Getting Cybersecurity compliant as members of the Defense Industrial Base
Supplier Cybersecurity slide deck (transcript; posted 10-Aug-2020)

Page 1

Aeronautical Systems Proprietary Information

Supplier Cybersecurity

Getting Cybersecurity compliant as members of the Defense Industrial Base

Controls Training, DFARS, CMMC, Flow of CDI/CUI

Page 2

Roland Chapin
Strategic Supplier Manager, Cybersecurity Compliance
[email protected]

• Identify, define and support policies and processes that promote the protection of Controlled Unclassified Information (CUI) as it flows through our procurement organization and our supply chain

• Support our suppliers in their efforts to protect CUI and achieve compliance with supply chain cybersecurity requirements

Page 3

Definitions

CUI (Controlled Unclassified Information): Unclassified information related to a government contract that must be protected.

CDI (Covered Defense Information): Deprecated term.

FCI (Federal Contract Information): Administrative information related to the execution of a government contract (purchase orders, contracts, subcontracts…).

Page 4

Definitions

FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems

DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting

NIST SP 800-171: National Institute of Standards and Technology Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

CMMC: Cybersecurity Maturity Model Certification

Page 5

Definitions

System Security Plan (SSP): The document an organization creates to describe how it implements the NIST SP 800-171 controls.

Plan of Action and Milestones (POAM): A documented plan, with dates, to implement those NIST SP 800-171 controls that have not yet been implemented.

Artifacts: Documents or evidence that can be used in determining compliance. Examples include policies, procedures and logs.

Page 6

Today's Learning Objectives

Expectations when working with General Atomics
• Common Problems
• What Constitutes Compliance
• The 110th Security Control

Problems in achieving compliance

Why is this important?

How we can help

Page 7

Cybersecurity Expectations

• Business Continuity Plan (BCP)
• Recovery Time Objective (RTO)
• Document Marking Policy (if applicable)
• FAR 52.204-21 Compliance
• DFARS 252.204-7012 Compliance

Page 8

Business Continuity Plan

Does your company have a Business Continuity Plan (BCP) in the event of a disaster?

Summary of the plan

Page 9

Recovery Time Objective

If your company information system goes offline due to a non-recoverable cyber security attack (e.g. ransomware), what is your Recovery Time Objective (RTO)?

Recovery Time Objective: How quickly you expect to be able to restore operations.

Page 10

Document Marking Obligations

If in your capacity as a subcontractor you are creating CUI in performance of a government contract, you have the responsibility to mark it appropriately to ensure its protection.

We can help if this situation applies to you.

Page 11

Cybersecurity Framework

NIST SP 800-171: 110 security controls, required by DFARS 252.204-7012 (applies to CUI)

FAR 52.204-21: 15 security controls, required by FAR (applies to FCI)

FAR & DFARS
• List of controls: does not determine compliance.
• Invoking clause (in your contract): determines compliance.

Page 12

NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

14 Control Families

3.1 Access Control (AC)
3.2 Awareness and Training (AT)
3.3 Audit and Accountability (AU)
3.4 Configuration Management (CM)
3.5 Identification and Authentication (IA)
3.6 Incident Response (IR)
3.7 Maintenance (MA)
3.8 Media Protection (MP)
3.9 Personnel Security (PS)
3.10 Physical Protection (PE)
3.11 Risk Assessment (RA)
3.12 Security Assessment (CA)
3.13 System and Communications Protection (SC)
3.14 System and Information Integrity (SI)

Page 13

NIST SP 800-171 structure: control families, individual controls, control types

Page 14

Problem Areas for Organizations

1. Fail to properly mark CUI

2. System Security Plan is inadequate
• Failure to provide implementation details.
• Does not reference applicable artifacts.
• 110th control: the most important control.

Page 15

Problem Areas for Organizations

3. Artifacts are not properly maintained or are inadequate
• Policies
• Procedures
• Technical documentation
• Logs

Artifacts explain how you comply, demonstrate compliance, and are auditable.

Page 16

Problem Areas for Organizations

4. Lack of understanding of what constitutes compliance
• Policies do not meet standards
• Technical controls are misunderstood

5. Failure to manage to the Plan of Action and Milestones

Page 17

How Can We Help?

Training: We offer our suppliers access to online training sessions specifically designed to help them overcome challenges with meeting their compliance obligations.

Knowledge Sharing: Our subject matter experts are available to respond to direct inquiries and support suppliers in their challenges in achieving compliance.

Materials: Self-assessment and evaluation tools.

Publications: Stay up to date through our supplier-focused communications on regulatory updates. GA publishes a supplier newsletter and we keep up-to-date resources available on our supplier website.

Page 18

Why is this Important? Examples of Impacts

Economic
• Financial loss (regardless of who assumes the loss)
• Reduced margins
• Penalties and fines
• Cash flow disruptions

Logistic
• Schedule impact
• Lack of resources

Strategic
• Loss of first-to-market advantage
• Loss of technological dominance
• Increased competition
• Loss of reputation

Page 19

Strategies for Achieving Compliance

1. Identify where CUI exists within your network.

2. Document within the System Security Plan template those controls that are currently in place.

3. Identify those areas of the System Security Plan that need to be fleshed out but are not directly tied to individual NIST SP 800-171 controls (e.g. network diagrams). Assign them for completion.

4. Separate the remaining controls by area of responsibility: technical controls vs. administrative controls vs. physical controls.

5. Establish and document compliance plans in the POAM.

6. Once your POAM is complete, stick to your implementation plan.

7. Schedule regular check-ins with your buyer or subcontract administrator to evaluate your progress on your POAM.
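Step 1 above, finding where CUI actually lives, and problem area 1 on the earlier slide (failing to mark CUI properly) are the parts of this procedure that come down to a concrete technical task. The script below is an added example, not material from the slide deck or from General Atomics: it walks a directory tree, lists files that carry a CUI marking in their first lines (a banner), and separately flags files where a marking appears only deep in the body, which usually means a document was portion-marked but never given the required banner. The marking regex, the file-type filter and the sample files are assumptions constructed for the example; adjust the patterns to the marking requirements in your contract. A scan of this kind can only find marked documents, so treat the inventory as the starting scope for the SSP, not as proof that the scope is complete.

```python
"""Inventory files carrying CUI markings under a directory tree.

Added example for the compliance-strategy steps above; not code from the slide deck.
The marking patterns and the sample files are assumptions made for illustration.
"""
import os
import re
import tempfile
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Assumed marking forms, modelled on CUI banner/portion marking style: "CUI",
# "CONTROLLED", optionally with category suffixes such as "CUI//SP-CTI".
# Matching is case-sensitive on purpose: prose like "controlled environment"
# must not count as a marking. Treat this regex as an assumption and tune it.
CUI_MARK = re.compile(r"\b(?:CUI(?://[A-Z0-9/-]+)?|CONTROLLED)\b")

# Only text-readable types are scanned here; binary office/CAD formats need a
# text extractor in front of this logic (out of scope for the example).
TEXT_EXT = {".txt", ".md", ".csv", ".xml", ".json", ".html"}
HEAD_BYTES = 64 * 1024   # markings belong at the top; reading the head keeps scans cheap
BANNER_LINES = 3         # how many leading lines may hold the banner marking


def classify_file(path: str) -> Optional[str]:
    """Return 'banner' if a CUI marking sits in the first BANNER_LINES lines,
    'body-only' if a marking appears only deeper in the file (a likely
    marking defect), or None if no marking is present."""
    with open(path, "rb") as fh:
        head = fh.read(HEAD_BYTES).decode("utf-8", errors="replace")
    lines = head.splitlines()
    if any(CUI_MARK.search(line) for line in lines[:BANNER_LINES]):
        return "banner"
    if any(CUI_MARK.search(line) for line in lines[BANNER_LINES:]):
        return "body-only"
    return None


def scan_tree(root: str) -> Dict[str, List[Tuple[str, str]]]:
    """Walk root and return {relative_dir: [(filename, status), ...]} for
    marked files only; unmarked files are omitted from the inventory."""
    inventory: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() not in TEXT_EXT:
                continue
            status = classify_file(os.path.join(dirpath, name))
            if status:
                inventory[os.path.relpath(dirpath, root)].append((name, status))
    return dict(inventory)


# Constructed sample data for the example; not real contract documents.
SAMPLE_FILES = {
    "engineering/bracket_spec.txt": "CUI//SP-CTI\nBracket P/N 1234 tolerance table\n...\n",
    "engineering/notes.md": (
        "# Meeting notes\nAttendees: A, B\nDiscussed schedule.\n"
        "Action items:\nParagraph 4 (CUI) drawing tolerances.\n"
    ),
    "finance/po_4711.txt": "Purchase Order 4711\nQty 10, unit price 12.50\n",
    "finance/vendor.json": '{"vendor": "Acme"}\n',
}


def build_sample_tree(root: str) -> None:
    """Write the constructed sample files under root."""
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo() -> Dict[str, List[Tuple[str, str]]]:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for directory, entries in sorted(demo().items()):
        for filename, status in entries:
            print(f"{directory}/{filename}: {status}")
```

On the constructed sample, the engineering drawing spec is reported as properly bannered, the meeting notes are reported as body-only (a portion marking with no banner, exactly the defect problem area 1 describes), and the finance purchase order, which is FCI rather than CUI, does not appear at all. Feeding the resulting directory list into the SSP's system boundary description is the point of the exercise.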

Page 20

Useful Resources

GA Supplier Cybersecurity Website: https://www.ga.com/procurement/general-atomics-cybersecurity

GA-ASI Supplier Cybersecurity Website: https://www.ga-asi.com/cybersecurity

CMMC Advisory Board: https://www.cmmcab.org/

DFARS 252.204-7012: https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012

FAR 52.204-21: https://www.acquisition.gov/content/52204-21-basic-safeguarding-covered-contractor-information-systems

NIST SP 800-171: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final

Page 21

Questions?