DFARS 252.204-7012 Cybersecurity for Federal Contractors: Where We Are and Where We Are Going © 2017-2019 RegDOX Solutions Inc. All Rights Reserved

DFARS 252.204-7012 Cybersecurity for Federal Contractors · 7/31/2019  · The Gap Analysis will spell out in detail the deficiencies identified, as well as recommendations for remediation


Page 1

DFARS 252.204-7012 Cybersecurity for Federal Contractors: Where We Are and Where We Are Going

© 2017-2019 RegDOX Solutions Inc. All Rights Reserved

Page 2

We will cover…

7/31/2019 2

Page 3

Introducing DFARS 252.204-7012

◦ FARs (Federal Acquisition Regulations)

◦ DFARS (Defense Federal Acquisition Regulation Supplement)

◦ DFARS contain the first agency-specific regulations of non-classified, sensitive information based on general controls published by the NIST (National Institute of Standards and Technology)

◦ DFARS impose “basic” controls for the safeguarding of contractor information systems that process, store, or transmit Federal contract information (CUI).

Page 4

Introducing DFARS 252.204-7012: Definitions

◦ CUI: “Controlled Unclassified Information” described in the CUI Registry*, which is administered by NARA (National Archives and Records Administration)

◦ CDI: “Covered Defense Information”. DoD CDI is essentially the same as FARS CUI, except that CDI has contractual differences defined in your contract

◦ Covered Defense Information System: Unclassified information system that is owned or operated by or for a contractor and that processes, stores, or transmits CDI

◦ CTI: A subset of CUI data is further clarified as "Controlled Technical Information", or CTI

◦ COTS Software: “Commercial Off-The-Shelf Software” excluded from classification as CUI; Provider is not subject to DFARS 252.204-7012

◦ UCTI: “Unclassified Controlled Technical Information”; term used by the original DFARS

◦ Cyber Incident: Event that results in a compromise or an actual or potentially adverse effect on a Covered Defense Information System and/or CDI

*http://www.archives.gov/cui/registry/category-list.html


Page 5

History of DFARS Cyber-security Regulations

1. Concerns about certain unclassified Government information being mishandled

2. Increasingly frequent and more sophisticated cyber attacks and intrusions

Page 6

Examples

1. 2001 – 2002: Scottish hacker gained access to 97 U.S. military networks while looking for information on UFOs; conveniently left the message, “Your security is crap.”

2. 2003 – 2008: Mathematician gained unfettered access to French aviation company Dassault; stole five years of weapons data before he was caught; $360 million cost

3. 2003 onward: Titan Rain, ongoing Chinese hacking of defense contractors and agencies (DoD, British Defense Ministry, Lockheed, Sandia National Labs, Redstone Arsenal, NASA)

4. Dec. 2014: Records on 21.5 million people stolen from the US Office of Personnel Management (OPM); used Chinese-created malware.

Page 7

Response

◦ Consensus developed that rules were needed for adequate security, incident reporting and remedial actions

◦ The reaction has been:

  ◦ General: NIST special publication (sp) 800-171 revision 1 (6/07/2018)*

  ◦ Specific: Agency and Departmental regulations or rules such as the Defense Department’s Supplement to the Federal Acquisition Regulations (DFARS – Defense Federal Acquisition Regulations Supplement)

*“Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations”

Page 8

Timeline of DFARS Cybersecurity Requirements

Date        Event

11/4/2010   Executive Order 13556 – Controlled Unclassified Information – program to be run by NARA to identify, manage and protect CUI

11/18/2013  DFARS Final Ruling implementing requirements for safeguarding CTI

8/26/2015   Interim Ruling for safeguarding CDI

10/8/2015   Class Deviation allowing for compliance 9 months after award

12/30/2015  Extended compliance to all NIST 800-171 Controls to 12/31/2017

5/15/2016   FAR Cyber Ruling – Applies subset of 15 controls from NIST (sp) 800-171

9/16/2016   NARA Final CUI Ruling

10/21/2016  DFARS Final Ruling; COTS exemption; Clarification of CDI (CUI Registry)

12/7/2017   DoD Undersecretary Ellen Lord explained that a System Security Plan (“a simple plan”) by 2018 is compliance

1/21/2019   Undersecretary Lord asked the Defense Contract Management Agency (DCMA) to audit and validate contractor compliance

Page 9

◦ DFARS 252.204-7008 – Compliance with Safeguarding Covered Defense Information Controls

◦ DFARS 252.204-7009 – Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information

◦ DFARS 252.239-7010 – Cloud Computing Services

◦ DFARS 252.204-7012 – Safeguarding Covered Defense Information (“CDI”); Cyber Incident Reporting

Page 10

Requirements:

◦ Adhering to the Cloud Computing Security Requirements Guide (SRG)

