Slide 1
DFARS Cybersecurity
Systems Security Plan & Updates
Slide 2
Today’s topics
DFARS Regulations
Reporting Cyber Incidents
Controlled Unclassified Information/Covered Defense Information
Flow Downs
NIST SP 800-171 rev 1
Implementing NIST & Systems Security Plan
Additional Information and Resources
Slide 3
Not just a new requirement by the government: think of it as a NEW business “best practice”.
It is critical for the Government to have measures in place, and for the contractor as well.
Slide 4
DFARS Regulations
Slide 5
3 Separate systems
NIST SP 800-53 is required for systems operated on behalf of the DoD.
NIST SP 800-171 applies to DoD contractors’ internal systems.
(Cloud services, the third case, are covered on Slide 11.)
Slide 6
Department of Defense: Safeguarding Covered Defense Information & Cyber Incident Reporting (DFARS 252.204-7012)
All other Federal Agencies: Basic Safeguarding of Covered Contractor Information Systems (FAR 52.204-21)
Slide 7
FAR Subpart 4.19, clause 52.204-21 (15 controls currently):
This subpart applies to all acquisitions, including acquisitions of commercial items other than commercially available off-the-shelf items, when a contractor's information system may contain Federal contract information.
The contracting officer shall insert the clause at 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, in solicitations and contracts when the contractor or a subcontractor at any tier may have Federal contract information residing in or transiting through its information system.
DFARS Subpart 204.73, clause 252.204-7012 (110 controls):
This subpart applies to contracts and subcontracts requiring contractors and subcontractors to safeguard covered defense information that resides in or transits through covered contractor information systems by applying specified network security requirements. It also requires reporting of cyber incidents.
Use the clause at 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, in all solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, except for solicitations and contracts solely for the acquisition of COTS items.
Slide 8
Purpose of DFARS 252.204-7012
Slide 9
Safeguarding covered defense information & cyber incident reporting (DFARS Clause 252.204-7012)
1. Adequate Security
The Contractor shall provide adequate security on all covered contractor information systems. To provide adequate security, the Contractor shall implement, at a minimum, the following information security protections:
IT services or systems operated on behalf of the Government:
Cloud computing services shall be subject to clause 252.239-7010.
Any other system: see Slide 5 (NIST SP 800-53).
All others:
The Contractor’s information systems shall be subject to NIST SP 800-171 rev. 1.
Slide 10
Safeguarding covered defense information & cyber incident reporting (DFARS Clause 252.204-7012)
2. Cyber incident reporting requirement
When the Contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein, or that affects the contractor’s ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract, the Contractor shall:
Conduct a review for evidence of compromise.
Rapidly report the cyber incident to DoD at https://dibnet.dod.mil/.
Subcontracts (when CDI/CUI is being used):
The Contractor shall include this clause, including paragraph (m), in subcontracts in which performance will involve Covered Defense Information. Subcontractors are required to notify the Prime or the next higher tier of a cyber incident.
Slide 11
Cloud Services: 3 scenarios
Cloud Service Provider: providing cloud services directly to the government (operating on behalf of the government). Must follow the DoD Cloud Computing Security Requirements Guide (SRG).
Contractor using Cloud as an Extension: the contractor uses a cloud provider as an extension of its own information system, but not on behalf of the government. That cloud provider must meet security requirements equivalent to the FedRAMP Moderate baseline.
Contractor’s Internal Information System: the contractor uses its own system or an internal system it built. It must meet NIST SP 800-171 and would still need a way to detect cyber incidents.
Slide 12
Initial steps
Take it one step at a time
Read your contract(s) and identify the clauses
Access the FAR/DFARS and understand the language
Download NIST 800-171 r1 – read it
Create a Cyber-team
Gather resources
Call your local PTAC for assistance
Slide 13
READ YOUR CONTRACT
Slide 14
Federal Acquisition Regulations
KNOW HOW TO ACCESS THE FAR & DFARS
The FAR contains all the rules governing the contracting process as well as all the forms and clauses used in contracts.
http://farsite.hill.af.mil/
https://www.acquisition.gov/
Slide 15
DOWNLOAD A COPY OF NIST SP 800-171 rev. 1
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf
Slide 16
Reporting Cyber Incidents
Slide 17
Reporting cyber incidents
What is a cyber incident? Defined as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein”.
Who should report? DoD contractors and subcontractors in accordance with DFARS clause 252.204-7012; DoD Cloud Service Providers in accordance with DFARS clause 252.239-7010.
Slide 18
Reporting cyber incidents
When a Contractor discovers a cyber incident:
Conduct a review.
Rapidly report cyber incidents: you have 72 hours to report.
A Medium Assurance Certificate is required to report through DIBNet.
Subs report to the next tier up & to DIBNet.
Work with your CIO or CO on flow-downs.
The CO may request a “damage assessment”.
Note**
Your company is not in trouble if you have an incident. The government wants the details to have a better understanding of what is being targeted and how to make it better.
Slide 19
Reporting cyber incidents
https://dibnet.dod.mil/
First you will need to obtain a DoD-approved Medium Assurance External Certificate Authority (ECA) certificate.
Slide 20
Medium Assurance External Certificate Authority (ECA)
ECA certificates enable contractors to securely communicate with the DoD and authenticate themselves to DoD Information Systems:
Establish your identity when trying to access a protected site
Legally “sign” a document, form or application
Encrypt messages (email) or documents to ensure confidentiality
ECA Medium Assurance: A “Medium Assurance” certificate is a browser-based software certificate loaded onto a user’s hard drive. It is not portable from computer to computer. This certificate meets the minimum security requirement for ECA. Medium Assurance level certificates are available outside the United States.
Downloaded to one user’s computer only; most common for small business.
Slide 21
Controlled Unclassified Information (CUI)
Slide 22
Controlled unclassified information (CUI)
Also known as “Covered defense information”, which means unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html
Slide 23
Controlled Unclassified Information (CUI)
Unclassified information that:
Is provided to the CONTRACTOR by or on behalf of the DoD in connection with the performance of the contract, or
Is collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract
Slide 24
Controlled unclassified information (CUI)
The language in the DFARS Clause reads:
If you are unclear about what is covered, talk with your CO or Prime Contractor: what do they consider CUI/CDI?
Slide 25
Controlled Unclassified Information
Can be separated into 4 buckets
Slide 26
Flow-down to Sub-contractors
Slide 27
Flow-down to subcontractors
The clause flows down to subcontractors without alteration, except to identify the parties, when performance will involve CDI (Covered Defense Information). Flow-down is a requirement of the terms of the contract, which should be enforced by the prime contractor as part of compliance with those terms. If a subcontractor does not agree to comply with the clause, CDI should not be on that subcontractor’s systems.
Slide 28
Flow-down or not to flow-down???
If you have a sub that is only making a piece of the end product and does not require technical documents, then there is no need to flow down the requirements. Again, if you have questions, communicate with your CO. You as a prime contractor will need to decide what risks you’re willing to take when deciding whether or not to flow down.
The Government really wants Primes to take a better look at, and have more control over, what information they give to the Subs.
Slide 29
NIST SP 800-171 Rev. 1
Slide 30
NIST Special Publication 800-171 rev 1
1st step is to read the publication. When you start reading through it you will realize that some of the requirements are things that you are already doing.
Slide 31
NIST Special Publication 800-171 rev 1
NOTE**
NIST 800-171 Rev 1 is the minimal requirement. Contracts with higher risk may be required to have additional controls in place. READ your Terms and Conditions within the contract.
Slide 32
NIST Special Publication 800-171 rev 1
14 Families
110 Controls or Requirements
800-171 is derived from:
FIPS 200
http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf
NIST 800-53 (the link below is to SP 800-53A Rev 4, the assessment companion to SP 800-53)
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf
NIST Special Publication 800-171 rev 1
Slide 34
NIST Special Publication 800-171 rev 1
Appendix D of NIST 800-171 maps each NIST 800-171 security requirement to the corresponding NIST 800-53 controls and to ISO/IEC 27001 controls (useful if you hold or are pursuing ISO/IEC 27001 certification).
Slide 35
The requirements: Examples
Provide Security Awareness Training
Terminating User Session
Slide 36
The requirements
3.1 Access Control
3.1.19 Encrypt CUI on mobile devices and mobile computing platforms.
Any staff who use their devices at home or on business trips and work with CUI must have those devices encrypted, including smartphones, tablets, e-readers, iPads and notebook computers.
3.13 System & Communications Protection
3.13.12 Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
Example: if you have webcams on your computers and a drawing or poster on the wall contains CUI, a remotely activated webcam could capture that CUI.
3.2 Awareness and Training
3.2.2 Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
Basic security awareness training for new employees.
Security awareness training for users when the information system changes.
Annual security awareness refresher training.
3.4 Configuration Management
3.4.1 Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
Develop, document and maintain a current baseline configuration of the information system.
Configuration control in place.
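Requirement 3.4.1 above asks for two things a script can exercise: a maintained approved baseline, and a way to notice when a system departs from it. The following Python script is an added example written for this page; it is not part of the presentation nor any DoD or NIST tool. It compares a constructed approved baseline for two workstations against a constructed scan result and reports hosts that were never baselined, hosts that have disappeared, unapproved or missing software, version changes, and changed settings such as disk-encryption state (which also bears on 3.1.19). The record layout (host, then "settings" and "software" dictionaries) and every hostname, product and version are assumptions for illustration; a real run would load the same structure from your asset-management export.

```python
"""Baseline-versus-scan inventory drift check for NIST SP 800-171 3.4.1.

Added example, not from the presentation. All hosts, products, versions and
the record layout below are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed record layout: host -> {"settings": {name: value}, "software": {name: version}}
Inventory = Dict[str, Dict[str, Dict[str, str]]]

# Constructed sample: the approved baseline for the CUI enclave.
BASELINE: Inventory = {
    "eng-ws-01": {
        "settings": {"os": "Windows 10 1803", "disk_encryption": "enabled"},
        "software": {"Office": "16.0", "Acrobat Reader": "2018.011"},
    },
    "eng-ws-02": {
        "settings": {"os": "Windows 10 1803", "disk_encryption": "enabled"},
        "software": {"Office": "16.0", "SolidWorks": "2018 SP3"},
    },
}

# Constructed sample: what today's inventory scan reported.
SCAN: Inventory = {
    "eng-ws-01": {
        "settings": {"os": "Windows 10 1803", "disk_encryption": "enabled"},
        "software": {"Office": "16.0", "Acrobat Reader": "2018.011", "TeamViewer": "13.2"},
    },
    "eng-ws-02": {
        "settings": {"os": "Windows 10 1803", "disk_encryption": "disabled"},
        "software": {"Office": "16.0"},
    },
    "eng-ws-03": {  # never approved: absent from the baseline entirely
        "settings": {"os": "Windows 10 1803", "disk_encryption": "enabled"},
        "software": {"Office": "16.0"},
    },
}

Finding = Tuple[str, str]  # (host, description)


@dataclass
class DriftReport:
    unknown_hosts: List[str] = field(default_factory=list)  # scanned but not in baseline
    missing_hosts: List[str] = field(default_factory=list)  # in baseline but not scanned
    findings: List[Finding] = field(default_factory=list)

    def is_clean(self) -> bool:
        """True only when the scan matches the baseline exactly."""
        return not (self.unknown_hosts or self.missing_hosts or self.findings)


def compare(baseline: Inventory, scan: Inventory) -> DriftReport:
    """Report every way the scan departs from the approved baseline."""
    report = DriftReport()
    report.unknown_hosts = sorted(set(scan) - set(baseline))
    report.missing_hosts = sorted(set(baseline) - set(scan))
    for host in sorted(set(baseline) & set(scan)):
        base, now = baseline[host], scan[host]
        # Every baselined setting must still hold; a setting the scan omits counts as changed.
        for name, expected in base["settings"].items():
            seen = now["settings"].get(name)
            if seen != expected:
                report.findings.append((host, f"setting {name} changed: {expected} -> {seen}"))
        base_sw, now_sw = base["software"], now["software"]
        for name in sorted(set(now_sw) - set(base_sw)):
            report.findings.append((host, f"unapproved software installed: {name} {now_sw[name]}"))
        for name in sorted(set(base_sw) - set(now_sw)):
            report.findings.append((host, f"approved software missing: {name} {base_sw[name]}"))
        for name in sorted(set(base_sw) & set(now_sw)):
            if base_sw[name] != now_sw[name]:
                report.findings.append(
                    (host, f"version changed: {name} {base_sw[name]} -> {now_sw[name]}"))
    return report


if __name__ == "__main__":
    rep = compare(BASELINE, SCAN)
    for host in rep.unknown_hosts:
        print(f"{host}: not in approved baseline")
    for host in rep.missing_hosts:
        print(f"{host}: in baseline but not seen in scan")
    for host, what in rep.findings:
        print(f"{host}: {what}")
    print("baseline intact" if rep.is_clean() else "drift detected: remediate or update the baseline")
```

Each finding should end either as a remediation ticket or, if the change was approved through your configuration control process, as an update to the baseline, so the baseline and the SSP keep describing what is actually deployed.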
Slide 37
The requirements
Multifactor Authentication
Something you know: PIN or username/password
Something you have (access card, verification code sent through an email, digital certificate) or something you are (fingerprint, iris recognition)
Caveat: a verification code sent through email is only as strong as the password on that email account, so it is a weak second factor; prefer a hardware token, an authenticator app, or a digital certificate.
MFA is also used to open CDI from a server or locally through Microsoft Word, Excel or Adobe Reader. The CDI is to be encrypted and can only be accessed by authorized users.
Slide 38
Steps to Implementing NIST & System Security Plan
Slide 39
Framework: 5 BASIC FUNDAMENTALS
Steps to implementing 800-171 r1
Slide 40
Steps to implementing 800-171
Systems Security Plan (3.12.4): Develop, document, periodically update, and implement system security plans for organizational information systems that describe the security requirements in place or planned for the systems.
Must include the following:
How the specified security requirements are met, or how your company plans to meet the requirements
System boundary
The operational environment
How the security requirements are implemented
The relationships with or connections to other systems
Plans of action that describe how any unimplemented security requirements will be met
How any planned mitigations will be implemented
Organizations can document the system security plan and plan of action as separate or combined documents and in any chosen format.
Slide 41
Steps to approach: Steps to implementing 800-171 rev 1
Examine each of the requirements to determine:
What you already do or don’t do
Highlight the things you don’t understand
What things can be accomplished easily
Do a little investigating to see whether you meet it or not
Policy or process requirement
Policy/process requirements that require IT implementation
IT configuration requirements
Any additional software required
Any additional hardware required
If unsure, refer to the Appendix D mapping table
Create a Systems Security Plan (SSP) listing all the requirements
**If you see the footnote indicator, pay attention to the footnotes in the NIST document; they provide specific implementation guidance to help you.
Slide 42
Steps to implementing 800-171
Technology is NOT the single thing that needs to be assessed for cybersecurity compliance; the entire company needs to be involved.
Slide 43
Steps to implementing 800-171
Establish a timeline/schedule
DO YOUR OWN GAP ANALYSIS – CREATE A CYBER SECURITY TEAM
Slide 44
Steps to implementing 800-171
Make sure leadership and executives in your company are on board. Use the DFARS clauses in your contracts and the NIST 800-171 document to show where the regulations come from.
Think of it as a Quality Assurance Plan, but for the systems that safeguard CUI/CDI.
Slide 45
Additional Information & Resources
Slide 46
DOD Procurement toolbox
https://dodprocurementtoolbox.com/
Slide 47
DOD Procurement toolbox FAQs
Questions to DPAP via email at osd.dibcsia@mail.mil
Slide 48
Additional resources
https://nvlpubs.nist.gov/nistpubs/hb/2017/NIST.HB.162.pdf
Slide 49
NIST SP 800-171A (DRAFT ONLY at the time of this presentation) provides the assessment procedures for verifying that your systems meet the 800-171 requirements.
Slide 50
Latest developments – 4/24/18
https://www.regulations.gov/docket?D=DARS-2018-0023
Slide 51
Latest developments – 4/24/18
DoD drafted guidance document: a matrix of the NIST 800-171 requirements and how the DoD will prioritize each requirement for compliance, plus a list of approaches for DoD agencies to evaluate implementation.
https://www.regulations.gov/docket?D=DARS-2018-0023
100% implementation was required by December 31, 2017.
The CO can ask to review your SSP; however, they cannot make a site visit unless they give you notice in the terms and conditions of the contract.
Your SSP may be used as a deciding factor between two contractors, or they can ask to see your POA&M at the time of the award.
Audit: DCMA may ask to see your SSP, but they do not have the authority to see implementation.
Slide 53
Resources
Cyber Security Evaluation Tool: The Cyber Security Evaluation Tool (CSET®) is a Department of Homeland Security (DHS) product that assists organizations in protecting their key national cyber assets. It was developed by cybersecurity experts under the direction of the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). The tool provides users with a systematic and repeatable approach to assessing the security posture of their cyber systems and networks. It includes both high-level and detailed questions related to all industrial control and IT systems.
https://ics-cert.us-cert.gov/Downloading-and-Installing-CSET
Resources
Procurement Technical Assistance Center (PTAC)
To find the PTAC that serves your State/county:
http://www.aptac-us.org/find-a-ptac/
Slide 55
What is a PTAC?
“This Procurement Technical Assistance Center is funded in part through a cooperative agreement with the Defense Logistics Agency.”
Slide 56
Thank you!!
Robyn Young
Government Contracting Manager
Northwest PA Commission PTAC
395 Seneca Street
Oil City, PA 16301
(814) 677-4800 ext. 130
robyny@northwestpa.org
Northwest PA Commission PTAC Serves the following counties:
Clarion
Crawford
Erie
Forest
Lawrence
Mercer
Venango
Warren