Jennifer Schaus & Associates GOV CON WEBINAR SERIES - 2017
Jennifer Schaus & Associates – GOV CON WEBINAR SERIES - 2017 - WASHINGTON DC
www.JenniferSchaus.com
Join us for a series of complimentary webinars on various US Federal Government contracting topics. Presenters are industry experts sharing knowledge about the competitive government contracting sector. All of our government contracting webinars are available as a free download at www.JenniferSchaus.com
Contact us at 202-365-0598
ABOUT JENNIFER SCHAUS & ASSOCIATES:
- Based in downtown Washington, DC
- A la carte services for Federal Contractors: proposal writing, GSA Schedules, contract administration, etc.
- Deep bench of industry experts
- Educational webinars
- Networking events and seminars
WEBSITE: http://www.JenniferSchaus.com
ABOUT JENNIFER SCHAUS:
- Over 20 years in federal contracting
- Began career with D&B
- Industry speaker and author
- Board Member: GovLish; NCMA; and NMIA
- Volunteer Mentor and/or Instructor: VA PTAP; CBP / VBOC; Capitol Post; 1776; Eastern Foundry; WIT; WDCEP; and the Towson University Incubator
ABOUT OUR SPEAKER DAVID DEMPSEY
ABOUT DAVID DEMPSEY:
- Amherst College (1972); University of South Carolina Law School (1977)
- 40 years in government contracting
- Partner, Dempsey Fontana, PLLC
- Phone: 703.880.9171; Email: ddempsey@deftlaw.com
ABOUT DEMPSEY FONTANA, PLLC
► Formation, administration and litigation of federal and state government contracts
► Extensive experience in areas such as IT contracts, service contracts, small business issues, government accounting, protection of intellectual property rights, mergers & acquisitions, GSA Schedules, export controls, teaming and subcontracting, internal reviews / investigations, industrial security, trade agreements and foreign sourcing, and protests and contract litigation in all forums
► Large firm expertise at small firm cost
http://www.deftlaw.com
FEDERAL CYBER ELIGIBILITY: ESTABLISHING YOUR COMPANY’S CYBER QUALIFICATIONS Monday, July 31, 2017
FAR 4.19 SAFEGUARDING OF COVERED CONTRACTOR INFORMATION SYSTEMS
Applicable to "all acquisitions, including acquisitions of commercial items other than commercially available off-the-shelf items, when a contractor's information system may contain Federal contract information" (FAR 4.1902)
Applies to subcontractors (except for COTS)
No affirmative compliance certification
No incident reporting requirement
FAR 4.19
Safeguarding of Covered Contractor Information Systems
Identifies 15 basic safeguarding requirements for contractors that receive or possess "Federal contract information" (a defined term) under FAR 52.204-21, "Basic Safeguarding of Covered Contractor Information Systems" (June 2016). The 15 requirements are fundamental protections for IP and proprietary information, grouped in six areas:
- Access control: limit system access to authorized users, and limit authorized users to the transactions and functions they are permitted to execute
- Identification and authentication: identify users, processes and devices, and verify (authenticate) each identity before granting access
- Media sanitization: sanitize or destroy media containing Federal contract information before disposal or release for reuse
- Physical protection
- System and communications protection
- System and information integrity
FAR 4.19
Safeguarding of Covered Contractor Information Systems
- Incorporate or reference FAR 52.204-21 in NDAs and teaming agreements
- Protect "Federal contract information," a defined term under FAR 52.204-21 (so mark it as such)
- Protect email data and information (e.g., proposals), because email systems are "information systems" as defined under federal law (44 U.S.C. 3502)
- Relevant to the Defend Trade Secrets Act: compliance is indicia of a company policy to identify and protect its trade secrets
DFARS 252.204-7008
Compliance with Safeguarding Covered Defense Information Controls (OCT 2016)
- Applies the safeguarding requirements of DFARS 252.204-7012 to "all covered defense information on all covered contractor information systems" used in performance of the contract
- "By submission of this offer, the Offeror represents that it will implement the security requirements specified by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171"
- If an offeror wishes to deviate from NIST SP 800-171, it shall submit to the CO, for consideration by the DoD CIO, a written explanation of either:
  - why a particular NIST SP 800-171 security requirement is not applicable, or
  - how an alternative, but equally effective, security measure will achieve equivalent protection
