EmeSec Incorporated ©2017

Slide 1: Countdown to Compliance – CUI & DFARS
Maria Horton, CISSP-ISSMP
GTSC Capacity Building Day
August 17, 2017
Slide 2: EmeSec
We help our clients protect their mission, reputation and their growth engine by harnessing the power of security and compliance within their organization.
• We are a Security Solutions Company
• Cloud Security and Engineering
• Regulatory Compliance Services
• A FedRAMP accredited 3PAO
• Hold 4 ISO certifications:
  • ISO 9001:2015
  • ISO/IEC 20000-1:2011
  • ISO/IEC 27001:2013
  • ISO/IEC 17020:2012
Slide 3: CUI – Wow! 135 Days & counting ….
• CUI and DFARS 7012 compliance is mandated
  • Either December 2017, or within 30 days of contract award
• CUI and DFARS apply to all contractors
  • Prime and their subcontractors
  • Flow down requirements include 1099 staff as well
  • High tech and low tech companies
Slide 4: What is CUI?

Oversight & Enforcement
• NARA Registry: http://www.archives.gov/cui/registry/category-list.html
• Federal Acquisition Requirements (FAR) 52.204.21
• Defense Federal Acquisition Regulations Supplement (DFARS) 252.204.7012
  • Two key requirements: (1) Adequate Security, (2) Incident Reporting
• NIST SP 800-171, Rev. 1
  • Published December 2016
  • Made a System Security Plan (SSP) a requirement for compliance

Definitions
• Controlled Unclassified Information (CUI): unclassified information that requires safeguarding or dissemination controls
• Covered Defense Information (CDI): unclassified controlled technical information (CTI) or other information that requires safeguarding or dissemination controls
• Covered Contractor System: an information system owned or operated by a contractor that processes, stores, or transmits Federal contract information
Slide 5: CUI and DFARS – Information Supply Chain Protection
Slide 6: Elements of CUI Compliance
• CUI requires compliance with 14 security control families
• More complex than presented
• NIST SP 800-171, Page v states: satisfying these requirements should not be assumed to meet NIST SP 800-53 and FIPS 200

Acronym  Security Control Family
AC       Access Control
AT       Awareness & Training
AU       Audit & Accountability
CM       Configuration Management
IA       Identification & Authentication
IR       Incident Response
MA       Maintenance
MP       Media Protection
PE       Physical & Environmental
PS       Personnel Security
RA       Risk Assessment
SA       Security Assessment
SC       System & Communication Protection
SI       System & Information Integrity
Slide 7: Compliance, Due Diligence, Liability
The implications of non-compliance: risks and liabilities to your company
• Why?
  • Today, every business is a digital business
  • Every business has third party and supply chain connections
  • Due diligence is taking the effort to avoid harm or loss through reasonable care
Liability almost always comes from not demonstrating due diligence.
Slide 8: CUI and DFARS Compliance – Common Mistakes

   Point                                               Common Mistake
1. CUI is more than Cyber                              Not accounting for non-cyber
2. CUI is about a comprehensive InfoSec                Using a Checklist Mentality
3. CUI isn’t isolated – protect all of your data flow  Light Manufacturing Issues
4. Leadership and accountability is critical to CUI    Decision makers not in the process
Slide 9: Thank you for your time!
We would love to hear from you.
• Maria Horton, CEO
• Phone: 703.429.4492/4491
• Email: info@emesec.net
• @EmeSec
• @mariahorton
Contact us for a free CUI primer and Tips Handout!
Remember, there is still time to meet the deadline!
NIST 800-171 Simplifying CUI and DFARS Compliance