Corporate Cyber Program
Download as PPTX, PDF0 likes41 views
The document outlines the third session of a six-part webinar series focused on cybersecurity for defense contractors, led by Max Aulakh, CEO of Corporate Cyber Program. It covers corporate program setup, including compliance, risk assessment, and security plans, emphasizing the importance of aligning cybersecurity with business needs and governmental requirements. Key topics discussed include the Supplier Performance Risk System (SPRS), security controls based on NIST standards, and the significance of comprehensive security planning and documentation.
Corporate Cyber Program
- 1. WEBINAR SERIES. Part 3 7 April 2021 10:30 AM EST Hosted by CATALYST CONNECTION Max Aulakh Founder & CEO CORPORATE CYBER PROGRAM
- 2. Who’s driving this webinar? Max Aulakh Founder & CEO About our Speaker C-SUITE DEFENSE & ASSURANCE LEADER S P E C I A L G U E S T As a Data Security and Compliance Leader, he delivers DoD-tested security strategies and compliance that safeguard mission-critical IT operations. Having trained and excelled in The United States Air Force, he maintained and tested the InfoSec and ComSec functions of network hardware, software, and IT infrastructure for global networks — both classified and unclassified. He drove the Information Assurance (IA) programs for the U.S. Department of Defense (DoD). Facilitated by Connie Palucka Vice President, Consulting at Catalyst Connection Connie joined Catalyst Connection in 2005 and brings over 25 years of global sales, business development, and product development experience to her role as the Managing Director of Regional Initiatives. She leads a team that secures and executes grants initiatives to support manufacturers and build the region’s vibrancy. She also works with regional academic institutions, economic development organizations and regional manufacturers to build new capabilities and help make Southwestern Pennsylvania a model for the nation.
- 3. • Webinar 1: Laying the Foundation – The Need for Cybersecurity in U.S. Manufacturing • Webinar 2: DFARS & CMMC Overview • Webinar 3: Corporate Program Setup • Webinar 4: Real Company Examples • Webinar 5: CMMC Breakdown • Session 6: Risk Mitigation 6-Part Webinar Series: CYBER RESILIENCY FOR DEFENSE CONTRACTORS
- 4. Business Case for Cybersecurity Cybersecurity specific DFAR Rules, CMMC Basic Levels Controlled Unclassified Information (CUI), Data Classification and Information Protection Scheme What we covered so far 1 2 3
- 5. Session 3: Corporate Program Setup 1. Setting up your compliance program at the corporate level. 2. Conducting Rapid - Low Fidelity Assessment for generating SPRS Scores. 3.Developing a completed SSP (System Security Plan). 4.How and why to create a POA&M (Plan of Actions & Milestones).
- 7. Corporate Security Program Development Driving to a Common Understanding Business Language: Existing Business Model Knowledge Gap: Software & Technology Alignment Common Understanding of Business Model Common Understanding of Technology Common Understanding of Risks & Rewards of Technology Technology Risk Partners Language: Servers, IP Addresses, Routers (Technology) Knowledge Gap: Customer’s Needs & Business Model
- 8. Corporate Security Program • Developing alignment starts with understanding of your business and external influences. ○ Primes and how they may behave • DFARs is part of the over all federal legislation scheme • Internal policies require alignment with total expectations of the business ○ Cyber Security requires early top management input • Start with a board resolution to setup a corporate security program. • Setup a basic governing committee on key decision and “grey” area decisions ○ Helps in developing consensus & direction.
- 10. Supplier Performance Risk System & Reports • Cyber Score Submission Required • Scores are based on NIST 800-171 Assessment • SPRS Data is used for Source Selection • Accessible By: o Government Personnel with Need to Know o Contractors (your own data only) • Not Releasable Under Freedom of Information Act (FOIA)
- 11. Product Data Reporting and Evaluation Program (PDREP) automated manual Air Force Contracting Database Information System (J018) - EDA - WAWF - MOCAS - USN/USMC - USAF - Army - DCMA - DLA - GIDEP - USAF - NAVAIR - USMC Aviation Joint Discrepancy Reporting System (JDRS) Contractor Performance Assessment Reporting System (CPARS) - PPIRS-RC - FAPIIS Other (ad hoc) - DLA Contract Data - Award, Delivery, Pricing Quality Data - PQDRs, GIDEP, MIRs, Bulletins, SDRs - Surveys, Lab Reports Material Data - NSNs, application and safety criticality Contract Data - Award, Delivery Quality Data - PQDRs DCMA Supplier Risk System (SRS) Supplier Risk Data - Corrective Action Requests (CARs) - Corrective Action Plans (CAPs) - Program Assessment Reports (PARs) Bureau of Labor Statistics Contract Data - Award, Delivery System for Award Mgt (SAM) DLA - eProcurement - EBS - eProcurement - EBS Price Risk Data - PPI (inflation) Company Data - CAGE codes - Exclusion/debarment - DUNS & MPIN Item Risk Data - DMSMS Supplier Risk Data - performance ratings, testimonials SPRS Supplier Performance Risk System Data Flow DLA
- 13. NIST Point System Methodology 110 NIST 800-171 Controls are weighted and are subtracted from the starting score of 110 A perfect score is 110 A negative score is possible ● Controls are worth 5 points, some 3, and some 1. ● There are 42 controls worth 5 points each, which include: ○ The 17 basic safeguards required of all Federal contractors’ IT systems, as outlined in the FAR Clause 52.204-21, and ○ Other controls that “would allow for exploitation of the network and its information.” ● There are 14 controls worth 3 points each, which if not implemented “have a specific and confined effect on the security of the network and its data” ● The remaining 54 controls are worth 1 point. ● Two of the controls, 3.5.3 (multi-factor authentication) and 3.13.11 (FIPS-validated cryptography), are worth either 5 or 3 points, depending on the level on non-compliance ● If the organization does not have an SSP, no score is possible - negative 110. A score can be generated without an SSP but 110 points are deducted from the start.
- 15. SPRS Scores & Domains
- 16. SSP Development & POA&Ms
- 17. System Security Plan Formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements. info@Ignyteplatform.com for template requests
- 18. System Security Plan Components Plan or System Name Identifier CMMC Level (System Categorization) System Owner Other Contacts (IT Management, Audit Firm, etc..) Assignment of Security Responsibilities Information Type (CUI Data) General Description/System Purpose System Environment System Interconnections Laws, Regulations and Policies Impacting Systems Control Section Minimum Security Controls • Control Name, ID • Control Owner • Control Response • Current Status info@Ignyteplatform.com for template requests
- 19. Plan of Action & Milestones (POA&M) A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones. info@Ignyteplatform.com for template requests
- 20. Plan of Actions & Milestones Components POAM ID Related Control(s) Weakness Name Weakness Description Weakness Source Detection Asset Identification Point of Contact Resources Required Remediation Plan Scheduled Completion Date Planned Milestones Vendor Dependencies Current Status Risk Rating Comments info@Ignyteplatform.com for template requests
- 21. Summary • Corporate Security Program - Start with business leadership first • SPRS Assessment - Conduct a rapid assessment (low fidelity) update your scores often or during major changes • SSPs & POA&Ms - Two primary planning documents, formal documentation that is expected to be provided to auditors for purpose of certification.
- 22. Summary
- 23. Questions? Thank you! Point of Contact Connie Palucka Vice President, Consulting Max Aulakh, MBA, CISSP, PMP Founder & CEO Point of Contact info@ignyteplatform.com cpalucka@catalystconnection.org