
The Aerospace & Defense Forum San Diego Chapter, May 23, 2017

CYBER SECURITY BRIEF

May 23, 2017

Presented By:

Curt Parkinson DCMA

Agenda

  • DFARS 239.71 Updates
  • Cybersecurity Contracting: Applicable DFARS
  • DFARS Clause 252.204-7012
  • DFARS Clause 252.239-7001
  • Adequate Security
  • System Security Plan (SSP)
  • Cyber Incident
  • Questions

Cybersecurity: DFARS 239.71 Updates

DFARS Part 239 - Acquisition of Information Technology

“DFARS 239.71 - Security and Privacy for Computer Systems”

  • DFARS 239.7102-1, General: Applies to all acquisitions for “Information Technology”; includes security and Privacy Act considerations.
  • DFARS 239.7102-2, Compromising Emanations - TEMPEST or other standard: For acquisitions requiring information assurance against compromising emanations, the requiring activity is responsible for providing to the contracting officer:
    • The required protections (i.e., an established National TEMPEST standard (e.g., NACSEM 5100, NACSIM 5100A) or a standard used by another authority);
    • The required identification markings…
    • Inspection and acceptance requirements…
    • A date through which the accreditation is considered current.

Cybersecurity Contracting: Applicable DFARS

  • DFARS 252.239-7000 - Protecting Against Compromising Emanations
    • TEMPEST certification to NACSEM 5100 or NACSIM 5100A (U) (Compromising Emanations)
    • Contractor must provide test certification documentation
    • Note: usually referred to simply as TEMPEST
  • DFARS 252.239-7001 - Information Assurance Contractor Training and Certification
    • Requires DoD 8570/8140 training and certification of contractor IA personnel
    • Contractor provides certification documentation to DoD
    • Non-certified staff will be barred from DoD information systems
    • Note: a newer qualification also certifies cyber defense firms, not just individual staff
  • DFARS 252.204-7012 - Safeguarding Covered Defense Information and Cyber Incident Reporting
    • Cyber incidents must be reported within 72 hours of discovery
    • Flows down to subcontractors
    • Note: Covered Defense Information includes
      • Controlled Technical Information
      • Export-controlled items (both ITAR and EAR)

Note: DCMA is not performing technical assessment of the cybersecurity standards, i.e., NIST SP 800-171.

DFARS Clause 252.204-7012

  • When the contract includes DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, the supplier must comply with the security requirements in NIST SP 800-171 (organized into 14 families)
  • Compliant assessment
    • The DCMA software professional (SP) shall verify that the supplier has the required System Security Plan under CM
    • The SP shall issue a Corrective Action Request (CAR) and inform the AC if the Plan does not exist
    • The SP does not conduct an assessment of the System Security Plan or issue a CAR against the Plan
  • Non-compliant assessment
    • The SP shall verify that the supplier notified the DoD CIO via email within 30 days of contract award
    • The SP shall verify that the supplier submitted a Plan of Action and Milestones (POA&M) to the AC
    • Otherwise the SP shall issue a CAR and inform the AC

Software - Policy Implementation Meeting (PIM): One team, one voice delivering global acquisition insight that matters.

DFARS Clause 252.204-7012 (cont.)

  • Resource: Guidance to Stakeholders for Implementing Defense Federal Acquisition Regulation Supplement Clause 252.204-7012 (Safeguarding Unclassified Controlled Technical Information)
  • Basic supplier requirements:
    • Provide adequate security :: DFARS 252.204-7012(b)
    • Report cyber incidents :: DFARS 252.204-7012(c)
    • Flow down these requirements :: DFARS 252.204-7012(m)
  • DCMA software professionals primarily work with the “(b)” and “(m)” requirements

DFARS Clause 252.239-7001

When the contract includes DFARS 252.239-7001, Information Assurance Contractor Training and Certification, the Contractor shall ensure that personnel accessing information systems have the proper and current information assurance certification to perform information assurance functions in accordance with DoD 8570.01-M.

  • The supplier will need to provide DoD-approved information assurance workforce certifications appropriate for each category and level
  • The SP shall verify that the supplier has the required certifications
  • The SP shall issue a CAR and inform the AC if the supplier does not provide certifications

Note: Contractor personnel who do not have proper and current certifications shall be denied access to DoD information systems for the purpose of performing information assurance functions.

DFARS Clause 252.239-7001 (cont.)

