The federal government will now require its private suppliers and many other "non-federal entities" to protect "Controlled Unclassified Information" (CUI). DoD has been the first mover.

Since 2013, the DoD has required defense contractors to protect "Controlled Technical Information" of military or space significance. A new, final DFARS rule, issued on Oct. 21, 2016, changes and expands the obligations of the defense industrial base to provide "adequate security" for "Covered Defense Information" (CDI) and to report promptly after cyber incidents. A "Basic Safeguarding" FAR rule now requires virtually all federal contractors to protect "Federal Contract Information" (FCI). Civilian agencies are working on a much more demanding "general FAR provision" that would mandate cyber safeguards and incident reporting for all categories and subcategories of CUI.

This webinar will examine the reasons for the federal initiative, review the methods chosen, and inform defense and civilian contractors on what they must do to protect both CUI and CDI. You will better understand what must be protected, which safeguards to apply, how to assess and improve your existing security, and when reporting obligations arise. This webinar will help you map the new requirements and navigate to compliance.

Course Content:
  • Threats and Vulnerabilities: Why DoD and Federal Civilian Agencies Are Acting
  • “Roles and Missions” Among Federal Agencies; How Policy Translates to Contract Requirements
  • NARA’s Final Rule, “Controlled Unclassified Information”
  • NIST’s SP 800-171: Safeguarding CUI in “Nonfederal” Information Systems
  • DoD’s “Network Penetration and Reporting” DFARS
  • The FAR “Basic Safeguarding” Rule and “Federal Contract Information”
  • Special Agency Initiatives
  • Strategies and Methods to Meet Cyber Safeguarding Requirements
  • Expected Oversight and Enforcement
  • Handling Cyber Incidents 
  • Key Measures for Compliance
  • Role of Counsel and Specialists

What Explains the Federal Cybersecurity Initiative?
o Federal Information Security Modernization Act (FISMA)
o Executive Order 13556
o DoD’s Experience with Industrial Espionage
How Federal Agencies Assess Cyber Risk
o NIST: FIPS 199 and FIPS 200
o DoD: Threat x Vulnerability x Consequences
Use of “Acquisition Methods” to improve contractor cybersecurity
o OMB Acquisition Guidance
o NARA’s role in designating CUI 
o The Federal policy to safeguard CUI
o Agency Regulations, Solicitation and Contract Requirements
NARA’s Final Rule, “Controlled Unclassified Information”
o Purpose of the Rule
o Categories and Subcategories of CUI
o The “Registry” Maintained by NARA
o Relevance of “Laws, Regulations and Governmentwide Policies” 
o “Basic” vs. “Derived” Safeguards
o Reconciliation Among Multiple CUI Types
o Extension of Obligations to “Non-Federal Entities”
o Obligations Imposed by “Contract or Other Agreements” 
NIST’s SP 800-171
o For “Nonfederal Information Systems and Organizations”
o Commonalities with FIPS 199 and FIPS 200
o Key Assumptions
  - “Moderate Impact”
  - Existing commercial systems
  - Suitability of non-federal controls
o Emphasis on “Confidentiality” (vs. “Integrity” or “Availability”)
o Performance or Goal-Oriented Strategy
o Maps to SP 800-53 and ISO
o Overview of 14 “families” of Safeguards
o Key compliance challenges, e.g., Multi-Factor Authentication
o System Security Plan and Plan of Action and Milestones
DoD’s “Network Penetration Reporting and Contracting for Cloud Services” DFARS
o Relevant History – the “UCTI” Rule of Nov. 2013
o Interim Rule – 2015 (August, December)
o Key Changes in Oct. 2016 Final Rule
o Purpose and Policy of the Rule
o What is “Covered Defense Information”: CDI + CUI
o The “Compliance” Clause (-7008)
o The “Safeguarding” Clause (-7012)
o Contracting for Cloud Services
o Gap Analysis, Where “Inapplicable,” “Equally Effective” Alternatives
o Purpose and Significance of DoD-specific Reporting 
o Reporting Obligations
o DoD’s PGI and FAQs
o Issues of Interpretation and Application
o Government Oversight, Administration and Enforcement
o Cloud Services: what is “Equivalent” to FedRAMP Moderate?
o Flowdown: Is the Prime Responsible for Cybersecurity of its Subs?
The FAR “Basic Safeguarding” Rule
o Relevant History 
o Purpose and Policy of the Rule
o To Whom is the FAR Applicable?
o What is “Federal Contract Information”
o What is Protected (Information Systems, not Information Types)
o How is Protection Achieved – 15 Controls
o Industry Response
o Issues in Application, Administration and Compliance
Special Initiatives 
o Status of the “General FAR” to Implement SP 800-171 for all CUI
o GSA’s Business Due Diligence Rule
o DHS “Special Deviation” and HSAR Provisions
o “High Impact” CUI/CDI and Special Protection Measures
o Cyber Requirements for “Federal Information Systems”
Strategies and Methods to Meet Cyber Safeguarding Requirements
o Objectives and Process for Assessment
o Identification of Protected Information & Logical/Physical Domains
o Reconciliation of Multiple Standards, Methods & Obligations
o Methods to Review and Assess Baseline Controls
o What is Within Contractor Authority and What Requires “Adjudication”
o Special Issues for Export-Controlled Information
o System Security Plans (SSPs) and Plans of Action and Milestones (POAMs)
o Issues Raised by the Cloud: “Security as a Service” 
o Special Measures: Identity and Access Management (IAM) and Digital Rights Management (DRM)
o Monitoring and Periodic Third-Party Assessments
o Means to Provide “Adequate Security” in a “Dynamic Environment”
Expected Oversight and Enforcement
o Self-Direction and Self-Attestation
o Role of DoD CIO
o Role of Requiring Activities and Contracting Officers
o Event-Driven Review
o Areas of Potential Enforcement Exposure
o “Worst Case” Exposure Scenarios (False Claims Act, FCA)
Handling Cyber Incidents
o Multiple Sources of Obligation
o DFARS and Agency-Specific
o Requirements Specific to Information Types (e.g., PII, PCI, HIPAA)
o “Privacy Act” Considerations
o Sectoral Regulations
o Applicable “Incident” Definitions 
o Required Reporting Actions: Timing and Method
o Collateral Measures Required by Regulations
o Incident Scenarios: Practical Problems & Compliance Challenges
Key Measures for Compliance
Role of Counsel and Specialists