key ideas associated with cui requirements and dfars 252
play

KEY IDEAS ASSOCIATED WITH CUI REQUIREMENTS AND DFARS 252.204-7012 - PowerPoint PPT Presentation

Jan 25, 2023 •321 likes •908 views

KEY IDEAS ASSOCIATED WITH CUI REQUIREMENTS AND DFARS 252.204-7012 (CYBER SECURITY SERIES PART 4 OF 5) ACQUISITION HOUR WEBINAR November 6, 2019 11/6/2019 WEBINAR ETIQUETTE PLEASE Log into the GoToMeeting session with the name that you

  1. KEY IDEAS ASSOCIATED WITH CUI REQUIREMENTS AND DFARS 252.204-7012 (CYBER SECURITY SERIES PART 4 OF 5) ACQUISITION HOUR WEBINAR November 6, 2019 11/6/2019

  2. WEBINAR ETIQUETTE PLEASE ▪ Log into the GoToMeeting session with the name that you registered with online ▪ Place your phone or computer on MUTE ▪ Use the CHAT option to ask your question(s). ▪ We will share the questions with our guest speaker who will respond to the group THANK YOU! 11/6/2019 Page 2

  3. ABOUT WPI SUPPORTING THE MISSION Celebrating 32 Years of serving Wisconsin Business! 11/6/2019 Page 3

  4. Assist businesses in creating, development and growing their sales, revenue and jobs through Federal, state and local government contracts. WPI is a Procurement Technical Assistance Center (PTAC) funded in part by the Defense Logistics Agency (DLA), WEDC and other funding sources. 11/6/2019 Page 4

  5. WPI OFFICE LOCATIONS ▪ MILWAUKEE ▪ OSHKOSH ▪ ▪ Fox Valley Technical College Technology Innovation Center ▪ Greater Oshkosh Economic Development Corporation ▪ MADISON ▪ EAU CLAIRE ▪ FEED Kitchens ▪ ▪ Western Dairyland Dane County Latino Chamber of Commerce ▪ Wisconsin Manufacturing Extension Partnership ▪ MENOMONIE (WMEP) ▪ Madison Area Technical College (MATC) ▪ Dunn County Economic Development Corporation ▪ CAMP DOUGLAS ▪ LADYSMITH ▪ Juneau County Economic Development ▪ Indianhead Community Action Agency Corporation (JCEDC) ▪ RHINELANDER ▪ STEVENS POINT ▪ Nicolet Area Technical College ▪ IDEA Center ▪ GREEN BAY ▪ APPLETON ▪ Advance Business & Manufacturing Center ▪ Fox Valley Technical College 11/6/2019 Page 5

  6. www.wispro.org 11/6/2019 Page 6

  7. SO…. WHAT DOES WPI REALLY DO? Provides technical assistance to CURRENT and POTENTIAL Contractors and subcontractors ▪ INDIVIDUAL CONSELING – At our offices, at clients facility or via telephone/GoToMeeting ▪ SMALL GROUP TRAINING – Workshops and webinars ▪ CONFERENCES to include one on one or roundtable sessions Last year WPI provided training at over 100 events, provided service to over 1,000 companies 11/6/2019 Page 7

  8. DFARS – Key, top-level elements Marc N. Violante Wisconsin Procurement Institute November 6, 2019

  9. 9 DFARS 252.204-7012 - actions • Requires Adequate Security • Implementation of NIST 800-171 rx (x being the current version) • System Security Plan • Plan of Action • Monitor for Malware • If Malware is identified, found • Inactivate and send to Contracting Officer • Monitor for intrusions/incidents • Conduct investigation for suspicious activity – abide by relevant laws (eg wire tapping) • Required report for validated incidents within 72 hours – requires Medium assurance cert • Take image of system • Retain for up to 90 days • Flow down to subcontractors – only if there is CUI November 6, 2019

