Council of Defense and Space Industry Associations (CODSIA): CODSIA provides a central channel of communication for improving industry-wide consideration of the many policies, regulations, implementation problems, procedures and questions involved in federal procurement actions. CODSIA was formed in 1964 by industry associations having common interests in the defense and space fields.
CUI Registry: The CUI Registry is the online repository for all information, guidance, policy, and requirements on handling CUI, including everything issued by the CUI Executive Agent other than 32 CFR Part 2002. Among other information, the CUI Registry identifies all approved CUI categories and subcategories, provides general descriptions for each, identifies the basis for controls, establishes markings, and includes guidance on handling procedures.
DFARS Clauses: Clauses for Safeguarding Covered Defense Information and Cyber Incident Reporting, as prescribed by DFARS subpart 204.73.
DHS’s Stop.Think.Connect. cyber resource page for small businesses:
Provides links to the Department of Homeland Security’s C3 Voluntary Program Small and Midsize Business Toolkit, with resources to help businesses recognize and address cybersecurity risks, information on how to secure your business network, compliance resources on collecting sensitive data from consumers and employees, and safeguards against online attacks, data loss and other threats to your business, employees and customers.
DoD Frequently Asked Questions on Implementation of DFARS:
FAR Part 52: Part 52 of the FAR (Federal Acquisition Regulation) gives instructions for using provisions and clauses in solicitations and/or contracts, sets forth the solicitation provisions and contract clauses prescribed by the regulation, and presents a matrix listing the FAR provisions and clauses applicable to each principal contract type and/or purpose.
Federal Bureau of Investigation:
The FBI is an intelligence-driven and threat-focused national security organization with both intelligence and law enforcement responsibilities. It is staffed by a dedicated cadre of more than 30,000 agents, analysts, and other professionals who work around the clock and across the globe to protect the U.S. from terrorism, espionage, cyber-attacks, and major criminal threats, and to provide its many partners with services, support, training, and leadership.
NIST SP 800-171:
The purpose of this publication is to provide federal agencies with recommended security requirements for protecting the confidentiality of CUI when the CUI is resident in nonfederal systems and organizations, when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency, and where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry. https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-171r1.pdf
NIST Glossary of Terms:
This online glossary contains terms extracted from NIST Federal Information Processing Standards (FIPS), the NIST Special Publication (SP) 800 series, and from Committee on National Security Systems Instruction 4009 (CNSSI-4009), as of January 2017.
NIST Manufacturing Extension Partnership (MEP):
For the past 30 years, the MEP National Network™ has equipped small and medium-sized manufacturers with the resources needed to grow and thrive. MEP industry experts work side-by-side with manufacturers to reduce costs, improve efficiencies, develop the next-generation workforce, create new products, find new markets and much more. Together, they strengthen communities and U.S. manufacturing.
SBA’s Cybersecurity page: Is your business prepared in the event of a cybersecurity breach? Now is the time to take stock of your cybersecurity health, including the importance of securing information through cybersecurity best practices; identifying your risk and the types of cyber threats; and learning best practices for guarding against cyber threats.
US-CERT’s page for small and midsize businesses: Cybersecurity is critical to any business enterprise, no matter how small. However, leaders of small and midsize businesses (SMBs) often do not know where to begin, given the scope and complexity of the issue in the face of a small staff and limited resources. To help business leaders get started, DHS has provided a list of top resources specially designed to help SMBs recognize and address their cybersecurity risks.
Exostar Instructional Materials:
These guides, provided by Exostar, help buyers and their suppliers learn more about Exostar’s risk management tool, Partner Information Manager (PIM).
Federal Communications Commission (FCC):
The FCC, in collaboration with other government agencies and industry leaders, created the Small Biz Cyber Planner, an easy-to-use, free online tool that helps you create a customized planning guide to protect your business from cybersecurity threats. Learn more at www.fcc.gov/cyberplanner
Industrial Control Systems Cyber Emergency Response Team (ICS-CERT):
A core component of the National Cybersecurity and Communications Integration Center (NCCIC) risk management mission is conducting security assessments in partnership with ICS stakeholders. NCCIC works with these and other partners to assess various aspects of critical infrastructure (cybersecurity controls, control system architectures, and adherence to best practices supporting the resiliency, availability, and integrity of critical systems), and provides options for consideration to mitigate and manage risk. NCCIC assessment products improve situational awareness and provide insight, data, and identification of control systems threats and vulnerabilities. The information gained from assessments also provides stakeholders with the understanding and context necessary to build effective defense-in-depth processes for enhancing cybersecurity.
Obtain a Medium Level Assurance Certificate: The DoD has established the External Certification Authority (ECA) program to support the issuance of DoD-approved certificates to industry partners and other external entities and organizations. The ECA program provides the mechanism for these entities to communicate securely with the DoD and to authenticate to DoD information systems. https://iase.disa.mil/pki/eca/Pages/index.aspx
Examples of Plans
DoD Cyber Strategy (2015):
The purpose of this strategy is to guide the development of the DoD’s cyber forces and strengthen our cyber defense and cyber deterrence posture. It focuses on building cyber capabilities and organizations for DoD’s three primary cyber missions. https://www.defense.gov/Portals/1/features/2015/0415_cyber-strategy/Final_2015_DoD_CYBER_STRATEGY_for_web.pdf
FedRAMP Plan of Action and Milestones (POA&M) Template:
The purpose of the POA&M is to facilitate a disciplined and structured approach to mitigating risks in accordance with the CSP’s priorities. The POA&M includes the findings and recommendations of the security assessment report and of the continual security assessments. The POA&M identifies: (i) the tasks the CSP plans to accomplish, with a recommendation for completion either before or after information system implementation; (ii) any milestones the CSP has set in place for meeting the tasks; and (iii) the scheduled completion dates the CSP has set for the milestones.
FTC’s Start with Security: A Guide for Business:
This guide developed by the Federal Trade Commission offers 10 practical lessons businesses can learn from the FTC’s 50+ data security settlements. Visit https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business to download the guide, access videos, and more.
System Security Plan (NIST SP 800-18): The purpose of the system security plan is to provide an overview of the security requirements of the system and to describe the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf
Reporting a Cyber Attack
DoD’s Defense Industrial Base (DIB) Cyber Incident Reporting (Register Now):
DoD established the Defense Industrial Base (DIB) Cybersecurity (CS) Program to enhance and supplement DIB participants’ capabilities to safeguard DoD information that resides on or transits DIB unclassified networks or information systems. This public-private cybersecurity partnership is designed to improve DIB network defenses, reduce damage to critical programs, and increase DoD and DIB cyber situational awareness. Under the DIB CS Program, DoD and DIB participants share unclassified and classified cyber threat information.
DoD’s Defense Industrial Base (DIB) Cyber Incident Reporting contact information: email@example.com