Term Paper: Identifying Policies and Procedures Needed for Department of Defense Contractors

Pages: 18 (3535 words)  ·  Style: APA  ·  Bibliography Sources: 12  ·  Level: Master's  ·  Topic: Government: Agencies

SAMPLE EXCERPT:

[. . .] Organizations have flexibility in applying the baseline security controls in accordance with the guidance provided in Special Publication 800-53. This allows organizations to tailor the relevant security control baseline so that it more closely aligns with their mission and business requirements and environments of operation (FIPS pub 200, 2006).

· In October 2016, the DoD published revised guidelines for the Defense Federal Acquisition Regulation Supplement (DFARS) concerning unclassified controlled technical information (UCTI). These more rigorous guidelines are intended to improve cyber security practices between the DoD and private sector organizations. The most significant changes in the most recent guidelines provided by DFARS Clause 252.204-7012 include the following: (a) all contractors must be in full compliance with the requirements outlined in NIST SP 800-171; (b) contractors must report cyber incidents to the DoD within 72 hours; (c) all non-compliant aspects must be reported to the DoD within 30 days after contract award; and (d) compliance must extend to all aspects of operations, including all suppliers and subcontractors storing, processing and/or creating CDI as part of contract performance (Solutions for DFARs, 2017).

· National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 4, on Security and Privacy Controls for Federal Information Systems and Organizations. According to Langenberg (2016), “The Defense Federal Acquisition Regulation 204.73 consists of a limited selection of the controls from this document (SP 800-53). The best way to determine what steps you need to take to comply is to take both documents to your IT department, or contact a company that can perform a gap assessment to see where you are vulnerable. BUT, the biggest thing your company needs to do is have an assessment done as soon as possible. Then decide how you will comply with the DFARS clause 204.73 and get those procedures in place” (para. 2).

· Network Penetration Reporting and Contracting for Cloud Services (Defense Federal Acquisition Regulation Supplement Parts 202, 204, 212, 239, and 252). On August 26, 2016, the DoD implemented updated cyber security regulations following the high-profile security breach at the Office of Personnel Management that compromised sensitive data concerning more than 21.5 million government employees and contractors. In response, the DoD implemented stricter guidelines concerning private sector organizations and their use of cloud computing resources (Wagner, 2016).

Even the above list is not exhaustive, and it is vitally important to keep in mind that the DoD regularly updates its guidelines concerning IT security and private sector organizations, including the controls placed on domains in the IT infrastructure, as discussed further below.

List controls placed on domains in the IT infrastructure.

On March 12, 2014, the DoD issued DoDI 8510.01 which is commonly referred to as the Risk Management Framework (RMF) for DoD Information Technology (IT) or RMF for DoD IT (RMF for DoD IT, 2017). According to the DoD’s most recent guidance concerning DoDI 8510.01, these controls apply to all public and private sector organizations performing work for the federal government. In this regard, DoDI 8510.01 stipulates in part that these policies apply to, “All DoD IT that receive, process, store, display, or transmit DoD information. These technologies are broadly grouped as DoD IS, platform IT (PIT), IT services, and IT products. This includes IT supporting research, development, test and evaluation (T&E), and DoD-controlled IT operated by a contractor or other entity on behalf of the DoD” (DoDI 8510.01, 2014).

The DoD has adopted standards outlined in the National Institute of Standards and Technology (NIST) concerning the types of controls that should be used with IT systems, including the following:

· The environment in which the information system will be used (e.g., inside a guarded building within the continental United States, in an unmanned space vehicle, while traveling for business to a foreign country that is known for attempting to gain access to sensitive or classified information, or in a mobile vehicle that is in close proximity to hostile entities);

· The type of information that will be processed, stored, or transmitted (e.g., personal identity and authentication information, financial management information, facilities, fleet, and equipment management information, defense and national security information, system development information);

· The functionality within the information system or the type of system (e.g., standalone system, industrial/process control system, or cross-domain system); and,

· Other characteristics related to the overlay that help protect organizational missions/business functions, information systems, information, or individuals from a specific set of threats that may not be addressed by the assumptions otherwise described in NIST Special Publication 800-53 (NIST Special Publication (SP) 800-53 Revision 4, 2013).