- The DoD CIO adjudicates such requests in writing before award, and any accepted variance is incorporated into the resulting contract
- Enforcement: DCMA-INST 815 (July 10, 2014), Cybersecurity/Information Assurance (IA)
DFARS 252.204-7012
Safeguarding Covered Defense Information and Cyber Incident Reporting (OCT 2016)
- 3-4 years of history behind this clause; final rule issued October 21, 2016
- Related provisions:
  - DFARS 204.73, Safeguarding Covered Defense Information and Cyber Incident Reporting, and PGI 204.73 of the same title
  - DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (Oct. 2016)
  - DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls (Oct. 2016)
  - DFARS 252.204-7009, Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information (Oct. 2016)
DFARS 252.204-7012
Safeguarding Covered Defense Information and Cyber Incident Reporting (OCT 2016)
Definitions:
- "Contractor attributional/proprietary information" (e.g., trade secrets and other information that identifies the contractor)
- "Adequate security" (protective measures commensurate with the consequences and probability of loss, misuse or unauthorized access to, or modification of, information)
- Minimum: NIST SP 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations," in the version in effect when the solicitation is issued or as authorized by the CO (see DFARS 252.204-7008(c)(1)), to safeguard CDI on a "covered contractor information system"
- Implementation deadline: as soon as practical, but not later than December 31, 2017. For contracts awarded prior to October 1, 2017, the contractor must notify the DoD CIO within 30 days of award of any NIST SP 800-171 requirements not yet implemented (DFARS 252.204-7012(b)(2)(ii))
- The clause turns on three defined terms: "cyber incident," "rapidly report" (within 72 hours of discovery) and "forensic analysis"
- https://dibnet.dod.mil/portal/intranet/ is the Defense Industrial Base Cyber Incident Reporting and Cyber Threat Information Sharing Portal. See https://dibnet.dod.mil/portal/intranet/Splashpage/ReportCyberIncident for the list of items to report, including "Impact to Covered Defense Information," "Type of compromise" (which specifically includes inadvertent release) and "Description of technique or method used in cyber incident" (i.e., the forensic analysis)
- A DoD-approved medium assurance certificate is required to report a cyber incident (see DFARS 252.204-7012(c)(3))
DFARS 252.204-7012
Safeguarding Covered Defense Information and Cyber Incident Reporting (OCT 2016)
- For contracts with CDI awarded prior to October 1, 2017, the contractor must notify the DoD CIO, via e-mail at osd.dibcsia@mail.mil, within 30 days of contract award of any security requirements specified by NIST SP 800-171 that were not implemented at the time of contract award (DFARS 252.204-7012(b)(2)(ii)(A))
- The contractor shall submit written requests to vary from NIST SP 800-171 to the CO, for consideration by the DoD CIO, and "need not implement any security requirement adjudicated by an authorized representative of the DoD CIO to be nonapplicable or to have an alternative, but equally effective, security measure that may be implemented in its place" (DFARS 252.204-7012(b)(2)(ii)(B))
- See NIST SP 800-171, requirement 3.12.4: develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems
DFARS 252.204-7012
Safeguarding Covered Defense Information and Cyber Incident Reporting (OCT 2016)
DFARS 252.204-7012(c), cyber incident reporting:
(1) Upon discovery of a cyber incident that affects a covered contractor information system or the covered defense information residing therein, or that affects the contractor's ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract, the Contractor shall:
  (i) Conduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This review shall also include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the Contractor's network(s), that may have been accessed as a result of the incident in order to identify compromised covered defense information, or that affect the Contractor's ability to provide operationally critical support; and
  (ii) Rapidly report (within 72 hours of discovery) the cyber incident to DoD at http://dibnet.dod.mil. A DoD-approved medium assurance certificate is needed to submit the report (DFARS 252.204-7012(c)(3)).
(2) Cyber incident report. The cyber incident report shall be treated as information created by or for DoD and shall include, at a minimum, the required elements at http://dibnet.dod.mil (see 32 CFR Part 236).