◦ Maintaining DoD data in US unless permitted otherwise in writing

◦ Imaging Hacked Systems for 90 days

◦ Notification of Third-party Access Requests

◦ Adequate security

  ◦ Must provide adequate security for contractor (internal) systems with CDI

  ◦ Minimum – NIST 800-171 compliance by December 31, 2017

  ◦ Can submit “alternate yet equally effective” controls or propose that specific controls are not applicable, each for approval

  ◦ Contracts awarded after September 2017: submit a report within 30 days after award to the DoD CIO listing controls not implemented at time of award

Page 11

◦ Contractors – access the DIBNet portal and complete fields in the Incident Collection Format (ICF)

◦ Access requires a DoD-approved medium assurance public key infrastructure (PKI) certificate

◦ Contact the DoD Cyber Crime Center (DC3) for additional information if PKI certificate not available

◦ It can take up to four weeks to obtain Incident Reporting Login credentials

◦ DFARS Clause 252.204-7012(m)(2) requires subcontractors to rapidly report cyber incidents directly to DoD and to the prime Contractor

◦ Must provide the incident report number to the prime Contractor (or next higher-tier subcontractor)

*http://dibnet.dod.mil

Page 12

◦ Adequate Security: NIST (sp) 800-171-based

◦ Required Reporting: Contractors and subcontractors must report cyber incidents on information systems with CDI or that affect the ability to perform critical support under a contract

◦ Required Response: Upon discovery of a cyber incident, conduct a review for evidence; provide the DoD-assigned incident report number to the prime/next higher subcontractor; preserve the imaged system for 90 days

◦ When to Report: Within 72 hours directly to DoD via the specified portal

◦ Other: Provide DoD access to information / equipment to conduct its analysis; submit malicious software to the DoD Cyber Crime Center (DC3)

Page 13

The DFARS Cover All of the Following:

1. Direct or indirect DoD contractors, or

2. Companies working with CDI, or

3. Any contract into which DFARS 252.204-7008 is incorporated

Page 14

CDI Definition: Any unclassified information provided by or for the DoD relating to a contract, or collected, developed, received, transmitted, used, or stored by or for a contractor in performing the contract.

CDI can be technical, administrative, or operational in nature and is:

1. CTI

2. Critical information (operations security)

3. Export control

4. Any other information, marked or identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government policies


Page 15

◦ Regulations Not Concerned with Classified (Secret) Material

◦ Do Not Address Other Privacy or Confidentiality Regulations, although there can be an overlap:

  ◦ ITAR (International Traffic in Arms Regulations – State Department)

  ◦ EAR (Export Administration Regulations – Commerce Department)

  ◦ HIPAA – Standards for Privacy of Individually Identifiable Health Information

  ◦ Gramm-Leach-Bliley Act – Right to Opt-out of Sharing of Nonpublic Personally Identifiable Financial Information

Page 16

Contractors must include the clause in Solicitations, Purchase Orders and Subcontracts

Specifically applies to contracts (i) providing “operationally critical support” and/or (ii) working with a Covered Contractor Information System

All subcontractors must meet NIST (sp) 800-171 controls

• All DFARS says is that contractors are to flow down the provision

• Unclear whether a contractor / subcontractor is responsible for ensuring that its own contractors and suppliers are compliant

• Best practice – assume responsibility

Page 17

◦ Found in NIST (sp) 800-171 rev. 2

◦ 14 Categories

◦ 110 Controls

◦ Referenced by Section Numbers in Publication

Page 18

3.1 Access Control

3.2 Awareness and Training

3.3 Audit and Accountability

3.4 Configuration Management

3.5 Identification and Authentication

3.6 Incident Response

3.7 Maintenance

3.8 Media Protection

3.9 Personnel Security

3.10 Physical Protection

3.11 Risk Assessment

3.12 Security Assessment

3.13 System and Communications Protection

3.14 System and Information Integrity


Page 19

1. Complete a DFARS CDI Assessment (current cybersecurity posture) and report your findings to the DoD Chief Information Officer (CIO) within 30 days of contract award

2. Prior Interpretation: Correct any gaps documented by an assessment by December 31, 2017

3. Now: Plan of compliance by end of 2017

Page 20

Expanding Reach of These Regulations

◦ FAR 52.204-21 (Basic Safeguarding of Contractor Information Systems Requirements): Applies a subset of 15 controls from NIST 800-171, effective June 16, 2016

◦ Covers 300,000± Companies; Has Mandatory Flow-down; no cyber-incident reporting requirement (yet)

◦ NARA: DFARS Regulations are much of what we will see in FARS

◦ NARA intends to establish a universal FAR that supersedes DFARS 252.204-7012, uses NIST (sp) 800-171 and expands to all Federal agencies and contractors

◦ NARA's timing is open


Page 21

Open Questions

◦ Do CSPs (Cloud Service Providers) apply FedRamp or 800-171 standards?

