The document discusses cybersecurity challenges related to protecting DoD's unclassified information. It outlines DoD's efforts to codify cybersecurity responsibilities through regulations and voluntary programs. It focuses on the requirements of DFARS Clause 252.204-7012, which requires contractors to safeguard covered defense information and report cyber incidents. The document provides guidance on implementing NIST SP 800-171 security requirements to protect covered information, documenting compliance, addressing cloud computing, and the flowdown of requirements to subcontractors.
Why does DFARS exist?
Current requirements for companies with Controlled Unclassified Information (CUI) or DoD Covered Defense Information (CDI)
What is CMMC?
Dickstein Shapiro LLP and the Government Technology & Services Coalition (GTSC) held a webcast, “Key Cybersecurity Issues for Government Contractors” on Thursday, October 3, 2013. This interactive program, of particular interest to government contractor compliance officers, CIOs, CISOs, General Counsel, and any other C-suite members, discussed how the federal government is planning on fundamentally altering its acquisition policies to make the cybersecurity of its contractors a top priority. The discussion included:
- Proposed Federal Acquisitions Regulation (FAR) changes relating to President Obama’s Cybersecurity Executive Order;
- Planned changes to procurement requirements based on independent agency actions;
- Congressionally mandated cybersecurity requirements; and
Ways contractors can prepare for these changes.
To view the webinar, visit:
Cybersecurity for GovCons - DFARS 252.204-7012 Latest Updates and Last CallUnanet
In this webinar Unanet and H2L Solutions, a provider of cyber security and information assurance services, will be discussing the latest updates for the DFARS 7012 regulations and answering questions that anyone might have regarding the assessment and the NIST 800-171 controls. We will cover the key requirements, adequate security, reporting compliance, flow down, implementation experiences and and the impact the regulation is having.
Learn more at: https://www.unanet.com/news/demand-webinars
Bizmanualz Sample from the Computer & IT Policies and Procedures Manual includes
an example policy, procedure, a list of topics, forms and job descriptions.
The Computer and Network Policy, Procedures and Forms Manual discusses strategic IT management, control of computer and network assets, and includes a section on creating your own information systems manual along with a computer and IT security guide. The Computer & Network Manual helps you comply with Sarbanes Oxley, COBIT or ISO 27002 security and control requirements. This Computer and Network Manual allows IT Managers, IT departments and IT executives to develop their own unique IT policy and procedures.
Includes seven (7) modules:
1. Introduction and Table of Contents
2. Guide to preparing a well written manual
3. A Sample Manual covering common requirements and practices
4. 41 Policies and 75 corresponding forms
5. Software Development Supplement
6. IT Security Guide
7. 33 Job Descriptions covering every position referenced in the Manual
8. Complete Index.
Are existing compliance requirements sufficient to prevent data breaches? This session will provide a technical assessment of the 2019 Capital One data breach, illustrating the technical modus operandi of the attack and identify related compliance requirements based on the NIST Cybersecurity Framework. Attendees will learn the unexpected impact of corporate culture on overall cyber security posture.
This talk was presented at RSA Conference 2021 (Session RMG-T15) on May 18, 2021.
Original paper available for download at SSRN: Novaes Neto, Nelson and Madnick, Stuart E. and Moraes G. de Paula, Anchises and Malara Borges, Natasha, A Case Study of the Capital One Data Breach (28/04/2020). https://ssrn.com/abstract=3570138
Why does DFARS exist?
Current requirements for companies with Controlled Unclassified Information (CUI) or DoD Covered Defense Information (CDI)
What is CMMC?
Dickstein Shapiro LLP and the Government Technology & Services Coalition (GTSC) held a webcast, “Key Cybersecurity Issues for Government Contractors” on Thursday, October 3, 2013. This interactive program, of particular interest to government contractor compliance officers, CIOs, CISOs, General Counsel, and any other C-suite members, discussed how the federal government is planning on fundamentally altering its acquisition policies to make the cybersecurity of its contractors a top priority. The discussion included:
- Proposed Federal Acquisitions Regulation (FAR) changes relating to President Obama’s Cybersecurity Executive Order;
- Planned changes to procurement requirements based on independent agency actions;
- Congressionally mandated cybersecurity requirements; and
Ways contractors can prepare for these changes.
To view the webinar, visit:
Cybersecurity for GovCons - DFARS 252.204-7012 Latest Updates and Last CallUnanet
In this webinar Unanet and H2L Solutions, a provider of cyber security and information assurance services, will be discussing the latest updates for the DFARS 7012 regulations and answering questions that anyone might have regarding the assessment and the NIST 800-171 controls. We will cover the key requirements, adequate security, reporting compliance, flow down, implementation experiences and and the impact the regulation is having.
Learn more at: https://www.unanet.com/news/demand-webinars
Bizmanualz Sample from the Computer & IT Policies and Procedures Manual includes
an example policy, procedure, a list of topics, forms and job descriptions.
The Computer and Network Policy, Procedures and Forms Manual discusses strategic IT management, control of computer and network assets, and includes a section on creating your own information systems manual along with a computer and IT security guide. The Computer & Network Manual helps you comply with Sarbanes Oxley, COBIT or ISO 27002 security and control requirements. This Computer and Network Manual allows IT Managers, IT departments and IT executives to develop their own unique IT policy and procedures.
Includes seven (7) modules:
1. Introduction and Table of Contents
2. Guide to preparing a well written manual
3. A Sample Manual covering common requirements and practices
4. 41 Policies and 75 corresponding forms
5. Software Development Supplement
6. IT Security Guide
7. 33 Job Descriptions covering every position referenced in the Manual
8. Complete Index.
Are existing compliance requirements sufficient to prevent data breaches? This session will provide a technical assessment of the 2019 Capital One data breach, illustrating the technical modus operandi of the attack and identify related compliance requirements based on the NIST Cybersecurity Framework. Attendees will learn the unexpected impact of corporate culture on overall cyber security posture.
This talk was presented at RSA Conference 2021 (Session RMG-T15) on May 18, 2021.
Original paper available for download at SSRN: Novaes Neto, Nelson and Madnick, Stuart E. and Moraes G. de Paula, Anchises and Malara Borges, Natasha, A Case Study of the Capital One Data Breach (28/04/2020). https://ssrn.com/abstract=3570138
CMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to KnowPECB
The CMMC, NIST 800-171, and ISO/IEC 27001 frameworks include the application of a structured approach to cybersecurity and a formal risk assessment process, and the implementation of customized security controls. However, each of them has a distinct scope.
The webinar covers
• US legislative overview, impacts and update in NIST adoption
• Weaving together NIST PF and NIST 800-171
• Quick definitions for CMMC / 27001 / 800-171
• Common scope elements between CMMC / 27001 / 800-171
• Differences in scope between CMMC / 27001 / 800-171
• When to implement each of the three
• How these three can support each other
• The link between these three and cyber insurance
• How each of these is used to measure and implement compliance
Presenters:
Anthony English
One of the top cybersecurity professionals in Atlantic Canada with extensive Canadian and International experience in cybersecurity covering risk assessment, management, mitigation, security testing, business continuity, information security management systems, architecture security reviews, project security, security awareness, lectures, presentations and standards-based compliance.
