Cybersecurity Resources

Resource Categories

 


AMP SoCal Strengthening Competitiveness Program One-Day Cybersecurity Workshop Video
Our cybersecurity workshops, sponsored by the DoD Office of Economic Adjustment, focus on how manufacturers can be compliant and cyber ready for the future. The workshops are led by Dr. Clifford Neuman, a renowned cybersecurity expert and director of USC’s Center for Computer Systems Security.

We would like to extend a free recording of the class to assist you in your understanding of cybersecurity for your business. To be eligible, you must be a manufacturer:

  • located in the counties of Ventura, Los Angeles, Orange, and San Diego
  • negatively impacted by reduced DoD spending or procurement between 2012 and the present
  • willing to answer a brief post-training assessment survey in 6 months
To receive the link to the video, please fill out and sign the following two forms
  1. Pre-Workshop Assessment
  2. Qualification Criteria for Defense Impacted Firms
Please send signed documents to the following contact and you will receive your free manufacturing cybersecurity training video.
Tomás E. Durán
213-740-4283
Price School – USC Center for Economic Development
Strengthening Competitiveness Program

 

Getting Started


Council of Defense & Space Industry Association (CODSIA): The Council of Defense and Space Industry Associations (CODSIA) provides a central channel of communications for improving industry-wide consideration of the many policies, regulations, implementation problems, procedures and questions involved in federal procurement actions. CODSIA was formed in 1964 by industry associations having common interests in the defense and space fields.

http://www.codsia.org/

 

CUI Registry:
The CUI Registry is the online repository for all information, guidance, policy, and requirements on handling CUI, including everything issued by the CUI Executive Agent other than 32 CFR Part 2002. Among other information, the CUI Registry identifies all approved CUI categories and subcategories, provides general descriptions for each, identifies the basis for controls, establishes markings, and includes guidance on handling procedures.

https://www.archives.gov/cui/registry/category-list

 

DFARS:
Clauses for Safeguarding Covered Defense Information and Cyber Incident Reporting, as mandated by section 204.7304 (c) of DFARS. http://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012

 

DHS’ Stop Think Connect cyber resource page for small businesses:
Provides links to the Department of Homeland Security’s C3 Voluntary program Small and Midsize Business Toolkit for resources to help businesses recognize and address cybersecurity risks, information on how to secure your business network, compliance resources on collecting sensitive data from consumers and employees, and safeguards to online attacks, data loss and other threats you’re your business, employee and customers.

https://www.dhs.gov/publication/stopthinkconnect-small-business-resources

 

DoD AQ Frequently Asked Questions:
http://www.acq.osd.mil/dpap/pdi/docs/FAQs_Network_Penetration_Reporting_and_Contracting_for_Cloud_Services_(01-27-2017).pdf

 

FAR:
Part 52 of FAR (Federal Acquisition Regulation) gives instructions for using provisions and clauses in solicitations and/or contracts, sets forth the solicitation provisions and contract clauses prescribed by the regulation, and presents a matrix listing the FAR provisions and clauses applicable to each principal contract type and/or purpose.

http://farsite.hill.af.mil/reghtml/regs/far2afmcfars/fardfars/Far/52_000.htm#P891_130989

 

Federal Bureau of Investigation:
The FBI is an intelligence-driven and threat-focused national security organization with both intelligence and law enforcement responsibilities that is staffed by a dedicated cadre of more than 30,000 agents, analysts, and other professionals who work for around the clock and across the globe to protect the U.S. from terrorism, espionage, cyber-attacks, and major criminal threats, and to provide its many partners with services, support, training, and leadership.

www.fbi.gov

 

NIST SP 800-171:
The purpose of this publication is to provide federal agencies with recommended security requirements for protecting the confidentiality of CUI when the CUI is resident in a nonfederal system and organization, when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency, and where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry. https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-171r1.pdf

 

NIST Glossary of Terms:
This online glossary contains terms extracted from NIST Federal Information Processing Standards (FIPS), the NIST Special Publication (SP) 800 series, and from the Committee for National Security Systems Instruction 4009 (CNSSI-4009), as of January 2017.

https://csrc.nist.gov/glossary?index=S#AlphaIndexDiv

 

NIST Manufacturing Extension Partnership (MEP):
For the past 30 years, the MEP National NetworkTM has equipped small and medium-sized manufacturers with the resources needed to grow and thrive. Our industry experts work side-by-side with manufacturers to reduce costs, improve efficiencies, develop the next generation workforce, create new products, and find new markets and much more. Together, they strengthen communities and U.S. manufacturing.

www.NIST.gov/MEP/

 

SBA’s link for Cybersecurity: Is your business prepared in the event of a cybersecurity breach? Now is the time to take stock of your cybersecurity health, including the importance of securing information through best cybersecurity practices; identifying your risk and the types of cyber threats; and learning best practices for guarding against cyber threats.

