The VIB Network webinar will begin at 1200 PST - PowerPoint Presentation

Uploaded by evelyn on 2024-02-02
Presentation Transcript

1. The VIB Network webinar will begin at 1200 PST
"Evolving DoD Contractor Cybersecurity Requirements"
About the VIB Network:
- Join the FREE VIB Network Directory
- Check the VIB Opportunity Board weekly
- Sign up for the VIB newsletter for the latest events/opportunities
VIB National Conference: November 8 & 9, 2021. Registration begins: Monday, May 3rd
www.vibnetwork.org
We're on a mission to provide education, training, resources, outreach and support to help all Veterans in Business grow and succeed.

2. Thank You Business Development Webinar Sponsors
VIB Network • www.vibnetwork.org
We're on a mission to provide education, training, resources, outreach and support to help all Veterans in Business grow and succeed.

3. About the Expert
VIB Network Webinar Presenter: Adam Austin, Cybersecurity Lead at Totem.Tech
Adam Austin is the Cybersecurity Lead at Totem.Tech, a minority veteran-owned Prime DoD contractor. Mr. Austin has a decade of experience securing classified, unclassified, and HIPAA-environment US Government IT systems, having worked with NASA, the Center for Medicare and Medicaid Systems (CMS), and all branches of the Department of Defense. Adam holds a Master's in Information Assurance from Capitol Technology University, and is an ISACA Certified Information Security Manager (CISM) and Certified Information Systems Auditor (CISA). Adam's goal is to leverage his experience and education to help small businesses in regulatory environments implement affordable, compliant, risk-based cybersecurity programs.
VIB Network • www.vibnetwork.org
We're on a mission to provide education, training, resources, outreach and support to help all Veterans in Business grow and succeed.

4. Evolving DoD Contractor Cybersecurity Requirements
What you must be doing now, and must be preparing for in the future
Adam Austin, MSIA, CISM, CISA
Cybersecurity Lead, Haight Bey & Associates / Totem Technologies
adam@haightbey.com adam@totem.tech
https://www.linkedin.com/in/adam-austin-cybersecurity/


6. Regulatory Overview: Protect FCI & CUI
Controlled Unclassified Information (CUI): information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
All Federal Agencies:
- EO 13556 "Controlled Unclassified Information" (Nov 2010)
- 48 CFR 52.204-21 "Basic Safeguarding of Covered Contractor Info Systems" (Oct 2016): FCI
- NIST SP 800-171 "Protecting CUI in Nonfederal Systems and Organizations": CUI
Department of Defense Only:
- DoDI 5200.48 (Mar 2020)
- DFARS 7012: current requirement ("adequate security", incident response & reporting capability)
- DFARS 7019/7020: current requirement; DoD Assessment Methodology (DAM) (Nov 2019)
- DFARS 7021: required by 2026; Cybersecurity Maturity Model Certification (CMMC) (Jan 2020)
What you must start with:
- System Security Plan (SSP)
- Plan of Actions & Milestones (POA&M)
- Incident Response Plan

7. What to do right now: DON'T PANIC... but get to work
Once you have your SSP you can generate your DAM score IAW DFARS 7019.

8. Compliance Methodology Step 1: Determine Scope
- Identify what Federal Government information is handled
- Characterize the Gov't information lifecycle in the environment
- "Scope" out the "covered" system
- Catalog hardware and software assets

9. Read the full post and download our guide: https://www.totem.tech/dod-cui-identification-guide/

10. Information Lifecycle Determination
Characterize (narrative/tables/diagrams/lists) how the information is:

11. Compliance Methodology Step 2: Document the System
- Capture system asset interconnections information
- Develop system diagrams (based on interconnections information)
- Generate a contact list of roles with security responsibilities
- Create a Separation of Duties matrix from the contact list
- Generate a System Security Plan (SSP) Introduction document

12. Compliance Methodology Step 3: Build the Plans
- Execute the Security Assessment in Totem™
- In parallel with the SAR, develop the SSP in Totem™
- Generate the Plan of Actions and Milestones (POA&M)
- Develop an IRP from the Totem™ template
- Ensure the organization can report incidents to the DoD

13. 800-171 Assessment Methodology
- Scoring system for each of 110 controls
- Weighted value subtracted from 110 for each non-compliant control
- Can result in a negative score
- No SSP? You can't generate a score...
- At minimum, contractors are required to self-assess and report their score and estimated date of full implementation to SPRS
- Our blog guide to assessment and score submission: https://www.totem.tech/how-to-generate-and-report-your-dod-self-assessment-score/
- Constitutes "Basic" level of confidence
- For higher confidence, DCMA conducts audits:
  - Medium: off-site review of SSP
  - High: on-site assessment of cybersecurity program using 800-171A
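The scoring rule on this slide (start at 110, subtract each non-compliant control's weight, possibly ending below zero, and no score at all without an SSP) is small enough to show end to end. The following calculator is an added example and is not code from the slides or from Totem; the control identifiers, weights, dates and the partial-credit rule it applies are constructed assumptions chosen to illustrate the mechanics, and it also produces the two figures the slide says go to SPRS: the score and the estimated date of full implementation.

```python
"""Added example (not from the slides or from Totem): a calculator in the shape
of the DoD Assessment Methodology score described above. Control ids, weights,
dates and the partial-credit rule below are constructed sample assumptions."""
from collections import defaultdict
from datetime import date

MAX_SCORE = 110            # a fully implemented 800-171 baseline scores 110
VALID_WEIGHTS = {1, 3, 5}  # per-requirement point values used by the DAM

# Constructed sample POA&M: one row per requirement that is NOT fully implemented.
# Fields: control id, DAM weight, partially implemented?, target completion date.
SAMPLE_POAM = [
    ("3.1.1", 5, False, date(2021, 6, 30)),
    ("3.5.3", 5, True, date(2021, 9, 30)),    # e.g. MFA rolled out to part of the estate
    ("3.8.9", 1, False, date(2021, 5, 15)),
    ("3.13.11", 5, True, date(2021, 12, 31)),
    ("3.14.2", 5, False, date(2021, 7, 31)),
]


def points_lost(weight, partial):
    """Deduction for one unimplemented requirement.

    Assumption for this example: a partially implemented 5-point requirement
    loses 3 points instead of 5 (the real methodology grants partial credit
    only for a few specific requirements, so treat this as illustrative)."""
    if weight not in VALID_WEIGHTS:
        raise ValueError(f"invalid DAM weight {weight}")
    return 3 if (partial and weight == 5) else weight


def dam_score(poam, have_ssp=True):
    """Return (score, points lost per 800-171 family).

    Score = 110 minus the weight of every non-compliant requirement, so it
    goes negative as soon as more than 110 points are deducted. Without an
    SSP there is nothing to assess against, so no score is produced."""
    if not have_ssp:
        raise ValueError("no SSP: a DAM score cannot be generated")
    lost_by_family = defaultdict(int)
    for control_id, weight, partial, _target in poam:
        family = ".".join(control_id.split(".")[:2])  # "3.5.3" -> "3.5"
        lost_by_family[family] += points_lost(weight, partial)
    return MAX_SCORE - sum(lost_by_family.values()), dict(lost_by_family)


def estimated_full_implementation(poam):
    """The SPRS submission needs an estimated date of full implementation:
    the latest open POA&M target date, or None when nothing is open."""
    targets = [row[3] for row in poam]
    return max(targets) if targets else None


def sprs_summary(poam, assessed_on, have_ssp=True):
    """Bundle the values a self-assessment submission needs into one dict."""
    score, by_family = dam_score(poam, have_ssp)
    target = estimated_full_implementation(poam)
    return {
        "score": score,
        "assessment_date": assessed_on.isoformat(),
        "estimated_full_implementation": target.isoformat() if target else None,
        "points_lost_by_family": by_family,  # shows where remediation buys the most points
    }


if __name__ == "__main__":
    print(sprs_summary(SAMPLE_POAM, date(2021, 4, 22)))
```

With the constructed POA&M above the deductions are 5 + 3 + 1 + 3 + 5 = 17, giving a score of 93; repeating a 5-point deficiency 25 times drives the score to -15, which is the "can result in a negative score" case. The per-family breakdown is the useful by-product: it shows which family of controls is costing the most points, which is where a remediation plan should start.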

14. CMMC by the numbers
Level 1. Who: All contractors (220k+). What: 17 practices (FAR 17)
Level 2. Who: ??? What: 72 practices (includes some 800-171)
Level 3. Who: All CUI processors (~50k). What: 130 practices (all of 800-171 + 20 additional)
Level 4. Who: APT-targeted organizations (<100 total). What: 156 practices (includes enhanced assessment objectives from 800-172)
Level 5. Who: APT-targeted organizations. What: 171 practices (includes enhanced assessment objectives from 800-172)

15. CMMC Maturity Levels
Assessment objective for each level: "Does the organization..."
Level 1 (Performed): ...perform the practice? In a nutshell: do it.
Level 2 (Documented): ...perform the practice AND have a written process and policy? In a nutshell: do it and document it.
Level 3 (Managed): ...perform the practice AND have a written process and policy AND establish, maintain, and resource a plan demonstrating the management of activities for practice implementation, to include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders? In a nutshell: do it, document it, demonstrate resources for it.
Level 4 (Reviewed): ...perform the practice AND have a written process and policy AND establish, maintain, and resource a plan demonstrating the management of activities for practice implementation, AND review and measure practices for effectiveness, to include the ability to take corrective action when necessary? In a nutshell: do it, document it, demonstrate resources for it, measure its effectiveness and fix it.
Level 5 (Optimized): ...perform the practice AND have a written process and policy AND establish, maintain, and resource a plan demonstrating the management of activities for practice implementation, AND review and measure practices for effectiveness, to include the ability to take corrective action when necessary, AND standardize and optimize process implementation across the organization? In a nutshell: do it, document it, demonstrate resources for it, measure its effectiveness and fix it, automate it and have feedback loops for it across the enterprise.

16. Free E-Book
Price: $49 FREE
Email: info@totem.tech, Subject: Free EBook

17. Contact Info
Totem Technologies
1972 W 2550 S, Suite B
West Haven, UT 84401
(888) 379-0509
adam@totem.tech info@totem.tech
https://totem.tech https://www.linkedin.com/company/totem-tech/

18. Thank you for attending: "Evolving DoD Contractor Cybersecurity Requirements"
Presented by Adam Austin, Cybersecurity Lead, Totem.Tech
This webinar will be emailed directly to you and/or you can access it on the VIB website by the end of the week.
Register today for our next webinar, Thursday, April 29th from 1000 to 1030 PST: Innovative Veteran Businesses learn how to work with the Navy through the SBIR/STTR Programs. Register on the VIB Network events calendar: www.vibnetwork.org