DFARS 252.204-7012
Safeguarding Covered Defense Information and Cyber Incident Reporting (OCT 2016)
Reporting a cyber incident may also require:
- Submitting any malicious software discovered and isolated in connection with the reported incident to the DoD Cyber Crime Center (DC3), in accordance with instructions from DC3 or the CO; do not send the malicious software to the CO (DFARS 252.204-7012(d))
- Preserving and protecting images of "all known affected information systems" and all relevant monitoring/packet capture data for at least 90 days from submission of the cyber incident report, to allow DoD to request the media or decline interest (DFARS 252.204-7012(e))
- Permitting DoD access to "additional information or equipment" necessary to conduct a forensic analysis of the incident (DFARS 252.204-7012(f)), including all of the contractor's damage assessment information if requested by the CO (DFARS 252.204-7012(g))
DFARS 252.204-7012
Safeguarding Covered Defense Information and Cyber Incident Reporting (OCT 2016)
- The contractor must identify and mark any proprietary data submitted to the Government and/or the prime contractor: mark "contractor attributional/proprietary information" and/or "covered defense information"
- See also DFARS 252.227-7013 (rights in technical data) and DFARS 252.227-7014 (rights in computer software), the two data-rights clauses
- The data provided under the clause (i.e., the cyber incident report) may be released in limited circumstances outside of DoD:
  - to entities with missions that may be affected by the information
  - to entities that may be called upon to assist in the diagnosis, detection or mitigation of cyber incidents
  - to Government entities that conduct counterintelligence or law enforcement investigations
  - to a support services contractor holding a contract that includes DFARS 252.204-7009, Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information
DFARS 252.204-7009
Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information (OCT 2016)
- If the cyber incident report involves third-party information, the contractor must limit its use and disclosure of that third-party information (DFARS 252.204-7009(b)), with a specific obligation to protect from unauthorized release or disclosure any information used in the Government's forensic analysis authorized by DFARS 252.204-7012(f)
- Contractor employees must sign a specific non-disclosure agreement before accessing the third party's information used in the cyber incident report
- Get a copy of the cyber incident report
- If the third party reported the cyber incident, that third party is a "third-party beneficiary" of the non-disclosure agreement and may enforce it in the event of unauthorized disclosure
- Contractors and subcontractors must include this clause in any subcontracts "or similar contractual instruments" for "services that include support for the Government's activities related to safeguarding covered defense information and cyber incident reporting, including subcontracts for commercial items, without alteration, except to identify the parties" (DFARS 252.204-7009(c); see also the flow-down in DFARS 252.204-7012(m))
NIST SP 800-171 Revision 1 (Dec. 2016)
Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- Sets forth 110 security requirements in the 14 families laid out in Chapter 3, The Requirements: access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity
- Revision 1 requires that implementation be documented in a system security plan; the "NIST 800-171 System Security Plan" is a dynamic document, and no format is prescribed
- [NEW] 3.12.4: Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
NIST SP 800-171 Revision 1 (Dec. 2016)
Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
DoD guidance (Jan. 27, 2017): "The protections required to protect Government information are dependent on the type of information we are protecting, and on the type of system on which the information is processed or stored. The following diagram illustrates the requirements for protecting covered defense information, controlled unclassified information, and Federal contract information when processed or stored on a contractor's internal information system, or on a DoD information system."
June 23, 2017: Contractors must have a System Security Plan and a Plan of Action and Milestones by December 31, 2017.
To implement, review Chapter 3 of NIST SP 800-171 for the requirements, then:
- See App. D of NIST SP 800-171 (r1), which maps each requirement to the corresponding NIST SP 800-53 and ISO/IEC 27001 controls (https://doi.org/10.6028/NIST.SP.800-171r1)
- See App. D of NIST SP 800-53 (r4) for the security control baselines (http://dx.doi.org/10.6028/NIST.SP.800-53r4)
NIST SP 800-171 Revision 1 (Dec. 2016)
Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
Company System Security Plan (outline):
- Revision history (the plan is dynamic)
- Table of contents
- Introduction (why the plan exists)
- Company operating environment (description or depiction)
- Inventory (workstations, laptops, handhelds, smart phones, printers, etc.)
- System Security Plan and Plan of Action and Milestones, one row per requirement:

  SECURITY REQUIREMENT | Company Implementation | Exception (POA&M)
QUESTIONS? CONTACT OUR SPEAKER: David Dempsey at 703.880.9171 and ddempsey@deftlaw.com
THANK YOU FOR ATTENDING!!
WWW.JENNIFERSCHAUS.COM