You have doubtless heard and read all about the looming requirement for all Department of Defense government contractors to become compliant with Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards derived from NIST SP 800-171 Rev 1 by Dec 31, 2017- or else risk losing their contracts. DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, will be a mandatory clause in all contracts except for contracts solely for the acquisition of COTS items.
This requirement applies to any DoD Contractor, subcontractor, and supplier ALL THE WAY DOWN THE SUPPLY CHAIN that processes, stores, or transmits Controlled Unclassified Information (CUI). Not just security contractors. Not just companies that have clearances. Not even just IT contractors. If you have a landscaping business and you are performing work at a DOD facility, and have access to blueprints that are or may be considered CUI, you’re subject to this requirement. CUI includes the categories outlined in the NARA CUI Registry, but as you can probably imagine, is not limited to that. your government customer can identify additional categories and data, and you as a contractor, should err on the safe side and identify potential CUI so that you can protect and segregate it just in case.
Note: civilian contractors are not subject to this requirement (there are only 15 security controls outlined in FAR part 52.204-21 compared to 109 in the DFARS clause), but that may be changing to synthesize the compliance requirements to the more complete set that the DOD/DFARS adopted.
Ultimately, it is the contractor’s responsibility to determine whether it is has implemented the NIST SP 800-171 (as well as any other security measures necessary to provide adequate security for covered defense information). Third party assessments or certifications of compliance are not required, authorized, or recognized by DoD, nor will DoD certify that a contractor is compliant with the NIST SP 800-171 security requirements.
The protections required to protect government information are dependent on the information DoD is protecting and the kind of system on which the information is processed or stored.
There is no single or prescribed manner in which a contractor may choose to implement the requirements of NIST SP 800-171, or to assess their own compliance with those requirements. For companies new to the requirements, a reasonable first step may be for company personnel with knowledge of their information systems security practices to read through the publication, examining each requirement to determine if it may require a change to company policy or processes, a configuration change for existing company information technology (IT), or if it requires an additional software or hardware solution.
Some resources and tools to help you determine whether you’re subject to the requirement, and what you can do next:
- DOD Office of Small Business Cyber resources and news – especially the 49-minute video and the presentation slides
- DOD Procurement Toolbox – Cyber security section (including how to approach evaluating each requirement)
- Georgia Tech PTAC 20-min Instructional Video
- A handy presentation [from a law firm] that translates the major requirements into easy-to-understand terms
- The Safeguarding Covered Defense Information one-pager to ease you into the basics.
- The Cybersecurity Evaluation Tool (CSET) that provides a systematic approach for evaluating an organization’s security posture through a step-by-step process to evaluate their control system and information technology network security practices. The tool will allow you to select a standard (e.g. NIST SP 800-171) – and CSET will generate specific questions to those requirements and present you with assessment results.
- A Self-assessment guide when you’re ready for the deep dive
- OSD Memorandum: DPAP Guidance for DoD Acquisition Personnel that instructs DOD buyers how to implement and evaluate vendor cyber compliance (and since it’s going to be an evaluation factor in source selection, you need to know what your customers expect).
- For subcontractor and supplier reference – Lockheed Martin’s notice to its supply chain that you may find informative and applicable regardless of who your prime is.
- And if you heard the rumors of possible delay and were wondering if they have merit — sadly, no.
PTAP counselors can help you walk through these steps. While we’re not technical experts on network security, we could help you walk through the self-assessment and determine what steps you need to take to bring your business up to compliance.
Update (submitted by David Dempsey, Dempsey Fontana, PLLC): This past Tuesday (April 24th 2018), DOD issued draft regulations on its cybersecurity clause DFARS 252.204-7012. Attached are pdf copies of the Federal Register notice plus the two documents referenced in the notice.
PTAP has been advised that DOD has implicitly acknowledged that contractor implementation of a NIST SP 800-171r cybersecurity plan is not going as anticipated. The draft guidance explains three levels of priority within an implemented System Security Plan (“SSP”). The utility of the priority levels is that DOD has identified the priorities on an item-by-item basis per the NIST security requirement. For example, multifactor authentication (NIST 171, 3.5.3) is a priority 1 (“P1”) while monitoring security controls (NISAT 171, 3.12.3) on an ongoing basis is a priority 3 (“P3”). DOD is again focusing on the development of SSP as supplemented by a Plan of Action that includes an implementation schedule.
More importantly, and as highlighted during the presentations sponsored by PTAP, DOD has emphasized that SSPs (with or without an accompanying Plan of Action) will be an evaluation factor used to discriminate among offers as a means to evaluate the government’s overall risk of providing “covered Defense information” to contractors who then use or store CDI on their IT systems. Specifically, the draft guidance states that RFP’s must require delivery of NIST SP 800-171 Security Requirement 3.12.4 – System Security Plan (or specified elements of) and [NIST-171] Security Requirement 3.12.2 – Plans of Action with the contractor’s technical proposal.
Update (submitted by David Dempsey, Dempsey Fontana, PLLC) : Earlier this morning (June 7th, 2018), NIST’s Computer Security Resource Center (“CSRC”) distributed its fourth revision of NIST SP 800-171 (second one for 2018). See https://csrc.nist.gov/ publications/detail/sp/800-171/rev-1/final). As of today, the proper reference to “NIST-171” is NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, rev. 1 (December 2016) (updated June 7, 2018) or “NIST SP 800-171, r1 (updated through June 7, 2018).” According to the “errata sheet” the CSRC has made approximately 72 “substantive” changes to NIST-171. Presumably, DOD will revise the link currently set forth in DFARS 252.202-7012 and bring the DFARS clause up to date.
The CSRC also published today three supplemental documents to NIST-171 (available at the above link):
All previous attendees should also be made aware of DOD’s proposed priorities for NIST-171 implementation (see 83 Fed. Reg. 17807 (April 24, 2018) and follow instructions on p. 17808) and the NIST requirements (identified by ¶ number in an Attachment to the slides presented at those seminars. Moreover, DOD’s updated FAQs on NIST-171 implementation (dated April 2, 2108) should be reviewed in the context of today’s revised NIST-171 – see FAQs updated April 2, 2018.
Also included with today’s CSRC announcement regarding NIST-171 is the second draft of NIST SP 800-171A entitled “Assessing Security Requirements for Controlled Unclassified Information (Final Draft)(February 2018). (This document is also available at https://csrc.nist. gov/publications/ detail/sp/800-171/rev-1/final.) The introduction to CSRC’s “assessment” document states that it “is intended to help organizations develop assessment plans and conduct efficient, effective, and cost-effective assessments of the security requirements in NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.”