White Paper: Proposed Changes to DFARS to enhance Cyber Security of DoD Info
September 2011
A White Paper providing context on proposed rule changes
CTOlabs.com
Executive Summary
Respondents to a recent survey of members of the federal IT community provide useful context on the proposed DFARS changes. It was interesting to note, however, that few believe the government is best at protecting information.
Survey Background
In July, CTOvision.com created and distributed a survey on the newly proposed Defense Federal Acquisition Regulation Supplement (DFARS) rule to safeguard unclassified Department of Defense information on contractor networks. After receiving responses from government, industry, and academia, we've summarized feelings and expectations towards the policy below. Of the respondents, 73% said that they were familiar with DFARS, so we believe we reached a well-informed community with our survey. Additionally, about a third of the respondents reported that they were security executives, and another third said they were practitioners. It is good to have inputs from both of those groups. A quarter of respondents were in government and three fourths came from industry and academia.
standardize protection and reporting for contractor networks and systems. Aside from an extensive list of reporting requirements, the following three policies are at the heart of DFARS:
a) The Government and its contractors and subcontractors will provide adequate security to safeguard unclassified DoD information on their unclassified information systems from unauthorized access and disclosure.
b) Contractors must report to the Government certain cyber incidents that affect unclassified DoD information resident on or transiting contractor unclassified information systems. Detailed reporting criteria and requirements are set forth in the clause at 252.204-70YY.
c) A cyber incident that is properly reported by the contractor shall not, by itself, be interpreted as evidence that the contractor has failed to provide adequate information safeguards for DoD unclassified information, or has otherwise failed to meet the requirements of the clause at 252.204-70YY. Contracting officers shall consult with a functional manager to assess contract performance. A cyber incident will be evaluated in context, and such events may occur even in cases when it is determined that adequate safeguards are being used in view of the nature and sensitivity of the DoD unclassified information and the anticipated threats.
Systems and Organizations, while only 7% said they did not and 10% did not know. To make DFARS better, the most prevalent suggestion was to make it more specific. There were concerns over the government having too broad an influence in contractor systems, overlaps and confusion among rules, departments, and agencies, and insufficiently explicit requirements. Another repeated suggestion was to mandate red team exercises to test the vulnerability of systems.
Overall Trends
Both government and industry respondents were concerned about the fuzzy language of DFARS and ambiguity in its implementation. Public sector respondents were much more confident in the government's ability to keep information secure than private sector respondents, though both thought it could be improved, raising questions on whether government should dictate security measures to industry. While most respondents thought DFARS was generally a good set of guidelines, there were doubts over the cost and implementation. To those that took our survey, thanks! Your inputs will do more than just contribute to this post. We are also providing comments into the formal DFARS process in the hope of helping government decision-makers think through the right approach.
More Reading
For more on federal cybersecurity technology and policy issues visit: CTOvision.com - a blog for enterprise technologists with a special focus on Big Data. CTOlabs.com - the repository for our research and reporting on all IT issues. Fedcyber.com - tracking all important federal cybersecurity issues.