FED GOV CON Webinar Wednesdays 2019 Series JSchaus & Assoc. Washington DC +1–202–365–0598
About Our Webinars: - Every Wednesday; - Complimentary; - Recorded; - YouTube & our Website; - No Questions
About Us:
Professional Services for Federal Contractors - GSA Sched; - SBA 8(a); - Proposal Writing; - Pricing; - Contract Administration; - Business Development
THURSDAY - April 18 CONFERENCE: 29th Annual Procurement Conference; TUESDAY - May 8 CONFERENCE: 7th Annual Reston Chamber B2G Matchmaking; TUESDAY - Aug 6 IN-PERSON CLASS: Intro To GSA Schedules
Advertise With Us! We offer newsletter & webinar advertising. CONTACT: Mallory.Flowers@jenniferschaus.com for more information.
About Our Speaker: Johana Reed Education: J.D. Georgetown University Company Name: McMahon, Welch, & Learned PLLC # of Years Federal Gov Con Experience: Over 30
Cybersecurity Under the Federal Acquisition Regulation (FAR)
2019 – Fed Gov Con Webinar Series - Washington DC JSchaus & Associates
[Chart: Federal Unclassified Cyber Spending, DOD vs. Civilian, 2014 through 2019 (2018 and 2019 projected). Source: Bloomberg Government data.]
So what is Cybersecurity? The National Institute of Standards and Technology (NIST) defines Cybersecurity as: “The ability to protect or defend the use of cyberspace from cyber attacks.”
Source: NIST IR 7298 Revision 2, Glossary of Key Information Security Terms
Magnitude of the Threat: According to a December 2018 GAO report, federal agencies reported 35,277 information security incidents. The threats came primarily from web-based applications, loss or theft of equipment, email/phishing, improper usage, and other attack methods that do not fit within these categories.
So what laws govern Cybersecurity?
- FISMA
- Federal Cybersecurity Enhancement Act of 2015
- E.O. 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
- 32 CFR Part 2002, Controlled Unclassified Information (CUI)
- FAR 39.101 – General Policy regarding the purchase of IT
- FAR 52.239-1: Privacy or Security Safeguards (Aug. 1996)
- FAR Subpart 4.19 – Safeguarding of Covered Contractor Information Systems
- FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems (June 2016)
- OMB Circular A-130 – Managing Information as a Strategic Resource
- DFARS Clauses – to be discussed at the 2nd session
FAR 39.101 (a) (1) In acquiring information technology, agencies shall identify their requirements pursuant to— (i) OMB Circular A-130, including consideration of security of resources, protection of privacy, national security and emergency preparedness, accommodations for individuals with disabilities, and energy efficiency; ***
(c) In acquiring information technology, agencies shall include the appropriate information technology security policies and requirements, including use of common security configurations available from the National Institute of Standards and Technology’s website at http://checklists.nist.gov. Agency contracting officers should consult with the requiring official to ensure the appropriate standards are incorporated. (d) When acquiring information technology using Internet Protocol, agencies must include the appropriate Internet Protocol compliance requirements in accordance with 11.002(g).
52.239-1 -- Privacy or Security Safeguards (Aug. 1996) (a) The Contractor shall not publish or disclose in any manner, without the Contracting Officer’s written consent, the details of any safeguards either designed or developed by the Contractor under this contract or otherwise provided by the Government.
(b) To the extent required to carry out a program of inspection to safeguard against threats and hazards to the security, integrity, and confidentiality of Government data, the Contractor shall afford the Government access to the Contractor’s facilities, installations, technical capabilities, operations, documentation, records, and databases. (c) If new or unanticipated threats or hazards are discovered by either the Government or the Contractor, or if existing safeguards have ceased to function, the discoverer shall immediately bring the situation to the attention of the other party.
Gaps: implementation and security management are not addressed, and the Federal Information Processing Standards (FIPS) and NIST guidelines do not apply to subcontractors.
NIST Guidelines:
- NIST Cybersecurity Framework
- SP 800-30 (rev 1): Guide for Conducting Risk Assessments
- SP 800-37 (rev 2): Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
- SP 800-53 (rev 4): Security and Privacy Controls for Federal Information Systems and Organizations
- SP 800-171 (rev 1): Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
FAR Subpart 4.19 – Safeguarding of Covered Contractor Information Systems
4.1901 -- Definitions
"Covered contractor information system" means an information system that is owned or operated by a contractor that processes, stores, or transmits Federal contract information.
"Federal contract information" means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as that necessary to process payments.
"Information" means any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual (Committee on National Security Systems Instruction (CNSSI) 4009).
"Information system" means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information (44 U.S.C. 3502).
“Safeguarding” means measures or controls that are prescribed to protect information systems. 4.1902 – Applicability This subpart applies to all acquisitions, including acquisitions of commercial items other than commercially available off-the-shelf items, when a contractor's information system may contain Federal contract information.
FAR 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems
The definitions are the same as in FAR 4.1901. The clause identifies 15 security requirements for safeguarding that are listed in the clause; they mirror NIST SP 800-171:
(i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
(ii) Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
(iii) Verify and control/limit connections to and use of external information systems.
(iv) Control information posted or processed on publicly accessible information systems.
(v) Identify information system users, processes acting on behalf of users, or devices.
(vi) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
(vii) Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
(viii) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
(ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
(x) Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
(xi) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
(xii) Identify, report, and correct information and information system flaws in a timely manner.
(xiii) Provide protection from malicious code at appropriate locations within organizational information systems.
(xiv) Update malicious code protection mechanisms when new releases are available.
(xv) Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
52.204-21(b)(2) Other requirements. This clause does not relieve the Contractor of any other specific safeguarding requirements specified by Federal agencies and departments relating to covered contractor information systems generally or other Federal safeguarding requirements for controlled unclassified information (CUI) as established by Executive Order 13556. Note that there is no requirement to report a cyber incident.
So when can you expect to see a FAR clause that implements the NARA CUI Program? Soon. However, the FAR case has been promised to be "soon" for over 2 years, and its current status (as of 3/29/19) is: "02/27/2019 DAR staff notified FAR staff that DARC agreed to draft proposed FAR rule. Awaiting CAAC concurrence." There is no current FAR case for implementing any other cybersecurity requirement.
This concludes the FAR Presentation. I will discuss the DFARS Clauses, FISMA and CUI in the next presentation.
THANK YOU! JSchaus & Assoc. Washington DC hello@JenniferSchaus.com www.JenniferSchaus.com +1–202–365–0598 Speaker: Johana Reed Email: Jreed@mwllegal.com Phone: 703 483-2818