1
00:00:00,000 --> 00:00:07,100
Sir, we just discovered that we have the 
DFARS 7012 clause in our contract. This is 
going to affect our supply chain throughout 
the United States.

2
00:00:08,000 --> 00:00:15,300
We didn’t see it in our contracts before, 
but this is something that we must do, especially 
our suppliers in Ohio and Texas.

3
00:00:17,000 --> 00:00:20,900
When do we need to submit our SPRS score?

4
00:00:24,200 --> 00:00:29,900
Sir, we...

5
00:00:30,000 --> 00:00:33,000
We already submitted an SPRS score of 110.

6
00:00:33,100 --> 00:00:36,000
But we are still missing a system security 
plan.

7
00:00:52,300 --> 00:00:59,000
Everyone leave except Vice Presidents Keitel, 
Jodl, Krebs, and Burgdorf.

8
00:01:13,000 --> 00:01:15,100
HOW COULD THIS HAVE HAPPENED?!

9
00:01:15,200 --> 00:01:17,800
I want to know who submitted the SPRS score!

10
00:01:19,000 --> 00:01:24,500
It says it in the DoD Assessment Methodology, 
plain as day, that the absence of a system 
security plan would result in noncompliance 
with DFARS 7012.

11
00:01:25,000 --> 00:01:27,200
Even I know that and I'm the CEO.

12
00:01:29,100 --> 00:01:31,000
How do we not have a system security plan 
after all these years?

13
00:01:31,100 --> 00:01:34,300
What if the contracting officers or our primes 
find out about this?

14
00:01:34,400 --> 00:01:40,200
And what is the status of our POAM? I have 
so many questions about our compliance.

15
00:01:40,300 --> 00:01:43,000
Sir, we used the DoD Assessment Methodology.

16
00:01:43,100 --> 00:01:46,100
But did you assess our environment with NIST 
800-171A?

17
00:01:46,200 --> 00:01:47,900
Sir, we've never heard of such a document.

18
00:01:48,000 --> 00:01:52,800
Of course not. You could have found it on 
the NIST website under the section "Other 
Parts of this Publication".

19
00:01:52,900 --> 00:01:55,200
We now have to develop a system security 
plan as soon as possible.

20
00:01:55,300 --> 00:02:04,100
DIBCAC has stated they are going to begin 
Medium assessments in the near future.

21
00:02:04,200 --> 00:02:09,000
Is our controlled technical information marked? 
Are we using FIPS-validated encryption?

22
00:02:09,100 --> 00:02:11,900
Have we set up a logon banner on our systems?

23
00:02:12,000 --> 00:02:17,000
But most importantly, have we implemented 
multifactor authentication for local and 
network access on our systems?

24
00:02:17,100 --> 00:02:21,900
These are the questions that DIBCAC will 
be asking not just of us, but our suppliers.

25
00:02:27,000 --> 00:02:29,900
Do we have to report this to DIBNET?

26
00:02:30,000 --> 00:02:37,200
Let me guess: we never acquired a DoD-approved 
medium assurance certificate.

27
00:02:40,100 --> 00:02:47,000
Are we sure we only have controlled technical 
information and not export controlled information?

28
00:02:48,000 --> 00:02:52,500
Because that will be a game-changer.

29
00:02:52,600 --> 00:02:56,000
Have you seen the list of additional requirements 
in the CUI Registry?

30
00:02:56,100 --> 00:03:02,100
Most importantly, we need to do a walkthrough 
and make sure all media has been marked in 
accordance with DoDI 5200.48.

31
00:03:05,000 --> 00:03:07,500
It's ok. You marked the media correctly.

32
00:03:13,000 --> 00:03:17,000
DFARS 7012 is a beast.

33
00:03:18,500 --> 00:03:24,000
There is a lot more to do than just NIST 
800-171.

34
00:03:25,400 --> 00:03:26,000
But it's not impossible.

35
00:03:31,000 --> 00:03:34,000
We should start by checking our inventory.

36
00:03:40,000 --> 00:03:46,000
Please tell me we documented our hardware 
and software inventory and separated them 
by asset category.

37
00:03:46,100 --> 00:03:50,000
Because I don't know how much more of this 
I can take.

38
00:03:54,000 --> 00:03:55,000
That's all I got.
