In short, if your contract says this:
SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION (NOV 2013)
You have to report cybersecurity incidents to the DoD within 72 hours, assist the DoD in any damage control, and if you have any technical material with distribution statements that say:
- DISTRIBUTION STATEMENT B. Distribution authorized to U.S. Government agencies only (fill in reason) (date of determination). Other requests for this document shall be referred to (insert controlling DoD office)
- DISTRIBUTION STATEMENT C. Distribution authorized to U.S. Government Agencies and their contractors (fill in reason) (date of determination). Other requests for this document shall be referred to (insert controlling DoD office)
- DISTRIBUTION STATEMENT D. Distribution authorized to the Department of Defense and U.S. DoD contractors only (fill in reason) (date of determination). Other requests shall be referred to (insert controlling DoD office).
- DISTRIBUTION STATEMENT E. Distribution authorized to DoD Components only (fill in reason) (date of determination). Other requests shall be referred to (insert controlling DoD office).
- DISTRIBUTION STATEMENT F. Further dissemination only as directed by (insert controlling DoD office) (date of determination) or higher DoD authority.
Then you need to follow NIST 800-53 and do all of this:
- AC-2 ACCOUNT MANAGEMENT
- AC-3 (4) DISCRETIONARY ACCESS CONTROL
- AC-4 INFORMATION FLOW ENFORCEMENT
- AC-6 LEAST PRIVILEGE
- AC-7 UNSUCCESSFUL LOGON ATTEMPTS
- AC-11 (1) PATTERN-HIDING DISPLAYS
- AC-17 (2) PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION
- AC-18 (1) AUTHENTICATION AND ENCRYPTION
- AC-19 ACCESS CONTROL FOR MOBILE DEVICES
- AC-20 (1) LIMITS ON AUTHORIZED USE
- AC-20 (2) PORTABLE STORAGE DEVICES
- AC-22 PUBLICLY ACCESSIBLE CONTENT
- AT-2 SECURITY AWARENESS TRAINING
- AU-2 AUDIT EVENTS
- AU-3 CONTENT OF AUDIT RECORDS
- AU-6 (1) PROCESS INTEGRATION
- AU-7 AUDIT REDUCTION AND REPORT GENERATION
- AU-8 TIME STAMPS
- AU-9 PROTECTION OF AUDIT INFORMATION
- CM-2 BASELINE CONFIGURATION
- CM-6 CONFIGURATION SETTINGS
- CM-7 LEAST FUNCTIONALITY
- CM-8 INFORMATION SYSTEM COMPONENT INVENTORY
- CP-9 INFORMATION SYSTEM BACKUP
- IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
- IA-4 IDENTIFIER MANAGEMENT
- IA-5 (1) PASSWORD-BASED AUTHENTICATION
- IR-2 INCIDENT RESPONSE TRAINING
- IR-4 INCIDENT HANDLING
- IR-5 INCIDENT MONITORING
- IR-6 INCIDENT REPORTING
- MA-4 (6) CRYPTOGRAPHIC PROTECTION
- MA-5 MAINTENANCE PERSONNEL
- MA-6 TIMELY MAINTENANCE
- MP-4 MEDIA STORAGE
- MP-6 MEDIA SANITIZATION
- PE-2 PHYSICAL ACCESS AUTHORIZATIONS
- PE-3 PHYSICAL ACCESS CONTROL
- PE-5 ACCESS CONTROL FOR OUTPUT DEVICES
- PM-10 SECURITY AUTHORIZATION PROCESS
- RA-5 VULNERABILITY SCANNING
- SC-2 APPLICATION PARTITIONING
- SC-4 INFORMATION IN SHARED RESOURCES
- SC-7 BOUNDARY PROTECTION
- SC-8 (1) CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION
- SC-13 CRYPTOGRAPHIC PROTECTION
- SC-15 COLLABORATIVE COMPUTING DEVICES
- SC-28 PROTECTION OF INFORMATION AT REST
- SI-2 FLAW REMEDIATION
- SI-3 MALICIOUS CODE PROTECTION
- SI-4 INFORMATION SYSTEM MONITORING