Escolar Documentos
Profissional Documentos
Cultura Documentos
Corporation Supplier
Cyber Regulatory
Awareness
2
Not Theoretical
In its publication, “Gazing into the Cyber “Target cyber breach hits 40
Security Future: 20 Predictions for 2015,” million payment cards at holiday
FireEye analysts predicted that cyber risks peak” - Reuters
through the supply chain would only
increase. Its advice to business:.. require
suppliers to show evidence of good security
controls…
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-
best-practices-in-cyber-supply-chain-risk-management.pdf
3
Potential Cyber Security Supply Chain Risks
4
Broad Mandatory Requirements at all Tiers
5
Regulatory Horizon
Anticipate additional
FAR release
7
DFARS Clause 252.204-7012 Safeguarding
CDI and Cyber Incident Reporting
8
DFARS Clause 252.204-7012 Safeguarding
CDI and Cyber Incident Reporting (cont’d)
9
DFARS Clause 252.204-7012 Safeguarding
CDI and Cyber Incident Reporting (cont’d)
10
Key Changes in October 2016 Final Rule
11
What is CDI?
• (1) Marked or otherwise identified in the contract, task order, or delivery order and
provided to the contractor by or on behalf of DoD in the performance of the contract; or
Note: Rules Focus on protecting systems with CDI not just the
specific information.
12
Protect CDI
NIST SP 800-171 Security Control Families
13
DFARS 252.204-7012 Safeguarding
CDI & Cyber Incident Reporting
• “Cyber incident” means actions taken through the use of computer networks that
result in a compromise or an actual or potentially adverse effect on a Covered Contractor
information system and/or the CDI residing on that system (this requirement is currently
in effect)
14
DFARS 252.204-7012 Flow-down to suppliers
15
What do you need to do?
Engage your Business
16
Primary Resources & Links
Copy these links to your browser.
• FAR:
http://farsite.hill.af.mil/reghtml/regs/far2afmcfars/fardfars/Far/52_000.htm#P8
91_130989
• DFARS:
http://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-
7012
• NIST SP 800-171:
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf
• DoD’s Defense Industrial Base (DIB) Cyber Incident Reporting (Register Now):
http://dibnet.dod.mil.
17
Additional Cyber Resources
18
Acronyms
19
20
Regulatory Reference Chart
Oct 21, 2016 DFARS Final Ruling, Clarification of CDI (CUI https://www.gpo.gov/fdsys/pkg/FR-2016-
Registry), COTS exemption, 10-21/pdf/2016-25317.pdf