"Solving the puzzle of government contracting"
Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting [DFARS]
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 1, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations," December 2016 [SP 800-171R1]
CT PTAC can:
Offer assistance in determining whether you must comply.
Help with understanding the requirements.
Review documentation and make general suggestions.
CT PTAC cannot provide an official assessment of your information security system or System Security Plan.
All defense contractors whose contracts contain the clause must provide adequate security for covered defense information in accordance with these regulations, with SP 800-171 implemented no later than December 31, 2017.
WHAT IS THE REQUIREMENT?
DFARS Clause 252.204-7012, Safeguarding Covered Defense Information (CDI) and Cyber Incident Reporting requires that contractors implement NIST SP 800-171R1 to protect systems and networks that process, store, or transmit “covered defense information” (as defined in the clause).
SP 800-171R1 applies to data that the federal government designates as Controlled Unclassified Information (CUI) when it is shared by the federal government with a nonfederal entity and no other law, regulation or government-wide policy prescribes how the data must be protected.
SP 800-171R1 provides a single, Government-wide set of performance-based security requirements that significantly reduce unnecessary specificity (e.g., as compared to prescribing detailed security controls), which enables contractors to comply in most cases by using or adapting systems and practices already in place.
There is no single or prescribed manner in which a contractor may choose to implement the requirements of SP 800-171R1, or to assess their own compliance with those requirements.
Ultimately, the contractor (and subcontractor) bears the responsibility for determining whether it has implemented the SP 800-171R1.
DFARS 252.204-7012 is:
Not required in solicitations and contracts where the only items being procured are commercial-off-the-shelf (COTS) items.
Required in all other solicitations and contracts where covered defense information (CDI) is involved, including the acquisition of commercial items involving CDI.
Not required to be applied retroactively, although a contracting officer may modify an existing contract to add the clause.
IS IT CUI, UCTI, OR CDI, OR…? WHAT IS CONSIDERED CUI/UCTI/CDI…?
The DFARS cyber security rules apply to Covered Defense Information (CDI). In some documents you may also see the terms Controlled Unclassified Information (CUI), Unclassified Controlled Technical Information (UCTI), or just Controlled Technical Information (CTI). Technical information (CTI/UCTI) is one category of CDI, so when reading DPAP/DFARS guidance treat CTI and UCTI as CDI; the terms are defined in 32 CFR 236.2 (the DoD Defense Industrial Base cyber security program rule).
US Department of Defense (DoD) contractors and subcontractors are required to safeguard Covered Defense Information (CDI), which is itself a subset of Controlled Unclassified Information (CUI). The general CUI categories are listed in the CUI Registry maintained by the National Archives. In addition, CUI and CDI may be identified in the specific terms of a contract or in directives from government contracting officers or government clients. Contractor business systems that handle CUI may or may not also handle CDI. Where they do, it may be difficult to separate the two for handling purposes.
WHAT’S THE BOTTOM LINE? Does My Organization Need To Comply With SP 800-171R1?
If you have (or expect to obtain) a prime contract, subcontract, purchase order, delivery order or task order that contains the DFARS clause, you are required to comply with the security requirements in SP 800-171R1 by providing, and documenting, adequate security for CDI.
DFARS Clause 252.204-7012 requires contractors to provide “adequate security” for covered defense information that is processed, stored, or transmitted on the contractor’s internal information system or network.
The Department of Defense must mark, or otherwise identify in the contract, any covered defense information that is provided to the contractor (Distribution Statement), and must ensure that the contract includes the requirement for the contractor to mark covered defense information developed in performance of the contract.
To provide adequate security, the contractor must, at a minimum, implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations," no later than December 31, 2017.
DEPARTMENT OF DEFENSE CONTRACTS
The Department of Defense is advising their acquisition personnel regarding the contract formation, administration, and source selection processes in anticipation of the December 31, 2017, deadline:
Anticipating the manner in which contractors are likely to approach implementing NIST SP 800-171R1.
How a contractor may use a System Security Plan (SSP) to document implementation of the SP 800-171R1 security requirements.
How DoD organizations might choose to leverage the contractor's SSP and any associated Plans of Action and Milestones (POA&Ms).
Solicitations may require or allow elements of the contractor's SSP to be included in the contractor's technical proposal and subsequently incorporated (usually by reference) as part of the contract. In that case, companies should ensure their plans carry an appropriate restrictive notice or marking (e.g., to indicate that the plan contains "proprietary" or other sensitive information), since an SSP describes the company's security architecture and its known gaps.
DFARS 252.204-7012 does not otherwise require the Government to monitor contractor implementation of SP 800-171R1 or compliance with any other requirement of the clause. DoD guidance explains that the requiring activity or buying activity may add oversight requirements to the terms of the contract if it determines that oversight of the security requirements is necessary.
WHAT IS NIST SPECIAL PUBLICATION 800-53? Do I need to comply with that too?
NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.
