
It’s Midnight …. - PowerPoint Presentation

celsa-spraggs
Uploaded On 2019-11-08



Presentation Transcript

It’s Midnight… do you know where your Federal Safeguards are? (image courtesy Brendan Loy)

It’s Midnight on May 11, 2017… do you know where your safeguards were?

What is Cybersecurity? The Department of Homeland Security (DHS) defines cybersecurity as “the protection of computers and computer systems against unauthorized attacks or intrusion.”

It’s Midnight… do you know where your Federal Safeguards are?
Moderator: Richard Stump, AIA; Vice President, Stanley Consultants
Speakers:
Robert E. Jones, CPCM, Fellow; Left Brain Professionals
Terry O’Connor, Partner; Berenzweig Leonard, LLP

Topics of Coverage
A Brief Introduction – Safeguarding Data Today
Awareness
Considerations for AECs, Small and Large
Proactive Management Resolution
The Value Proposition – Why Do It?
Discussion and Takeaways

Password Tools: LastPass, KeePass, OneLogin, ManageEngine, SplashID

A Brief Introduction – Safeguarding Data Today

DoD Cybersecurity Clauses
FAR and DFARS
DFARS 252.204-7012 Safeguarding Covered Defense Information (CDI)
DFARS 252.204-7300 Safeguarding CDI and Cyber Incident Reporting
NIST (SP) 800-171

What is the purpose of DFARS 252.204-7012? DFARS clause 252.204-7012 was structured to ensure that unclassified DoD information residing on a contractor’s internal information system is safeguarded from cyber incidents, and that any consequences associated with the loss of this information are assessed and minimized via the cyber incident reporting and damage assessment processes. In addition, by providing a single DoD-wide approach to safeguarding covered contractor information systems, the clause prevents the proliferation of cyber security clauses and contract language by the various entities across DoD. Source: 27 Jan 17 FAQ, DFARS Case 2013-D018

What is the purpose of DFARS 252.204-7012?
Safeguard unclassified DOD information on contractor information storage systems
Minimize consequences of a cyber incident
Provide a single DOD-wide approach

NIST (SP) 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
14 Requirements:
Access Control
Awareness and Training
Audit & Accountability
Configuration Management
Identification and Authentication
Incident Response

NIST (SP) 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
Maintenance
Media Protection
Personnel Security
Physical Protection
Risk Assessment
Security Assessment
System and Communications Protection
System and Information Integrity

Contractor Compliance
Large businesses struggle
Time and financial commitment can appear overwhelming
How do small businesses have a chance?

Awareness
Considerations for AECs, Small and Large
Proactive Management Resolution
The Value Proposition – Why Do It?

Awareness
Cyber Awareness Month is in October. The government expects you to be aware (and compliant with its clauses) all year long.

Positive Share

Safety Check

What to Protect?
Corporate networks
Cloud storage (Dropbox, Office 365)
E-mail
Social media
Online accounts (banks, utilities, etc.)
Mobile devices
IoT (phones, printers, other devices)

Physical Security Control access to building. Limit access to servers and systems. Visitor policy.

Update & Virus Protection Update OS and programs regularly. Invest in quality virus protection. Auto-update program and definitions.

Virus Tools: Avast, McAfee, AVG, ESET, Malwarebytes

Password Management
Strong passwords are critical!
California → California2017 → C@l1f0rn!a → C@l1f0rn!a2017
Secret Q&A does not have to be real – only YOU need to know the answer.

Password Tools: LastPass, KeePass, OneLogin, ManageEngine, SplashID

Password Tools
How Secure Is My Password? https://howsecureismypassword.net/
California – Instantly
California2017 – 10 million years
C@l1f0rn!a – 6 years
C@l1f0rn!a2017 – 204 million years

Wi-fi and Bluetooth Keep them off until needed. Separate guest network.

Wi-fi Tools: SecureLine VPN, PureVPN

Mobile Devices Use Passcode/PIN for encryption. Have a method to remote wipe.

Mobile Tools: Avast Mobile, Avira, Lookout

E-mail Keep separate accounts. Use a professional domain for work.

Email Tools Setup multi-factor authentication on every account.

Cloud Storage Use separate storage for work & personal. Don’t cross contaminate!

Cloud Tools: Dropbox, Google Drive, Box, iCloud, Carbonite

Encryption
Look for “https” in websites.

Encryption Tools SertintyOne

Multi-Factor Authentication
User name
Password
Another item
Text code
Digital certificate
One-time password
Biometric

Multi-Factor Tools: Windows Authenticator, Google Authenticator, IdenTrust, RSA SecurID

Considerations for Business
Prime AEC Contracts with Federal Agencies
Subcontracts
Joint Venture Partners
Host Nation Partners and Subconsultants

Prime Contract Considerations
Clause Compliance
31 Dec 17 – compliance required for DFARS 252.204-7012
Notification to DOD CIO within 30 days of award
Flowdown of clauses
CDI Identification and Management

Subcontractor Considerations
Clause Compliance
Conformance to Prime AE cybersecurity requirements
Need to report your compliance, post-award
Costs of compliance vs. benefits of subcontract

Joint Venture Considerations
Clause Compliance for all parties
All Parties’ Cybersecurity Conformance
Incident Management and Reporting
Location and Management of Data

Meeting the 31 Dec 17 Deadline
DFARS 252.204-7012
Costs and time for compliance vary
Larger contractor, greater compliance requirement
Upfront costs and recurring costs
Smaller firms benefit from smaller footprint
Many firms will not be fully compliant by Dec 2017
If you haven’t yet started… you still need to comply!

Explaining the Basic Safeguards
FAR requires 15 controls at a minimum on covered contractor information systems

Definitions
Covered contractor information systems
Federal contract information
Information
Information system

Definitions The 15 requirements are requirements that “most prudent businesses already follow.”

Access Controls
Limit access:
To authorized users
To the transactions/functions authorized users can execute

Access Controls
Control:
use of external information systems
posting of information on publicly accessible information systems

Identification and Authentication Identify users and authenticate their identity before letting them use information system

Media Protection Destroy media before disposal

Physical Protection
Limit physical access
Escorts, sign-in logs, door-openers

Systems and Communications Protection
Boundary protections
Subnetworks

System and Information Integrity
Timely report and fix flaws
Protect against malicious code and install update protections
Scan system periodically and scan downloads in real-time

Value Proposition Slide by Robert

Value Proposition Slide by Rich

Value Proposition Slide by Terry

A Little Bit of Conversation Questions, Comments and Answers

It’s Midnight…. do you know where your Federal Safeguards are? image courtesy Brendan Loy

Your Best Way Forward Takeaway 1 Takeaway 2 Takeaway 3 Takeaway 4 Takeaway 5

Contact Information
Robert E. Jones, (614) 556-4415, Robert@leftbrainpro.com
Richard Stump, (808) 542-9265, stumprichard@stanleygroup.com
Terry O’Connor, 703.760.0402, toconnor@berenzweiglaw.com