https://www.sba.gov/managing-business/cybersecurity

 

US Cert’s Page for Small and Medium Size businesses: Cybersecurity is critical to any business enterprise, no matter how small.  However, leaders of small and midsize businesses (SMB) often do not know where to begin, given the scope and complexity of the issue in the face of a small staff and limited resources. To help business leaders get started, DHS has provided a list of top resources specially designed to help SMBs recognize and address their cybersecurity risks.

https://www.us-cert.gov/ccubedvp/smb

 

Tools You Need to Complete


EXOSTAR Instructional Materials:
These guides, provided by EXOSTAR, aim to help buyers and suppliers of buying partners in learning more about EXOSTAR’s risk management tool, PIM (Partner Information Manager).

http://www.myexostar.com/PIM-Guides-and-Resources/

 

Federal Communications Commission (FCC):
In collaboration with other government agencies and industry leaders, created the Small Biz Cyber Planner-an easy-to-use, free online tool that will help you create a customized planning guide to protect your business from cybersecurity threats. Learn more at www.fcc.gov/cyberplanner

 

Industrial control Systems Cyber Emergency Response Team (ICS-CERT):
A core component of the National Cybersecurity and Communications Integration Center (NCCIC) risk management mission is conducting security assessments in partnership with ICS stakeholders. NCCIC works with these and other partners to assess various aspects of critical infrastructure (cybersecurity controls, control system architectures, and adherence to best practices supporting the resiliency, availability, and integrity of critical systems), and provides options for consideration to mitigate and manage risk. NCCIC assessment products improve situational awareness and provide insight, data, and identification of control systems threats and vulnerabilities. The information gained from assessments also provides stakeholders with the understanding and context necessary to build effective defense-in-depth processes for enhancing cybersecurity.

https://ics-cert.us-cert.gov/Assessments

 

Obtain Medium Level Assurance Certificate: The DoD has established the External Certification Authority (ECA) program to support the issuance of DoD-approved certificates to industry partners and other external entities and organizations. The ECA program is designed to provide the mechanism for these entities to securely communicate with the DoD and authenticate to DoD Information Systems. https://iase.disa.mil/pki/eca/Pages/index.aspx

 

Examples of Plans


Centers for Medicare & Medicaid Services – Plan of Action and Milestones Process Guide:
The purpose of this guide is to provide information security personnel and stakeholders with guidance to aid in understanding, developing, maintaining, and reporting program- and system-level weaknesses and deficiencies to the Department of Health and Human Services (DHHS). It also provides the necessary requirements and protection for all POA&M information that is properly managed and entered into the CMS Federal Information Security Management Act Control Tracking System (CFACTS).

https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Downloads/RMH_VIII_6-2_Plan_of_Action_and_Milestones_Process_Guide.pdf

 

DoD Cyber Security Strategy:
The purpose of this strategy is to guide the development of the DoD’s cyber forces and strengthen our cyber defense and cyber deterrence posture. It focuses on building cyber capabilities and organizations for DoD’s three primary cyber missions. https://www.defense.gov/Portals/1/features/2015/0415_cyber-strategy/Final_2015_DoD_CYBER_STRATEGY_for_web.pdf

 

FedRAMP Plan of Action and Milestones (POA&M) Template:
The purpose of the POA&M is to facilitate a disciplined and structured approach to mitigating risks in accordance with the CSP’s priorities. The POA&Ms include the findings and recommendations of the security assessment report and the continual security assessments. The POA&M identifies: (i) the tasks the CSP plans to accomplish with a recommendation for completion either before or after information system implementation; (ii) any milestones the CSP has set in place for meeting the tasks; and (iii) the scheduled completion dates the CSP has set for the milestones.

https://s3.amazonaws.com/sitesusa/wp-content/uploads/sites/482/2015/03/POAM-Template-User-Guide_02182015.docx

 

FTC’s Start with Security: A Guide for Business:
This guide developed by the Federal Trade Commission offers 10 practical lessons businesses can learn from the FTC’s 50+ data security settlements. Visit https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business to download the guide, access videos, and more.

 

NIST 800-181:
The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf

Reporting Cyber Attack


DoD’s Defense Industrial Base (DIB) Cyber Incident Reporting (Register Now):
DoD established the Defense Industrial Base (DIB) Cybersecurity (CS) Program to enhance and supplement DIB participants’ capabilities to safeguard DoD information that resides on or transits DIB unclassified networks or information systems. This public-private cybersecurity partnership is designed to improve DIB network defenses, reduce damage to critical programs, and increase DoD and DIB cyber situational awareness. Under the DIB CS Program, DoD and DIB participants share unclassified and classified cyber threat information.

https://dibnet.dod.mil/portal/intranet/

 

DoD’s Defense Industrial Base (DIB) Cyber Incident Reporting contact information: dibcsia@mail.mil