
DFARS Cybersecurity Systems Security Plan & Updates - PowerPoint Presentation

Uploaded by cheryl-pisano
343 views
Uploaded On 2019-06-23




Presentation Transcript

Slide1

DFARS Cybersecurity

Systems Security Plan & Updates

Slide2

Today’s topics

DFARS Regulations

Reporting Cyber Incidents

Controlled Unclassified Information/Covered Defense Information

Flow Downs

NIST SP 800-171 rev 1

Implementing NIST & Systems Security Plan

Additional Information and Resources

Slide3

Not just a new requirement by the government; think of it as a NEW business "best practice".

Critical for the Government to have measures in place as well as the contractor.

Slide4

DFARS Regulations

Slide5

3 separate systems: NIST SP 800-53 is required for systems operated on behalf of the DoD; NIST SP 800-171 applies to DoD contractors' internal systems. (Cloud services operated on behalf of the Government are covered separately by clause 252.239-7010; see Slide 9.)

Slide6

Department of Defense: Safeguarding Covered Defense Information & Cyber Incident Reporting (DFARS 252.204-7012)

All other Federal Agencies: Basic Safeguarding of Covered Contractor Information Systems (FAR 52.204-21)

Slide7

FAR Subpart 4.19 / clause 52.204-21 (15 controls, currently)

This subpart applies to all acquisitions, including acquisitions of commercial items other than commercially available off-the-shelf items, when a contractor's information system may contain Federal contract information.

The contracting officer shall insert the clause at 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, in solicitations and contracts when the contractor or a subcontractor at any tier may have Federal contract information residing in or transiting through its information system.

DFARS Subpart 204.73 / clause 252.204-7012 (110 controls)

This subpart applies to contracts and subcontracts requiring contractors and subcontractors to safeguard covered defense information that resides in or transits through covered contractor information systems by applying specified network security requirements. It also requires reporting of cyber incidents.

Use the clause at 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, in all solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, except for solicitations and contracts solely for the acquisition of COTS items.

Slide8

Purpose of DFARS 252.204-7012

Slide9

Safeguarding covered defense information & cyber incident reporting (DFARS Clause 252.204-7012)

1. Adequate Security

The Contractor shall provide adequate security on all covered contractor information systems. To provide adequate security, the Contractor shall implement, at a minimum, the following information security protections:

IT services or systems operated on behalf of the Government: cloud computing services shall be subject to clause 252.239-7010.

All other systems: the Contractor's information systems shall be subject to NIST SP 800-171 rev. 1.

Slide10

Safeguarding covered defense information & cyber incident reporting (DFARS Clause 252.204-7012)

2. Cyber incident reporting requirement

When the Contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein, or that affects the contractor's ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract, the Contractor shall:

Conduct a review for evidence of compromise.

Rapidly report the cyber incident to DoD at https://dibnet.dod.mil

Subcontracts: the Contractor shall include this clause, including paragraph (m), in subcontracts in which performance will involve Covered Defense Information (i.e., when CDI/CUI is being used). Subcontractors are required to notify the prime or the next tier up of a cyber incident.

Slide11

Cloud Services: 3 scenarios

Cloud Service Provider: providing cloud services directly to the government (operating on behalf of the government). Must follow the DoD Cloud Computing Security Requirements Guide.

Contractor using Cloud as an Extension: a contractor using a cloud provider as an extension of its own information systems, but not on behalf of the government. That cloud provider must meet the equivalent of the FedRAMP Moderate baseline.

Contractor's Internal Information System: a contractor using its own system, or one it built internally, must meet 800-171 and would still need a way to detect cyber incidents.

Slide12

Initial steps

Take it one step at a time

Read your Contract/s – identify clauses

Access FAR/DFARS – understand the language

Download NIST 800-171 r1 – read it

Create a Cyber-team

Gather resources

Call your local PTAC for assistance

Slide13

READ YOUR CONTRACT

Slide14

Federal Acquisition Regulations

http://farsite.hill.af.mil/

The FAR contains all the rules governing the contracting process as well as all the forms and clauses used in contracts.

https://www.acquisition.gov/

KNOW HOW TO ACCESS THE FAR & DFARS

Slide15

DOWNLOAD A COPY OF NIST SP 800-171 rev. 1

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf

Slide16

Reporting Cyber Incidents

Slide17

Reporting cyber incidents

What is a cyber incident? Defined as "actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein".

Who should report? DoD contractors and subcontractors in accordance with DFARS clause 252.204-7012, and DoD cloud service providers in accordance with DFARS clause 252.239-7010.

Slide18

Reporting cyber incidents

When a Contractor discovers a cyber incident:

Conduct a review (for evidence of compromise).

Rapidly report cyber incidents: 72 hours to report, through DIBNet, which requires a Medium Assurance certificate. Subs report to the next tier up and to DIBNet.

Work with your CIO or CO on flow-downs.

CO may request a "Damage Assessment".

Note: your company is not in trouble if you have an incident. The government wants details to have a better understanding of what is being targeted and how to make it better.

Slide19

Reporting cyber incidents

https://dibnet.dod.mil/

First you will need to obtain a certificate from a DoD-approved Medium Assurance External Certificate Authority (ECA).

Slide20

Medium Assurance External Certificate Authority (ECA)

ECA certificates enable contractors to securely communicate with the DoD and authenticate themselves to DoD information systems:

Establish your identity when trying to access a protected site

Legally "sign" a document, form or application

Encrypt messages (email) or documents to ensure confidentiality

ECA Medium Assurance: a "Medium Assurance" certificate is a browser-based software certificate loaded onto a user's hard drive. It is not portable from computer to computer. This certificate meets the minimum security requirement for ECA. Medium Assurance level certificates are available outside the United States.

Downloaded to one user's computer only; most common for small business.

Slide21

Controlled Unclassified Information (CUI)

Slide22

Controlled unclassified information (CUI)

Also known as "covered defense information" (CDI), which the DFARS clause defines as unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies.

Slide23

Controlled Unclassified information (Cui)

Unclassified information that:

(1) is provided to the contractor by or on behalf of the DoD in connection with the performance of the contract, or

(2) is collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

Slide24

The language in the DFARS Clause reads:

Controlled unclassified information (CUI)

If you are unclear about what is covered, talk with your CO or Prime Contractor: what do they consider CUI/CDI?

Slide25

Controlled Unclassified Information

Can be separated into 4 buckets

Slide26

Flow-down to Sub-contractors

Slide27

Flow-down to subcontractors

The clause flows down to subcontractors without alteration, except to identify the parties, when performance will involve CDI (Covered Defense Information). Flow-down is a requirement of the terms of the contract, which should be enforced by the prime contractor as a result of compliance with these terms. If a subcontractor does not agree to comply with the clause, CDI should not be on that subcontractor’s systems.

Slide28

Flow-down or not to flow-down???

If you have a sub that is only making a piece of the end product, and they don't require technical documents, then there is no need to flow down the requirements. Again, if you have questions, communicate with your CO. As a prime contractor you will need to decide what risk you're willing to take when deciding whether or not to flow down.

The Government really wants Primes to start taking a better look or have more control of what information they give to the Subs.

Slide29

NIST SP800-171Rev. 1

Slide30

Nist special publication 800-171 rev 1

1st step is to read the publication. When you start reading through it you will realize that some of the requirements are things you are already doing.

Slide31

Nist special publication 800-171 rev 1

NOTE: NIST 800-171 Rev 1 is the minimum requirement. Contracts with higher risk may be required to have additional controls in place. READ your terms and conditions within the contract.

Slide32

Nist special publication 800-171 rev 1

14 Families

800-171 is derived from FIPS 200 (http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf) and NIST SP 800-53 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf).

Slide33

110 Controls or Requirements

Nist special publication 800-171 rev 1

Slide34

Nist special publication 800-171 rev 1

NIST 800-171 security requirements are mapped to the corresponding NIST 800-53 controls and ISO/IEC 27001 controls in the Appendix D mapping table, which is useful if you already hold an ISO/IEC 27001 certification.

Slide35

The requirements - Examples

Provide Security Awareness Training

Terminating User Session

Slide36

The requirements

3.1 Access Control

3.1.19 Encrypt CUI on mobile devices and mobile computing platforms. Any staff who use their devices at home or on business trips and work with CUI must have those devices encrypted, including smartphones, tablets, e-readers, iPads and notebook computers.

3.13 System & Communications Protection

3.13.12 Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device. Example: you have webcams on your computers, and a drawing or poster on the wall contains CUI; a camera that can be switched on remotely would expose it without anyone in the room knowing.

3.2 Awareness & Training

3.2.2 Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities:

Basic security awareness training for new employees.

Security awareness training for users when the information system changes.

Annual security awareness refresher training.

3.4 Configuration Management

3.4.1 Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles:

Develop, document and maintain a current baseline configuration of the information system.

Configuration control in place.
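As an added example for 3.4.1 (not code from the presentation), the script below compares a documented baseline inventory against a fresh snapshot and reports hosts that are unknown, hosts that did not report, and components that were added, removed or changed. The inventory layout (a flat hostname-to-component mapping with hw./fw./sw. prefixes) and every host in it are constructed assumptions for illustration.

```python
"""Baseline configuration drift check for requirement 3.4.1.

Added example; not part of the presentation. Assumption: each host's
inventory has already been collected into a flat mapping of component
name -> version/identifier, with "hw.", "fw." and "sw." prefixes
separating hardware, firmware and software entries.
"""
from typing import Dict, List

Inventory = Dict[str, Dict[str, str]]  # hostname -> {component: value}

# Constructed sample baseline (what the SSP documents as approved).
BASELINE: Inventory = {
    "eng-ws-01": {"hw.model": "Precision 3650", "fw.bios": "1.8.2",
                  "sw.os": "Windows 10 21H2", "sw.office": "16.0.14332",
                  "sw.edr-agent": "7.2.1"},
    "eng-ws-02": {"hw.model": "Precision 3650", "fw.bios": "1.8.2",
                  "sw.os": "Windows 10 21H2", "sw.office": "16.0.14332",
                  "sw.edr-agent": "7.2.1"},
    "cui-file-01": {"hw.model": "PowerEdge R740", "fw.bios": "2.12.2",
                    "sw.os": "Windows Server 2019", "sw.edr-agent": "7.2.1"},
}

# Constructed sample snapshot (what an inventory run reports today).
SNAPSHOT: Inventory = {
    "eng-ws-01": dict(BASELINE["eng-ws-01"]),
    "eng-ws-02": {"hw.model": "Precision 3650", "fw.bios": "1.9.0",
                  "sw.os": "Windows 10 21H2", "sw.office": "16.0.14332",
                  "sw.torrent-client": "4.3.9"},  # EDR agent gone, unapproved software present
    "eng-ws-03": {"hw.model": "Latitude 5520", "fw.bios": "1.4.1",
                  "sw.os": "Windows 10 21H2"},    # host never added to the baseline
}
# cui-file-01 did not report at all.


def diff_host(base: Dict[str, str], cur: Dict[str, str]) -> Dict[str, list]:
    """Compare one host's current components against its baseline."""
    return {
        "added": [(k, cur[k]) for k in sorted(cur.keys() - base.keys())],
        "removed": [(k, base[k]) for k in sorted(base.keys() - cur.keys())],
        "changed": [(k, base[k], cur[k])
                    for k in sorted(base.keys() & cur.keys()) if base[k] != cur[k]],
    }


def drift_report(baseline: Inventory, snapshot: Inventory) -> dict:
    """Whole-fleet view: unknown hosts, silent hosts, and per-host component drift."""
    report = {
        "unknown_hosts": sorted(snapshot.keys() - baseline.keys()),
        "missing_hosts": sorted(baseline.keys() - snapshot.keys()),
        "hosts": {},
    }
    for host in sorted(baseline.keys() & snapshot.keys()):
        d = diff_host(baseline[host], snapshot[host])
        if any(d.values()):
            report["hosts"][host] = d
    return report


def matches_baseline(report: dict) -> bool:
    return not (report["unknown_hosts"] or report["missing_hosts"] or report["hosts"])


def format_report(report: dict) -> List[str]:
    """One actionable line per finding, suitable for a ticket or a log."""
    lines = []
    for h in report["unknown_hosts"]:
        lines.append(f"{h}: not in baseline (add it to the SSP or remove it from the network)")
    for h in report["missing_hosts"]:
        lines.append(f"{h}: in baseline but did not report")
    for h, d in report["hosts"].items():
        for k, v in d["added"]:
            lines.append(f"{h}: unapproved component {k}={v}")
        for k, v in d["removed"]:
            lines.append(f"{h}: baseline component {k}={v} missing")
        for k, old, new in d["changed"]:
            lines.append(f"{h}: {k} changed {old} -> {new}")
    return lines


if __name__ == "__main__":
    rep = drift_report(BASELINE, SNAPSHOT)
    print("\n".join(format_report(rep)) or "no drift")
```

Run it as-is to see the five findings in the constructed data; in practice the snapshot would come from whatever inventory agent or script the company already runs, and the baseline would live under change control so that a drift finding is also evidence that the configuration control process in 3.4.1 is actually working.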

Slide37

The requirements

Multifactor Authentication

Something you know (a PIN or username/password) combined with a second factor: an access card, a verification code, a fingerprint, iris recognition, or a digital certificate. Note that a verification code sent through email is only as strong as the login protecting that mailbox, so an authenticator app or hardware token is the stronger choice.

Also used to open CDI from the server or locally through Microsoft Word, Excel or Adobe Reader. The CDI is to be encrypted and can only be accessed by authorized users.

Slide38

Steps to Implementing NIST & System Security Plan

Slide39

Framework: 5 basic fundamentals

Steps to implementing 800-171 r1

Slide40

Systems Security Plan - 3.12.4: Develop, document, periodically update, and implement system security plans for organizational information systems that describe the security requirements in place or planned for the systems.

Must include the following:

How the specified security requirements are met, or how your company plans to meet the requirements

System boundary

The operational environment

How the security requirements are implemented

The relationships with or connections to other systems

Plans of action that describe how any unimplemented security requirements will be met

How any planned mitigations will be implemented

Organizations can document the system security plan and plan of action as separate or combined documents and in any chosen format.

Steps to implementing 800-171

Slide41

Steps to approach (steps to implementing 800-171 rev 1):

Examine each of the requirements to determine what you already do or don't do

Highlight the things you don't understand

Identify what can be accomplished easily; do a little investigating to see whether you are already doing it or not

Policy or process requirements

Policy/process requirements that require IT implementation

IT configuration requirements

Any additional software required

Any additional hardware required

If unsure, refer to the Appendix D mapping table

Create a Systems Security Plan (SSP) listing all the requirements

**If you see the footnote indicator, pay attention to the footnotes in the NIST document; they provide specific implementation guidance to help you.
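One way to carry the examine-each-requirement step through to an SSP summary and a POA&M, as an added example that is not part of the presentation: the review is kept as a small CSV (the column layout, the status vocabulary and the sample rows are constructed assumptions), and the script validates each requirement ID against the 14 families, reports coverage per family, and turns every applicable requirement that is not yet implemented into a POA&M entry flagged as on track, overdue, or missing a milestone.

```python
"""Gap-analysis tracker: SSP coverage by family and a POA&M for the rest.

Added example; not from the presentation. Assumptions: the review is a
CSV with one row per 800-171 requirement (columns id, status, milestone,
notes); status is Implemented, Planned or Not Applicable; Planned rows
carry a milestone date (YYYY-MM-DD) once one has been agreed.
"""
import csv
import io
import re
from collections import defaultdict
from datetime import date
from typing import Dict, List, Tuple

FAMILIES = {  # the 14 requirement families of NIST SP 800-171 rev 1
    "3.1": "Access Control", "3.2": "Awareness and Training",
    "3.3": "Audit and Accountability", "3.4": "Configuration Management",
    "3.5": "Identification and Authentication", "3.6": "Incident Response",
    "3.7": "Maintenance", "3.8": "Media Protection",
    "3.9": "Personnel Security", "3.10": "Physical Protection",
    "3.11": "Risk Assessment", "3.12": "Security Assessment",
    "3.13": "System and Communications Protection",
    "3.14": "System and Information Integrity",
}
STATUSES = {"Implemented", "Planned", "Not Applicable"}
REQ_ID = re.compile(r"^(3\.\d{1,2})\.\d{1,2}$")

# Constructed sample review (a handful of rows, not a full assessment).
REVIEW_CSV = """\
id,status,milestone,notes
3.1.1,Implemented,,Logon limited to AD users in the CUI security group
3.1.19,Planned,2019-09-30,Full-disk encryption rollout to laptops in progress
3.2.2,Implemented,,Awareness training at hire and annually; records in LMS
3.4.1,Planned,,Baseline inventory not yet documented
3.8.9,Not Applicable,,No backup CUI stored off-site; justification on file
3.12.4,Planned,2019-08-15,SSP draft under review
3.13.12,Implemented,,Webcam remote activation disabled by policy; in-use LED
"""


def parse_review(text: str) -> List[dict]:
    """Validate each row: requirement id in a known family, a recognised
    status, and a parseable milestone date when one is given."""
    rows = []
    for n, raw in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        m = REQ_ID.match(raw["id"])
        if not m or m.group(1) not in FAMILIES:
            raise ValueError(f"line {n}: bad requirement id {raw['id']!r}")
        if raw["status"] not in STATUSES:
            raise ValueError(f"line {n}: bad status {raw['status']!r}")
        milestone = date.fromisoformat(raw["milestone"]) if raw["milestone"] else None
        rows.append({"id": raw["id"], "family": m.group(1), "status": raw["status"],
                     "milestone": milestone, "notes": raw["notes"]})
    return rows


def coverage(rows: List[dict]) -> Dict[str, Tuple[int, int]]:
    """family -> (implemented, applicable); N/A rows leave the denominator."""
    done, total = defaultdict(int), defaultdict(int)
    for r in rows:
        if r["status"] == "Not Applicable":
            continue
        total[r["family"]] += 1
        done[r["family"]] += r["status"] == "Implemented"
    return {f: (done[f], total[f])
            for f in sorted(total, key=lambda f: int(f.split(".")[1]))}


def percent_implemented(rows: List[dict]) -> float:
    cov = coverage(rows)
    done = sum(d for d, _ in cov.values())
    total = sum(t for _, t in cov.values())
    return round(100 * done / total, 1) if total else 100.0


def poam(rows: List[dict], today) -> List[dict]:
    """Plan of action: every applicable requirement not yet implemented,
    flagged when it has no milestone or the milestone has passed.
    `today` may be a date or an ISO string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    items = []
    for r in rows:
        if r["status"] != "Planned":
            continue
        if r["milestone"] is None:
            flag = "no milestone"
        elif r["milestone"] < today:
            flag = "overdue"
        else:
            flag = "on track"
        items.append({"id": r["id"], "family": FAMILIES[r["family"]],
                      "milestone": r["milestone"], "flag": flag, "notes": r["notes"]})
    # Problems first, then on-track items, each group in id order.
    return sorted(items, key=lambda i: (i["flag"] == "on track", i["id"]))


if __name__ == "__main__":
    rows = parse_review(REVIEW_CSV)
    print(f"{percent_implemented(rows)}% of applicable requirements implemented")
    for fam, (d, t) in coverage(rows).items():
        print(f"  {fam} {FAMILIES[fam]}: {d}/{t}")
    for item in poam(rows, "2019-09-01"):
        print(f"  POA&M {item['id']} [{item['flag']}] milestone={item['milestone']}: {item['notes']}")
```

The strict parsing is the point: a row with a mistyped requirement ID or a status outside the agreed vocabulary is rejected rather than silently dropped from the percentage, so the coverage number you quote to a CO is the one your review actually supports.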

Slide42

Technology is NOT the single thing that needs to be assessed for cybersecurity compliance; the entire company needs to be involved.

Steps to implementing 800-171

Slide43

Establish a timeline/schedule

Steps to implementing 800-171

DO YOUR OWN GAP ANALYSIS – CREATE A CYBER SECURITY TEAM

Slide44

Steps to implementing 800-171

Make sure leadership and executives in your company are on board. Use the DFARS clauses in your contracts and the NIST 800-171 document to show where the requirements come from.

Think of it as a Quality Assurance Plan, but only for your systems to safeguard CUI/CDI

Slide45

Additional Information & Resources

Slide46

https://dodprocurementtoolbox.com/

DOD Procurement toolbox

Slide47

Questions to DPAP via email at osd.dibcsia@mail.mil

DOD Procurement toolbox

FAQ’s

Slide48

https://nvlpubs.nist.gov/nistpubs/hb/2017/NIST.HB.162.pdf

Additional resources

Slide49

NIST SP 800-171A (assessment procedures for the 800-171 requirements) will help you check whether your systems actually meet the requirements.

DRAFT ONLY at the time of this presentation

Slide50

https://www.regulations.gov/docket?D=DARS-2018-0023

Latest developments – 4/24/18

Slide51

Latest developments – 4/24/18

DoD drafted guidance document: a matrix of NIST 800-171 showing how the DoD will prioritize each requirement for compliance, and a list of approaches for DoD agencies to evaluate implementation.

https://www.regulations.gov/docket?D=DARS-2018-0023

Slide52

100% implementation was required by December 31, 2017.

The CO can ask to review your SSP; however, they cannot make a site visit unless they give you notice in the terms and conditions of the contract.

Your SSP may be used as a deciding factor between two contractors, or they can ask to see your POA&M at the time of the award.

Audit: DCMA may ask to see your SSP, but they do not have the authority to see implementation.

Slide53

resources

Cyber Security Evaluation Tool

The Cyber Security Evaluation Tool (CSET®) is a Department of Homeland Security (DHS) product that assists organizations in protecting their key national cyber assets. It was developed by cybersecurity experts under the direction of the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). The tool provides users with a systematic and repeatable approach to assessing the security posture of their cyber systems and networks. It includes both high-level and detailed questions related to all industrial control and IT systems.

https://ics-cert.us-cert.gov/Downloading-and-Installing-CSET

Slide54

resources

Procurement Technical Assistance Center (PTAC)

To find the PTAC that serves your State/county:

http://www.aptac-us.org/find-a-ptac/

Slide55

What is a PTAC?

This Procurement Technical Assistance Center is funded in part through a cooperative agreement with the Defense Logistics Agency.

Slide56

Thank you !!

Robyn Young

Government Contracting Manager

Northwest PA Commission PTAC

395 Seneca Street

Oil City, PA 16301

(814) 677-4800 ext. 130

robyny@northwestpa.org

Northwest PA Commission PTAC Serves the following counties:

Clarion

Crawford

Erie

Forest

Lawrence

Mercer

Venango

Warren