00:00.0
00:07.1
Sir, we just discovered that we have the DFARS 7012 clause in our contract. This is going to affect our supply chain throughout the United States.
00:08.0
00:15.3
We didn’t see it in our contracts before, but this is something that we must do, especially our suppliers in Ohio and Texas.
00:17.0
00:20.9
When do we need to submit our SPRS score?
00:24.2
00:29.9
Sir, we...
00:30.0
00:33.0
We already submitted an SPRS score of 110.
00:33.1
00:36.0
But we are still missing a system security plan.
00:52.3
00:59.0
Everyone leave except Vice Presidents Keitel, Jodl, Krebs, and Burgdorf.
01:13.0
01:15.1
HOW COULD THIS HAVE HAPPENED?!
01:15.2
01:17.8
I want to know who submitted the SPRS score!
01:19.0
01:24.5
It says it in the DoD Assessment Methodology, plain as day, that the absence of a system security plan would result in noncompliance with DFARS 7012.
01:25.0
01:27.2
Even I know that and I'm the CEO.
01:29.1
01:31.0
How do we not have a system security plan after all these years?
01:31.1
01:34.3
What if the contracting officers or our primes find out about this?
01:34.4
01:40.2
And what is the status of our POAM? I have so many questions about our compliance.
01:40.3
01:43.0
Sir, we used the DoD Assessment Methodology.
01:43.1
01:46.1
But did you assess our environment with NIST 800-171A?
01:46.2
01:47.9
Sir, we've never heard of such a document.
01:48.0
01:52.8
Of course not. You could have found it on the NIST website under the section "Other Parts of this Publication".
01:52.9
01:55.2
We now have to develop a system security plan as soon as possible.
01:55.3
02:04.1
DIBCAC has stated they are going to begin Medium assessments in the near future.
02:04.2
02:09.0
Is our controlled technical information marked? Are we using FIPS-validated encryption?
02:09.1
02:11.9
Have we set up a logon banner on our systems?
02:12.0
02:17.0
But most importantly, have we implemented multifactor authentication for local and network access on our systems?
02:17.1
02:21.9
These are the questions that DIBCAC will be asking not just of us, but our suppliers.
02:27.0
02:29.9
Do we have to report this to DIBNET?
02:30.0
02:37.2
Let me guess: we never acquired a DoD-approved medium assurance certificate.
02:40.1
02:47.0
Are we sure we only have controlled technical information and not export controlled information?
02:48.0
02:52.5
Because that will be a game-changer.
02:52.6
02:56.0
Have you seen the list of additional requirements in the CUI Registry?
02:56.1
03:02.1
Most importantly, we need to do a walkthrough and make sure all media has been marked in accordance with DoDI 5200.48.
03:05.0
03:07.5
It's OK. You marked the media correctly.
03:13.0
03:17.0
DFARS 7012 is a beast.
03:18.5
03:24.0
There is a lot more to do than just NIST 800-171.
03:25.4
03:26.0
But it's not impossible.
03:31.0
03:34.0
We should start by checking our inventory.
03:40.0
03:46.0
Please tell me we documented our hardware and software inventory and separated them by asset category.
03:46.1
03:50.0
Because I don't know how much more of this I can take.
03:54.0
03:55.0
That's all I got.