Aeronautical Systems Proprietary Information
Supplier Cybersecurity
Getting Cybersecurity compliant as members of the Defense Industrial Base
Topics: Controls, Training, DFARS, CMMC, Flow of CUI/CDI
Roland Chapin
Strategic Supplier Manager, Cybersecurity Compliance
• Identify, define and support policies and processes that promote the protection of Controlled Unclassified Information (CUI) as it flows through our procurement organization and our supply chain
• Support our suppliers in their efforts to protect CUI and achieve supply chain cybersecurity compliance
Definitions
CUI: Controlled Unclassified Information. Unclassified information related to a government contract that must be protected.
CDI: Covered Defense Information (deprecated term).
FCI: Federal Contract Information. Administrative information related to the execution of a government contract (Purchase Orders, Contracts, Subcontracts…).
Definitions
FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems.
DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting.
NIST SP 800-171: National Institute of Standards and Technology Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
CMMC: Cybersecurity Maturity Model Certification.
Definitions
System Security Plan (SSP): The document created by an organization documenting compliance with the various NIST controls.
Plan of Action and Milestones (POAM): A documented plan to implement controls from NIST SP 800-171 that have not yet been implemented.
Artifacts: Documents or evidence that can be used in determining compliance. Examples include policies, procedures and logs.
Today’s Learning Objectives
• Expectations when working with General Atomics
• Common Problems
• What Constitutes Compliance
• The 110th Security Control
• Problems in achieving compliance
• Why is this important?
• How we can help
Cybersecurity Expectations
• Business Continuity Plan (BCP)
• Recovery Time Objective (RTO)
• Document Marking Policy (if applicable)
• FAR 52.204-21 Compliance
• DFARS 252.204-7012 Compliance
Business Continuity Plan
Does your Company have a Business Continuity Plan (BCP) in the event of a disaster?
Provide a summary of the plan.
Recovery Time Objective
If your Company Information System goes offline due to a non-recoverable cyber security attack (e.g. ransomware), what is your Recovery Time Objective (RTO)?
Recovery Time Objective: how quickly you expect to be able to restore operations.
Document Marking Obligations
If in your capacity as a subcontractor you are creating CUI in performance of a government contract, you have the responsibility to mark it appropriately to ensure its protection.
We can help if this situation applies to you.
Cybersecurity Framework
NIST SP 800-171: 110 security controls, required by DFARS 252.204-7012 (covers CUI).
FAR 52.204-21: 15 security controls, required by FAR (covers FCI).
FAR & DFARS: the list of controls does not determine compliance; the invoking clause determines compliance.
NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
14 Control Families
3.1 Access Control (AC)
3.2 Awareness and Training (AT)
3.3 Audit and Accountability (AU)
3.4 Configuration Management (CM)
3.5 Identification and Authentication (IA)
3.6 Incident Response (IR)
3.7 Maintenance (MT)
3.8 Media Protection (MP)
3.9 Personnel Security (PS)
3.10 Physical Protection (PE)
3.11 Risk Assessment (RA)
3.12 Security Assessment (CA)
3.13 System and Communications Protection (SC)
3.14 System and Information Integrity (SI)
NIST SP 800-171 structure (diagram): Control Families, Individual Controls, Control Types
Problem Areas for Organizations
1. Fail to properly mark CUI
2. System Security Plan is inadequate
• Failure to provide implementation details.
• Does not reference applicable artifacts.
• 110th Control – the most important control
Problem Areas for Organizations
3. Artifacts are not properly maintained or are inadequate
• Policies
• Procedures
• Technical Documentation
• Logs
Artifacts explain how you comply, demonstrate compliance, and are auditable.
Problem Areas for Organizations
4. Lack of understanding of what constitutes compliance
• Policies do not meet standards
• Technical controls are misunderstood
5. Failure to manage to the Plan of Action and Milestones
How Can We Help?
Training: We offer our suppliers access to online training sessions specifically designed to help them overcome challenges with meeting their compliance obligations.
Knowledge Sharing: Our subject matter experts are available to respond to direct inquiries and support suppliers in their challenges in achieving compliance.
Materials: Self-assessment and evaluation tools.
Publications: Stay up to date through our supplier-focused communications on regulatory updates. GA publishes a supplier newsletter and we keep up-to-date resources available on our supplier website.
Why is this Important? Examples of Impacts
Economic
• Financial Loss (regardless of who assumes the loss)
• Reduced Margins
• Penalties and Fines
• Cash Flow Disruptions
Logistic
• Schedule Impact
• Lack of Resources
Strategic
• Loss of First to Market Advantage
• Loss of Technological Dominance
• Increased Competition
• Loss of Reputation
Strategies for Achieving Compliance
1. Identify where CUI exists within your network.
2. Document within the System Security Plan template those controls that are currently in place.
3. Identify those areas of the System Security Plan that need to be fleshed out that are not directly related to the NIST SP 800-171 controls (e.g. network diagrams). Assign them for completion.
4. Separate remaining controls by area of responsibility: technical controls vs. administrative controls vs. physical controls.
5. Establish and document compliance plans in the POAM.
6. Once your POAM is complete, stick to your implementation plan.
7. Schedule regular check-ins with your buyer or subcontract administrator to evaluate your progress on your POAM.
Useful Resources
GA Supplier Cybersecurity Website: https://www.ga.com/procurement/general-atomics-cybersecurity
GA-ASI Supplier Cybersecurity Website: https://www.ga-asi.com/cybersecurity
CMMC Advisory Board: https://www.cmmcab.org/
DFARS 252.204-7012: https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012
FAR 52.204-21: https://www.acquisition.gov/content/52204-21-basic-safeguarding-covered-contractor-information-systems
NIST SP 800-171: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
Questions?