Source: ncmahq.org
New Frontier of Cyber Clauses: A Call to Action for Contractors
Breakout Session # D06
Mike Cullen, Senior Manager, Baker Tilly
Michael Wright, Senior Manager, Baker Tilly
December 5, 2017, 11:15AM – 12:30PM
Agenda
• The different types of federal information contractors are required to protect
• Key guidance and legislation around cybersecurity safeguarding requirements
• Who is impacted by the new legislation and guidance on cybersecurity safeguarding requirements
• How applicable contractors could be impacted by noncompliance
• Ways for contractors to become compliant
• Lessons learned from implementation of cybersecurity safeguarding controls
• Poll Results
What is federal information?
• Covered Defense Information (CDI) - Unclassified information provided to the contractor by or on behalf of DoD in connection with the performance of the contract, or collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract (see DFARS 252.204-7012)
• Controlled Unclassified Information (CUI) - Information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified (see Executive Order 13556 and the CUI Registry at www.archives.gov/cui)
• Federal Contract Information (FCI) - Any information provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided to the public (e.g., publicly accessible website data) or simple transactional data (e.g., billing or payment processing data)
Examples of federal information
• CDI: Unclassified Controlled Technical Information, or other information as described in the CUI Registry requiring safeguarding (see DFARS 252.204-7012)
• CUI: Critical Infrastructure, Financial, Proprietary Business Information, among other categories (see the CUI Registry)
• FCI: Any information that is NOT provided to the public or simple transactional data (see the Federal Register; Basic Safeguarding rule)
Key regulatory requirements
DFARS 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting”
Provides guidance to DoD contractors (e.g., defense and aerospace contractors) around protecting Covered Defense Information (CDI) and reporting cyber incidents affecting contractor information systems – or CDI residing within those systems – to the Federal Government, and requires contractors to do the following:
– Implement adequate cybersecurity safeguarding controls on all covered contractor information systems in accordance with the specific frameworks and standards set forth in the clause
– Rapidly report cyber incidents affecting contractor information systems or CDI residing within those systems to the Federal Government
Key regulatory requirements
DFARS 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting” (continued)
IMPLEMENTATION OF ADEQUATE CYBERSECURITY SAFEGUARDING CONTROLS:
• Where the contractor handles CDI on its own systems, it must implement safeguarding controls according to NIST SP 800-171
• For cloud systems operated on behalf of the government, see specific contract guidance and/or DFARS 252.239-7010 “Cloud Computing Services” if applicable
• Where the contractor uses an external cloud service provider to store, process, or transmit CDI, the clause requires the provider to meet security requirements equivalent to the FedRAMP Moderate baseline and to support the clause’s incident reporting obligations
• Any other such services or systems (i.e., other than cloud computing) are subject to the security requirements specified in those contracts
• All contractors, subcontractors, suppliers, and partners must implement the NIST SP 800-171 security requirements as soon as practical, but not later than December 31, 2017
Key regulatory requirements
DFARS 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting” (continued)
REPORTING OF CYBER INCIDENTS
• A cyber incident is any action taken through computer networks resulting in the compromise, or an actual or potentially adverse effect, of an information system and/or the information residing within that system
• Cyber incidents shall be reported to DoD within 72 hours of discovery via DoD’s Defense Industrial Base (DIB) Cyber Incident Reporting & Cyber Threat Information Sharing Portal
• Contractors must acquire a DoD-approved medium assurance certificate (issued under the DoD External Certification Authority (ECA) program administered by the Defense Information Systems Agency (DISA)) to access the DIB portal; obtaining the certificate takes time, so do this before an incident occurs rather than during one
• Subcontractors who handle CDI under prime contracts with the Federal Government are required to report cyber incidents directly to DoD and share the incident report number with their prime contractor customers (or next higher-tier subcontractor)
Key Guidance
NIST SP 800-171 Revision 1 “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”
• Agencies must use NIST SP 800-171 when establishing security requirements to protect the confidentiality of CUI on non-Federal information systems (i.e., contractors’ systems)
• Intended for use by federal agencies in appropriate contractual vehicles or other agreements established between those agencies and nonfederal organizations (i.e., contractors)
• NIST SP 800-171 should be used when a contractor receives CUI incidental to providing a service or product to the Government (e.g., producing a study, conducting research, creating training, building an aircraft or ship, etc.)
