800 171 handbook
play

800-171 Handbook Webinar Pat Toth Cybersecurity Program Manager - PowerPoint PPT Presentation

Apr 17, 2023 •217 likes •713 views

800-171 Handbook Webinar Pat Toth Cybersecurity Program Manager National Institute of Standards and Technology (NIST) Manufacturing Extension Partnership (MEP) MEP Overview NIST MEP 800-171 Assessment Handbook Step-by-step guide to

  1. 800-171 Handbook Webinar Pat Toth Cybersecurity Program Manager National Institute of Standards and Technology (NIST) Manufacturing Extension Partnership (MEP) MEP Overview

  2. NIST MEP 800-171 Assessment Handbook • Step-by-step guide to assessing NIST SP 800-171 Security Requirements • Available in DRAFT format for MEP Centers to use in providing assistance to U.S. manufacturers – Includes Handbook Supplement for compliance with DFARS Cybersecurity Requirements • Publication as an official NIST Handbook pending. • NIST MEP providing training to MEP Centers. 2 MEP Overview

  3. What is the purpose of DFARS clause 252.204-7012? • Structured to ensure that: – controlled unclassified DoD info residing on a contractor’s internal info system is safeguarded from cyber incidents. – any consequences associated with the loss of this info are assessed and minimized via the cyber incident reporting and damage assessment processes. • Also provides single DoD-wide approach to safeguarding covered contractor information systems – prevent proliferation of multiple/potentially different safeguarding controlled unclassified information clauses, contract language by various entities across DoD. 3 MEP Overview

  4. What is the DFARS Cybersecurity Requirement? • Clause 252.204-7012 requires defense contractors and subcontractors to: 1. Provide adequate security to safeguard covered defense information (CDI) that resides on or is transiting through a contractor’s internal information system or network. 2. Report cyber incidents that affect a covered contractor information system or the CDI residing therein, or that affect the contractor’s ability to perform requirements designated as operationally critical support. 3. Submit malicious software discovered and isolated in connection with a reported cyber incident to the DOD Cyber Crime Center. 4. If requested, submit media and additional information to support damage assessment. 5. Flow down the clause in subcontracts for operationally critical support, or for which subcontract performance will involve CDI. 4 MEP Overview

  5. What is “adequate security”? Contractors should implement, at a minimum, the security requirements in NIST SP 800- 171 rev 1 “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf 5 MEP Overview

  6. What is a "Covered contractor information system”? DFARS 252.204- 7012(a): “covered contractor information system” – “an unclassified info system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense info.” – A covered contractor info system is specifically an ‘‘unclassified’’ info system. – A covered contractor info system requires safeguarding in accordance with 252.204-7012(b) because performance of the contract requires that the system process, store, or transmit CDI. 6 MEP Overview

  7. What do contractors need to do to ensure compliance with DFARS and when does this apply? • Defense contractors are required by DFARS to provide adequate security on all covered contractor info systems. • Defense contractors must implement, at a minimum, the following information security protections: – NIST SP 800-171 rev 1, as soon as practical, – but not later than December 31, 2017 . 7 MEP Overview

  8. MEP 3-Step Process to Complying with DFARS Cybersecurity Requirements • Step 1 : – Develop System Security Plan • Step 2: System Plan of Security Action – Conduct Assessment Plan – Produce Security Assessment Report Security Assessment Report • Step 3: – Produce a Plan of Action 8 MEP Overview

  9. MEP 3-Step Process to Complying with DFARS Cybersecurity Requirements • STEP 1 : Develop System Security Plan • System Security Plan Describes System Plan of Security Action – the system boundary; Plan – the operational environment; – how the security requirements from SP 800-171 are implemented; and Security Assessment – the relationships with or connections to other systems Report • No required format 9 MEP Overview

  10. MEP 3-Step Process to Complying with DFARS Cybersecurity Requirements • Step 2: Conduct Assessment and Produce Security Assessment Report • Conduct Assessment – Develop Assessment Plan System Plan of – Conduct assessment against security requirements in NIST SP 800-171 Security Action • Self-Assessment or Plan • Third -Party – Determined if security requirements are effective and operating as intended – Some requirements may not apply Security – Alternative but equally effective Assessment Report • Produce Security Assessment Report – No Required Format 10 MEP Overview

  11. MEP 3-Step Process to Complying with DFARS Cybersecurity Requirements • STEP 3: Produce a Plan of Action • Plan of Action describes: – How any unimplemented security requirements will be met – How any planned improvements will be implemented – Detailed milestones used to measure progress • No deadline for meeting Plan of Action items 11 MEP Overview

