Understanding the New DoD Contractor Cybersecurity ...

© 2020 Cyber Collaboration Center. All rights reserved. Understanding the New DoD Contractor Cybersecurity Assessment Methodology

Transcript of Understanding the New DoD Contractor Cybersecurity ...

Page 1: Understanding the New DoD Contractor Cybersecurity ...


Understanding the New DoD Contractor Cybersecurity Assessment Methodology

Page 2: Understanding the New DoD Contractor Cybersecurity ...


Copyright Notice This presentation is protected by U.S. and International copyright laws. Reproduction and distribution of the presentation without written permission of the sponsor is prohibited. Webinar Copyright 2020 Cyber Collaboration Center and the partnering organizations for this presentation. All images copyright of their respective holders, used for educational purposes only.

Page 3: Understanding the New DoD Contractor Cybersecurity ...


Welcome & Introduction DFARS 7012 Awareness Campaign

Page 4: Understanding the New DoD Contractor Cybersecurity ...


DFARS 7012 Webinar Series

•  #1 – July 13, 2017: Cybersecurity Requirements Update for Contracts Managers

•  #2 – August 2, 2017: Prime Contractor Responsibilities for Safeguarding Controlled Unclassified Information (CUI)

•  #3 – August 23, 2017: Protecting Covered Defense Information (CDI) in the Cloud

•  #4 – September 13, 2017: Strategies to Minimize Business Impacts of DFARS 7012

•  #5 – July 18, 2018 Primer: Performing Streamlined NIST 800-171A Assessments

•  #6 – September 5, 2018: How Changes in DFARS Cybersecurity Enforcement Can Impact Your DoD Business

•  #7 – November 14, 2018: DFARS 7012 Cyber Incident Response Liabilities and Strategies

•  #8 – February 6, 2019: Cybersecurity Trends for 2019 and their Impact on DoD Contracting

•  #9 – April 17, 2019: Update on DoD Enforcement of DFARS 7012 Cybersecurity Compliance

•  #10 – July 17, 2019: Upcoming DFARS Cybersecurity Audits and 3rd Party Certifications: DCMA CPSR / NIST 800-171B / CMMC

•  #11 – October 23, 2019: Cybersecurity Maturity Model Certification (CMMC) Update Featuring Katie Arrington, CISO OUSD A&S

•  #12 – January 22, 2020: Understanding the New DoD Contractor Cybersecurity Assessment Methodology (Featuring John Ellis, DCMA)

Page 5: Understanding the New DoD Contractor Cybersecurity ...


Reminders

•  Please fill out Exit Surveys

•  Request copies of slides or link to video recording

•  If Survey doesn’t automatically open due to browser blocking pop-up windows, please email us

•  Next webinar with Cyber Collaboration Center: Overcoming Hurdles to DFARS 7012 Compliance

•  Date/Time in March TBA

•  CCC will send notifications when registration is open

Page 6: Understanding the New DoD Contractor Cybersecurity ...


Presenters

•  John A. Ellis, Director, DCMA Software Division

•  Larry Lieberman, Cyber Evangelist, eResilience

Page 7: Understanding the New DoD Contractor Cybersecurity ...


Webinar Agenda

•  Introduction

•  Everything You Ever Wanted to Know About DCMA Cyber Assessments But Were Afraid to Ask

•  DoD Assessment Methodology Application and Best Practices for Contractors and Their Supply Chains

•  Q&A

Page 8: Understanding the New DoD Contractor Cybersecurity ...

© 2020 eResilience, A Division of Referentia Systems Incorporated. All rights reserved.

Advanced DoD Cybersecurity Solutions (over 15 years)

NSA Trusted Integrator

Certified Cyber Risk and Solutions Experts

Page 9: Understanding the New DoD Contractor Cybersecurity ...


eResilience Outreach Efforts

•  Educational Content Partner for CCC and other Webinars

•  Next Webinar will be about Overcoming Hurdles to DFARS 7012 Compliance

•  Expected broadcast date TBD Mid-March 2020

•  Partnerships with Government and Industry

•  Thought Leadership in DFARS / NIST cybersecurity

•  Today’s role is to facilitate, review, and to moderate Q&A

•  Pleased to introduce John A. Ellis, DCMA

Page 10: Understanding the New DoD Contractor Cybersecurity ...

One team, one voice delivering global acquisition insight.

Presented By:

Everything you ever wanted to know about DCMA cyber assessments, but were afraid to ask

Mr. John A. Ellis, DCMA Technical Directorate

22 January 2020

Page 11: Understanding the New DoD Contractor Cybersecurity ...

Topics

•  Defense Industry Base Cybersecurity Assessment Center (DIBCAC) overview

•  CMMC and relationship to DIBCAC assessments

•  Questions

Page 12: Understanding the New DoD Contractor Cybersecurity ...

Defense Industrial Base Cybersecurity Assessment Center

Mission: Support the warfighter by assessing the Defense Industrial Base compliance in the protection of DoD Controlled Unclassified Information, ensuring contractors implement appropriate cybersecurity requirements, in support of acquisition decision making.

Vision: Security-focused, highly trained cybersecurity professionals providing comprehensive and repeatable assessments for risk-based decision making.

Security through compliance (Securitas in obsequio)

Page 13: Understanding the New DoD Contractor Cybersecurity ...

This All Started back before 2013

[Infographic timeline; axis labels: 6 Jun 2016; Q3FY16 - Q1FY17; Q2FY1; Q1FY18 - Present; End of Q2FY17 - Q3FY17; End of Q3FY17 - Q4FY17]

•  DFARS Clause 252.204-7012, 18 NOV 2013: CUI protected using NIST 800-53 controls

•  Final Drafts of NIST 800-171 out to Industry. Published June 2015

•  DEC 2015 - Must be compliant in providing adequate security ASAP but NLT 31 DEC 2017

•  DEC 31 2015 Mandated Compliance Deadline

•  OSD working with DIB and NIST determined that Availability and Integrity was DoD centric and Non-Federal Systems need to concentrate on Confidentiality

•  FAR Clause 52.204-21, “Basic Safeguarding of Contractor Information Systems,” Final Rule, effective June 2016

•  32 CFR Part 236, “[DoD] Defense Industrial Base (DIB) Cyber Security (CS) Activities,” Updated final rule published October 4, 2016

•  Rev 1 NIST SP 800-171 Released DEC 2016

•  Final DFARS 7012 Clause updates and clarification

•  Establishes cybersecurity as a requirement for all DoD programs to be considered and implemented in all aspects of acquisition programs across the lifecycle. Change 2 to DoDI 5000.02, Enclosure 14 issued Feb 2, 2017

•  2019 Ms Lord Memos released

•  DIBCAC Started to Stand Up

•  DIBCAC GO

•  DIBCAC Pilot

Page 14: Understanding the New DoD Contractor Cybersecurity ...

DFAR Clause Changes over Time

Page 15: Understanding the New DoD Contractor Cybersecurity ...

OSD(AS) Memo, dated 2019-01-21

Page 16: Understanding the New DoD Contractor Cybersecurity ...

OSD(AS) Memo, dated 2019-02-05

Page 17: Understanding the New DoD Contractor Cybersecurity ...

OSD(AS) Memo, dated 2019-05-20

Page 18: Understanding the New DoD Contractor Cybersecurity ...

What DCMA Is Tasked to Do

•  Establish the tools, databases, processes, and requirements that will apply to all

•  Partner with other Services/Agencies to implement the same assessment mechanisms to assess the contractors and contracts that they administer

•  Ensure the Contractor is compliant (at time of award) with NIST 800-171 requirements in the -7012 clause

•  Develop the proposed path using its administration authority under FAR Part 42 & 43 and DFARS 242.302 to modify contracts that are administered by DCMA to achieve a set of business strategies to obtain and assess contractor SSPs by leveraging its review of a contractor's purchasing system in accordance with DFARS Clause 252.244-7001, Contractor Purchasing System Administration

Page 19: Understanding the New DoD Contractor Cybersecurity ...

Assessment Objective, Approach, Methodology

•  Assessment Objective: The objective is to objectively evaluate adherence to and the level of compliance with the requirements of DFARS Clause 252.204-7012.

•  Assessment Approach: Assessments are a High Confidence Level Assessment as defined in the DoD Office of Secretary of Defense (OSD)-developed “NIST SP 800-171 DoD Assessment Methodology, Version 1.0, dated November 7, 2019.”

•  Assessment Methodology: The DIBCAC uses NIST SP 800-171A, “Assessing Security Requirements for Controlled Unclassified Information” as the basis of the assessment with the scoring criteria defined in the “NIST SP 800-171 DoD Assessment Methodology, Version 1.0, dated November 7, 2019.”

Page 20: Understanding the New DoD Contractor Cybersecurity ...

DCMA Cybersecurity Assessment Rhythm

[Infographic timeline]

Pre-Assessment Phase

•  Ninety day planning of tentative schedule

•  Thirty days advance notification of DCMA Cybersecurity Assessment to the DIB site

•  Twenty to Twenty-five days advance pre-coordination meeting with the DIB site

•  Sixty days out group notification of preliminary schedule

•  Forty-five days out schedule locked in

•  Ensure Team Members have any leave scheduled submitted

Assessment Phase

•  Monday afternoon In-brief

•  Tuesday - Thursday: Assess, Interview, Examine, Test; Documentation reviews; Daily Hot Washes

•  Friday morning Out-brief

•  Preliminary Report

Post Assessment Phase

•  Thirty days post Out-brief, the final report is provided to the DIB site through the C/D/ACO: Administrative Contracting Officer (ACO), Corporate Administrative Contracting Officer (CACO), Divisional Administrative Contracting Officer (DACO), collectively CACO/DACO/ACO (C/D/ACO)

Page 21: Understanding the New DoD Contractor Cybersecurity ...

CMMC and DIBCAC

•  The Cybersecurity Maturity Model Certification (CMMC) and DIBCAC 252.204-7012 assessments are complementary efforts

•  CMMC assessments occur every three years, like a license to operate that is renewed occasionally

•  252.204-7012 assessments are about compliance with DoD requirements

•  Companies pay for CMMC, but not for 252.204-7012 assessments

•  DCMA Assessments will continue for DoD prioritized companies after CMMC is implemented

Page 22: Understanding the New DoD Contractor Cybersecurity ...

Wrap up

•  Companies have been working well with the DIBCAC; each assessment has been a learning experience for both sides

•  The other Services and Agencies are using the same assessment methodology for application under their cognizance

•  DCMA is not alone in the conduct of assessments (Services and Agencies participate) and has been training folks from across DoD

•  DCMA works closely with the DCSA to address current and future requirements

•  Questions?

Page 23: Understanding the New DoD Contractor Cybersecurity ...


Recap of DoD Assessment Methodology v1.0 and Contractor Best Practices

Page 24: Understanding the New DoD Contractor Cybersecurity ...


Key Document: NIST 800-171A

•  Government standard for assessing compliance with each security requirement of NIST SP 800-171

•  Released in June 2018

•  Explains what evidence should be gathered for review by assessors

•  320 objective tests to confirm compliance with each of the 110 security requirements

•  This should serve as the basis for your 171 implementation and be used to prepare mandatory Security Control Assessments

•  Will be used by CMMC / DCMA / DoD assessors to validate 800-171 compliance

Page 25: Understanding the New DoD Contractor Cybersecurity ...


DoD Assessment Methodology Scoring System

Page 26: Understanding the New DoD Contractor Cybersecurity ...


DoD Assessment Methodology Scores

•  Be prepared to share your SSP with DoD

•  Score of 110 = Full implementation of ALL 110 NIST 800-171 Security Requirements

•  Subtractive & Weighted scoring: between 1 and 5 points off for every unimplemented requirement.

•  You could be 80% done, and still score ZERO (or even have a negative score)

•  Be prepared to apply DoD’s methodology to your supply chain

•  Suppliers should be scored on the same scale, and be ready to share their SSPs and/or undergo 171-A evidence-based validation when requested

•  Everything done now to prepare for DoD score is relevant to CMMC
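To make the subtractive, weighted scoring concrete, here is an added Python example (not from the slides, DoD or DCMA) that scores a constructed 110-item catalogue and shows why 80% implemented can still score zero or below. The weight counts (40 five-point, 14 three-point, 56 one-point items) and the "R001".."R110" ids are assumptions for illustration, not the methodology's published table.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable

MAX_SCORE = 110  # full implementation of all 110 NIST SP 800-171 requirements


@dataclass(frozen=True)
class Requirement:
    rid: str     # constructed id "R001".."R110", not real 800-171 numbering
    weight: int  # points lost when the requirement is unimplemented (1, 3 or 5)


def constructed_catalogue() -> list[Requirement]:
    """Constructed 110-item catalogue: 40 five-point, 14 three-point and
    56 one-point requirements. The counts are an assumption for illustration,
    not the methodology's published weight table."""
    weights = [5] * 40 + [3] * 14 + [1] * 56
    assert len(weights) == MAX_SCORE
    return [Requirement(f"R{i + 1:03d}", w) for i, w in enumerate(weights)]


def dod_score(catalogue: Iterable[Requirement], implemented: set[str]) -> int:
    """Subtractive, weighted score: start at 110 and subtract the weight of
    every requirement not in `implemented`. The result can be zero or negative."""
    return MAX_SCORE - sum(r.weight for r in catalogue if r.rid not in implemented)


def percent_implemented(catalogue: Iterable[Requirement], implemented: set[str]) -> float:
    cat = list(catalogue)
    return 100.0 * sum(1 for r in cat if r.rid in implemented) / len(cat)


def score_range_for_gap(catalogue: list[Requirement], missing: int) -> tuple[int, int]:
    """(worst, best) score when exactly `missing` requirements are unimplemented:
    the worst case leaves the heaviest items open, the best case the lightest."""
    by_weight = sorted(catalogue, key=lambda r: r.weight)
    all_ids = {r.rid for r in catalogue}
    heaviest = {r.rid for r in by_weight[len(by_weight) - missing:]}
    lightest = {r.rid for r in by_weight[:missing]}
    return dod_score(catalogue, all_ids - heaviest), dod_score(catalogue, all_ids - lightest)


if __name__ == "__main__":
    cat = constructed_catalogue()
    for missing in (0, 22, 23, 55):
        worst, best = score_range_for_gap(cat, missing)
        done = 100.0 * (MAX_SCORE - missing) / MAX_SCORE
        print(f"{done:5.1f}% implemented -> score between {worst} and {best}")
```

With 22 of 110 requirements open (80% done) the score ranges from 88 down to exactly 0, and one more open five-point item takes it negative, which is the point the slide makes about counting requirements versus counting points.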

Page 27: Understanding the New DoD Contractor Cybersecurity ...


“Basic” Self-Attestation

Page 28: Understanding the New DoD Contractor Cybersecurity ...


So You’ve Got Your Score: Now What?

Submit self-assessment results via encrypted email to: [email protected]

Page 29: Understanding the New DoD Contractor Cybersecurity ...


DoD Assessment Methodology & CMMC

DoD Assessment Methodology & Scores: Starting NOW and relevant to all contracts with CUI. Keep your Basic, Med and High confidence scores aligned.

CMMC: Starting Sept 2020 and will be rolled out incrementally, eventually to ALL contracts with or without CUI.

171 “A” Alignment is Key

For Alignment Today, Target 171A!

Page 30: Understanding the New DoD Contractor Cybersecurity ...


Best Practices – For Companies

•  This is a DoD-wide methodology and best practice for Primes, so be prepared with a consistent and aligned score with NIST SP 800-171A to support all levels of confidence

•  Prepare Basic Assessment aligned with NIST SP 800-171A, so everything needed to obtain Medium and High confidence DoD Assessments and CMMC Level 1-3 will be aligned

•  Submit “Basic Assessment” (total score & estimated completion date) for listing in DoD database

•  Plan your final POAM date with your targeted CMMC certification

•  Execute your POAM

•  Be ready to share SSP and POAM (DoD Medium confidence, NMCARS Annex 16, Prime requests, etc.)

•  Be ready to support DoD on-site 171A evidence-based assessment, CMMC, 3rd party 171A review, etc.

Keep in mind – it is NOT WASTED EFFORT: All of this is relevant to obtaining CMMC Level 1-3

Page 31: Understanding the New DoD Contractor Cybersecurity ...


REMINDER: Sharing CUI/CDI/ITAR to Suppliers (without knowing their compliance) is Very High Risk

•  Government policies state that Primes are responsible

•  FAQ 2 April 2018: “…prime is responsible for the safeguarding of covered defense information throughout its entire supply chain.”

•  Procurement Guidance 6 Nov 2018: “Demonstrate to the government the Contractor’s ability to ensure that their tier 1 level suppliers safeguard covered defense information in accordance with, at a minimum, DFARS Clause 252.204-7012.”

•  DCMA Contractor Purchasing System Review (CPSR) Guidebook 14 June 2019: “The prime contractor must validate that the subcontractor has a Covered Contractor Information System (CCIS) that can receive and protect CUI. The prime contractor must show documentation that they have determined that the subcontractor has an acceptable CCIS to include an adequate System Security Plan (SSP).”

•  Cybersecurity Maturity Model Certification (CMMC) DoD RFIs June 2020: Supply chain must have mandatory certification by 3rd Parties

•  False Claims Act exposure and liabilities

•  The DoD is hemorrhaging critical data. We all need to help stop it!

Page 32: Understanding the New DoD Contractor Cybersecurity ...


Best Practices - Primes with Supply Chains

•  Primes are responsible for ensuring their suppliers can adequately safeguard CUI before providing CUI to them

•  For Primes with Supply Chains – utilize same DoD Assessment Methodology

•  Basic Confidence – collect scores from suppliers

•  Depending on risks – increase level of confidence

•  POAM should target CMMC certification

•  CMMC – certifications (equivalent to DoD High confidence) required for award

•  Plan and track supply chain compliance early to ensure supply chain compliance for RFPs

•  Primes should recommend Suppliers follow Best Practices for Companies

•  Be ready for Government and/or Prime requests for information, assessments or audits

Following DoD Assessment Methodology for your supply chain is an effective best practice! Be prepared for DCMA CPSR, manage your supply chain cyber compliance risk, and have a good starting point to prepare for CMMC supply chain compliance (suppliers must be certified)

Page 33: Understanding the New DoD Contractor Cybersecurity ...


Summary and Conclusion

•  DCMA DIBCAC, DoD CIO, CMMC and other stakeholders are aligned

•  Prime contractors should submit “Basic” self-assessment for entry into DoD contractor database

•  Primes can request the same “Basic” self-assessment from their subs, to help manage cyber risk

•  Assessment Methodology & Scoring System are being implemented DoD-wide, not just for DCMA

•  Procurement community will turn to DoD contractor database for up-to-date status information

•  DoD assessments will start before CMMC is implemented and continue after CMMC is implemented

•  Aggregated compliance score and expected date of 100% compliance will become competitive discriminators – make sure execs understand!

•  The best way to be ready for DFARS 7012, the DoD Assessment Methodology, and CMMC Level 3 is to implement all 110 requirements of NIST 800-171 using 171A as guidance

•  The best way to be ready for ensuring supply chain cyber compliance for DCMA CPSR, Government reviews, etc. is to apply the DoD Assessment Methodology (DAM) to your supply chain cyber compliance risk management

Page 34: Understanding the New DoD Contractor Cybersecurity ...


Questions & Answers

Page 35: Understanding the New DoD Contractor Cybersecurity ...


Reminders & Contact

•  Thanks for attending!

•  Please fill out exit survey to request slides

•  Next Webinar will be focused on Overcoming Hurdles to DFARS 7012 Compliance

eResilience: Larry Lieberman, Office: 808-840-8580, [email protected]

John A. Ellis, [email protected]