• Describes 110 total security requirements (controls) across 14 control families
• Provides a mapping to NIST SP 800-53 Revision 4 and ISO 27001 information security controls
Key Guidance
NIST SP 800-171 (continued) – summary of control areas covered:
TABLE 1: NIST SP 800-171 Control Families
• Access Control
• Awareness and Training
• Audit and Accountability
• Configuration Management
• Identification and Authentication
• Incident Response
• Maintenance
• Media Protection
• Personnel Security
• Physical Protection
• Risk Assessment
• Security Assessment
• System and Communications Protection
• System and Information Integrity
Other key regulatory requirements
FAR 52.204-21 “Basic Safeguarding of Covered Contractor Information Systems”
• Effective June 2016; requires contractors to implement 15 safeguarding controls and procedures, which map to 17 security requirements in NIST SP 800-171
• Applies to covered contractor information systems owned or operated by contractors that process, store, or transmit FCI
• Establishes “basic, minimal information system safeguarding standards which Federal agencies are already required to follow internally and most prudent businesses already follow as well”
• The rule does not apply to acquisitions of commercially available off-the-shelf (COTS) items
- For example, contractors who are resellers of COTS items (e.g., printers, copiers) may not be impacted
Other key regulatory requirements
32 CFR 2002 “Controlled Unclassified Information”
• Effective November 2016; resulting from Executive Order 13556, establishes policy for designating, handling, and decontrolling information that qualifies as CUI
• Describes, defines, and provides guidance on the minimum protections (derived from existing agency practices) for CUI:
- Physical and Electronic Environments
- Marking
- Sharing
- Destruction
- Decontrol
• Emphasizes unique protections described in law, regulation, and/or Government-wide policies (authorities)
Other key regulatory requirements
32 CFR 2002 “Controlled Unclassified Information” (continued)
• The National Archives (NARA), as the Executive Agent (EA) for CUI, has developed the “CUI Registry” (www.archives.gov/cui), which is the authoritative source for guidance regarding CUI policies and practices
• CUI is currently organized into 23 categories and 84 sub-categories
• Plans for future regulatory requirements:
- To promote standardization, NARA (the CUI EA) announced plans to sponsor a Federal Acquisition Regulation (FAR) clause that will apply the requirements contained in 32 CFR Part 2002 and NIST SP 800-171 to industry broadly (i.e., beyond defense contractors)
- NOTE: Targeting 1 year from release of 32 CFR 2002 (Fall 2017)
Recent Guidance
Guidance for Selected Elements of DFARS Clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting” – Implementing the Security Requirements of NIST SP 800-171
• The DoD released a memo on September 21, 2017 containing guidance intended for DoD acquisition personnel around the implementation of NIST SP 800-171 security requirements in anticipation of the December 31, 2017 deadline; key points addressed within the memo include:
- Contractor implementation of NIST SP 800-171
- Documenting a contractor’s implementation or planned implementation of NIST SP 800-171
- Role of the System Security Plan (SSP) and Plans of Action and Milestones (POA&M) in contract formulation, administration, and source selection
- Additional references and resources with supporting information
Who will be impacted?
ALL contractors who handle CDI, CUI, or FCI are impacted by recent guidance and legislation (or soon will be):
• Per DoD guidance, the government and contractors share responsibility for identifying CDI in contracts or marking it as such
• Failure to clearly identify or mark CDI does not relieve contractors handling CDI of these requirements
• Contractors should contact their government or next-higher-tier contractor customer’s procurement or contract representatives
Who will be impacted?
For subcontractors and suppliers, flow-down requirements apply!
• Subcontractors are ultimately responsible for implementing cybersecurity safeguarding controls to be in compliance
• Subcontractors will be held accountable for breaches if they have not implemented required controls
• Prime contractors may be impacted by breaches involving their subcontractors
- Prime contractors may proactively engage key subcontractors to understand their current security posture and assess risk to their contracts
- Collaborative solutions are being implemented to capture information on subcontractors’ cybersecurity safeguarding practices (e.g., Exostar)
Cybersecurity business risks
• Negative publicity
• Regulatory sanctions
• Consumer refusal to share personal information
• Damage to brand
• Regulator scrutiny
• Legal liability
• Lost business
• Damaged customer relationships
• Damaged employee relationships
• Deceptive or unfair trade charges
• Loss of innovation
• Intellectual property loss
• Damaged supplier & partner relationships
How you can become compliant
Identify and inventory all contracts and CUI
• Focus on contracts where CUI may potentially be involved
• Identify “high risk” contracts, including current bid and proposal efforts (i.e., potential new awards)
• Consider prime-sub relationships
• Identify system boundaries for handling CUI
How you can become compliant
Understand cybersecurity requirements
• Focus on language around protection of information and reporting requirements
• Identify specific guidance references
• Do not be afraid to engage your contracting officer (CO) and/or CISO
How you can become compliant
Assess current state of cybersecurity controls
• Use appropriate security control guidance (NIST SP 800-53 or NIST SP 800-171)
• Where is your federal information stored, processed, and/or transmitted?
• What controls do you have in place?
• Conduct a gap analysis and determine necessary corrective actions
How you can become compliant
Develop cybersecurity action plan
• Develop a detailed list of prioritized corrective actions with assigned owners and target completion dates
• Define roles and responsibilities for oversight
• Redefine system boundaries for handling CUI as necessary
How you can become compliant
Execute cybersecurity action plan
• Respond to agency and/or prime contracting officers with the results of your assessment
• Implement security controls
• Establish monitoring and reporting practices
How you can become compliant
Monitor cybersecurity compliance practices
• Monitor progress of ongoing implementation efforts
• Regularly evaluate effectiveness of cybersecurity controls via ongoing testing and third-party assessments
• Monitor the regulatory environment for new developments (e.g., laws, standards, and policies)
Lessons learned and common themes
• Compliance does NOT mean security
• Read your contracts!
• Engage your contracting officers or other representatives!
• Get involved in knowledge sharing opportunities
• Engage third parties for assistance with compliance efforts
• Minimize exposure to covered contractor information systems
• Conduct a gap assessment to identify compliance gaps
• Regularly assess and monitor progress towards remediation of known gaps
• Monitor regulatory landscape for changes and new developments
Contact Information
Michael Wright, 703-923-8623
Mike Cullen, 703-923-8339