NIST 800-171 Simplifying CUI and DFARS Compliance

2. EmeSec
We help our clients protect their mission, reputation and their growth engine by harnessing the power of security and compliance within their organization.
• We are a Security Solutions Company
• Cloud Security and Engineering
• Regulatory Compliance Services
• A FedRAMP accredited 3PAO
• Hold 4 ISO certifications:
  • ISO 9001:2015
  • ISO/IEC 20000-1:2011
  • ISO/IEC 27001:2013
  • ISO/IEC 17020:2012
EmeSec Incorporated ©2017
3. CUI – Wow! 135 Days & counting…
• CUI and DFARS 7012 compliance is mandated
  • Either December 2017, or within 30 days of contract award
• CUI and DFARS apply to all contractors
  • Prime and their subcontractors
  • Flow down requirements include 1099 staff as well
  • High tech and low tech companies
4. Oversight & Enforcement
• NARA Registry: http://www.archives.gov/cui/registry/category-list.html
• Federal Acquisition Requirements (FAR) 52.204-21
• Defense Federal Acquisition Regulations Supplement (DFARS) 252.204-7012
  • Two key requirements: (1) Adequate Security, (2) Incident Reporting
• NIST SP 800-171, Rev. 1
  • Published December 2016
  • Made the SSP (System Security Plan) a requirement for compliance

Definitions: What is CUI?
• Controlled Unclassified Information (CUI): unclassified information that requires safeguarding or dissemination controls
• Covered Defense Information (CDI): unclassified controlled technical information (CTI) or other information that requires safeguarding or dissemination controls
• Covered Contractor System: an information system owned or operated by a contractor that processes, stores, or transmits Federal contract information
6. Elements of CUI Compliance
• CUI requires compliance with 14 security control families
  • More complex than presented
• NIST SP 800-171, Page v states:
  • Satisfying these requirements should not be assumed to meet NIST SP 800-53 and FIPS 200

Acronym  Security Control Family
AC Access Control
AT Awareness & Training
AU Audit & Accountability
CM Configuration Management
IA Identification & Authentication
IR Incident Response
MA Maintenance
MP Media Protection
PE Physical & Environmental
PS Personnel Security
RA Risk Assessment
SA Security Assessment
SC System & Communication Protection
SI System & Information Integrity
7. Compliance, Due Diligence, Liability
The implications of non-compliance: risks and liabilities to your company
• Why?
  • Today, every business is a digital business
  • Every business has third party and supply chain connections
  • Due diligence is taking the effort to avoid harm or loss through reasonable care
Liability almost always comes from not demonstrating due diligence.
8. CUI and DFARS Compliance
1. CUI is more than Cyber
2. CUI is about a comprehensive InfoSec
3. CUI isn’t isolated – protect all of your data flow
4. Leadership and accountability are critical to CUI

Common Mistakes
1. Not accounting for non-cyber
2. Using a Checklist Mentality
3. Light Manufacturing Issues
4. Decision makers not in the process
9. Thank you for your time!
We would love to hear from you.
• Maria Horton, CEO
• Phone: 703.429.4492/4491
• Email: info@emesec.net
• @EmeSec
• @mariahorton
Contact us for a free CUI primer and Tips Handout!
Remember, there is still time to meet the deadline!