George Usi
George Usi is the CEO of Omnistruct Inc, a GaaS (cyber Governance as a Service) company with a vision to be the safety airbag of cyber risk and compliance.
After more than twenty-five years in internet open standards, networking, and security, George recognized that getting hacked in an Internet-delivered world was a matter of when. He also recognized that cyber laws with the potential of steep fines for business leaders who neglect to illustrate cyber security diligence would evolve with more aggressive sanctions in arrears of hacker success. So, he ideated a goal to eliminate cyber risk and set a mission for Omnistruct to be the “safety airbag” of cyber compliance. With a continuous audit and documentation approach, business owners can protect consumer privacy rights when they ideate, illustrate, and continuously measure their cyber posture using a new US guideline in cyber risk developed by NIST.
George attended California State University Chico, is a graduate of California State University Sacramento and a graduate of the Stanford Latino Executive Initiative (SLEI-ed) and Latino Business Action Network (LBAN) Graduate School of Business certificate program.
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/iso-27001-information-technology--security-techniques-information-security--management-systems---requirements
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701
Webinars: https://pecb.com/webinars
Articles: https://pecb.com/article
Whitepapers: https://pecb.com/whitepaper
Company Background & Operating EnvironmentThe assigned case study .docxbrownliecarmella
Company Background & Operating Environment
The assigned case study and attachments to this assignment provide information about “the company.”
·
Use the Baltimore field office as the target for the System Security Plan
·
Use Verizon FiOS as the Internet Services Provider (see
http://www.verizonenterprise.com/terms/us/products/internet/sla/
)
Policy Issue & Plan of Action
A recent risk assessment highlighted the need to formalize the security measures required to protect information, information systems, and the information infrastructures for the company’s field offices. This requirement has been incorporated into the company’s risk management plan and the company’s CISO has been tasked with developing, documenting, and implementing the required security measures. The IT Governance board also has a role to play since it must review and approve all changes which affect IT systems under its purview.
The CISO has proposed a plan of action which includes developing system security plans using guidance from NIST SP-800-18
Guide for Developing Security Plans for Federal Information Systems.
The IT Governance board, after reviewing the CISO’s proposed plan of action, voted and accepted this recommendation. In its discussions prior to the vote, the CISO explained why the best practices information for security plans from NIST SP 800-18 was suitable for the company’s use. The board also accepted the CISO’s recommendation for creating a single
System Security Plan
for a
General Support System
since, in the CISO’s professional judgement, this type of plan would best meet the “formalization” requirement from the company’s recently adopted risk management strategy.
Your Task Assignment
As a staff member supporting the CISO, you have been asked to research and then draft the required
system security plan
for a
General Support System.
In your research so far, you have learned that:
·
A general support system is defined as “an interconnected set of information resources under the same direct management control that shares common functionality.” (See NIST SP 800-18)
·
The Field Office manager is the designated
system owner
for the IT support systems in his or her field office.
·
The
system boundaries
for the field office
General Support System
have already been documented in the company’s enterprise architecture (see the case study).
·
The
security controls
required for the field office IT systems have been documented in a security controls baseline (see the controls baseline attached to this assignment).
Research:
1.
Review the information provided in the case study and in this assignment, especially the information about the field offices and the IT systems and networks used in their day to day business affairs.
2.
Review NIST’s guidance for developing a System Security Plan for a general support IT System.
This information is presented in NIST SP 800-18.
http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-fina ...
A Clear Path to NIST & CMMC Compliance - 2022 Summit.pptxJack Nichelson
Beginning in 2020, the DoD will use the Cybersecurity Maturity Model Certification (CMMC) to verify contractors of the Defense Industrial Base are operating with effective cyber hygiene. In order to bid on, maintain, and win future DoD contracts, all organizations will need to prove their required level of cyber maturity. If you do business with the DPD, NASA, GSA or another state/federal agency, you need to be prepared for the CMMC framework. In this presentation, we discuss the potential impacts on your business, while introducing an affordable, practical and secure solution for contractors preparing for CMMC certification.In addition to answering questions from attendees, this presentation will cover the following topics:• What You Need to Know About CMMC• CMMC 2.0 Proposed Changes• The Crawl – Walk – Run of CMMC• Preliminary Steps for CMMC Success• How to improve your NIST SP 800-171 Self-Assessment SPRS score
Understanding Federal IT Compliance in Three Steps - SharePoint Fest DCAdam Levithan
Do you have government contracts or are looking to broaden your portfolio? Aggravated by acronyms like FISMA, DFARS or NIST? A new class was defined in 2015 as Controlled Unclassified Information (CUI) to add to the list of acronyms and as of January 1, 2018 its protection will be an integral piece of government contracts. In this session we'll cover the three steps to be complaint, and overview of the technologies required.
With all of the acronyms and numbers, it is challenging to determine what is what in the world of cyber security and compliance.
In the government space, the National Institute of Standards (NIST) has been the key body for identifying and determining standards related to protecting critical infrastructure and government data.
Participants will walk away more conversant in the alphabet soup of NIST requirements and how they apply to these various programs.
This presentation:
• Provides a deep dive in the the similarities and differences between standards such as NIST 800-53, 800-171, and frameworks such as the cybersecurity framework
• How these standards and frameworks apply to FedRAMP, CJIS, and very specific programs covering data like the Death Master File (DMF)
The DoD released v1.2 of the CMMC on March 18, 2020, Walkthrough the slides to understand
1. CMMC/DFARS/NIST SP 800-171
2. CMMC Framework
3. CMMC Levels & Requirements
4. The CMMC effort builds upon existing regulation
5. CMMC – Asset Management
6. CMMC Practices Across Domains per Maturity Levels
7. NIST 800-171 to CMMC Gaps
8. Certification & Accreditation Details
9. CMMC Training
10. Challenges being solved by Ignyte | Training
11. Challenges being solved by Ignyte | Automation
12. What is included within the Full CMMC Accreditation Package?
13. CMMC Accreditation Process Automated
This presentation was developed to accompany the live webinar hosted by Federal Publications Seminars. Guests included Bryan Van Brunt, Founder of Van Brunt Law Firm, P.A, and Max Aulakh, Founder & CEO of Ignyte Assurance Platform and Ignyte Institute, who discussed how to get on board with the emerging Cybersecurity Maturity Model Certification (CMMC) compliance regulations and to be able to continue working with the DoD as a prime or subcontractor after the interim rule comes into effect. It gives you both legal and technical perspectives on how to protect your business and maintain a competitive advantage, explains what tools and manpower are required to become compliant within the optimal period of time and with limited IT resources. Speakers also shared important lessons learned while running NIST and CMMC projects.
A business-level review of current security standards for the energy and utility school, a look around the corner at what's coming next from the standards bodies, and a discussion of the burdens this amount of change and uncertainty is is placing on executives and security professionals in the electric utilities.
https://class.waldenu.edu/webapps/assessment/take/launchAssessment.jsp?course_id=_16908130_1&
content_id=_61332310_1&mode=cpview
Date updated: September 23, 2021
Withdrawn NIST Technical Series Publication
Warning Notice
The attached publication has been withdrawn (archived) and is provided solely for historical purposes. It
may have been superseded by another publication (indicated below).
