nist 800-171 simplifying cui and dfars compliance
TRANSCRIPT
EmeSec Incorporated ©2017
Maria Horton, CISSP-ISSMP
GTSC Capacity Building Day
Countdown to Compliance: CUI & DFARS
August 17, 2017
We help our clients protect their mission, reputation and their growth engine by harnessing the power of security and compliance within their organization
• We are a Security Solutions Company
• Cloud Security and Engineering
• Regulatory Compliance Services
• A FedRAMP accredited 3PAO
• Hold 4 ISO certifications:
• ISO 9001:2015,
• ISO/IEC 20000-1:2011,
• ISO/IEC 27001:2013,
• ISO/IEC 17020:2012
EmeSec
• CUI and DFARS 7012 compliance is mandated
• Either December 2017, or within 30 days of contract award
• CUI and DFARS applies to all contractors
• Prime and their subcontractors
• Flow down requirements include 1099 staff as well
• High tech and low tech companies
CUI – Wow!
135 Days & counting …
• NARA Registry http://www.archives.gov/cui/registry/category-list.html
• Federal Acquisition Requirements (FAR) 52.204-21
• Defense Federal Acquisition Regulations Supplement (DFARS) 252.204-7012
• Two key requirements
• (1) Adequate Security
• (2) Incident Reporting
• NIST SP 800-171, Rev. 1
• Published December 2016
• Made SSP a requirement for compliance
Oversight & Enforcement
• Controlled Unclassified Information (CUI)
• Unclassified information that requires safeguarding or dissemination controls
• Covered Defense Information (CDI)
• Unclassified controlled technical information (CTI) or other information that requires safeguarding or dissemination controls
• Covered Contractor System
• An information system owned or operated by a contractor that processes, stores, or transmits Federal contract information
Definitions
What is CUI?
CUI and DFARS Information Supply Chain Protection
• CUI requires compliance with 14 security control families
• More complex than presented
• NIST SP 800-171, Page v states:
• Satisfying these requirements should not be assumed to meet NIST SP 800-53 and FIPS 200
Elements of CUI Compliance
Acronym Security Control Family
AC Access Control
AT Awareness & Training
AU Audit & Accountability
CM Configuration Management
IA Identification & Authentication
IR Incident Response
MA Maintenance
MP Media Protection
PE Physical & Environmental
PS Personnel Security
RA Risk Assessment
SA Security Assessment
SC System & Communication Protection
SI System & Information Integrity
• Why?
• Today, every business is a digital business
• Every business has third party and supply chain connections
• Due diligence is taking the effort to avoid harm or loss through reasonable care
Liability almost always comes from not demonstrating due diligence
Compliance, Due Diligence, Liability
The implications of non-compliance risks and liabilities to your company
1. CUI is more than Cyber
2. CUI is about a comprehensive InfoSec
3. CUI isn’t isolated – protect all of your data flow
4. Leadership and accountability is critical to CUI
1. Not accounting for non-cyber
2. Using a Checklist Mentality
3. Light Manufacturing Issues
4. Decision makers not in the process
Common Mistakes
CUI and DFARS Compliance
• Maria Horton, CEO
• Phone: 703.429.4492/4491
• Email: [email protected]
• @EmeSec
• @mariahorton
Thank you for your time!
We would love to hear from you.
Contact us for a free CUI primer and Tips Handout!
Remember, there is still time to meet the deadline!