  12. MEP 3-Step Process to Complying with DFARS Cybersecurity Requirements • Submit to DOD Contracting Officer or Prime Contractor: – System Security Plan, System – Security Assessment Report and Plan of Security action – Plan of Action Plan • These documents provide evidence to demonstrate compliance Security Assessment with the DFARS. Report 12 MEP Overview

  13. IMPORTANT: Things to Remember Regarding Compliance with DFARS Cybersecurity Requirements Compliance occurs upon approval of the System Security Plan, Security • Assessment Report and the Plan of Action. • Approval of these items comes from the appropriate DOD Contracting Officer, or Prime Contractor – depending upon where a particular manufacturer falls System Plan of within the supply chain. Security action Plan • Some plans may need to be reviewed by DOD CIO. Security • A contractor’s signature on a contract indicates that DFARS cybersecurity Assessment requirements have been met. Report No pre-determined audit processes are planned, but audits by DOD may • occur as warranted. 13 MEP Overview

  14.  Access Control.  Audit and Accountability.  Awareness and Training.  Configuration Management.  Identification and Authentication.  Incident Response. NIST SP 800-171  Maintenance. Security Requirements  Media Protection.  Physical Protection. 14 Families  Personnel Security. Obtained from FIPS 200 and  Risk Assessment. NIST Special Publication 800-53  Security Assessment.  System and Communications Protection  System and Information Integrity. MEP Overview

  15. Access Control: SP 800-171 Security Family 3.1 • Access is the ability to make use of any system resource. Access control is the process of granting or denying requests to: • use information • • use information processing services • enter company facilities Logical access controls • prescribe who or what can access system resource and • • the type of access that is permitted. • built into the operating system or • incorporated into applications programs or major utilities (e.g., database management systems, communications systems), or • implemented through add-on security packages. • • may be implemented internally to the system or in external devices. 15 MEP Overview

  16. Access Control: SP 800-171 Security Family 3.1 Companies should limit: • • system access to authorized users • processes acting on behalf of authorized users • devices, including other systems and the types of transactions and functions that authorized users are permitted to exercise • • Can vary from one system to another. • It may also be important to control the kind of access that is permitted (e.g., the ability for the average user to execute, but not change, system programs). These types of access restrictions enforce policy and help ensure that unauthorized actions are not taken. • Controlling physical access to company facilities is also important. It provides for the protection of employees, plant equipment, hardware, software, networks and data from physical actions and events that could cause serious loss or damage to the company. 16 MEP Overview

  17. Awareness and Training: SP 800-171 Security Family 3.2 Information security awareness, training, and education • Raises awareness of the need to protect system resources • Develops skills and knowledge so system users can perform their jobs more securely and • Builds in-depth knowledge as needed to design, implement, or operate security programs for organizations and systems. All managers and users are aware of the security risks associated with their activities. Employees are trained to carry out their information security-related duties and responsibilities. 17 MEP Overview

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Technology Handbook Highlights Orientation Presentation 2020-2021 Technology Handbook In each

Technology Handbook Highlights Orientation Presentation 2020-2021 Technology Handbook In each

Technology Handbook Highlights Orientation Presentation 2020-2021 Technology Handbook In each students folder that you receive at open house or on the first day of school, you will find a Technology Handbook. It is important to read

532 views • 16 slides
2 Overview of Presentation Objectives of the Handbook

2 Overview of Presentation Objectives of the Handbook

1 OCCUPATIONS AND CAREERS HANDBOOK FOR UAE NATIONALS Handbook Overview

422 views • 26 slides
TRIBAL/LOCAL PUBLIC AGENCY HANDBOOK 2019 Overview of the T/LPA Handbook and the Project

TRIBAL/LOCAL PUBLIC AGENCY HANDBOOK 2019 Overview of the T/LPA Handbook and the Project

TRIBAL/LOCAL PUBLIC AGENCY HANDBOOK 2019 Overview of the T/LPA Handbook and the Project Development Process Trainers Jolene Herrera Planning/STIP Unit JoleneM.Herrera@state.nm.us Jessica Hunter, P.E. T/LPA Construction Liaison Engineer

990 views • 88 slides
Welcome to Orientation Employee Orientation Handbook The Carewest Employee Orientation Handbook

Welcome to Orientation Employee Orientation Handbook The Carewest Employee Orientation Handbook

Welcome to Orientation Employee Orientation Handbook The Carewest Employee Orientation Handbook is a 36-page booklet that supports the orientation process. Please read it and refer to it when noted in this presentation. It has useful

184 views • 14 slides
CITIZENS ADVISORY COMMITTEE DESIGN HANDBOOK PRESENTATION December 13, 2018 Campus Regulatory

CITIZENS ADVISORY COMMITTEE DESIGN HANDBOOK PRESENTATION December 13, 2018 Campus Regulatory