  10. 10 Subcontracts – flowdown Key thoughts – deliberate management & minimize flowdown Train-the-Trainer Unabridged DFARS 252.204-7012 May 2018_0 – accessed from www.dodprocurementtoolbox.com/cybersecurity - slide 15 November 6, 2019

  11. 11 Implementation – Contractor’s responsibility ➢ Ultimately, it is the contractor’s responsibility to determine whether it is has implemented the NIST SP 800-171 (as well as any other security measures necessary to provide adequate security for covered defense information). ➢ Third party assessments or certifications of compliance are not ▪ required, ▪ authorized, ▪ or recognized by DoD, ▪ nor will DoD certify that a contractor is compliant with the NIST SP 800-171 security requirements. Office of the Under Secretary of Defense, Acquisition, Technology and Logistics, Implementing DFARS 252.204-7012 Memorandum, Sep 21, 2017 November 6, 2019

  12. What is the purpose of implementation & 12 reporting? • Manage risk • The concept of “Single State Information” • Controlled Unclassified Information has the same value , whether such information is resident in a federal system that is part of a federal agency or a nonfederal system that is part of a nonfederal organization. Accordingly, the security requirements contained in this publication are consistent with and complementary to the standards and guidelines used by federal agencies to protect CUI. • Help prevent incidents • Understand – who, what, where, and how • Determine – what information was lost / how much / criticality NIST 800-171 r1 – Single State Information - page 6 November 6, 2019

  13. 13 Three dimensions of cyber security • Confidentiality • Integrity • Availability November 6, 2019

  14. 14 Information – cycle – in general Security Perimeter Authorized holder/user of information Receive Utilize Manage November 6, 2019

  15. 15 What data/information is on your computer? On your Network? What devices are being used? Who has access? What are the entry points? Are the security/safeguarding requirements all the same? – different customers, different types of data/information November 6, 2019

  16. 16 Information – life cycle, general elements Receipt • Auditing • Awareness Marking • Controls • Deliverables • Information – source(s) Storage • Monitor – test • Questions to KO, other • Use Training • Transmittal registry • Update procedures Sharing Destruction M.N. Violante, WPI – Nov 2017 November 6, 2019

  17. 800-171 r1 --Focuses on Confidentiality 17 November 6, 2019 Copied from Google search: infrared heat loss image

  18. 18 Sensitive Information – don’t view in isolation • Federal Contract Information FAR – 52.204-21 • Covered Defense Information DFARS – 252.204-7012 • Joint Certification Program DD- 2345 • International Traffic In Arm Regulation (ITAR) • Disclosure of Information DFARS – 252.204-7000 November 6, 2019

  19. 19 Definitions • Critical elements to understanding requirements November 6, 2019

  20. 20 Adequate Security • “Adequate security” means protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information. DFARS 252.204-7012 November 6, 2019

  21. 21 Compromise • “Compromise” means disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred. DFARS 252.204-7012 November 6, 2019

  22. 22 Cyber incident? • A cyber incident is defined as actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein. According to - DoD's DIB Cyber Incident Reporting & Cyber Threat Information Sharing Portal; the recipient of the required cyber incident report. https://dibnet.dod.mil/portal/intranet/Splashpage/ReportCyberIncident November 6, 2019

  23. 23 Don’t minimize the risk! • It’s not just Fortune 500 companies and nation states at risk of having IP stolen – even the local laundry service is a target. • In one example, an organization of 35 employees was the victim of a cyber attack by a competitor. • The competitor hid in their network for two years stealing customer and pricing information, giving them a significant advantage. Hid for two years! Internet Security Threat Report, Volume 21, April 2016, Symantec November 6, 2019

  24. 24 Cyber – breach detection “February 25, SecurityWeek – (International) Breach detection time improves, destructive attacks rise: FireEye. FireEye-owned Mandiant released a report titled, M-Trends which stated that current organizations were improving their breach detection rates after an investigation on real-life incidences revealed that the median detection rate improved from 205 days in 2014 to 146 days in 2015. The report also stated that disruptive attacks were a legitimate threat and gave insight into how organizations can prepare for and deal with such attacks. Source: http://www.securityweek.com/breach-detection-time- improves-destructive-attacks-rise- fireeye “ Copied from: DHS Open Source Daily Infrastructure Report, Item 18, February 29, 2016 November 6, 2019