◦ What CDI / CUI marking requirements exist?

◦ Is the COTS exemption the same for solicitations as subcontracts?

◦ Is a SSP really sufficient for post-2017 compliance?

◦ When is the final compliance deadline?

◦ Will there be 800-171 audits?

◦ Enforcement

  ◦ Who is responsible?

  ◦ What are the consequences of failure to comply?

Page 22

Answering One of those Questions

◦ Will there be 800-171 audits?

◦ January 21, 2019 Memorandum (email for copy: [email protected])


Page 23

Conducting a DFARS Assessment

◦ Don’t Delay

◦ Don’t Start Without Company Buy-in Across Functions – Compliance, Facilities, Finance, IT, Legal, Supply Chain Management, Engineering, Manufacturing

◦ Senior Management Responsibility, Supervision and Assessment Focal Point

◦ Understand DFARS and NIST 800-171 or Retain Outside Expertise

◦ Set Milestones to Avoid Project Drift

Page 24

Assessment Steps…

◦ Reference NIST (sp) 181-171 for additional guidelines

◦ Identifying applicable “information systems*,” the scope of effort, available resources and personnel, and tasks and milestones

◦ Cybersecurity assessment

◦ Preparation and agreement on a gap analysis and status of compliance

◦ Preparation and adoption of a remediation plan

◦ Prepare a POA&M (Plan of Action and Milestones)

◦ Training

◦ Institute the POA&M, including document storage, control management and audit solution

*Group of components (workstations, servers, VoIP phones, routers, switches, firewalls) in a connected infrastructure, under a single management authority. A separate information system could be segregated by a firewall, logically separated (physically or by access), or under a separate management authority

Page 25

DFARS Assessment Approach

Preliminary DFARS Questionnaire

• Preliminary DFARS Assessment

• Interview

GAP Analysis

• Compiling results of preliminary questionnaire, interview, and assessment document

• Preparation and Presentation of GAP Analysis

POA&M

• Preparation, Presentation and Tracking of POA&M

• Preparation of Third Party Compliance Certificate

Page 26

Preliminary Review

◦ During the preliminary assessment, the DFARS questionnaire is completed by the prospective client.

◦ The initial interview with business stakeholders is carried out following the completion of the questionnaire.

◦ During the initial interview the outside assessor learns about the client’s IT systems and internal flow of operations.

◦ The goal is to identify the current security posture of the business.

Page 27

Determining the Scope

The results of the interview and questionnaire are used to create a customized assessment document.

In that assessment document, each control will be clearly defined for the client in accordance with DFARS requirements.

The outside team works closely with the relevant client personnel to provide clarification on what each of the 110 NIST 800-171 controls mandates and how these controls apply to the client’s business.

Page 28

Research and Gap Analysis

The audit team records the results of each stage into the third-party’s assessment tool.

The tool generates a percentage of compliance.

The audit team identifies and investigates each control:

Controls met by the client are recorded and verified.

Controls that are not met are recorded, and recommendations to satisfy the control are provided to the client.

The result is a Gap Analysis specific to that client.

Page 29

Agreed Remediation

◦ The audit team presents the Gap Analysis to the client’s stakeholders.

◦ The Gap Analysis will spell out in detail the deficiencies identified, as well as recommendations for remediation.

◦ The Gap Analysis enables the client to develop a roadmap, with specific goals tied to dates, that will allow the client to reach compliance.

◦ This roadmap, reflecting the requirements of 800-171 and the DFARS, as well as the client’s priorities, will be the client’s Plan of Action and Milestones (POA&M).

Page 30

Progress Reviews

• The client will drive the timeline to remedy identified deficiencies.

• The outside audit team will continue to track progress toward full compliance as each deficiency is resolved.

• The POA&M is a ‘living and breathing’ document that is used to track implementation of the recommendations and may be amended as circumstances and available solutions change.

• The audit team typically will follow up weekly to track and verify implementation progress until full compliance.


Page 31

Certification and Benefits of Third-party Assessments

POA&M and DFARS Assessment Tool are used to provide the client the NIST (sp) 800-171/DFARS 252.204-7012 Compliance Certificate

A partial compliance certificate, along with the POA&M, can demonstrate to DoD or a Prime Contractor that the client is taking steps to be compliant and is making progress toward full compliance

Full compliance certificate will demonstrate compliance as of date of certificate


Page 32

How Long Does it Take to Complete a DFARS Assessment?

◦ About two man-weeks for SMEs (small and medium-sized enterprises). Larger companies can take several months.

◦ Variable factors:

- number of unique "Information Systems" that must be assessed

- number of employees and their computing devices

- number of sites that must be visited during the assessment

- number of DoD contracts that must be reviewed for specific requirements

- definitions of systems, and the overall number of computing systems in place


Page 33

QUESTIONS AND DISCUSSION


Email – [email protected]

Phone – 603-589-4830