
201117-NERDIC-Cybersecurity-Awareness-Webinar-Maine-MEP-final


Maine MEP and Maine PTAC present:
CYBERSECURITY RESILIENCY FOR DEFENSE CONTRACTORS
Presented by the New England Regional Defense Industry Collaboration and the New England MEP National Network Centers
Image used under license from Shutterstock.com
Fall 2020 - One Hour Webinar

Agenda:
• Speaker Intros/Objectives 10:00 to 10:10
• Cybersecurity Overview 10:10 to 10:20
• FARS / DFARS requirements 10:20 to 10:25
• CMMC Requirements/Certification 10:25 to 10:30
• Small Business focus 10:30 to 10:35
• NIST 800-171 Guidelines 10:35 to 10:40
• Summary/Q&A (use the CHAT function) 10:40 to 11:00

Today's Panel:
• Defendify: Shanna Utgard, Success Manager, sutgard@defendify.io
• Maine PTAC: Ken Bloch, Director / APTAC NE Regional Director, kbloch@emdc.org
• Maine MEP: Bob Doiron, Senior Project Manager, bobd@mainemep.org

Today's Objective:
• Share information
• Identify where to go for updates
• Introduce cybersecurity resources in Maine
• Discuss timelines
• Provide links to guidance documents
• Introduce cybersecurity terminology
• Introduce steps to take

Why are we all here?
• Threat Landscape
  • Threats are constantly adapting
  • Coordinated attacks on DOD information
  • At sub-tier levels, not the primes!
  • Phishing / Ransomware / Data loss
  • Personal information compromised
  • US enemies
  • Hackers

Why are we all here?
• Cyber Resiliency
  • "The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that include cyber resources" (NIST SP 800-160 volume, definition of "Cyber Resiliency")
  • Assess, manage, and remediate risks
  • Prepare the organization to manage its security and privacy risks:
    • Understand types of risk
    • Understand risk effects
    • Identify information at risk
    • Develop policies / procedures / plans to reduce that risk

Cybersecurity Overview
Please welcome Shanna from Defendify.

FARS & DFARS
FARS & DFARS Post 9/11 History:
• Executive Order 13556 (2010): Controlled Unclassified Information
• 32 CFR 2002 (2016): Controlled Unclassified Information
• 48 CFR 52.204-21 (2016): Basic Safeguarding of Covered Contractor Information Systems
• 48 CFR § 252.204-7008 (2016): Compliance with safeguarding covered defense information controls
• 48 CFR 252.204-7012 (2016): Safeguarding Covered Defense Information and Cyber Incident Reporting

Controlled Unclassified Information (CUI)
• CUI is unclassified information that requires safeguarding or dissemination controls
• EO 13556 mandated a standard method of handling it and placed the development under the National Archives and Records Administration (NARA)
• 32 CFR 2002 (2016) established the CUI program
• NARA CUI Registry categories include: Critical Infrastructure, Defense, Export Control, Financial, Immigration, Intelligence, International Agreements, Law Enforcement, Procurement/Acquisition, Nuclear, Patent, Privacy

NIST 800-171 - 14 Control Families
• PS (2) Personnel Security
• PP (6) Physical Protection
• RA (3) Risk Assessment
• SA (4) Security Assessment
• SC (16) System & Security Protection
• SI (7) System & Information Integrity

NIST 800-171 - Assessment
• Self-Assessment
  • CSET
  • NIST tool
• External Resource
  • Maine MEP
    • May be partially offset by DOD-OEA grant funds
  • Private Sector

NIST 800-171 - Document System
• Policies and Procedures (for example):
  • Access control
  • Unauthorized downloads
  • Password rules
  • External device connection
  • Internet use
• SSP - System Security Plan
  • How you meet the 110 controls
• Risk assessment / Incident response plan

NIST 800-171 - POAM
• Plan of Action and Milestones
  • What controls need remediation
  • Who is responsible
  • Planned date for completion
  • Periodic status update

Cybersecurity Resources
Cybersecurity Support Resources
• Maine PTAC
  • Training and contract assistance
  • CMMC trained counselor(s)
• Maine MEP
  • Awareness, training, and assessments
• Private cybersecurity / IT / MSP companies
  • Awareness, training, and assessments
  • Ongoing training / penetration testing
  • Cybersecurity consulting services

Cybersecurity Knowledge Resources - General
• US Govt:
  • NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
  • Cybersecurity & Infrastructure Security Agency: https://www.cisa.gov/
  • Cybersecurity Maturity Model Certification: https://www.acq.osd.mil/cmmc/
  • CUI Training: https://www.archives.gov/cui/training.html#cuiprogram-overview
• Cybersecurity & Infrastructure Security Agency (CISA) emails

Cybersecurity Knowledge Resources - Small Business & General
• Small Business Cybersecurity Corner: https://www.nist.gov/itl/smallbusinesscyber
• NISTIR 7621 (Small Business Information Security: The Fundamentals): https://csrc.nist.gov/publications/detail/nistir/7621/rev1/final
• NIST Computer Security Resource Center: https://csrc.nist.gov/ (NIST publications are found here)
• NIST MEP Cybersecurity self-assessment handbook: https://www.nist.gov/publications/nist-mep-cybersecurity-selfassessment-handbook-assessing-nist-sp-800-171-security

Cybersecurity Knowledge Resources - Glossary / Abbreviations / Guidance
• NIST 800-171 Rev
  • Appendix B has a glossary of common terms and definitions
  • Appendix C has a list of common abbreviations
  • Appendix D has a table that maps to NIST SP 800-53 and ISO/IEC 27001
• CMMC Model v1.02 appendices (Great Resource!!)
  • Appendix B: Process and Practice Descriptions and Clarifications
  • Appendix C: Glossary
  • Appendix D: Abbreviations and Acronyms
  • Appendix E: Mapping table (to 800-171 plus others)

Cybersecurity Knowledge Resources - DOD contractors and sub-contractors
• Companies working with DOD
  • Center for Development of Security Excellence: https://securityawareness.usalearning.gov/cybersecurity/index.htm
  • DOD supply chain education and training focus

Next Steps...
• Educate yourself using knowledge resources
  • Cybersecurity learning never ends!
• Contact:
  • Maine MEP
  • Maine PTAC
  • Private cybersecurity company

NERDIC Cybersecurity Assessment
• Must be a manufacturer in the DOD supply chain!
• Assessment deliverables:
  • Gap Analysis
  • Plan of Actions with Milestones
  • Assistance creating Policy & Procedure
  • Assistance creating System Security Plan
  • Assistance creating Incident Response Plan
• Sign up before January 2021
• Contact Maine MEP
  • Bob Doiron: bobd@mainemep.org

New England Regional Defense Industry Collaboration (NERDIC)
About the New England Regional Defense Industry Collaboration (NERDIC): NERDIC is a partnership of the state economic development organizations of Connecticut, Maine, Massachusetts, New Hampshire, Rhode Island, and Vermont, working to support Small and Medium-Sized Enterprises (SMEs) that provide parts, assemblies, to Tier One providers working with the U.S. Department of Defense. NERDIC has financial support from the Office of Economic Adjustment, U.S. Department of Defense. The content reflects the views of the New England Collaborative and does not necessarily reflect the views of the Office of Economic Adjustment, the U.S. Department of Defense, or the participating states.

Thank you for attending
• Planned Fall/Winter 2020/2021 cyber awareness events:
  • October 21 (Completed)
  • November 18
  • December 16
  • January 13, 2021

Posted: 25/10/2022, 04:12