CITIZENS ADVISORY COMMITTEE DESIGN HANDBOOK PRESENTATION December 13, 2018 Campus Regulatory Framework ZONING DSGS HANDBOOK (CPD) (CPD) (SADL) Design Handbook - Table of Contents Introduction Campus Framework Context

221 views • 7 slides
Launching of UNCTAD's Handbook on IP Implications of the CBD and Nagoya Protocol Presentation

Launching of UNCTAD's Handbook on IP Implications of the CBD and Nagoya Protocol Presentation

Launching of UNCTAD's Handbook on IP Implications of the CBD and Nagoya Protocol Presentation by: Harmut Meyer, David Vivas Eugui and Thamara Romero Why a handbook on IP and Nagoya? Nagoya largely silent on IP but very important for ABS rule

618 views • 8 slides
& HANDBOOK As of 11 May 2020 S C H O O L O F M U S I C A N D T H E A R T S ABOUT OUR

& HANDBOOK As of 11 May 2020 S C H O O L O F M U S I C A N D T H E A R T S ABOUT OUR

W R I T E H E R E S O M E T H I N G STUDENT ORIENTATION & HANDBOOK As of 11 May 2020 S C H O O L O F M U S I C A N D T H E A R T S ABOUT OUR SCHOOL C P E R e g i s t r a t i o n N u m b e r : 199103776M Va l i d i t y P e r

823 views • 64 slides
Software Reliability 18-849b Dependable Embedded Systems Jiantao Pan Feb 2, 1999 Handbook of

Software Reliability 18-849b Dependable Embedded Systems Jiantao Pan Feb 2, 1999 Handbook of

Software Reliability 18-849b Dependable Embedded Systems Jiantao Pan Feb 2, 1999 Handbook of Software Reliability Engineering, Chapter 1 Required Reading: Handbook of Software Reliability Engineering, Michael R. Lyu Best Tutorial: Handbook

521 views • 14 slides
& HANDBOOK As of 13 March 2020 S C H O O L O F M U S I C A N D T H E A R T S ABOUT OUR

& HANDBOOK As of 13 March 2020 S C H O O L O F M U S I C A N D T H E A R T S ABOUT OUR

W R I T E H E R E S O M E T H I N G STUDENT ORIENTATION & HANDBOOK As of 13 March 2020 S C H O O L O F M U S I C A N D T H E A R T S ABOUT OUR SCHOOL OUR Igniting passion and growing talents for the Asia-Pacific music and arts

807 views • 63 slides
Proposed Tentative Handbook Amendment Kiley Ranch North Planned Development BACKGROUND 2004

Proposed Tentative Handbook Amendment Kiley Ranch North Planned Development BACKGROUND 2004

Proposed Tentative Handbook Amendment Kiley Ranch North Planned Development BACKGROUND 2004 Original tentative handbook approved 2016 Tentative handbook amendment approved January 2019 Comprehensive Plan amendment for

480 views • 20 slides
PARENT WELCOME MEETING Saturday, August 11, 2018 Important Documents Musicians Handbook

PARENT WELCOME MEETING Saturday, August 11, 2018 Important Documents Musicians Handbook

PARENT WELCOME MEETING Saturday, August 11, 2018 Important Documents Musicians Handbook (on our website) School Participation Form (pick up on your way out) Season Calendar (in Musicians Handbook online) This Presentation

608 views • 28 slides
PARENT WELCOME MEETING Wednesday, August 8, 2018 Important Documents Musicians Handbook

PARENT WELCOME MEETING Wednesday, August 8, 2018 Important Documents Musicians Handbook

PARENT WELCOME MEETING Wednesday, August 8, 2018 Important Documents Musicians Handbook (on our website) School Participation Form Season Calendar (in Musicians Handbook online) This Presentation (well email it to you!)

566 views • 28 slides
Management A handbook for Supreme Audit Institutions Presentation for Annual WGPD Meeting,

Management A handbook for Supreme Audit Institutions Presentation for Annual WGPD Meeting,

Audit of Public Debt Management A handbook for Supreme Audit Institutions Presentation for Annual WGPD Meeting, Hyderabad, India, 11-13 July 2018 About the Handbook IDI global public good developed as a part of the IDI programme on

412 views • 12 slides
SEPARATE GATE HANDBOOK - Operating a Project When a Picket is Present on the Jobsite The purpose

SEPARATE GATE HANDBOOK - Operating a Project When a Picket is Present on the Jobsite The purpose

SEPARATE GATE HANDBOOK - Operating a Project When a Picket is Present on the Jobsite The purpose of this handbook is to provide information as general reference material concerning the subject. This information is for educational purposes only

391 views • 25 slides
NCHRP 19-10: AASHTO Partnering Handbook, 2 nd Edition Doug Gransberg, PhD, PE dgran@iastate.edu

