Protecting DoD's Unclassified Information
Cybersecurity Challenges: Protecting DoD's Unclassified Information
Industry Information Day, June 23, 2017
Unclassified
Outline
- Protecting DoD's Unclassified Information: Regulations, Policy and Guidance
- Covered Defense Information
- Subcontractor Flowdown
- Adequate Security
- Cloud Environment
- Implementation Processes and Procedures
- Resources
Protecting DoD's Unclassified Information: Regulations, Policy and Guidance
Cybersecurity Policy and Guidance
- DoDI 8582.01, "Security of Unclassified DoD Information on Non-DoD Information Systems"
- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations"
- NIST SP 800-171, "Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations"
- NIST "Framework for Improving Critical Infrastructure Cybersecurity"
- Federal Risk and Authorization Management Program (FedRAMP)
- "DoD Cloud Computing Security Requirements Guide" (SRG)
DoDI 8582.01, "Security of Unclassified DoD Information on Non-DoD Information Systems," June 6, 2012
- Establishes policy for managing the security of unclassified DoD information on non-DoD information systems
- Applies to all unclassified DoD information in the possession or control of non-DoD entities on non-DoD information systems
- Requires that adequate security be provided for all unclassified DoD information on non-DoD information systems; appropriate requirements shall be incorporated into all contracts, grants, and other legal agreements with non-DoD entities
NIST SP 800-53 and NIST SP 800-171
NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations (Revision 4, April 2013)
- Catalog of security and privacy controls for federal information systems and organizations to protect organizational operations, organizational assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors
NIST SP 800-171, Protecting CUI in Nonfederal Information Systems and Organizations (Revision 1, December 2016)
- Recommended requirements for protecting the confidentiality of CUI when:
  - CUI is resident in nonfederal information systems and organizations
  - the information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies
NIST Cybersecurity Framework
NIST "Framework for Improving Critical Infrastructure Cybersecurity" (Version 1.0 published Feb 12, 2014; Draft Version 1.1 published Jan 10, 2017)
The Cybersecurity Framework complements, and does not replace, an organization's risk management process and cybersecurity program.
- A risk-based approach to managing cybersecurity consisting of:
  - Framework Core: A set of activities, desired outcomes, and applicable references that provide a "common language" of industry standards, guidelines, and practices
  - Framework Functions (within the Core): Identify, Protect, Detect, Respond, Recover; these functions provide a strategic view of the lifecycle of an organization's management of cybersecurity risk
  - Framework Profile: The alignment of standards, guidelines, and practices to the Framework Core; a roadmap for reducing cybersecurity risk
Executive Order 13800, "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure," May 11, 2017
- Effective immediately, each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity... to manage the agency's cybersecurity risk.
FedRAMP and the DoD Cloud Computing Security Requirements Guide
Federal Risk and Authorization Management Program (FedRAMP)
- Government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services for the Federal Government
- Defines FedRAMP "Low", "Moderate", and "High" baselines: a tailored set of Controls/Control Enhancements (C/CEs) based on the Low, Moderate, and High baselines recommended in NIST SP 800-53
DoD Cloud Computing Security Requirements Guide (Version 1, Release 3, 6 March 2017)
- Outlines the security model by which DoD will leverage cloud computing, along with the security controls and requirements necessary for using cloud-based solutions
- Applies to DoD-provided cloud services and those provided by a contractor on behalf of the Department
- Defines security information impact levels that consider the potential impact should the confidentiality or the integrity of the information be compromised
- Addresses DoD use of FedRAMP Security Controls