An overview of proposed DFARS changes with context provided from a survey of federal IT professionals.
September 2011
White Paper: Proposed Changes to DFARS to Enhance Cyber Security of DoD Info
• Background on proposed changes
• Survey Results
• Trends of note
A White Paper providing context on proposed rule changes
The Community Weighs In On Proposed DFARS Changes
DoD has proposed changes to the Defense Federal Acquisition Regulation Supplement (DFARS) to help enhance security of DoD information in use at contractor facilities. This report provides context on those changes, including insights from a recent survey of the federal IT community.
Executive Summary
Responses to a recent survey of members of the federal IT community provide useful context on the proposed DFARS changes. It was interesting to note, however, that fewer than half of respondents believe the government is better than industry at protecting information.
Survey Background
In July, CTOvision.com created and distributed a survey on the newly proposed Defense Federal Acquisition Regulation Supplement (DFARS) changes to safeguard unclassified Department of Defense information on contractor networks. After receiving responses from government, industry, and academia, we have summarized feelings and expectations towards the policy below. Of the respondents, 73% said that they were familiar with DFARS, so we believe the survey reached an informed community. Additionally, about a third of the respondents reported that they were security executives, and another third said they were practitioners; it is useful to have input from both groupings. A quarter of respondents were in government and three fourths came from industry and academia.
Summary of the proposed DFARS changes:
Draft changes to the Defense Federal Acquisition Regulation Supplement were proposed after the recent string of high-profile cyber attacks on defense contractors. Information on Department of Defense networks is protected by DIACAP standards, but as of now, protecting DoD information on private networks is left to each company’s discretion. Since so much of the government’s information storage and R&D is performed by private corporations, the DFARS changes have been put forward in an attempt to standardize protection and reporting for contractor networks and systems. Aside from an extensive list of reporting requirements, the following three policies are at the heart of the proposed changes:

a) The Government and its contractors and subcontractors will provide adequate security to safeguard unclassified DoD information on their unclassified information systems from unauthorized access and disclosure.

b) Contractors must report to the Government certain cyber incidents that affect unclassified DoD information resident on or transiting contractor unclassified information systems. Detailed reporting criteria and requirements are set forth in the clause at 252.204-70YY.

c) A cyber incident that is properly reported by the contractor shall not, by itself, be interpreted as evidence that the contractor has failed to provide adequate information safeguards for DoD unclassified information, or has otherwise failed to meet the requirements of the clause at 252.204-70YY. Contracting officers shall consult with a functional manager to assess contract performance. A cyber incident will be evaluated in context, and such events may occur even in cases when it is determined that adequate safeguards are being used in view of the nature and sensitivity of the DoD unclassified information and the anticipated threats.
Views of Respondents from Government
Public sector respondents believed in extending regulation to private industry. 75% answered that government regulations such as FISMA, OMB’s M-11-11, NSTIC, and FICAM should apply to all contractors if they hope to work with the government, while 25% felt that companies could secure their data on their own.

Most, however, did not believe that the public sector was better at protecting information. 46% of respondents believed that government was better than industry at protecting information systems, 54% thought it was not, and numerous respondents wrote in that it depends on which industry, company, or agency, and on which aspect of protection from what threat.

Of government respondents, 83% worked for organizations with policies in place for encryption of data for storage and transmission, network protection and intrusion detection, and cyber intrusion reporting based on NIST Special Pub 800-53 “Recommended Security Controls for Federal Information