Withdrawn Publication
Series/Number NIST Special Publication 800-53 Rev. 4
Title Security and Privacy Controls for Federal Information Systems and
Organizations
Publication Date(s) April 2013 (including updates as of January 22, 2015)
Withdrawal Date September 23, 2021
Withdrawal Note SP 800-53 Rev. 4 is superseded in its entirety by SP 800-53 Rev. 5 (September
2020, including updates as of 12/10/20).
Superseding Publication(s) (if applicable)
The attached publication has been superseded by the following publication(s):
Series/Number NIST Special Publication 800-53 Rev. 5
Title Security and Privacy Controls for Information Systems and Organizations
Author(s) Joint Task Force
Publication Date(s) September 2020 (including updates as of December 10, 2020)
URL/DOI https://doi.org/10.6028/NIST.SP.800-53r5
Additional Information (if applicable)
Contact Computer Security Division (Information Technology Laboratory)
Latest revision of the
attached publication
Related Information https://csrc.nist.gov/projects/risk-management/sp800-53-controls
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
Withdrawal
Announcement Link
https://doi.org/10.6028/NIST.SP.800-53r5
https://csrc.nist.gov/projects/risk-management/sp800-53-controls
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
NIST Special Publication 800-53
Revision 4
Security and Privacy Controls for
Federal Information Systems
and Organizations
JOINT TASK FORCE
TRANSFORMATION INITIATIVE
This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.SP.800-53r4
http://dx.doi.org/10.6028/NIST.SP.800-53r4
NIST Special Publication 800-53
Revision 4
Security and Privacy Controls for
Federal Information Systems
and Organizations
JOINT TASK FORCE
TRANSFORMATION INITIATIVE
This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.SP.800-53r4
April 2013
INCLUDES UPDATES AS OF 01-22-2015
U.S. Department of Commerce
Rebecca M. Blank, Acting Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Under Secretary of Commerce for Standards and Technology and Director
http://dx.doi.org/10.6028/NIST.SP.800-53r4
Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems
and Organizations
_____________________________________________ ...
Government Technology & Services Coalition & InfraGard NCR's Program: Cyber Security: Securing the Federal Cyber Domain by Strengthening Public-Private Partnership
Presentation: Cybersecurity for Government Contractors
Presenter: Robert Nichols, Partner, Covington & Burling LLP
Please join Jennifer Schaus & Associates every Wednesday in 2018 for a complimentary Wednesday series. For full audio of this presentation please visit (https://youtu.be/-vwaFjAnjiA). For more information about our federal contracting services please visit http://www.Jenniferschaus.com or contact us at 202-365-0598. Win more federal government contracts!
Hello Sir
We are a premier academic writing agency with industry partners in UK, Australia and Middle East and over 15 years of experience. We are looking to establish long-term relationships with industry partners and would love to discuss this opportunity further with you.
Thanks & Regards
visit our website.
www.onlineassignmenthelp.com.au
www.freeassignmenthelp.com
www.btechndassignment.cheapassignmenthelp.co.uk
www.cheapassignmenthelp.com
www.cheapassignmenthelp.co.uk/
http://www.cheapassignmenthelp.net/
CMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to KnowPECB
The CMMC, NIST 800-171, and ISO/IEC 27001 frameworks include the application of a structured approach to cybersecurity and a formal risk assessment process, and the implementation of customized security controls. However, each of them has a distinct scope.
The webinar covers
• US legislative overview, impacts and update in NIST adoption
• Weaving together NIST PF and NIST 800-171
• Quick definitions for CMMC / 27001 / 800-171
• Common scope elements between CMMC / 27001 / 800-171
• Differences in scope between CMMC / 27001 / 800-171
• When to implement each of the three
• How these three can support each other
• The link between these three and cyber insurance
• How each of these is used to measure and implement compliance
Presenters:
Anthony English
One of the top cybersecurity professionals in Atlantic Canada with extensive Canadian and International experience in cybersecurity covering risk assessment, management, mitigation, security testing, business continuity, information security management systems, architecture security reviews, project security, security awareness, lectures, presentations and standards-based compliance.
George Usi
George Usi is the CEO of Omnistruct Inc, a GaaS (cyber Governance as a Service) company with a vision to be the safety airbag of cyber risk and compliance.
After more than twenty-five years in internet open standards, networking, and security, George recognized that getting hacked in an Internet-delivered world was a matter of when. He also recognized that cyber laws with the potential of steep fines for business leaders who neglect to illustrate cyber security diligence would evolve with more aggressive sanctions in arrears of hacker success. So, he ideated a goal to eliminate cyber risk and set a mission for Omnistruct to be the “safety airbag” of cyber compliance. With a continuous audit and documentation approach, business owners can protect consumer privacy rights when they ideate, illustrate, and continuously measure their cyber posture using a new US guideline in cyber risk developed by NIST.
George attended California State University Chico, is a graduate of California State University Sacramento and a graduate of the Stanford Latino Executive Initiative (SLEI-ed) and Latino Business Action Network (LBAN) Graduate School of Business certificate program.
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/iso-27001-information-technology--security-techniques-information-security--management-systems---requirements
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701
Webinars: https://pecb.com/webinars
Articles: https://pecb.com/article
Whitepapers: https://pecb.com/whitepaper
Company Background & Operating EnvironmentThe assigned case study .docxbrownliecarmella
Company Background & Operating Environment
The assigned case study and attachments to this assignment provide information about “the company.”
·
Use the Baltimore field office as the target for the System Security Plan
·
Use Verizon FiOS as the Internet Services Provider (see
http://www.verizonenterprise.com/terms/us/products/internet/sla/
)
Policy Issue & Plan of Action
A recent risk assessment highlighted the need to formalize the security measures required to protect information, information systems, and the information infrastructures for the company’s field offices. This requirement has been incorporated into the company’s risk management plan and the company’s CISO has been tasked with developing, documenting, and implementing the required security measures. The IT Governance board also has a role to play since it must review and approve all changes which affect IT systems under its purview.
The CISO has proposed a plan of action which includes developing system security plans using guidance from NIST SP-800-18
Guide for Developing Security Plans for Federal Information Systems.
The IT Governance board, after reviewing the CISO’s proposed plan of action, voted and accepted this recommendation. In its discussions prior to the vote, the CISO explained why the best practices information for security plans from NIST SP 800-18 was suitable for the company’s use. The board also accepted the CISO’s recommendation for creating a single
System Security Plan
for a
General Support System
since, in the CISO’s professional judgement, this type of plan would best meet the “formalization” requirement from the company’s recently adopted risk management strategy.
Your Task Assignment
As a staff member supporting the CISO, you have been asked to research and then draft the required
system security plan
for a
General Support System.
In your research so far, you have learned that:
·
A general support system is defined as “an interconnected set of information resources under the same direct management control that shares common functionality.” (See NIST SP 800-18)
·
The Field Office manager is the designated
system owner
for the IT support systems in his or her field office.
·
The
system boundaries
for the field office
General Support System
have already been documented in the company’s enterprise architecture (see the case study).
