DFARS Case 2013-D018

1. DFARS Case 2013-D018 Overview and Implementation Bill Botke MFC Information Security Officer and Privacy Lead

2. Agenda • Problem Statement • Data…What’s the risk? • Risk Posture • Adversarial Threats and “Quick Wins” • Cyber DFARS Overview • Summary

3. The Problem "…I want to mention the serious problem of the loss of unclassified sensitive information to industrial espionage. Some have called the loss of this information through our networks the greatest transfer of wealth in history…providing potential adversaries with huge savings in time and money as they seek to develop weapon systems comparable and even superior to our own…" Mr. Frank Kendall, Undersecretary of Defense for Acquisition, Technology and Logistics (2013 Lockheed Martin Supply Chain Conference)

4. Data…It’s Everywhere…Every Minute… • 45 New Viruses • 200 New Malicious web sites • 180 Personal Identities Stolen • 5,000 Examples of Malware Created • $2 Million Lost

5. Managing Our Risk Posture There is no such thing as "perfect protection" Are you here? DFARS Baseline Ideal State High Risk Low Cost Low Maturity Lower Risk Higher Cost Higher Maturity GOAL: Build a sustainable IT Security Program that balances protection and compliance against the needs to run and support the business

6. Adversary Threats & “Quick Wins” Top Threats to Defense Industrial Base (DIB) “Quick Wins” Mitigations

7. First…How did we get here? Classified Data Protection Unclassified Data Protection • June 2011 – DoD Proposes New DFARS Rule for Protecting Controlled, Unclassified Information • May 2013 – Snowden articles published adding increased pressure to protect unclassified information • Nov 2013 – DoD Publishes initial DFARS Cyber Rules • Aug 2015 - DoD issues interim rule under DFARS Case 2013-D018 – (NIST SP 800-171) • Dec 2015 – DoD issues updated rule • Oct 2016 – Final Cyber DFARS issued Jan 1993 – DSS National Industrial Security Program Operating Manual (NISPOM) Apr 2006 - Office of the Designated Approving Authority (ODAA) Process Manual

8. Cyber DFARS Primer Covered Defense Information (CDI) Unclassified Covered Technical Information (“CTI”), operations security, export controlled information; and any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls used in the performance/ support of a contract Safeguard Data Report Incidents Flow Down Cyber DFARS Clause • Applied to all DoD Contracts • NIST 800-171 • 110 Cyber DFARS Controls • Report Incidents within 72 Hours • Flow down Cyber DFARS clause to all suppliers receiving or generating CDI Mandatory Unclassified Cyber Requirements…All DoD contracts

9. Covered Defense Information — Definition • Covered Defense Information (CDI) - Term used to identify informationthatrequires protection under DFARS Clause252.204-7012 • Covered defense informationmeans: • Unclassified controlled technical information (CTI) or other information as described in the CUI Registry that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government wide policies and is− • Marked or otherwise identified in the contract, task order, or delivery order and provided to contractor by or on behalf of, DoD in support of the performance of the contract;OR • Collected, developed, received, transmitted, used, or stored by, or onbehalf of, the contractor in support of the performance of thecontract* • * “In support of the performance of the contract” is not meant to include the contractor’sinternal information (e.g., human resource or financial) that is incidental to contractperformance

10. Compliance — Implementation of Cyber DFARS • By signing…contractor agrees to comply with terms of contract and all requirements of DFARS Clause 252.204-7012 • Contractor’s responsibility to determine if they have implemented NIST SP 800-171 • DoD will not certify that a contractor is compliant with NIST SP 800-171 requirements • Third-party assessments or certifications are not required, authorized, or recognized by DoD • If oversight related to these requirements is deemed necessary, it can be accomplished through existing FAR and DFARS allowances, or an additional requirement can be added to the terms of the contract Innovation Required for Success Revaluate and Re-Architect Perception of Risk has to adapt to Digital Business Exploit Trust Delivery Vectors Social Media Tactics Targeting

11. Safeguard Data – NIST 800-171 110 Requirements across 14 Families • Access Control • Awareness & Training • Audit & Accountability • Configuration Management • Identification & Authentication • Incident Response • Maintenance • Media Protection • Personnel Security • Physical Protection • Risk Assessment • Security Assessment • System & Communication Protection • System & Information Integrity

12. Subcontractor Flowdown Required only when performance will involve operationally critical support or covered defense information Contractor shall determine if information required for subcontractor performance is, or retains its identify as, covered defense information and requires safeguarding Flowdown is a requirement of the terms of the contract…must be enforced by prime contractor If a subcontractor does not agree to comply with the terms of DFARS Clause 252.204–7012, then covered defense information shall not be shared with the subcontractor or otherwise reside on it’s information system

13. DCMA Oversight of DFARS Clause MITIGATERISK • Encourage corporate, segment, or facility-level system security plans…more consistent implementation and reduced cost • Verify SSP / POA&Ms are in place…will not assess plans against NIST 800-171 requirements • If potential cyber issue is detected…notify contractor, DoD program office, & DoD CIO • During Contract Receipt/Review, verify clause is flowed to subs/suppliers as appropriate • For contracts before 10/2017, verify contractor submitted to DoD CIO notification of security requirements not yet implemented • Verify DoD-approved medium assurance certificate to report cyber incidents • When required, facilitate entry of government assessment team via coordination with cognizant government and contractor stakeholders

14. Resources • Cybersecurity in DoD Acquisition Regulations page at http://dodprocurementtoolbox.com for Related Regulations, Policy, Frequently Asked Questions, andResources; Email questions to osd.dibcsia@mail.mil • NIST Publications - https://csrc.nist.gov/publications • NIST Manufacturing Extension Partnership athttps://www.nist.gov/mep • NARA CUI Program - www.archives.gov/cui • Cybersecurity Evaluation Tool (CSET) – Download • https://ics-cert.us-cert.govor request physical copy of software at cset@dhs.gov — Select“AdvancedMode” to display option to select NIST800-171

15. Develop a Resilient Mindset Every Control Will Fail • If the adversary has access to: • The internal corporate network • Any username and password • All documentation & specifications • What would you do differently?

16. Summary As an Aerospace and Defense Supplier, YOU are a target of our adversaries • Have responsibility to improve/maintain cybersecurity posture • DFARS non-compliance not only increases risk…could result in contract default, withheld payments or brand/reputation impacts thru CPARS Lockheed Martin is working with partners and suppliers • Risk to LM and customer information from cyber attackers continues to increase • Regulations such as the Cyber DFARS are here to stay and will continue to evolve • Ensure a heightened sense of cybersecurity awareness Contractors are responsible • DFARS Compliance – full conformitywith all clause requirements and NIST SP 800-171 required as of 31 Dec 2017 • Incident Reporting – must be reported within 72-hoursto the DoD • Flow Down - cyber DFARS must be flowed down to all suppliers / subcontractorswho store, process and/or generate Covered Defense Information (CDI) as part of contract performance