and 252 are amended to remove policy on Central Contractor.

CENTRAL CONTRACTOR REGISTRATION (CAGE CODES) DFARS Case 2003-D040 DFARS Parts 204, 212, 213 and 252 are amended to remove policy on Central Contractor.
Presented By the Office of Research Integrity & Assurance June 2010.

Presented By the Office of Research Integrity & Assurance June 2010.
Background June 2011– DoD Proposes New DFARS Rule for Protecting Controlled, Unclassified Information Industry meeting scheduled for November 15, 2011.

Background June 2011– DoD Proposes New DFARS Rule for Protecting Controlled, Unclassified Information Industry meeting scheduled for November 15, 2011.
Complying With The Federal Information Security Act (FISMA)

Complying With The Federal Information Security Act (FISMA)
COMPLYING WITH HIPAA BUSINESS ASSOCIATE REQUIREMENTS Quick, Cost Effective Solutions for HIPAA Compliance: Business Associate Agreements.

COMPLYING WITH HIPAA BUSINESS ASSOCIATE REQUIREMENTS Quick, Cost Effective Solutions for HIPAA Compliance: Business Associate Agreements.
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
DFARS 204.73 & 252.204-7012 What is Unclassified Controlled Technical Information (UCTI)?

DFARS & What is Unclassified Controlled Technical Information (UCTI)?
“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.

“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.

Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
1 CIP-004-1 Cyber Security – Personnel & Training Steve Garn CIP Compliance Workshop Baltimore, MD August 19-20, 2009 © ReliabilityFirst Corporation.

1 CIP Cyber Security – Personnel & Training Steve Garn CIP Compliance Workshop Baltimore, MD August 19-20, 2009 © ReliabilityFirst Corporation.
Disaster Recover Planning & Federal Information Systems Management Act Requirements December 2007 Central Maryland ISACA Chapter.

Disaster Recover Planning & Federal Information Systems Management Act Requirements December 2007 Central Maryland ISACA Chapter.
The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d This material (Comp2_Unit9d) was developed by Oregon Health and Science University,

The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d This material (Comp2_Unit9d) was developed by Oregon Health and Science University,
Of XX Cybersecurity in Government Contracting David Z. Bodenheimer, Partner, Crowell & Moring LLP ©2015 PubKLearning. All rights reserved.1 The Federal.

Of XX Cybersecurity in Government Contracting David Z. Bodenheimer, Partner, Crowell & Moring LLP ©2015 PubKLearning. All rights reserved.1 The Federal.
Of XX Data Rights, Intellectual Property, Information Technology and Export Controls in Government Contracting Fernand Lavallee, Partner, Jones Day ©2015.

Of XX Data Rights, Intellectual Property, Information Technology and Export Controls in Government Contracting Fernand Lavallee, Partner, Jones Day ©2015.
1 PARCC Data Privacy & Security Policy December 2013.

1 PARCC Data Privacy & Security Policy December 2013.

Similar presentations

Ads by Google