Government contracts require cybersecurity compliance regardless of the agency or contract type. FAR 52.204-21 addresses the basic requirements of all businesses and the Federal Register commentary around the clause states these are “measures every prudent business should follow to protect their own data.”
Defense contractors face additional requirements with DFARS 252.204-7012 and the impending Cybersecurity Maturity Model Certification (CMMC) slated for mid- to late-2020.
Regardless of the specific requirements in your contracts, every business should want to exercise prudent measures to protect themselves and their employees, customers, and suppliers. Join us to learn practical measures every business can implement - measures that will help you achieve compliance with CMMC Level 1.
APTAC Spring 2020
www.leftbrainpro.com
2. Who we are
Left Brain Professionals is a boutique accounting firm that
serves government contractors. We specialize in accounting
system design, implementation and audit support.
3. Our Team
Robert E. Jones
Government Contracts & Accounting Expert
CPA, CPCM, NCMA Fellow
• Robert has over 16 years of Department of Defense contract and accounting experience.
• He has successfully managed over $400 million in federal contracts.
Melissa Metzger
Government Accounting & Finance Advisor
MAFM, CPA Candidate
• Melissa has successfully developed and instituted compliant and efficient processes that have saved businesses over $1.5 million during the last 5 years.
• She has successfully managed over $100 million in annual federal funds.
7. Learning Objectives
• Identify the cybersecurity requirements in government contracts.
• Describe the basic requirements of FAR 52.204-21 and CMMC Level 1.
• List tools to address CMMC Level 1 requirements.
• Locate resources for cybersecurity compliance.
10. Cybersecurity Requirements in Government Contracts
Generally you are looking for FAR 52.204-21, DFARS 252.204-7012 and CMMC.
• Look in the RFQ, the final award, and modifications
• Note that requirements may change over time
• Not all agencies follow the same format
• Government agencies and primes use different formats
• May be listed in the T&Cs or in a separate document
• Under CMMC, all DoD contractors will require certification to perform work on any DoD contract
12. CMMC Comprised of Five Levels
All DoD contractors will be required to certify at least Level 1.
13. CMMC Comprised of Five Levels, Continued…
Level 1 contains 17 practices or requirements.
14. CMMC Comprised of Five Levels, Continued…
Progression of CMMC certification goes from basic safeguarding (Level 1) to advanced or progressive reduction of risk (Level 5).
15. CMMC Comprised of Five Levels, Continued…
If you remember our studies on NIST SP 800-171, the categories of protection look similar.
16. CMMC Comprised of Five Levels, Continued…
A quick comparison of CMMC to the FAR and NIST requirements.
18. The Requirements
Basic Requirement 1
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). (P1001)
Deny by default, allow by exception. Create accounts only for known individuals, processes, or devices, and disable accounts promptly when a person or system no longer needs access.
Tip or Tool: Implement Active Directory or LDAP and limit access to networks and external services to only listed users. Consider a single sign-on (SSO) solution to provision accounts and manage access.
• Office 365 & Azure AD
19. Basic Requirement 2
Limit information system access to the types of transactions and functions that authorized users are permitted to execute. (P1002)
Tip or Tool: Employ the rule of least privilege: assign user and system accounts only the minimal access necessary, and keep day-to-day user accounts separate from administrator accounts.
20. Basic Requirement 3
Verify and control/limit connections to and use of external information systems. (P1003)
This covers synchronization with external systems, such as backups or data sharing between systems.
Tip or Tool: Deny external traffic by default. Maintain a policy to review any app, cloud, or external service before use, and keep an inventory of the services that have been approved.
21. Basic Requirement 4
Control information posted or processed on publicly accessible information systems. (P1004)
Tip or Tool: Policy to review what is posted on any website, portal, social media, or newsletter, so that Federal Contract Information is never posted publicly.
22. Basic Requirement 5
Identify information system users, processes acting on behalf of users, or devices. (P1076)
Tip or Tool: Create unique logins for all users and service accounts. No generic or shared logins.
23. Basic Requirement 6
Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. (P1077)
• Username and password at a minimum
Tip or Tool: Enable multi-factor authentication (MFA) on all networks, devices and cloud services, starting with email and remote access.
24. Basic Requirement 7
Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse. (P1118)
Tip or Tool: Remove and shred hard drives from all devices (including printers and copiers, which keep scanned documents on an internal drive). Many IT professionals do not consider software wiping a reliable sanitization practice, particularly for solid-state drives; if you sanitize rather than destroy, follow NIST SP 800-88 and keep a record of what was sanitized, when, and how.
25. Basic Requirement 8
Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. (P1131)
Tip or Tool: Put a lock on all servers: put them in a locked closet, room, or cage, and limit who holds the key.
26. Basic Requirement 9
Escort visitors and monitor visitor activity (P1132); maintain audit logs of physical access (P1133); and control and manage physical access devices (P1134).
Tip or Tool: Visitor logs and badges. Require all non-employees to check in and check out, even if you have a no-escort policy for certain visitors. Ensure access cards limit access in terms of days, times and locations (sites, rooms, etc.), and deactivate lost cards and the cards of departed staff promptly.
27. Basic Requirement 10
Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. (P1175)
Tip or Tool: Block unknown inbound traffic at the firewall by default and open only the ports and sources you need. Apply the rule of least privilege to firewall rules as well as to accounts.
28. Basic Requirement 11
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. (P1176)
Tip or Tool: The guest Wi-Fi network must be separate from the internal network. Host the public website on a third-party server. Remove any links from the public website into internal networks or cloud services.
29. Basic Requirement 12
Identify, report and correct information and information system flaws in a timely manner. (P1210)
Tip or Tool: Policy and forms/mechanisms for reporting and follow-up. Implement a help desk tool for tracking, and turn on automatic operating system and application updates so that known flaws are actually patched.
30. Basic Requirement 13
Provide protection from malicious code at appropriate locations within organizational information systems. (P1211)
Tip or Tool: Install antivirus & anti-malware on all devices (including phones and tablets).
31. Basic Requirement 14
Update malicious code protection mechanisms when new releases are available. (P1212)
Tip or Tool: Set antivirus software to update automatically (usually daily), and check periodically that the updates are actually being applied.
32. Basic Requirement 15
Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, or executed. (P1213)
Antivirus & anti-malware should be configured to scan files downloaded or copied from external media before opening.
Tip or Tool: Ensure proper configuration of antivirus & anti-malware: real-time protection on, removable media scanned, and a scheduled full scan.
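The following is an added example, not part of the original deck and not code from Left Brain Professionals. It spot-checks one Windows computer against the tips for Requirements 5, 6, 10, 13, 14 and 15 above, so you can see whether the settings you think are in place actually are. It assumes Microsoft Defender Antivirus and Windows Defender Firewall (the tools built into Windows 10/11 and Windows Server), an elevated PowerShell 5.1 or later session, and it uses only the standard Defender, NetSecurity and LocalAccounts cmdlets. The thresholds (signatures older than one day, no quick scan in seven days) and the list of generic account names are assumptions to adjust for your environment; the practice identifiers follow the deck's numbering.

```powershell
# CMMC Level 1 host spot-check (added example; not from the original deck).
# Assumes Microsoft Defender Antivirus + Windows Defender Firewall, run elevated.
#Requires -RunAsAdministrator

$findings = [System.Collections.Generic.List[string]]::new()

function Add-Finding([string]$Practice, [string]$Message) {
    $findings.Add(("{0}: {1}" -f $Practice, $Message))
}

# --- P1211 / P1212 / P1213: malicious code protection, updates, scans --------
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled)          { Add-Finding 'P1211' 'Antivirus engine is disabled.' }
if (-not $mp.RealTimeProtectionEnabled) { Add-Finding 'P1213' 'Real-time scanning is off; downloaded files are not scanned on access.' }
if ($mp.AntivirusSignatureAge -gt 1)    { Add-Finding 'P1212' "Antivirus signatures are $($mp.AntivirusSignatureAge) days old (expect daily updates)." }   # threshold is an assumption
if ($mp.QuickScanAge -gt 7)             { Add-Finding 'P1213' "Last quick scan was $($mp.QuickScanAge) days ago (expect at least weekly)." } # threshold is an assumption

$pref = Get-MpPreference
if ($pref.DisableRealtimeMonitoring)     { Add-Finding 'P1213' 'Real-time monitoring is disabled by policy.' }
if ($pref.DisableIOAVProtection)         { Add-Finding 'P1213' 'Scanning of downloaded files and attachments (IOAV) is disabled.' }
if ($pref.DisableRemovableDriveScanning) { Add-Finding 'P1213' 'Removable drive scanning is disabled; external media will not be scanned.' }

# --- P1175: boundary protection (deny inbound by default on every profile) ----
# DefaultInboundAction of NotConfigured means the built-in default, which is Block,
# so only an explicit Allow is reported as a finding.
foreach ($profile in Get-NetFirewallProfile) {
    if ($profile.Enabled -ne 'True') {
        Add-Finding 'P1175' "Firewall profile '$($profile.Name)' is disabled."
    } elseif ($profile.DefaultInboundAction -eq 'Allow') {
        Add-Finding 'P1175' "Firewall profile '$($profile.Name)' allows inbound traffic by default."
    }
}

# --- P1076 / P1077: unique identities and a credential on every account ------
$genericNames = @('Guest', 'admin', 'user', 'shared', 'temp')   # assumed naming patterns; adjust
foreach ($u in Get-LocalUser | Where-Object Enabled) {
    if ($genericNames -contains $u.Name) {
        Add-Finding 'P1076' "Enabled generic account '$($u.Name)'; disable it or tie it to one named person."
    }
    if (-not $u.PasswordRequired) {
        Add-Finding 'P1077' "Account '$($u.Name)' does not require a password."
    }
}

# --- Report: keep this output as evidence of the check ------------------------
Write-Output ("Host {0} checked {1:yyyy-MM-dd HH:mm}" -f $env:COMPUTERNAME, (Get-Date))
if ($findings.Count -eq 0) {
    Write-Output 'No findings: host passes the Level 1 spot-check.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it on a sample of workstations and the servers that hold contract data, keep the output with your other compliance records, and fix anything it reports before an assessor finds it. It checks only the local machine; MFA on Office 365 or Azure AD has to be confirmed in the admin portal.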
34. Domain
Buy a domain:
• No more Gmail, Hotmail, Yahoo, etc.
• Set up Office 365 or Google G Suite for Business
• Why Office 365:
  • Affordable
  • Scalable
  • Built-in security
35. Password Management
Select a password manager such as:
• LastPass
• 1Password
• Dashlane
36. Training, Training, Training
Train all employees annually on basic cyber hygiene:
• NICCS
• Cybersecurity Training