·
The
security controls
required for the field office IT systems have been documented in a security controls baseline (see the controls baseline attached to this assignment).
Research:
1.
Review the information provided in the case study and in this assignment, especially the information about the field offices and the IT systems and networks used in their day to day business affairs.
2.
Review NIST’s guidance for developing a System Security Plan for a general support IT System.
This information is presented in NIST SP 800-18.
http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-fina ...
A Clear Path to NIST & CMMC Compliance - 2022 Summit.pptxJack Nichelson
Beginning in 2020, the DoD will use the Cybersecurity Maturity Model Certification (CMMC) to verify contractors of the Defense Industrial Base are operating with effective cyber hygiene. In order to bid on, maintain, and win future DoD contracts, all organizations will need to prove their required level of cyber maturity. If you do business with the DPD, NASA, GSA or another state/federal agency, you need to be prepared for the CMMC framework. In this presentation, we discuss the potential impacts on your business, while introducing an affordable, practical and secure solution for contractors preparing for CMMC certification.In addition to answering questions from attendees, this presentation will cover the following topics:• What You Need to Know About CMMC• CMMC 2.0 Proposed Changes• The Crawl – Walk – Run of CMMC• Preliminary Steps for CMMC Success• How to improve your NIST SP 800-171 Self-Assessment SPRS score
Understanding Federal IT Compliance in Three Steps - SharePoint Fest DCAdam Levithan
Do you have government contracts or are looking to broaden your portfolio? Aggravated by acronyms like FISMA, DFARS or NIST? A new class was defined in 2015 as Controlled Unclassified Information (CUI) to add to the list of acronyms and as of January 1, 2018 its protection will be an integral piece of government contracts. In this session we'll cover the three steps to be complaint, and overview of the technologies required.
With all of the acronyms and numbers, it is challenging to determine what is what in the world of cyber security and compliance.
In the government space, the National Institute of Standards (NIST) has been the key body for identifying and determining standards related to protecting critical infrastructure and government data.
Participants will walk away more conversant in the alphabet soup of NIST requirements and how they apply to these various programs.
This presentation:
• Provides a deep dive in the the similarities and differences between standards such as NIST 800-53, 800-171, and frameworks such as the cybersecurity framework
• How these standards and frameworks apply to FedRAMP, CJIS, and very specific programs covering data like the Death Master File (DMF)
The DoD released v1.2 of the CMMC on March 18, 2020, Walkthrough the slides to understand
1. CMMC/DFARS/NIST SP 800-171
2. CMMC Framework
3. CMMC Levels & Requirements
4. The CMMC effort builds upon existing regulation
5. CMMC – Asset Management
6. CMMC Practices Across Domains per Maturity Levels
7. NIST 800-171 to CMMC Gaps
8. Certification & Accreditation Details
9. CMMC Training
10. Challenges being solved by Ignyte | Training
11. Challenges being solved by Ignyte | Automation
12. What is included within the Full CMMC Accreditation Package?
13. CMMC Accreditation Process Automated
This presentation was developed to accompany the live webinar hosted by Federal Publications Seminars. Guests included Bryan Van Brunt, Founder of Van Brunt Law Firm, P.A, and Max Aulakh, Founder & CEO of Ignyte Assurance Platform and Ignyte Institute, who discussed how to get on board with the emerging Cybersecurity Maturity Model Certification (CMMC) compliance regulations and to be able to continue working with the DoD as a prime or subcontractor after the interim rule comes into effect. It gives you both legal and technical perspectives on how to protect your business and maintain a competitive advantage, explains what tools and manpower are required to become compliant within the optimal period of time and with limited IT resources. Speakers also shared important lessons learned while running NIST and CMMC projects.
A business-level review of current security standards for the energy and utility school, a look around the corner at what's coming next from the standards bodies, and a discussion of the burdens this amount of change and uncertainty is is placing on executives and security professionals in the electric utilities.
https://class.waldenu.edu/webapps/assessment/take/launchAssessment.jsp?course_id=_16908130_1&
content_id=_61332310_1&mode=cpview
Date updated: September 23, 2021
Withdrawn NIST Technical Series Publication
Warning Notice
The attached publication has been withdrawn (archived) and is provided solely for historical purposes. It
may have been superseded by another publication (indicated below).
Withdrawn Publication
Series/Number NIST Special Publication 800-53 Rev. 4
Title Security and Privacy Controls for Federal Information Systems and
Organizations
Publication Date(s) April 2013 (including updates as of January 22, 2015)
Withdrawal Date September 23, 2021
Withdrawal Note SP 800-53 Rev. 4 is superseded in its entirety by SP 800-53 Rev. 5 (September
2020, including updates as of 12/10/20).
Superseding Publication(s) (if applicable)
The attached publication has been superseded by the following publication(s):
Series/Number NIST Special Publication 800-53 Rev. 5
Title Security and Privacy Controls for Information Systems and Organizations
Author(s) Joint Task Force
Publication Date(s) September 2020 (including updates as of December 10, 2020)
URL/DOI https://doi.org/10.6028/NIST.SP.800-53r5
Additional Information (if applicable)
Contact Computer Security Division (Information Technology Laboratory)
Latest revision of the
attached publication
Related Information https://csrc.nist.gov/projects/risk-management/sp800-53-controls
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
Withdrawal
Announcement Link
https://doi.org/10.6028/NIST.SP.800-53r5
https://csrc.nist.gov/projects/risk-management/sp800-53-controls
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
NIST Special Publication 800-53
Revision 4
Security and Privacy Controls for
Federal Information Systems
and Organizations
JOINT TASK FORCE
TRANSFORMATION INITIATIVE
This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.SP.800-53r4
http://dx.doi.org/10.6028/NIST.SP.800-53r4
NIST Special Publication 800-53
Revision 4
Security and Privacy Controls for
Federal Information Systems
and Organizations
JOINT TASK FORCE
TRANSFORMATION INITIATIVE
This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.SP.800-53r4
April 2013
INCLUDES UPDATES AS OF 01-22-2015
U.S. Department of Commerce
Rebecca M. Blank, Acting Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Under Secretary of Commerce for Standards and Technology and Director
http://dx.doi.org/10.6028/NIST.SP.800-53r4
Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems
and Organizations
_____________________________________________ ...
Government Technology & Services Coalition & InfraGard NCR's Program: Cyber Security: Securing the Federal Cyber Domain by Strengthening Public-Private Partnership
Presentation: Cybersecurity for Government Contractors
Presenter: Robert Nichols, Partner, Covington & Burling LLP
Please join Jennifer Schaus & Associates every Wednesday in 2018 for a complimentary Wednesday series. For full audio of this presentation please visit (https://youtu.be/-vwaFjAnjiA). For more information about our federal contracting services please visit http://www.Jenniferschaus.com or contact us at 202-365-0598. Win more federal government contracts!
Hello Sir
We are a premier academic writing agency with industry partners in UK, Australia and Middle East and over 15 years of experience. We are looking to establish long-term relationships with industry partners and would love to discuss this opportunity further with you.
