The Aerospace & Defense Forum, San Diego Chapter, May 23, 2017

CYBER SECURITY BRIEF
Presented By: Curt Parkinson, DCMA
May 23, 2017

Agenda
• DFARS 239.71 Updates
• Cybersecurity Contracting
• DFARS Clause 252.204-7001
• DFARS Clause 252.239-7012
• Adequate Security
• System Security Plan (SSP)
• Cyber Incident
• Questions
Cybersecurity: DFARS 239.71 Updates

DFARS Part 239 - Acquisition of Information Technology, "DFARS 239.71 - Security and Privacy for Computer Systems"
• DFARS 239.7102-1, General: Applies to all acquisitions for "Information Technology"; includes security and Privacy Act considerations.
• DFARS 239.7102-2, Compromising Emanations – TEMPEST or other standard: For acquisitions requiring information assurance against compromising emanations, the requiring activity is responsible for providing to the contracting officer:
  – The required protections (i.e., an established National TEMPEST standard (e.g., NACSEM 5100, NACSIM 5100A) or a standard used by another authority);
  – The required identification markings…
  – Inspection and acceptance requirements…
  – A date through which the accreditation is considered current

Cybersecurity Contracting: Applicable DFARS
• DFARS 252.239-7000 – Protecting Against Compromising Emanations
  – TEMPEST certification NACSEM 5100 or Compromising Emanations NACSEM 5100A(U)
  – Contractor to provide test certification documentation
  – Note: usually referred to as TEMPEST
• DFARS 252.239-7001 – IA Contractor Training and Certification
  – Requires DoD 8570/8140 training and certification of contractor IA personnel
  – Documentation from contractor to DoD
  – Non-certified staff will be barred from DoD information systems
  – Note: a new qualification for certification of cyber defense firms, not just staff
• DFARS 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting
  – Reporting within 72 hours
  – Flows down to subcontractors
  – Note: Covered Defense Information includes
    • Controlled technical information
    • Export-controlled items (both ITAR and EAR)

Note: DCMA is not performing technical assessment of the cyber-security standards, i.e., NIST 800-171.
DFARS Clause 252.204-7012
• When the contract includes DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, the supplier must comply with the 14 CS requirements in NIST SP 800-171
• Compliant assessment
  – SP shall verify that the supplier has the required System Security Plan under CM
  – SP shall issue a CAR and inform the AC if the Plan does not exist
  – The SP does not conduct an assessment of the System Security Plan or issue a CAR against the Plan
• Non-compliant assessment
  – SP shall verify that the supplier notified the DoD CIO via email within 30 days of contract award
  – SP shall verify that the supplier submitted a POA&M to the AC
  – SP shall otherwise issue a CAR and inform the AC

DFARS Clause 252.204-7012
• Resource: Guidance to Stakeholders for Implementing Defense Federal Acquisition Regulation Supplement Clause 252.204-7012 (Safeguarding Unclassified Controlled Technical Information)
• Basic supplier requirements:
  – Provide adequate security :: DFARS 252.204-7012(b)
  – Report cyber incidents :: DFARS 252.204-7012(c)
  – Flow down these requirements :: DFARS 252.204-7012(m)
• DCMA software professionals primarily work with the "b" and "m" requirements

Software - Policy Implementation Meeting (PIM)
One team, one voice delivering global acquisition insight that matters.
DFARS Clause 252.239-7001
• When the contract includes DFARS 252.239-7001, IA Contractor Training and Certification, the Contractor shall ensure that personnel accessing information systems have the proper and current information assurance certification to perform information assurance functions in accordance with DoD 8570.01-M
• The supplier will need to provide DoD-approved information assurance workforce certifications appropriate for each category and level
• SP shall verify that the supplier has the required certifications
• SP shall issue a CAR and inform the AC if the supplier does not provide certifications
• Note: Contractor personnel who do not have proper and current certifications shall be denied access to DoD information systems for the purpose of performing information assurance functions.

DFARS Clause 252.239-7001
• Resource: DoD 8570.01-M, Information Assurance Workforce Improvement Program
• Three basic supplier requirements:
  – Meet the applicable IA certification requirements :: DFARS 252.204-7001(a)
  – Provide documentation supporting IA certification status :: DFARS 252.204-7001(b)
  – Contractor personnel who do not have proper and current certifications shall be denied access to DoD information systems :: DFARS 252.204-7012(c)
• DCMA software professionals primarily work with each requirement of this clause
Adequate Security
• Resource: NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
• Requires supplier to be compliant with NIST 800-171 NLT 31 DEC 2017
• NIST 800-171 describes 14 security requirements
• Additional requirement for contracts awarded before 01 OCT 2017:
  – Require supplier self-assessment against NIST 800-171
  – Require supplier to report to DoD CIO any shortcomings that existed at time of contract award

System Security Plan (SSP)
• Resource: NIST 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems
• The objective of system security planning is to improve protection of information system resources
• Appendix A of NIST 800-18 R1 contains a template for an SSP
• Any "to-do" tasks that need to be accomplished before the SSP is fully capable must be documented via a Plan of Action and Milestones (POA&M)
Cyber Incident
"Cyber incident" :: means actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.
• Cyber incident reporting requirement.
  – (1) When the Contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein, or that affects the contractor's ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract, the Contractor shall—
    (i) Conduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This review shall also include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the Contractor's network(s), that may have been accessed as a result of the incident in order to identify compromised covered defense information, or that affect the Contractor's ability to provide operationally critical support; and
    (ii) Rapidly report cyber incidents to DoD at http://dibnet.dod.mil

Cyber Incident cont.
  – (2) Cyber incident report. The cyber incident report shall be treated as information created by or for DoD and shall include, at a minimum, the required elements at http://dibnet.dod.mil
  – (3) Medium assurance certificate requirement. In order to report cyber incidents in accordance with this clause, the Contractor or subcontractor shall have or acquire a DoD-approved medium assurance certificate to report cyber incidents.

NOTE :: For information on obtaining a DoD-approved medium assurance certificate, see http://iase.disa.mil/pki/eca/Pages/index.aspx
Cyber Incident cont.
• Reporting a Cyber Incident
• Elements of a cyber report ::

Risk Management Framework: incorporated into the full system life cycle (figure)
For Official Use Only