It’s Midnight… do you know where your Federal Safeguards are? (image courtesy Brendan Loy)
It’s Midnight on May 11, 2017… do you know where your safeguards were?
What is Cybersecurity? The Department of Homeland Security (DHS) defines cybersecurity as “the protection of computers and computer systems against unauthorized attacks or intrusion.”
It’s Midnight… do you know where your Federal Safeguards are?
Moderator: Richard Stump, AIA; Vice President, Stanley Consultants
Speakers: Robert E. Jones, CPCM, Fellow; Left Brain Professionals
Terry O’Connor, Partner; Berenzweig Leonard, LLP
Topics of Coverage
- A Brief Introduction – Safeguarding Data Today
- Awareness
- Considerations for AECs, Small and Large
- Proactive Management Resolution
- The Value Proposition – Why Do It?
- Discussion and Takeaways
Password Tools: LastPass, KeePass, Onelogin, ManageEngine, SplashID
A Brief Introduction – Safeguarding Data Today
DoD Cybersecurity Clauses
- FAR and DFARS
- DFARS 252.204-7012 Safeguarding Covered Defense Information (CDI)
- DFARS 252.204-7300 Safeguarding CDI and Cyber Incident Reporting
- NIST (SP) 800-171
What is the purpose of DFARS 252.204-7012? DFARS clause 252.204-7012 was structured to ensure that unclassified DoD information residing on a contractor’s internal information system is safeguarded from cyber incidents, and that any consequences associated with the loss of this information are assessed and minimized via the cyber incident reporting and damage assessment processes. In addition, by providing a single DoD-wide approach to safeguarding covered contractor information systems, the clause prevents the proliferation of cyber security clauses and contract language by the various entities across DoD. Source: 27 Jan 17 FAQ, DFARS Case 2013-D018
What is the purpose of DFARS 252.204-7012?
- Safeguard unclassified DoD information on contractor information storage systems
- Minimize consequences of a cyber incident
- Provide a single DoD-wide approach
NIST (SP) 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
14 Requirements:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Contractor Compliance
- Large businesses struggle
- Time and financial commitment can appear overwhelming
- How do small businesses have a chance?
Agenda
- Awareness
- Considerations for AECs, Small and Large
- Proactive Management Resolution
- The Value Proposition – Why Do It?
Awareness
Cyber Awareness Month is in October. The government expects you to be aware (and compliant with its clauses) all year long.
Positive Share
Safety Check
What to Protect?
- Corporate networks
- Cloud storage (Dropbox, Office 365)
- E-mail
- Social media
- Online accounts (banks, utilities, etc.)
- Mobile devices
- IoT (phones, printers, other devices)
Physical Security
- Control access to building.
- Limit access to servers and systems.
- Visitor policy.
Update & Virus Protection
- Update OS and programs regularly.
- Invest in quality virus protection.
- Auto-update program and definitions.
Virus Tools: Avast, McAfee, AVG, Eset, MalwareBytes
Password Management
Strong passwords are critical!
- California
- California2017
- C@l1f0rn!a
- C@l1f0rn!a2017
Secret Q&A does not have to be real – only YOU need to know the answer.
Password Tools: LastPass, KeePass, Onelogin, ManageEngine, SplashID
Password Tools: How Secure Is My Password? https://howsecureismypassword.net/
- California – Instantly
- California2017 – 10 million years
- C@l1f0rn!a – 6 years
- C@l1f0rn!a2017 – 204 million years
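The crack-time figures above come from a brute-force model: they count how many characters and character classes a password uses and assume an attacker tries every combination. Real password guessing starts from wordlists and applies mutation rules (capitalise, append a year, swap letters for look-alike symbols), so a dressed-up dictionary word is far weaker than its brute-force figure suggests. The following added example (not from the presentation, and not the calculator behind the figures above) scores the deck's four sample passwords both ways. The wordlist, the leet-substitution map, the assumed one-million-word dictionary and the rule-of-thumb guess model are constructed for the demo and are assumptions, not a real cracker's cost model.

```python
import math
import string

# Constructed toy wordlist; a real cracking wordlist holds millions of entries.
WORDLIST = {"california", "password", "welcome", "summer"}

# Common look-alike substitutions an attacker's mutation rules undo.
LEET_CHARS = "@4!1|03$5"
LEET_MAP = str.maketrans({"@": "a", "4": "a", "!": "i", "1": "i", "|": "l",
                          "0": "o", "3": "e", "$": "s", "5": "s"})


def charset_size(pw: str) -> int:
    """Size of the alphabet a brute-force attacker must assume for this password."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += 32
    return size


def brute_force_bits(pw: str) -> float:
    """Naive strength: log2 of the full keyspace, as online calculators estimate it."""
    return len(pw) * math.log2(charset_size(pw))


def split_password(pw: str):
    """Return (base word after undoing leet and case, digit suffix, leet count)."""
    stripped = pw.rstrip(string.digits)          # "C@l1f0rn!a2017" -> "C@l1f0rn!a"
    suffix_len = len(pw) - len(stripped)
    leet_count = sum(1 for c in stripped if c in LEET_CHARS)
    base = stripped.translate(LEET_MAP).lower()  # "C@l1f0rn!a" -> "california"
    return base, suffix_len, leet_count


def is_dictionary_based(pw: str) -> bool:
    base, _, _ = split_password(pw)
    return base in WORDLIST


def guess_bits(pw: str, wordlist_size: int = 1_000_000) -> float:
    """Rule-of-thumb estimate of attacker work when mutation rules are applied.

    Assumed model (constructed for this demo): wordlist size x 2 per leet
    substitution x 10 per trailing digit x 2 for initial capitalisation.
    Non-dictionary passwords fall back to the brute-force figure.
    """
    if not is_dictionary_based(pw):
        return brute_force_bits(pw)
    _, suffix_len, leet_count = split_password(pw)
    guesses = wordlist_size * (2 ** leet_count) * (10 ** suffix_len) * 2
    return math.log2(guesses)


def report(passwords):
    """Return {password: (brute_force_bits, guess_bits)} for a list of candidates."""
    return {pw: (round(brute_force_bits(pw), 1), round(guess_bits(pw), 1)) for pw in passwords}


if __name__ == "__main__":
    # The deck's four sample passwords; the gap between the two columns is the point.
    for pw, (bf, g) in report(["California", "California2017", "C@l1f0rn!a", "C@l1f0rn!a2017"]).items():
        print(f"{pw:16s} brute-force {bf:5.1f} bits   with mutation rules {g:5.1f} bits")
```

The last column barely moves between "California" and "C@l1f0rn!a2017", while the brute-force column jumps by more than 30 bits; that gap is why password managers (the tools listed above) that generate long random strings are recommended over memorable words with symbol substitutions.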
Wi-Fi and Bluetooth
- Keep them off until needed.
- Separate guest network.
Wi-Fi Tools: SecureLine VPN, PureVPN
Mobile Devices
- Use Passcode/PIN for encryption.
- Have a method to remote wipe.
Mobile Tools: Avast Mobile, Avira, Lookout
E-mail
- Keep separate accounts.
- Use a professional domain for work.
E-mail Tools: Set up multi-factor authentication on every account.
Cloud Storage
- Use separate storage for work & personal.
- Don’t cross-contaminate!
Cloud Tools: Dropbox, Google Drive, Box, iCloud, Carbonite
Encryption
- Look for “https” in websites.
Encryption Tools: SertintyOne
Multi-Factor Authentication
- User name
- Password
- Another item:
  - Text code
  - Digital certificate
  - One-time password
  - Biometric
Multi-Factor Tools: Windows Authenticator, Google Authenticator, IdenTrust, RSA SecurID
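The "one-time password" factor listed above is what authenticator apps such as Google Authenticator produce: a time-based code (TOTP, RFC 6238, built on HOTP, RFC 4226) derived from a shared secret and the current 30-second time step. The following added example, which is not part of the presentation and not the code of any of the tools named, shows both sides of the exchange: enrolment (a random secret shared as base32), code generation on the user's device, and verification on the server with a small clock-drift window and replay protection. The `TotpVerifier` class, the window size and the sample secret are assumptions made for the demo; the secret `12345678901234567890` is the published RFC test-vector key, used only so the output can be checked.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def new_secret(length: int = 20) -> str:
    """Enrolment: random secret, base32-encoded as authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(length)).decode("ascii")


def decode_secret(b32: str) -> bytes:
    """Undo the base32 sharing format (tolerates lowercase and missing padding)."""
    padded = b32.strip().upper().replace(" ", "")
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time step (device side)."""
    t = int(time.time() if for_time is None else for_time)
    return hotp(secret, t // step, digits)


class TotpVerifier:
    """Server side: accept a code from the current step or +/- `window` steps,
    and never accept the same step twice (replay protection, RFC 6238 s.5.2)."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1, digits: int = 6):
        self.secret, self.step, self.window, self.digits = secret, step, window, digits
        self.last_accepted_step = -1

    def verify(self, code: str, for_time=None) -> bool:
        t = int(time.time() if for_time is None else for_time)
        current = t // self.step
        for drift in range(-self.window, self.window + 1):
            candidate_step = current + drift
            if candidate_step <= self.last_accepted_step:
                continue  # already used (or older than one already used)
            expected = hotp(self.secret, candidate_step, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_accepted_step = candidate_step
                return True
        return False


if __name__ == "__main__":
    shared = new_secret()                      # shown to the user as a QR code / base32 string
    key = decode_secret(shared)
    code = totp(key)                           # what the authenticator app displays
    server = TotpVerifier(key)
    print("secret:", shared, "code:", code, "accepted:", server.verify(code),
          "replay accepted:", server.verify(code))
```

Two points the code makes that the slide cannot: the server never learns a reusable password, only a code that expires with the time step, and the verifier must remember the last accepted step, otherwise a code captured once stays valid for the whole window.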
Considerations for Business
- Prime AEC Contracts with Federal Agencies
- Subcontracts
- Joint Venture Partners
- Host Nation Partners and Subconsultants
Prime Contract Considerations
- Clause Compliance: 31 Dec 17 – compliance required for DFARS 252.204-7012
- Notification to DoD CIO within 30 days of award
- Flowdown of clauses
- CDI Identification and Management
Subcontractor Considerations
- Clause Compliance
- Conformance to Prime AE cybersecurity requirements
- Need to report your compliance, post-award
- Costs of compliance vs. benefits of subcontract
Joint Venture Considerations
- Clause Compliance for all parties
- All Parties’ Cybersecurity Conformance
- Incident Management and Reporting
- Location and Management of Data
Meeting the 31 Dec 17 Deadline (DFARS 252.204-7012)
- Costs and time for compliance vary
- Larger contractor, greater compliance requirement
- Upfront costs and recurring costs
- Smaller firms benefit from smaller footprint
- Many firms will not be fully compliant by Dec 2017
- If you haven’t yet started… you still need to comply!
Explaining the Basic Safeguards
FAR requires 15 controls at a minimum on covered contractor information systems
Definitions
- Covered contractor information systems
- Federal contract information
- Information
- Information system
Definitions
The 15 requirements are requirements that “most prudent businesses already follow.”
Access Controls
Limit access:
- To authorized users
- To the transactions/functions authorized users can execute
Access Controls
Control:
- use of external information systems
- posting of information on publicly accessible information systems
Identification and Authentication
- Identify users and authenticate their identity before letting them use the information system
Media Protection
- Destroy media before disposal
Physical Protection
- Limit physical access
- Escorts, sign-in logs, door-openers
Systems and Communications Protection
- Boundary protections
- Subnetworks
System and Information Integrity
- Timely report and fix flaws
- Protect against malicious code and install update protections
- Scan system periodically and scan downloads in real time
Value Proposition Slide by Robert
Value Proposition Slide by Rich
Value Proposition Slide by Terry
A Little Bit of Conversation Questions, Comments and Answers
It’s Midnight… do you know where your Federal Safeguards are? (image courtesy Brendan Loy)
Your Best Way Forward Takeaway 1 Takeaway 2 Takeaway 3 Takeaway 4 Takeaway 5
Contact Information
Robert E. Jones – (614) 556-4415 – Robert@leftbrainpro.com
Richard Stump – (808) 542-9265 – stumprichard@stanleygroup.com
Terry O’Connor – 703.760.0402 – toconnor@berenzweiglaw.com