Thanks & Regards
visit our website.
www.onlineassignmenthelp.com.au
www.freeassignmenthelp.com
www.btechndassignment.cheapassignmenthelp.co.uk
www.cheapassignmenthelp.com
www.cheapassignmenthelp.co.uk/
http://www.cheapassignmenthelp.net/
Levelwise PageRank with Loop-Based Dead End Handling Strategy : SHORT REPORT ...Subhajit Sahu
Abstract — Levelwise PageRank is an alternative method of PageRank computation which decomposes the input graph into a directed acyclic block-graph of strongly connected components, and processes them in topological order, one level at a time. This enables calculation for ranks in a distributed fashion without per-iteration communication, unlike the standard method where all vertices are processed in each iteration. It however comes with a precondition of the absence of dead ends in the input graph. Here, the native non-distributed performance of Levelwise PageRank was compared against Monolithic PageRank on a CPU as well as a GPU. To ensure a fair comparison, Monolithic PageRank was also performed on a graph where vertices were split by components. Results indicate that Levelwise PageRank is about as fast as Monolithic PageRank on the CPU, but quite a bit slower on the GPU. Slowdown on the GPU is likely caused by a large submission of small workloads, and expected to be non-issue when the computation is performed on massive graphs.
1. Cybersecurity Challenges
Protecting DoD’s Unclassified Information
Implementing DFARS Clause 252.204-7012, Safeguarding Covered
Defense Information and Cyber Incident Reporting
January 2019
Unclassified 1
2. Unclassified 2
Outline
• Protecting DoD’s Unclassified Information on the
Contractor’s Internal Information System
• DFARS Clause 252.204-7012, Safeguarding Covered
Defense Information and Cyber Incident Reporting
– Implementation and Guidance
• Resources
3. DoD has a range of activities that include both regulatory and voluntary
programs to improve the collective cybersecurity of the nation and
protect U.S. interests:
• Securing DoD’s information systems and networks
• Codifying cybersecurity responsibilities and procedures for the
acquisition workforce in defense acquisition policy
– Contractual requirements implemented through the Federal
Acquisition Regulation (FAR) and Defense FAR Supplement
(DFARS)
• DoD’s DIB Cybersecurity Program for voluntary cyber threat
information sharing
• Leveraging security standards such as those identified in National
Institute of Standards and Technology (NIST) Special Publication
800-171 “Protecting Controlled Unclassified Information in Nonfederal
Systems and Organizations” (Revision 1 published Dec 2016)
What DoD Is Doing
Unclassified 3
4. DFARS Clause 252.204-7012, Safeguarding Covered
Defense Information and Cyber Incident Reporting
DFARS Clause 252.204-7012 requires contractors/subcontractors to:
1. Provide adequate security to safeguard covered defense information
that resides on or is transiting through a contractor’s internal
information system or network
2. Report cyber incidents that affect a covered contractor information
system or the covered defense information residing therein, or
that affect the contractor’s ability to perform requirements
designated as operationally critical support
3. Submit malicious software discovered and isolated in connection
with a reported cyber incident to the DoD Cyber Crime Center
4. If requested, submit media and additional information to
support damage assessment
5. Flow down the clause in subcontracts for operationally critical
support, or for which subcontract performance will involve covered
defense information
Unclassified 4
5. Covered Defense Information
Covered Defense Information ̶ Term used to identify information that requires
protection under DFARS Clause 252.204-7012
• Unclassified controlled technical information (CTI) or other information, as
described in the CUI Registry,1 that requires safeguarding or dissemination
controls pursuant to and consistent with law, regulations, and Government
wide policies and is −
1) Marked or otherwise identified in the contract, task order, or delivery
order and provided to contractor by or on behalf of, DoD in support of
the performance of the contract; OR
2) Collected, developed, received, transmitted, used, or stored by, or on
behalf of, the contractor in support of the performance of the contract2
2 “In support of the performance of the contract” is not meant to include the contractor’s internal
information (e.g., human resource or financial) that is incidental to contract performance
1 Referenced only to point to information that requires safeguarding or dissemination
controls pursuant to and consistent with law, regulations, government-wide policies
See FAQs 19 - 30
Unclassified 5
6. Unclassified 6
Subcontractor Flowdown
When should DFARS Clause 252.204-7012 flow down to subcontractors?
• The clause is required to flow down to subcontractors only when performance
will involve operationally critical support or covered defense information
• The contractor shall determine if the information required for subcontractor
performance is, or retains its identify as, covered defense information and
requires safeguarding
• Flowdown is a requirement of the terms of the contract with the Government,
which must be enforced by the prime contractor as a result of compliance with
these terms
− If a subcontractor does not agree to comply with the terms of DFARS Clause
252.204–7012, then covered defense information shall not be shared with
the subcontractor or otherwise reside on it’s information system
The Department’s emphasis is on the deliberate management of
information requiring protection. Prime contractors should
minimize the flowdown of information requiring protection.
7. Unclassified 7
Adequate Security for Covered Defense Information
To provide adequate security to safeguard covered defense information:
DFARS 252.204-7012 (b) Adequate Security. … the contractor shall implement,
at a minimum, the following information security protections:
***
(b)(2)(ii)(A): The contractor shall implement NIST SP 800-171, Protecting
CUI in Nonfederal Systems and Organizations, as soon as practical, but not
later than December 31, 2017
***
(b)(3): Apply other information systems security measures when the Contractor
reasonably determines that information systems security measures, in addition
to those identified in paragraphs (b)(1) and (2) of this clause, may be required
DFARS 252.204-7012 directs how the contractor shall protect covered defense information;
The requirement to protect it is based in law, regulation, or Government wide policy.