NCHRP 19-10: AASHTO Partnering Handbook, 2 nd Edition Doug Gransberg, PhD, PE dgran@iastate.edu

1 NCHRP 19-10: AASHTO Partnering Handbook, 2 nd Edition Doug Gransberg, PhD, PE dgran@iastate.edu New email: dgransberg@gransberg.com 2 Outline Discuss research key findings Overview of the Handbook Specifics of partnering

602 views • 27 slides
Workshop: STARTSIM Handbook Entrepreneurship and Cultural Conditions Entrepreneurship and

Workshop: STARTSIM Handbook Entrepreneurship and Cultural Conditions Entrepreneurship and

. Workshop: STARTSIM Handbook Entrepreneurship and Cultural Conditions Entrepreneurship and Cultural Conditions . F. Heintze and J. Moelleken, 2008 P. Agardi 2005 STARTSIM Handbook Introduction: Overview about STARTSIM project

315 views • 8 slides
Software as a Medical Device (SaMD) Application of Quality Management System IMDRF/WG/N23

Software as a Medical Device (SaMD) Application of Quality Management System IMDRF/WG/N23

Software as a Medical Device (SaMD) Application of Quality Management System IMDRF/WG/N23 Proposed Document (PD1)R3 NWIP - Quality Management Systems for Software as a Medical Device (SaMD) Scope Translate and adapt existing quality

366 views • 13 slides
SIMULATION USING IPG CARMAKER Dr. Jochen Schaffnit Adam Opel AG, Vehicle CAE apply &

SIMULATION USING IPG CARMAKER Dr. Jochen Schaffnit Adam Opel AG, Vehicle CAE apply &

A MASTER MODEL APPROACH FOR SYSTEM SIMULATION USING IPG CARMAKER Dr. Jochen Schaffnit Adam Opel AG, Vehicle CAE apply & innovate 2014 23. September 2014 www.opel.com AGENDA 1. CarMaker Usage at Opel 2. Challenges for Model/CarMaker

264 views • 15 slides
Training Objectives Obtain knowledge of the ITIL terminology, structure and basic concepts and

Training Objectives Obtain knowledge of the ITIL terminology, structure and basic concepts and

Training Objectives Obtain knowledge of the ITIL terminology, structure and basic concepts and to comprehend the core principles of ITIL practices To appreciate how a framework, process and procedures are essential in providing a stable

441 views • 41 slides
Virtualisation with Vagrant By Noorvir Aulakh James Lambert Thomas Rickard Le Lear arni ning

Virtualisation with Vagrant By Noorvir Aulakh James Lambert Thomas Rickard Le Lear arni ning

Virtualisation with Vagrant By Noorvir Aulakh James Lambert Thomas Rickard Le Lear arni ning ng Ou Outc tcom omes es Understand different types of virtual machines Be able to run, provision and stop a vagrant virtual machine.

291 views • 15 slides
Session #4: Transport Network Control (ASON, Session #4: Transport Network Control (ASON, GMPLS

Session #4: Transport Network Control (ASON, Session #4: Transport Network Control (ASON, GMPLS

I nternational Telecom m unication Union ITU-T Session #4: Transport Network Control (ASON, Session #4: Transport Network Control (ASON, GMPLS and Control plane management) GMPLS and Control plane management) Highlights & Conclusions

420 views • 7 slides
Application of BIM and GIS for Dutch Infrastructure assets. together with a contractor Daan

Application of BIM and GIS for Dutch Infrastructure assets. together with a contractor Daan

Application of BIM and GIS for Dutch Infrastructure assets. together with a contractor Daan Alsem projectmanager Royal HaskoningDHV GeoBIM Amsterdam november 24th, 2016 The project: Rebuilding of the junction Joure, NL Junction Joure Hamburg

316 views • 28 slides
Apple Configurator in a nutshell Allows you to make a Golden Master that you can quickly deploy

Apple Configurator in a nutshell Allows you to make a Golden Master that you can quickly deploy

Apple Configurator in a nutshell Allows you to make a Golden Master that you can quickly deploy to large numbers of iPads First: Work in AC and create configuration profiles, make global customizations before plugging in the first iPad Second:

238 views • 20 slides
BATTERY REPLACEMENT IN IDLE STOP START VEHCILES (ISS) What are ISS systems An Idle Stop Start

BATTERY REPLACEMENT IN IDLE STOP START VEHCILES (ISS) What are ISS systems An Idle Stop Start

BATTERY REPLACEMENT IN IDLE STOP START VEHCILES (ISS) What are ISS systems An Idle Stop Start (ISS) system automatically shuts down and restarts the internal combustion engine to reduce the amount of time the engine spends idling. ISS systems

1.13k views • 68 slides

More recommend