
1 DFARS Unclassified Controlled Technical Information (UCTI) Process and Procedures Update

2 Background
- June 2011 – DoD Proposes New DFARS Rule for Protecting Controlled, Unclassified Information
  - Industry meeting scheduled for November 15, 2011
  - Comments due December 2011
- February 2013 – Executive Order on Improving Critical Infrastructure Cybersecurity
  - Executive Branch response to Congressional inability to pass legislation
- October 10, 2013 – SecDef Memo on Protecting Unclassified Controlled Technical Information
  - Instructs AT&L to “take immediate action to improve the protection of unclassified controlled technical information that resides on or passes through defense contractor systems or networks.”
- November 18, 2013 – DoD Publishes New DFARS Cyber Rule
- December 16, 2014 – PGI, FAQs, and Media Submission Instructions released
- February 20, 2015 – Executive Order on Promoting Private Sector Cybersecurity Information Sharing
  - Cyber Threat Intelligence Integration Center (CTIIC) & Information Sharing & Analysis Organizations (ISAOs)
- May 12, 2015 – Comments due for NIST Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (Final Public Draft)

3 DIB Collaboration - US Govt (Today)
Utilize a Trusted Community among Government, Public, and/or Private Sector Entities that Enhances Collaboration and Builds Threat Knowledge to Enable DIB Cyber Defense.

[Diagram of the collaborating entities; the chart itself is not reproduced. Entities shown, in the order they appear:]
- DoD
- Secretary of Defense
- Dept of Homeland Security
- White House/Capitol Hill
- Critical Infrastructure Partnership Advisory Council (CIPAC)
- … Agency
- U S Cyber Command (USCYBERCOM)
- Senate/House Legislation
- CIO
- Defense Industrial Base (DIB) Cyber Program
- Sector Coordinating Councils (SCCs, i.e. DIB SCC)
- Cyber Security Coordinator
- Defense Cyber Crime Center (DC3)
- National Defense Industrial Association (NDIA)
- Federal Acquisition Regulation (FAR), Defense (DFARS)
- Defense Security Service (DSS) & Federal Bureau of Investigations (FBI)
- Critical Infrastructure Information Sharing & Analysis Center (ISAC)
- International 5EYE
- DIB Information Sharing Analysis Organization (ISAO)
- Aerospace & Defense Companies - Partners/Suppliers/Competitors

4 H.R. 1731: National Cybersecurity Protection Advancement Act of 2015
Tracking Cybersecurity Legislation To Date

Cyber Legislation Summary
- 44 Introduced/Proposed Bills
- 38 in Committee
- 4 Passed One Chamber
- 1 Vetoed & Override Failed in Senate – Keystone Pipeline
- 1 Acts/Law (Energy Appropriation & Authorization Only)

Pending Activity/Regulation
- NIST
- NDAA Section 941 & 1645 Incident Reporting
- SECDEF DOD Cyber Strategy (Classification for Critical)
- Critical Infrastructure Potential Regulation (Framework & C3)

Current Concerns
1. Customer Requirements/Contract Language
2. DFARS/FAR Safeguarding Unclassified Controlled Technical Information (UCTI) & Controlled Unclassified Information (CUI)
3. DOD AT&L Better Buying Power 3.0 includes Cyber for the Product Life Cycle
4. ~30 Cyber related Legislative Proposals
5. Executive Orders focused on Cybersecurity

| Proposal | Sponsor | Status |
| --- | --- | --- |
| H.R. 1560: Protecting Cyber Networks Act | Rep. Devin Nunes [R-CA22] | Passed House Apr 22, 2015 |
| S. 754: Cybersecurity Information Sharing Act of 2015 | Sen. Richard Burr [R-NC] | Reported by Committee: Mar 17, 2015 |
| S. 456: Cyber Threat Sharing Act of 2015 | Sen. Thomas Carper [D-DE] | Referred to Committee: Feb 11, 2015 |
| H.R. 1731: National Cybersecurity Protection Advancement Act of 2015 | Rep. Michael McCaul [R-TX] | Apr 23, 2015 |

5 Cybersecurity Regulation Status
- PGI & FAQ Released
  - Addressed ambiguities in certain areas but questions remain within industry
- DoD / industry working practical implementation issues to include Marking DFARS Unclassified Controlled Technical Information (UCTI)
  - AIA DFARS Working Group meeting working on marking and commercial item clarifications
  - UCTI Update at DOD DIB POWG 7 May 2015
  - MDA DFARS UCTI Regulation Guideline Draft
- Addressing Supplier Questions and Concerns
- Working Through Incident Reporting Ambiguity
  - Encrypted laptops; Compromise with no data loss
- Defense Acquisition University DOD Training planned for Dec 2015

6 Watch Items: Cyber Security Contract Language
- Agencies / Programs Including Additional Cyber Language in Contracts to Address Protection of Unclassified Program Information
  - Scope Greater than Program Specific Systems
  - Requirements Contradictory / Duplicative
  - Potential for Significant Cost Impact (e.g., Supply Chain)
- Incident Reporting
  - Inconsistencies with DFARS incident reporting requirements (who, what, when, how)
- Damage Assessment
  - Program/CO/DAMO independent
  - DOD Backend Process
- Disparate Agency/Program Guidelines (CUI, definitions, compliance, & reporting)
  - References to both DIACAP & DFARS without RMF
  - PPP, IA Plan, SSP, IA Questions, etc. – varied requests
- NDAA – National Defense Authorization Acts

7 DFARS UCTI: 65% of new awards DOD wide
Source:

8 Subcontractors and Suppliers
The contract clause is in effect as of November 18, 2013, and must be included in all new DoD contracts, including contracts for commercial items. The contract clause also must be flowed down to all subcontractors regardless of size and to all tiers of the supply chain.

Q: Do I as a supplier need to notify my prime of my status on DFARS Clause ?
A: If a supplier is non-compliant with the NIST cyber security controls outlined in the DFARS Clause , then the supplier should immediately notify the prime.

Q: What are the incident reporting requirements?
A: A supplier must report an incident to the prime within 72 hours of discovery of any cyber incident that affects UCTI and cooperate with the investigation process.

Please note: the cyber incident reporting requirements associated with this DFARS Clause do not negate any additional reporting requirements found in the contract between the prime, subcontractor and the supplier.

9 Summary: Ongoing Progress… DOD & DIB Working Together
- Contract Language in addition to DFARS UCTI
- Supply Chain concerns
- Technology/Architecture Impacts (Cloud Services, Mobility, Enterprise/Segments/Programs)
- Marking
- Commercial Items
- Incident Reporting for UCTI on multiple contracts
- Damage Assessment by Programs, DOD Program Offices, and/or COs
- Future Requirements/Potential
  - FAR in Yr 2015 with the NIST CUI implies additional controls
  - Better Buying Power 3.0 with Cybersecurity Area
  - Legislative focus on information sharing; upon Law will protection and controls be the focus for legislative proposals