8. Unclassified 8
Implementing NIST SP 800-171 Security Requirements
Most requirements in NIST SP 800-171 are about policy, process, and configuring
IT securely, but some may require security-related software or hardware. For
companies new to the requirements, a reasonable approach would be to:
1. Examine each of the requirements to determine
— Policy or process requirements
— Policy/process requirements that require an implementation in IT
(typically by either configuring the IT in a certain way or through use of
specific software)
— IT configuration requirements
— Any additional software or hardware required
The complexity of the company IT system may determine whether additional
software or tools are required
2. Determine which requirements can readily be accomplished by in-house IT
personnel and which require additional research or assistance
3. Develop a plan of action and milestones to implement the requirements
9. Approach to Implementing NIST SP 800-171 Requirements
AC AT AU CM IA IR MA MP PS PE RA CA SC SI
3.1.1 3.2.1 3.3.1 3.4.1 3.5.1 3.6.1 3.7.1 3.8.1 3.9.1 3.10.1 3.11.1 3.12.1 3.13.1 3.14.1
3.1.2 3.2.2 3.3.2 3.4.2 3.5.2 3.6.2 3.7.2 3.8.2 3.9.2 3.10.2 3.11.2 3.12.2 3.13.2 3.14.2
3.8.3 3.11.3 3.12.3 3.14.3
(3.12.4)
3.1.3 3.2.3 3.3.3 3.4.3 3.5.3 3.6.3 3.7.3 3.8.4 3.10.3 3.13.3 3.14.4
3.1.4 3.3.4 3.4.4 3.5.4 3.7.4 3.8.5 3.10.4 3.13.4 3.14.5
3.1.5 3.3.5 3.4.5 3.5.5 3.7.5 3.8.6 3.10.5 3.13.5 3.14.6
3.1.6 3.3.6 3.4.6 3.5.6 3.7.6 3.8.7 3.10.6 3.13.6 3.14.7
3.1.7 3.3.7 3.4.7 3.5.7 3.8.8 3.13.7
3.1.8 3.3.8 3.4.8 3.5.8 3.8.9 3.13.8
3.1.9 3.3.9 3.4.9 3.5.9 3.13.9
3.1.10 3.5.10 3.13.10
3.1.11 3.5.11 3.13.11
3.1.12 3.13.12
3.1.13 3.13.13
3.1.14 3.13.14
3.1.15 Policy/Process Policy or Software Requirement 3.13.15
3.1.16 3.13.16
3.1.17 Configuration Configuration or Software
3.1.18
3.1.19 Software Configuration or Software or Hardware
3.1.20
3.1.21 Hardware Software or Hardware
3.1.22
Basic
(FIPS 200)
Derived
(800-53)
Unclassified 9
10. Unclassified 10
Alternative but Equally Effective
Security Measures
• Per DFARS Clause 252.205-7012(b)(2)(ii)(B), if the offeror proposes to
vary from NIST SP 800-171, the Offeror shall submit to the Contracting
Officer, for consideration by the DoD CIO, a written explanation of -
- Why security requirement is not applicable; OR
- How an alternative but equally effective security measure is
used to achieve equivalent protection
• When DoD CIO receives a request from a contracting officer,
representatives in DoD CIO review the request to determine if the
proposed alternative satisfies the security requirement, or if the
requirement for non-applicability is acceptable
- The assessment is documented and provided to the contracting officer,
generally within 5 working days
- If request is favorably adjudicated, the assessment should be included
in the contractor’s system security plan
See FAQ 59 - 62
11. Demonstrating Implementation of NIST SP 800-171
— System Security Plan and Plans of Action
• To document implementation of NIST SP 800-171, companies should
have a system security plan in place, in addition to any associated
plans of action:
̶ Security Requirement 3.12.4 (System Security Plan): Requires the
contractor to develop, document, and periodically update, system
security plans that describe system boundaries, system environments
of operation, how security requirements are implemented, and the
relationships with or connections to other systems
̶ Security Requirement 3.12.2 (Plans of Action): Requires the contractor
to develop and implement plans of action designed to correct
deficiencies and reduce or eliminate vulnerabilities in their systems,
and to describe how and when any unimplemented security
requirements will be met
Unclassified 11
12. Unclassified 12
Cloud Computing
Safeguarding Covered Defense Information and Cyber Incident Reporting
48 CFR Parts 202, 204, 212, and 252, DFARS Clause 252.204-7012
• Applies when a contractor uses an external cloud service provider to store, process,
or transmit Covered Defense Information on the contractor’s behalf
• Ensures that the cloud service provider:
— Meets requirements equivalent to those established for the Federal Risk and
Authorization Management Program (FedRAMP) Moderate baseline
— Complies with requirements for cyber incident reporting and damage assessment
Cloud Computing Services
48 CFR Parts 239 and 252, DFARS Clause 252.239-7010
• Applies when a cloud solution is being used to process data on the DoD's behalf or
DoD is contracting with Cloud Service Provider to host/process data in a cloud
• Requires the cloud service provider to:
— Comply with the DoD Cloud Computing Security Requirements Guide
— Comply with requirements for cyber incident reporting and damage assessment
13. Unclassified 13
Protecting the DoD’s Unclassified Information See FAQ 32
Security requirements
from CNSSI 1253, based
on NIST SP 800-53, apply
DFARS Clause 252.204-7012,
and/or FAR Clause 52.204-21,
and security requirements
from NIST SP 800-171 apply
When cloud services are
used to process data on the
DoD's behalf, DFARS Clause
252.239-7010 and DoD Cloud
Computing SRG apply
DoD Owned and/or
Operated Information System
System Operated
on Behalf of the DoD
Contractor’s Internal System
Controlled Unclassified
Information
Federal
Contract
Information
Covered
Defense Information
(includes Unclassified
Controlled Technical Information)
Controlled
Unclassified Information
(USG-wide)
Cloud Service Provider
External CSP
Equivalent
to FedRAMP
Moderate
CSP
Internal Cloud
NIST SP 800-171
DoD Information
System
CSP
When cloud services are
provided by DoD, the DoD
Cloud Computing SRG applies
Cloud Service Provider
Controlled Unclassified Information
14. Unclassified 14
DFARS Clause 252.204-7012, Safeguarding Covered
Defense Information and Cyber Incident Reporting
Implementation
• Identification and Marking of Covered Defense
Information
• Cyber Incident Reporting and Damage Assessment
15. Government/Requiring Activity is required to:
• Use DoDM 5200.01 Vol 4, DoD Information Security Program: CUI and DoDI
5230.24, Distribution Statements on Technical Documents to identify and mark
covered defense information
• Use Section C, e.g., Statement of Work, of the contract to require development
and delivery of covered defense information from the contractor
• Direct appropriate marking and dissemination for covered defense information
in the contract (e.g., Block 9 of Contract Data Requirements List (CDRL) DD Form
1423). Additional markings (e.g., Export Control) can be placed in Block 16.
• Verify that covered defense information is appropriately marked when provided
to the contractor as Government Furnished Information (GFI)
The Contractor is responsible for:
• Following the terms of the contract, which includes applying the marking and
dissemination requirements directed by the Government and found in the
Statement of Work and/or Contract Data Requirements Lists
• Appropriately flowing down marking requirements to subcontractors
Identification and Marking of Covered Defense Information
Unclassified 15
16. DoDI 5230.24 – Distribution Statements on
Technical Documents
Distribution authorized to DoD only; Proprietary Information; 15 Apr 2017. Other requests for this document shall be
referred to AFRL/VSSE, 3550 Aberdeen Ave. SE, Kirtland AFB, NM 87117-5776. REL TO UK
* Distro A: Public Release –
NO Dissemination limitation
Reason Date Controlling Org
Distribution A: Public Release*
Distribution B: U.S. Govt Only
Distribution C: U.S. Govt & Contractors
Distribution D: DoD & US DoD
Contractors
Distribution E: DoD only
Distribution F: Further dissemination
only as directed by controlling office
Administrative or Operational Use
Contractor Performance Evaluation
Critical Technology
Direct Military Support
Export Controlled
Foreign Government Information
Operations Security
Premature Dissemination
Proprietary Information
Software Documentation
Specific Authority
Test and Evaluation
Vulnerability Information
Dissemination Limitation
Note:
Controlling
Org can be
different
than the
Authoring
Org
Note:
Reason
Determination
Date
Example of Marking for Export Control Warning (Also requires separate distribution statement)
Example of Marking for Distribution Statement E
WARNING - This document contains technical data whose export is restricted by the Arms Export Control Act (Title 22,
U.S.C., Sec 2751, et seq.) or the Export Administration Act of 1979 (Title 50, U.S.C., App. 2401 et seq.), as amended.
Violations of these export laws are subject to severe criminal penalties. Disseminate in accordance with provisions of
DoD Directive 5230.25.