  25. 25 Id’ing the digital spy “When businesses do eventually notice that they have a digital spy in their midst and that their vital information systems have been compromised, an appalling 92 percent of the time it is not the company’s chief information officer, security team, or system administrator who discovers the breach.” • How do companies find out that they have been breached? • Law enforcement • Angry customer • Contractor Marc Goodman, Future Crimes: everything is connected, everyone is vulnerable and what we can do about it, (New York: DOUBLEDAY, 2015), 16-17 Verizon’s 2013 Data Breach Investigations Report is cited as the source November 6, 2019

  26. 26 The dilemma Having to Continued report an contracting incident success November 6, 2019

Recommend

Agenda DFARS 239.71 Updates Cybersecurity Contracting DFARS Clause 252.204-7001

Agenda DFARS 239.71 Updates Cybersecurity Contracting DFARS Clause 252.204-7001

The Aerospace & Defense Forum San Diego Chapter May 23, 2017 C YBER S ECURITY B RIEF Presented By: Curt Parkinson DCMA May 23, 2017 Agenda DFARS 239.71 Updates Cybersecurity Contracting DFARS Clause 252.204-7001 DFARS

328 views • 11 slides
DFARS Case 2017-D019 Performance-Based Payments and Progress Payments Wesley Hallman Senior

DFARS Case 2017-D019 Performance-Based Payments and Progress Payments Wesley Hallman Senior

DFARS Case 2017-D019 Performance-Based Payments and Progress Payments Wesley Hallman Senior Vice-President of Policy WHallman@NDIA.org, (703)2472595 Public Meeting September 14, 2018 1 9/10/2018 DFARS Case 2017-D019 INDUSTRY

133 views • 11 slides
5 Analyzing the Requirements 5.1 Context of Requirements Analysis 5.2 Analysing Ideas and

5 Analyzing the Requirements 5.1 Context of Requirements Analysis 5.2 Analysing Ideas and

5 Analyzing the Requirements 5.1 Context of Requirements Analysis 5.2 Analysing Ideas and Concepts: Focus Groups 5.3 Work Processes Bottom-Up: Ethnographic Observation 5.4 Work Processes Top-Down: Task Analysis 5.5 Analysis of Existing

541 views • 40 slides
Project Ideas Sources for Finding Ideas Recent projects by researchers doing computational

Project Ideas Sources for Finding Ideas Recent projects by researchers doing computational

11/8/16 Project Ideas and Grading Course Project (aka HW #5) Straightforward approach: Pick a paper, implement it, extend it, and modify it in some Requirements ways, and perform experimental evaluation Thursday, November

563 views • 24 slides
FAR & DFARS compliance projects Saab Dynamics and Saab Aeronautics Fredrik Genbo

FAR & DFARS compliance projects Saab Dynamics and Saab Aeronautics Fredrik Genbo

This document and the information contained herein is the property of Saab AB and must not be used, disclosed or altered without Saab AB prior written consent. FAR & DFARS compliance projects Saab Dynamics and Saab Aeronautics Fredrik

432 views • 9 slides
(VREX) Generalized Simulator SBIR AF121-148 DFARS SBIR Data Rights; 03 May 2012

(VREX) Generalized Simulator SBIR AF121-148 DFARS SBIR Data Rights; 03 May 2012

FishEye - Virtual Receiver/Exciter (VREX) Generalized Simulator SBIR AF121-148 DFARS SBIR Data Rights; 03 May 2012 www.FishEye.net 1 FishEye Proprietary Information Radar Front-End and Environment Simulation Observation Equipment

505 views • 26 slides
ANPR: Safeguarding Unclassified Information (DFARS Case 2008-D028) Principal Concerns Scope