In addition, the DoD has developed an Active Directory (AD) set of controls that are required for its IT infrastructure, based on the goals outlined in Table 1 below.

Table 1. Principles and rules for DoD IT networks (table contents not reproduced in this excerpt)

Source: Adapted from Active Directory optimization reference architecture, 2010

List required standards for all devices, categorized by IT domain

The general considerations that apply to DoD IT standards are set forth in DoDI 8500.01 (March 14, 2014). Those that will be relevant for the company’s DoD contract include, but may not be limited to, the following, depending on what types of IT products and services are involved at the time:

· System managers (SMs) and program managers (PMs) must use trusted system and network (TSN) tools, techniques, and practices, including the use of all source threat assessments to inform acquisition and engineering mitigation decisions, for all IT when required in accordance with required standards.

· Cybersecurity will be implemented in all system and service acquisitions at levels appropriate to the system characteristics and requirements throughout the entire life cycle of the acquisition in accordance with Reference (q).

· All acquisitions of qualifying IT must have an adequate and appropriate cybersecurity strategy that will be reviewed prior to acquisition milestone decisions, acquisition contract awards, and operational test oversight.

· Each mobile code technology used in DoD information systems must undergo a risk assessment, be assigned to a mobile code risk category, and have its use regulated based on its potential to cause damage to DoD operations and interests if used maliciously.

· Disposal and destruction of classified hard drives, electronic media, processing equipment components, and the like will be accomplished in accordance with prescribed standards and applicable security controls.

· Disposal of unclassified electronic media will be accomplished in accordance with the guidelines provided in NIST SP 800-88 (Reference (dm)) and applicable security controls.

· Cryptographic products used to protect IT and the information that resides in the IT will be acquired and implemented in accordance with Reference (bi).

· All IT will be assigned to and governed by a DoD Component cybersecurity program. IT below the system level (i.e., IT services and products) will be security configured and reviewed by the cognizant information system security managers (ISSMs) under the direction of the authorizing official (AO) for acceptance and connection into an authorized computing environment.

· Cybersecurity must be consistent with enterprise architecture principles and guidelines within the DoD Architecture Framework (Reference (dn)) and DoD cybersecurity architectures developed or approved by the DoD chief information officer (CIO).

· Connections to the DISN must comply with connection approval procedures and processes as established in Reference (am).

· All persons entrusted with the management of DoD IT will be responsible for proper use, care, physical protection, and disposal or disposition in accordance with DoDI 5000.64 (Reference (do)), DoDI 2030.02 (Reference (dp)) and, when appropriate, Reference (bo).

· In addition to complying with the provisions of DoDI 1035.01 (Reference (dq)):

(a) Telework solutions involving the use of DoD-owned, government-furnished equipment for remote access to unclassified DoD networks will comply with the requirements of applicable security controls defined in Reference (cj).

(b) Telework solutions involving the use of non-government furnished equipment (i.e., any computer or other telework device not furnished by DoD) for remote access to unclassified DoD networks will be developed by the DoD Components desiring the capability based on the guidance provided in NIST SP 800-114 (Reference (dr)) and evaluated and approved by the DoD CIO on a case-by-case basis.

· DoD will ensure new computer assets (e.g., server, desktop, laptop, thin client, tablet, smartphone, personal digital assistant, mobile phone) procured to support DoD include a TPM version 1.2 or higher where required by the Defense Information Systems Agency’s (DISA) security technical implementation guides (STIGs) and where such technology is available.

· Vendor trusted platform modules (TPMs) must be in conformance with Trusted Computing Group standards (www.trustedcomputinggroup.org/groups/tpm) and must be approved by the procuring DoD Component. The TPM must be turned on and ready for provisioning when the computer asset is received from the vendor. Written justification must be provided to the responsible… [END OF PREVIEW]

Cite This Term Paper:

APA Format

Identifying Policies and Procedures Needed for Department of Defense Contractors.  (2017, October 8).  Retrieved March 23, 2019, from https://www.essaytown.com/subjects/paper/identifying-policies-procedures-needed/7406017