Unclassified 16
17. Statement of Work (Section C)
̶ Prepared by Requiring Activity when DoD
requires development and delivery of
covered defense information
Contract Clauses (Section I), includes
̶ FAR Clause 52.204-2, when contract
involves access to Confidential, Secret, or
Top Secret information
̶ FAR Clause 52.204-21, when contract
involves Federal Contract Information
̶ DFARS Clause 252.204-7012 in all
contracts except COTS
List of Attachments (Section J)
̶ Data deliverables as identified in Contract
Data Requirements List (CDRL)
̶ Security Classification Guides
̶ Specifications
̶ Other Government Furnished Information
Identification and Marking of Covered Defense Information
Preparation of Statement of Work (SOW)
SCG
Unclassified 17
18. Identification and Marking of Covered Defense Information
Contract Data Requirements List (CDRL) Form DD1423
No change to existing marking procedures for contract deliverables – e.g.,
controlled technical information is marked in accordance with DoDI 5230.24
Item 9. For technical information, specify requirement
for contractor to mark the appropriate distribution
statement on the data (ref. DoDI 5230.24); information is
controlled when distribution statement is B-F
Unclassified 18
DoDI 5230.24
19. Unclassified 19
Cyber Incident Reporting
When reporting a cyber incident, contractors/subcontractors submit
to DoD—
• A cyber incident report via https://dibnet.dod.mil/
• Malicious software if detected and isolated
• Media or access to covered contractor information systems and equipment when
requested by the requiring activity/contracting officer
Upon receipt of a cyber incident report —
• The DoD Cyber Crime Center (DC3) sends the report to the contracting officer(s)
identified on the Incident Collection Format (ICF) via encrypted email; the
contracting officer(s) provide the ICF to the requiring activity(ies)
• DC3 analyzes the report to identify cyber threat vectors and adversary trends
• DC3 contacts the reporting company if the report is incomplete (e.g., no contract
numbers, no contracting officer listed)
20. Unclassified 20
Cyber Incident Damage Assessment Activities
Purpose of the cyber incident damage assessment —
• Determine impact of compromised information on U.S. military
capability underpinned by the technology
• Consider how the compromised information may enable an
adversary to counter, defeat, or reverse engineer U.S. capabilities
• Focus on the compromised intellectual property impacted by the
cyber incident ̶ not on the compromise mechanism
DoD decision to conduct a cyber incident damage assessment —
• Contracting officer verifies clause is included in the contract
• The Requiring Activity and the DoD Component damage assessment
office (DAMO) will determine if a cyber incident damage assessment
is warranted
• Decision to request media must be made within 90 days of the cyber
incident report
21. Unclassified 21
DFARS Clause 252.204-7012, Safeguarding Covered
Defense Information and Cyber Incident Reporting
Compliance
• Compliance with DFARS Clause 252.204-7012
• Demonstrating Implementation of the Security Requirements
in NIST SP 800-171
• Enhance Cybersecurity Measures Provided by DFARS Clause
252.204-7012 and NIST SP 800-171
22. Contractor Compliance — Implementation of
DFARS Clause 252.204-7012
• By signing the contract, the contractor agrees to comply with the terms
of the contract and all requirements of the DFARS Clause 252.204-7012
• It is the contractor’s responsibility to determine whether it is has
implemented the NIST SP 800-171 (as well as any other security
measures necessary to provide adequate security for covered defense
information)
̶ DoD will not certify that a contractor is compliant with the
NIST SP 800-171 security requirements
̶ Third party assessments or certifications of compliance are not
required, authorized, or recognized by DoD
• Per NIST SP 800-171, federal agencies may consider the submitted
system security plan and plans of action as critical inputs to an overall
risk management decision to process, store, or transmit CUI on a
nonfederal organization
Unclassified 22
23. Strategies to Enhance Cybersecurity Measures Provided by
DFARS Clause 252.204-7012 and NIST SP 800-171
• The Office of the Principal Director, Defense Pricing and Contracting (DPC)
issued guidance on Nov 6, 2018 to provide acquisition personnel with a
framework of actions that can be tailored by a program office/requiring
activity, commensurate with program risk, to assess the contractor's
approach to protecting the Department's controlled unclassified
information.
• The Assistant Secretary of Defense for Acquisition released a memorandum
on Dec 17, 2018 that provides program offices and requiring activities with
sample Statement of Work (SOW) language that can be used in conjunction
with the DPC guidance issued on Nov 6, 2019.
• The guidance includes language to request Contractors to identify, track
and restrict flow down of DoD CUI and language to request list Tier 1 level
suppliers.
See DPC Website at https://www.acq.osd.mil/dpap/pdi/cyber/
guidance_for_assessing_compliance _and_enhancing_protections.html
Unclassified 23
24. Defense Contract Management Agency (DCMA)
Oversight of DFARS Clause 252.204-7012
Actions DCMA will take in response to DFARS Clause 252.204-7012:
• Encourage industry to adopt corporate, segment, or facility-level system security plans
as may be appropriate in order to ensure more consistent implementations and to
reduce costs
• Verify that system security plans and any associated plans of action are in place (DCMA
will not assess plans against the NIST 800-171 requirements)
• If potential cybersecurity issue is detected –notify contractor, DoD program office, and
DoD CIO
• During the normal Contract Receipt and Review process -verify that DFARS Clause
252.204-7012 is flowed down to sub-contractors/suppliers as appropriate
• For contracts awarded before October 2017 -verify that contractor submitted to DoD
CIO notification of security requirements not yet implemented
• Verify contractor possesses DoD-approved medium assurance certificate to report
cyber incidents
• When required, facilitate entry of government assessment team into contractor
facilities via coordination with cognizant government and contractor stakeholders
Unclassified 24
25. Resources —
Frequently Asked Questions (FAQs)
Quick Look for FAQ Topics
Safeguarding Covered Defense Information and
Cyber Incident Reporting (DFARS 252.204-7008
and 252.204-7012)
General
Q1 ̶ Q18
Covered Defense Information
Q19 ̶ Q30
Operationally Critical Support
Q31
Safeguarding Covered Defense Information
Q32 ̶ Q34
Cyber Incidents and Reporting
Q35 ̶ Q45
Submission of Malicious Software
Q46
Cyber Incident Damage Assessment
Q47
NIST SP 800-171
General Implementation Issues
Q49 ̶ Q67
Specific Security Requirements
Q68 ̶ Q98
Cloud Computing
General
Q99 ̶ 101
Cloud solution being used to store data on
DoD’s behalf (DFARS 252.239-7009 and
252.204-7010, Cloud Computing Services)
Q102
Contractor using cloud solution to store
covered defense information (DFARS
252.204-7008 and 252.204-7012 apply)
Q103 ̶ Q109
Basic Safeguarding of Contractor Information
Systems (FAR Clause 52.204.21)
Q48
Limitations on the use or disclosure of third-party
contractor reported cyber incident information