ANPR: Safeguarding Unclassified Information (DFARS Case 2008-D028) Principal Concerns Scope

ANPR: Safeguarding Unclassified Information (DFARS Case 2008-D028) Principal Concerns Scope too broad in some places and too specific in others Definitions - ambiguous Reporting concerns about provision, use and protection of

304 views • 6 slides
CSSE 220: Object Design Part 1 of Many Also Class Diagrams Designing Classes Programs

CSSE 220: Object Design Part 1 of Many Also Class Diagrams Designing Classes Programs

CSSE 220: Object Design Part 1 of Many Also Class Diagrams Designing Classes Programs typically begin as abstract ideas These ideas form a set of requirements (i.e. what the user wants) We must take these requirements, and figure out

481 views • 26 slides
CSSE 220: Object Design Part 1 of Many Also Class Diagrams Designing Classes Programs

CSSE 220: Object Design Part 1 of Many Also Class Diagrams Designing Classes Programs

CSSE 220: Object Design Part 1 of Many Also Class Diagrams Designing Classes Programs typically begin as abstract ideas These ideas form a set of requirements (i.e. what the user wants) We must take these requirements, and figure out

937 views • 28 slides
New Ideas for 6 D Ionization Cooling R B Palmer Oxford, UK 5/11/05 Muon Collider

New Ideas for 6 D Ionization Cooling R B Palmer Oxford, UK 5/11/05 Muon Collider

New Ideas for 6 D Ionization Cooling R B Palmer Oxford, UK 5/11/05 Muon Collider requirements Transverse Ionization Cooling Theory Longitudinal Emittance Cooling Theory Final Reverse Emittance Exchange New Ideas on How to do

905 views • 33 slides
1 Software Safety Specifying safety requirements Safety vs. Reliability Component

1 Software Safety Specifying safety requirements Safety vs. Reliability Component

User requirements CSE 403 Business Requirements Lecture 14 User User Use Cases Requirements Study Safety and Security Requirements Functional Requirements Requirements Documentation Non-functional Requirements Non-functionality

275 views • 3 slides
MATCHING IDEAS A COLLABORATIVE NETWORK OF IDEAS G I O VA N N I R I N A L D I A R C T I C 2 0 1

MATCHING IDEAS A COLLABORATIVE NETWORK OF IDEAS G I O VA N N I R I N A L D I A R C T I C 2 0 1

MATCHING IDEAS A COLLABORATIVE NETWORK OF IDEAS G I O VA N N I R I N A L D I A R C T I C 2 0 1 2 , B O L O G N A THE INTERNET ERA CURRENT ECONOMIC CONTINGENCY New paradigms New organization New concepts NETWORKS OF RELATIONSHIPS

502 views • 21 slides
Your Co-facilitators Big Ideas ! The Approach

Your Co-facilitators Big Ideas ! The Approach

Big Ideas Agenda 1. Welcome ! 2. Premier Wynne speaks ! Discuss: ! 3. IDEA JAM presentations + panel ! 4. Your input on the Big Ideas How I see this Vision session being useful - Work in teams ! to the region and Ontario is. 5. Share

340 views • 4 slides
Software Requirements and Specification Requirements Process Requirements Process SE3821 - Jay

Software Requirements and Specification Requirements Process Requirements Process SE3821 - Jay

Software Requirements and Specification Requirements Process Requirements Process SE3821 - Jay Urbain 1 Requirements 2 Requirements No matter what product you are building, you still need to explore, understand, capture, and communicate

740 views • 27 slides
ST Data-warehouse for trajectories Some preliminary ideas S. Orlando, R. Orsini, A. Raffaet,

ST Data-warehouse for trajectories Some preliminary ideas S. Orlando, R. Orsini, A. Raffaet,

ST Data-warehouse for trajectories Some preliminary ideas S. Orlando, R. Orsini, A. Raffaet, A. Roncato Requirements and Starting points Trajectories arrive in streams, as triples (ID, SpatialPos, TemporalPos) to insert information