  • Resource: DoD 8570.01-M, Information Assurance Workforce Improvement Program
  • Three basic supplier requirements:
    • Meet the applicable IA certification requirements :: DFARS 252.239-7001(a)
    • Provide documentation supporting IA certification status :: DFARS 252.239-7001(b)
    • Contractor personnel who do not have proper and current certifications shall be denied access to DoD information systems :: DFARS 252.239-7001(c)
  • DCMA software professionals work with each requirement of this clause

Adequate Security

  • Resource: NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
  • Requires the supplier to be compliant with NIST SP 800-171 NLT 31 DEC 2017
  • NIST SP 800-171 organizes its security requirements into 14 families
  • Additional requirements for contracts awarded before 01 OCT 2017:
    • Require supplier self-assessment against NIST SP 800-171
    • Require the supplier to report to the DoD CIO any shortcomings that existed at the time of contract award

System Security Plan (SSP)

  • Resource: NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems
  • The objective of system security planning is to improve protection of information system resources
  • Appendix A of NIST SP 800-18 Rev. 1 contains a template for an SSP
  • Any “to-do” tasks that must be completed before the system fully implements the SSP must be documented in a Plan of Action and Milestones (POA&M)

Cyber Incident

“Cyber incident” :: means actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.

  • Cyber incident reporting requirement.
    • (1) When the Contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein, or that affects the Contractor’s ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract, the Contractor shall—
      • (i) Conduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This review shall also include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the Contractor’s network(s), that may have been accessed as a result of the incident in order to identify compromised covered defense information, or that affect the Contractor’s ability to provide operationally critical support; and
      • (ii) Rapidly report cyber incidents to DoD at http://dibnet.dod.mil

Cyber Incident cont.

    • (2) Cyber incident report. The cyber incident report shall be treated as information created by or for DoD and shall include, at a minimum, the required elements at http://dibnet.dod.mil
    • (3) Medium assurance certificate requirement. In order to report cyber incidents in accordance with this clause, the Contractor or subcontractor shall have or acquire a DoD-approved medium assurance certificate to report cyber incidents.

NOTE :: For information on obtaining a DoD-approved medium assurance certificate, see http://iase.disa.mil/pki/eca/Pages/index.aspx

Cyber Incident cont.

  • Reporting a Cyber Incident
  • Elements of a cyber report :: [figure of the required report elements; not recoverable from the extracted page]

[Figure: Risk Management Framework, incorporated into the full system life cycle]

Cyber Key Dates

  • Existing contracts have until 31 DEC 2017 to fully implement NIST SP 800-171 as required by DFARS 252.204-7012 (page 40 of https://www.gpo.gov/fdsys/pkg/FR-2015-12-30/pdf/FR-2015-12-30.pdf)

Questions

Backup

Reviewed Documents

  • FAR/DFARS, JCIDS
  • DoD 5220.22-M, NISPOM
  • NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
  • NIST SP 800-18 Rev. 1, Guide for Developing Security Plans for Federal Information Systems
  • DoD Instruction 8500.01, Cybersecurity
  • CNSSP 22, Policy on Information Assurance (IA) Risk Management for National Security Systems
  • DoDD 8570.01, IA Training, Certification, and Workforce Management
  • Cloud Computing Security Requirements Guide
  • DoDI 8510.01, Risk Management Framework (RMF) for DoD IT
  • DoD 5220.22-R, Industrial Security Regulation
  • DoDI 5000.02, Operation of the Defense Acquisition System
  • DoD PM’s Guidebook for Integrating RMF into the Acquisition Lifecycle
  • DoD Cybersecurity Test and Evaluation Guidebook

Significant Requirements Impacts

List any significant items that “may” impact the mission. The items below reflect the DFARS clauses that require awareness of these requirements and/or Contract Receipt and Review (CRR) action:

  • DFARS:
    • 252.204-7000, Disclosure of Information (Awareness Only and CRR/CTR)
    • 252.204-7003, Control of Government Personnel Work Product (Awareness Only and CRR/CTR)
    • 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (Awareness / Validation)
    • 252.239-7001, Information Assurance Contractor Training and Certification (Surveillance Required)
    • 252.239-7010, Cloud Computing Services (Awareness Only)

Significant Requirements Impacts cont.

  • PM Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle, September 2015
    • Chapter 2.1.3, ISSM Roles and Responsibilities in Support of the Program Manager (Potential Surveillance Required)
    • Chapter 2.2.3, Functional Decomposition and Allocation of Cybersecurity Requirements (Potential Surveillance Required)
    • Appendix 2.2, Include Cybersecurity in Preliminary Design and Final MS B Documentation (Potential Surveillance Required)
    • Appendix 3.1, Include Cybersecurity in Detailed Final Design (Potential Surveillance Required)

[Figure: Risk Management Framework, RMF Integration across the Acquisition Lifecycle]