(DFARS Clause 252.204-7009)
Q47
Unclassified 25
26. Resources
• NIST Manufacturing Extension Partnership (MEP)
̶ Public-private partnership with Centers in all 50 states and Puerto Rico
dedicated to serving small and medium-sized manufacturers
̶ Published “Cybersecurity Self-Assessment Workbook for Assessing
NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity
Requirements”, November 2017
https://nvlpubs.nist.gov/nistpubs/hb/2017/NIST.HB.162.pdf
• Procurement Technical Assistance Program (PTAP) and Procurement Technical
Assistance Centers (PTACs)
̶ Nationwide network of centers/counselors experienced in government
contracting, many of which are affiliated with Small Business Development
Centers and other small business programs
http://www.dla.mil/HQ/SmallBusiness/PTAP.aspx
• Cybersecurity Evaluation Tool (CSET)
̶ No-cost application, developed by DHS, provides step-by-step process to
evaluate information technology network security practices
https://ics-cert.us-cert.gov/Downloading-and-Installing-CSET
Unclassified 26
27. Resources
• Cybersecurity in DoD Acquisition Regulations page at (http://dodprocurementtoolbox.com/)
for Related Regulations, Policy, Frequently Asked Questions, and Resources, June 26, 2017
• DPAP Website (http://www.acq.osd.mil/dpap/dars/dfarspgi/current/index.html)
for DFARS, Procedures, Guidance and Information (PGI), and Frequently Asked Questions
• NIST SP 800-171, Revision 1
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf)
• NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information
(https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171a.pdf)
• DoDI 5230.24, Distribution Statements on Technical Documents
(www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/523024p.pdf)
• Cloud Computing Security Requirements Guide (SRG)
(http://iasecontent.disa.mil/cloud/SRG/)
• DoD’s Defense Industrial Base Cybersecurity program (DIB CS Program)
(https://dibnet.dod.mil)
Questions? Submit via email at osd.dibcsia@mail.mil
Unclassified 27
28. Unclassified 28
Additional Regulations, Policy and Guidance
• 32 CFR Part 236, “DoD Defense Industrial Base Cybersecurity Activities”
• 32 CFR 2002, “Controlled Unclassified Information”
• FAR Case 2017-016, “Controlled Unclassified Information,”
• NIST Cybersecurity Framework
• FedRAMP and the DoD Cloud Computing Security Requirements Guide
• DoDI 8582.01, “Security of Unclassified DoD Information on
Non-DoD Information Systems,”
• DoDM 5200.01, Volume 4, “DoD Information Security Program: Controlled
Unclassified Information”
• DoDI 5000.02, Enclosure 14, “Cybersecurity in the Defense Acquisition
System”
29. 29
MARINE CORPS SYSTEMS
COMMAND
Equipping our MARINES
29
DISTRIBUTION STATEMENT A. Approved for public release. Distribution is unlimited.
• The Assistant Secretary of the Navy (Research, Development
and Acquisition) (ASN (RD&A)) issued new guidance on the
Implementation of Enhanced Security Controls on
Defense Industrial Base (DIB) Partner Networks
o Summary: All DoN Program Managers under ASN (RD&A)’s
purview as the Service Acquisition Executive are now required to
immediately insert into current and future contracts, task or delivery
order Statements of Work (SOW) language and Contract Data
Requirement Lists (CDRLs) requiring System Security Plans
(SSPs) that implement the Security Controls in accordance with
Defense Federal Acquisition Regulation Supplement (DFARS)
252.204-7012, National Institute of Standards and Technologies
(NIST) SP 800-171 and NIST Special Publication 800-53.
Department of the Navy (DoN) Current Guidance
30. Unclassified 30
DFARS Clause 252.204-7012, Safeguarding Covered
Defense Information and Cyber Incident Reporting
QUESTIONS
33. 33
MARINE CORPS SYSTEMS
COMMAND
Equipping our MARINES
33
DISTRIBUTION STATEMENT A. Approved for public release. Distribution is unlimited.
Cyber threats targeting government unclassified information has dramatically increased
DOJ Hits Chinese Hackers For
Attacking U.S. Navy, Agencies,
Companies Nextgov, 12/20/18
US indicts alleged Chinese Hackers
for ‘unrelenting effort’ to steal tech
abcnews, 12/20/18
Chinese hackers stole sensitive
U.S. Navy submarine plans from
contractor Cyberscoop, 06/08/18
Chinese Hackers Steal Navy Secrets,
Exposing Plans for Underwater
Warfare Yahoo News, 06/08/18
The DoD develops its own information and also acquires information from the defense
industrial base (contractors). The Chinese are investing in a range of platforms, and
what they cannot develop on their own, they steal — often through cyberspace
34. 34
MARINE CORPS SYSTEMS
COMMAND
Equipping our MARINES
34
DISTRIBUTION STATEMENT A. Approved for public release. Distribution is unlimited.
THE BASICS
• Safeguard Covered Defense Information (CDI) that is resident on or transiting
through a contractor’s internal information systems or networks. This includes
subs.
• Report all Cyber incidents that affect CDI or that impact the contractor’s ability
to perform the requirements designated as operationally critical support to
DAMO and DC3.
• Submit malicious software discovered and isolated in connection with a
reported cyber incident to the DC3.
• The contractor shall provide adequate security on all covered contractor
information systems that are not part of an IT system operated on behalf of the
Government, meaning at a minimum, “the contractor shall implement NIST SP
800-171, as soon as practical, but not later than December 31, 2017.”
Currently required in ALL contracts
except for those solely for the acquisition of COTS items.
DFARS Clause 252.204-7012 (Oct 2016)
35. 36
MARINE CORPS SYSTEMS
COMMAND
Equipping our MARINES
36
DISTRIBUTION STATEMENT A. Approved for public release. Distribution is unlimited.
THE BASICS
NIST SP 800-171
What is the NIST SP 800-171?
• A minimum requirement, this standard will enable Contractors to comply
with the new guidance using systems and practices to protect Controlled
Unclassified Information (CUI) that should already be in place.
• Program Managers have now been mandated by the ASN to require
Contractors to submit a System Security Plan (SSP) that implements the
security requirements in DFARS 252.204-7012 and ALL security
requirements in NIST SP 800-171.
• Program Managers shall not approve SSPs that do not demonstrate
compliance with the new requirements or include a Plan of Action &
Milestones (POA&M) identify intended corrective action plans for each
requirement that must to be accomplished to remediate security
vulnerabilities. The goal of a POA&M should be to identify the security
controls that are not met, and document the plan for meeting each control.
36. 37
MARINE CORPS SYSTEMS
COMMAND
Equipping our MARINES
37
DISTRIBUTION STATEMENT A. Approved for public release. Distribution is unlimited.
New Contract Requirements
• Three (3) CDRLs
• A CDRL requiring an initial and quarterly SSP with POA&M
• A CDRL requiring a list of all the Contractors Tier 1 Level Suppliers
– A CDRL requiring Contractors use DC3 reporting of all Cyber
Incidents
• Two (2) DIDs
• DID for Contractor’s SSP and POA&M for Contractors Internal CUI
• DID for Contractor’s Record of Tier 1 Level Suppliers
Receiving/Developing CUI
• Attachment 1 - Contractor CUI-SSP-Template
• Attachment 2 - DoD Guidance for how the Gov’t will Review SSPs
• Updated SOW Language to include all of the above