349 views • 22 slides
The Creative Networker 4. Seek Diversion 1. Find Many Ideas 5. Execute Your Ideas 2. Generate Many

The Creative Networker 4. Seek Diversion 1. Find Many Ideas 5. Execute Your Ideas 2. Generate Many

The Creative Networker 4. Seek Diversion 1. Find Many Ideas 5. Execute Your Ideas 2. Generate Many Ideas 6. Appreciate Mistakes 3. Make Connections 7. Learn From Failure https://www.flickr.com/photos/jronaldlee/4479381576

913 views • 72 slides
1 Good Requirements Graphical Languages? Specification Qualities Examples: Complete -

1 Good Requirements Graphical Languages? Specification Qualities Examples: Complete -

REQUIREMENT SPECIFICATION The Basic Waterfall Model Today: Requirements Specification Requirements Requirements tell us what the system should do - specification not how it should do it. Analysis & Requirements are

363 views • 3 slides
Customer requirements Developer requirements Business requirements

Customer requirements Developer requirements Business requirements

Customer requirements Developer requirements Business requirements Specification ELICITATION PRACTICES Quality standards IEEE 830 Companies make up their own

320 views • 29 slides
1 Representations for requirements Unified Modeling Language UML (1997) Requirement

1 Representations for requirements Unified Modeling Language UML (1997) Requirement

Today CSE 403, Software Engineering Representation of requirements Lecture 4 Use of requirements Key parts of the discussion will (probably) be about process, not Documenting and Using artifacts Requirements Non-functional

358 views • 4 slides
Thalia X Y C O L L E C T I V E ITS NOT ABOUT IDEAS ITS ABOUT MAKING IDEAS HAPPEN X Y

Thalia X Y C O L L E C T I V E ITS NOT ABOUT IDEAS ITS ABOUT MAKING IDEAS HAPPEN X Y

Thalia X Y C O L L E C T I V E ITS NOT ABOUT IDEAS ITS ABOUT MAKING IDEAS HAPPEN X Y C O L L E C T I V E Thalia Logo Design Project (Jushua) XY Collective Website E-mail: GS.04 Barley Mow Centre, 10 Barley Mow Passage June /

447 views • 28 slides
Project Ideas Semester long projects of medium scope TAs presenting project ideas today

Project Ideas Semester long projects of medium scope TAs presenting project ideas today

Project Ideas Semester long projects of medium scope TAs presenting project ideas today Students can submit their own ideas Send to cs161projectidea@gmail.com To be approved by staff Short presentation of approved ideas this

355 views • 31 slides
1 Functional requirements: Michael Jackson s Design Functional requirements methodology

1 Functional requirements: Michael Jackson s Design Functional requirements methodology

Today s goals Requirements How can we document requirements? What are different ways of writing Use Cases? When do Use Cases (do not) fit for Use Cases capturing requirements? CS361 4-2 1 Announcements Homework 2 First

211 views • 6 slides
CS 5150 So(ware Engineering 6. Requirements Analysis William Y. Arms Requirements Requirements

CS 5150 So(ware Engineering 6. Requirements Analysis William Y. Arms Requirements Requirements

Cornell University Compu1ng and Informa1on Science CS 5150 So(ware Engineering 6. Requirements Analysis William Y. Arms Requirements Requirements describe the func1on of the system from the client's viewpoint. The requirements

438 views • 32 slides
Pinterest Brings Us Ideas Collected OGC Winter Decorating Ideas for Home & Garden Created by

Pinterest Brings Us Ideas Collected OGC Winter Decorating Ideas for Home & Garden Created by

Pinterest Brings Us Ideas Collected OGC Winter Decorating Ideas for Home & Garden Created by Merle Cole OGC Board VP How Pinterest Works People post ideas, photos, images, links, how-tos to the internet These are pinned to their

600 views • 38 slides

More recommend