DoD Cybersecurity Rules: Government Contractors Need to Know · NIST SP 800-171 'Tailoring Criteria'
Post on 30-May-2020
TRANSCRIPT
government contracting
DoD Cybersecurity Rules: Government Contractors Need to Know
Bill Walter, DHG; Jermaine Stanley, DHG; Tom Tollerton, DHG
Speaker Information
Tom Tollerton, Manager, Dixon Hughes Goodman, LLP, (704) 367.7061, Tom.tollerton@dhgllp.com
Jermaine Stanley, Manager, Dixon Hughes Goodman, LLP, (703) 970.0475, Jermaine.stanley@dhgllp.com
Bill Walter, Partner, Dixon Hughes Goodman, LLP, (703) 970.0509, Bill.walter@dhgllp.com
@DHG_GovCon @DHG_Cyber
Topics for Today
• Introductions
• Background of DoD Cybersecurity Rules
• Updates to Compliance Requirements
• NIST SP 800-171 Overview
• Key Dates
• What Should Government Contractors Be Doing?
DoD Cybersecurity Rules
Interim Rule #1 ... Requires contractor reporting of network penetrations and implemented the DoD CIO Cloud Computing Security Requirements Guide (SRG) Version 1, Release 1 on January 13, 2015. [1]
This rule is intended to streamline the reporting process for DoD contractors and minimize duplicative reporting processes. [2]
Interim Rule #2 ... Extended the timeline for compliance to provide contractors with additional time to implement the security requirements specified in NIST Special Publication (SP) 800-171. [3]
DoD Cybersecurity Rules
Interim Rule #1 ... Set forth (i) information system security requirements; (ii) mandatory cyber breach reporting; and (iii) cloud computing standards and procedures.
Expanded safeguarding requirements to cover the safeguarding of covered defense information (CDI) residing in contractor information systems, and required compliance with the security requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations."
DoD Cybersecurity Rules
(ii) Mandatory Cyber Incident Reporting
§ Increased number of circumstances where contractors must report incidents.
§ Incidents must be reported to DoD within 72 hours.
§ How do we define an incident?
‒ Incident vs. Compromise
‒ Event?
DoD Cybersecurity Rules
(iii) Cloud Computing Standards and Procedures
§ Enforces previous guidance issued by DoD CIO on contracting cloud services
§ Enforces the "Cloud Computing Security Requirements Guide"
‒ FedRAMP compliance still required, but additional controls for "more sensitive information"
‒ Defines several additional classes of Sensitive Data
DoD Cybersecurity Rules
New Definitions...
§ CUI vs. UCTI vs. CDI
§ 800-171 refers to "Controlled Unclassified Information"
‒ Was dated before the new rules were put in place
§ "Unclassified Controlled Technical Information" was the original term in DFARS 252.204-7012
§ Covered Defense Information – new term that encompasses all of the above, as well as new types of information
DoD Cybersecurity Rules
Covered Defense Information (CDI)
§ Unclassified information provided to the contractor by or on behalf of DoD in connection with the performance of the contract; or
§ Unclassified information which is collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract
DoD Cybersecurity Rules
Covered Defense Information (CDI) is...
§ Controlled technical information (Military)
§ Export controlled information (commodities, tech, software, etc.)
§ Critical information (DoD Directive, OPSEC, etc.)
§ 'Catch All' (privacy or proprietary business information)
DoD Cybersecurity Rules
Covered Contractor Systems
§ Contractor owned Information System
§ Processes, stores, or transmits CDI
§ Proper scoping is key
‒ Servers and workstations
‒ Network devices
‒ Storage systems
Updated Requirements
Remember... DoD issued Interim Rule #2 amending the Defense Federal Acquisition Regulation Supplement (DFARS) to provide contractors with additional time to implement the security requirements specified in NIST SP 800-171.
Additional Updated Requirements
§ DFARS clause 252.204-7012 was amended to require notification to the DoD CIO of any NIST SP 800-171 requirements that are not implemented at the time of contract award, within 30 days of contract award (does not exempt organizations from working toward 100% compliance)
§ DFARS provision 252.204-7009 and clause 252.204-7012 were amended to require, when applicable, inclusion of the clause without alteration, except to identify the parties.
§ DFARS clause 252.204-7012 was further amended to limit the requirement to flow down the clause only to subcontractors where their efforts will involve covered defense information or where they will provide operationally critical support.
§ DFARS clause 252.204-7012 was amended to remove the requirement for DoD CIO acceptance of alternative but equally effective security measures prior to award.
NIST SP 800-171
Provides federal agencies with recommended requirements for protecting the confidentiality of CUI: (i) when the CUI is resident in nonfederal information systems and organizations;
(ii) when the information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; and
(iii) where there are no specific safeguarding requirements for protecting the confidentiality of CUI
NIST SP 800-171
'Tailoring Criteria'
SP 800-171 guidelines are tailored for nonfederal information systems that contractors already have in place, with the goal of avoiding a requirement for contractors to completely replace legacy information systems.
Provides a complete listing of the security controls in the NIST Special Publication 800-53 moderate baseline and the tailoring actions (by family) that have been carried out on the security controls in the moderate baseline.
– The tailoring actions facilitate the development of the CUI derived security requirements
NIST SP 800-171
Three primary criteria for eliminating a security control or control enhancement from the moderate baseline, including:
§ The control or control enhancement is uniquely federal (i.e., primarily the responsibility of the federal government);
§ The control or control enhancement is not directly related to protecting the confidentiality of CUI; or
§ The control or control enhancement is expected to be routinely satisfied by nonfederal organizations without specification.
Key Dates
August 26, 2015 – expanded safeguarding requirements to cover covered defense information (CDI)
Dec. 14, 2015 – Public meeting with DoD contractors
Dec. 30, 2015 – DoD issues interim rule to grant additional time for contractors to implement NIST SP 800-171
Dec. 31, 2017 – Contractors must comply with the requirements of NIST SP 800-171
What Should We Do?
Expectations of Contractors
§ Understand status of compliance with SP 800-171
‒ Be able to communicate gaps
‒ Have a plan for remediation by Dec. 31, 2017
§ Have a system breach reporting plan
‒ How quickly are we able to perform an investigation?
What Should We Do?
Current Priorities...
§ Understand compliance requirements
§ The time to begin reviewing control compliance status is now!
§ Breach notification requirements within 72 hours
‒ How do we report?
‒ What's involved?
What Should We Do?
Critical Questions...
§ Do we know the nature of our in-scope system?
‒ Do we know exactly what data we have?
‒ Data flows
‒ Systems that "transmit, process, or store" relevant data
§ Need to properly scope our "covered information system."
‒ Segmentation can dramatically reduce or expand the scope of compliance requirements
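The scoping question above is what segmentation actually changes, and this added example (not from the DHG slides) makes it concrete: a constructed asset inventory with network segments and permitted data flows, and a reachability rule that computes which assets fall inside the covered contractor information system with and without enforced segmentation. Asset names, segments and flows are assumptions.

```python
from collections import deque

# Constructed inventory (assumption): asset -> (network segment, handles CDI directly?)
ASSETS = {
    "eng-fileserver": ("eng", True),   # stores controlled technical information
    "eng-ws-01": ("eng", True),        # processes CDI
    "eng-ws-02": ("eng", False),
    "mail-gateway": ("dmz", True),     # transmits CDI as attachments
    "hr-db": ("corp", False),
    "print-server": ("corp", False),
}

# Constructed data flows (assumption): permitted connections between assets
FLOWS = [
    ("eng-ws-01", "eng-fileserver"),
    ("eng-ws-02", "eng-fileserver"),
    ("eng-ws-01", "mail-gateway"),
    ("hr-db", "print-server"),
]


def covered_system(assets, flows, segmented):
    """Return the assets inside the covered contractor information system.
    Any asset that processes, stores or transmits CDI is in scope. Without
    enforced segmentation the network is flat, so everything is in scope.
    With segmentation, scope spreads only to assets sharing a segment with,
    or having a permitted flow to or from, an in-scope asset (transitively).
    """
    if not segmented:
        return set(assets)
    scope = {name for name, (_, handles_cdi) in assets.items() if handles_cdi}
    queue = deque(scope)
    while queue:
        current = queue.popleft()
        segment = assets[current][0]
        reachable = {name for name, (seg, _) in assets.items() if seg == segment}
        for src, dst in flows:
            if src == current:
                reachable.add(dst)
            elif dst == current:
                reachable.add(src)
        for name in reachable - scope:   # newly discovered in-scope assets
            scope.add(name)
            queue.append(name)
    return scope


if __name__ == "__main__":
    print("flat network:", sorted(covered_system(ASSETS, FLOWS, False)))
    print("segmented:", sorted(covered_system(ASSETS, FLOWS, True)))
    print("new corp->eng flow:", sorted(covered_system(ASSETS, FLOWS + [("print-server", "eng-ws-02")], True)))
```

The third call shows the "expand" side of the slide's point: one permitted flow from the corp segment into engineering pulls hr-db and print-server back into scope.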
What Should We Do?
Critical Questions...
§ Are we effectively pushing and enforcing compliance requirements with our subs?
§ How are we performing our compliance assessment?
‒ Are we using objective analysis?
‒ Tabletop exercise or in-depth assessment?
‒ Are we using tools to conduct technical reviews?
‒ Are we implementing an adequate plan to remediate gaps?