APPLE AVIONICS CO. has implemented a robust evaluation (by an independent cyber security company) of all of the company’s cyber security measures. While DFARS 225.204-7012 compliance for securing Controlled Unclassified Information (CUI) has directed contractors to implement the NIST SP 800-171 requirements by December 31, 2017, it has not established guidelines for how contractors should implement them. All government contractors that perform work with the DoD, directly or indirectly, are required to comply with DFARS 225.204-7012.
Apple Avionics Co. wants to ensure it is in compliance with all the rules and regulations of the FAR and the DFARS in order to protect all information sent between our company, any company we are doing business with, and the Federal Government. If there is a security breach or suspected compromise, our company wants to be aware of it immediately, not one day, one week, one month, or one year down the road.
Cyber Security Items That Were Evaluated for Our Company and Then Implemented
Control Families
1. Access Control—limits system access to authorized users.
2. Awareness and Training—provides awareness of the security risks associated with users’ activities; trains them on applicable policies, standards, and procedures; and makes sure they are trained appropriately to carry out their duties.
3. Audit and Accountability—creation, protection, retention, and review of system logs.
4. Configuration Management—creation of baseline configurations and use of robust change management processes.
5. Identification and Authentication—identifying and authenticating information system users and devices.
6. Incident Response—developing operations to prepare for, detect, analyze, contain, recover from, and respond to incidents.
7. Personnel Security—screening individuals prior to authorizing their access to information systems, and ensuring such systems remain secure upon the termination or transfer of individuals.
8. Risk Assessment—assessing the operational risk associated with the processing, storage, and transmission of CUI.
9. Security Assessment—assessing, monitoring, and correcting deficiencies, and reducing or eliminating vulnerabilities in organizational information systems.
10. System and Communications Protection—monitoring, controlling, and protecting data at the boundaries of the system, and employing architectural designs, software development techniques, and system engineering principles that promote effective information security.