The short answer is that, even though SP 800-53 was written specifically for U.S. federal information systems and organizations, you should become familiar with it, because SP 800-171 draws its structure from SP 800-53 and its requirements are derived from the SP 800-53 controls (Appendix D of SP 800-171 maps each requirement to the corresponding controls).
SP 800-53 = federal information systems.
SP 800-171 = nonfederal information systems.
SP 800-171 is essentially a streamlined version of SP 800-53, created for nonfederal information systems that handle CUI.
Brief History: SP 800-53
Written for all U.S. federal information systems and organizations.
A critical component of Federal Information Security Management Act (FISMA) compliance. FISMA was signed into law as part of the E-Government Act of 2002.
Created to heighten the security of the information systems used within the federal government (except national security systems).
Applies to any component of an information system that stores, processes, or transmits federal information.
SP 800-53 defines the security control families (18 in Revision 4) from which the 14 families used in SP 800-171 are drawn. The Federal Information Processing Standards (FIPS), in particular FIPS 199 and FIPS 200, establish how federal information and information systems are categorized and what minimum security they require, so that the risks associated with compromise of the confidentiality, integrity or availability of information are handled to a single standard whether the information sits on a government system or a contractor system.
Implementing a Single-State Security Solution for CUI
"Controlled Unclassified Information has the same value, whether such information is resident in a federal system that is part of a federal agency or a nonfederal system that is part of a nonfederal organization. Accordingly, the security requirements contained in this publication are consistent with and complementary to the standards and guidelines used by federal agencies to protect CUI." — Special Publication 800-171 Revision 1
NIST Special Publication 800-171 Revision 1 Control Families
3.1 Access Control (AC)
3.2 Awareness and Training (AT)
3.3 Audit and Accountability (AU)
3.4 Configuration Management (CM)
3.5 Identification and Authentication (IA)
3.6 Incident Response (IR)
3.7 Maintenance (MA)
3.8 Media Protection (MP)
3.9 Personnel Security (PS)
3.10 Physical Protection (PE)
3.11 Risk Assessment (RA)
3.12 Security Assessment (CA)
3.13 System and Communications Protection (SC)
3.14 System and Information Integrity (SI)
1. READ! Most requirements in NIST SP 800-171 are about policy, process, and configuring IT securely.
Read through the DFARS clause and the NIST publication, examining each requirement to determine whether it calls for a change to company policy or processes, a configuration change to existing company information technology (IT), or an additional software or hardware solution. SP 800-171R1 includes some provisions that can take time to implement, notably multifactor authentication (3.5.3), encryption of CUI in transit and at rest (3.13.8, 3.13.11, 3.8.9), and system monitoring and audit logging (3.3.x, 3.14.6).
SP 800-171 includes Appendix D (Mapping Tables), which maps each security requirement to the corresponding SP 800-53 controls and ISO/IEC 27001 controls. The mapping is intended as a guide to where fuller implementation detail can be found and is not required to be followed verbatim.
2. ASSESS
Third Party Assessment. Security of classified defense technical information has been mandated for years. Being required to have an assessed information security system to protect unclassified controlled technical information is new. Note that the DFARS clause itself does not mandate a third-party assessment; the contractor determines how to assess its own compliance. Even so, there are now MANY for-profit companies offering to perform an assessment of business information security systems for a fee, and you may have already been contacted by one or more.
You may opt to have a third-party company perform your information security system assessment. The cost of an assessment can vary widely, from hundreds to thousands of dollars. The cost of any subsequent security upgrades depends on the size and complexity of the business.
PTAC recommends that you first perform your own basic assessment of your existing cybersecurity practices to better prepare you for when a professional assessor performs their review. PTAC can provide a list of sources, but cannot endorse any particular enterprise.
Self-Assessment. With the documented technical support available online, it is possible to perform an information security system self-assessment if you have the technical knowledge (and time) to do so. Several comprehensive resources are listed at the end of this publication.
With a self-assessment, examine each SP 800-171 requirement to determine whether it is applicable to your company and its handling of CUI. Will you need to change existing company policy or processes, make configuration changes to existing company IT, or implement a software or hardware solution? Document any areas of non-compliance and rectify them, or record them in a Plan of Action and Milestones. Because every company is different, it is up to each company to determine the nature, extent and effectiveness of each control needed to adequately mitigate the risks to CUI.
Types of system analysis you may need to perform include, but are not limited to: Risk Assessment, Controls Gap Assessment, and Penetration Testing.
Asking the right questions is crucial to revealing strengths and weaknesses in your information system security. For example, consider your situational awareness of CUI: how it enters and leaves your possession, and where it is stored and processed in between. You have to make sure that the spaces and systems where you handle and work with CUI are accessed only by authorized individuals.
Scoping reduces cost. If only certain individuals need access to the areas of your file server or cloud storage holding CUI, then only their accounts and systems fall inside the CUI boundary and need to be brought up to the standard. Do you control which computers have access to specific files or databases, so that you can limit upgrades to those computers? What other access controls are needed or already in place?
Some of the requirements deal specifically with physical CUI and the way it is stored and accessed. Where is physical CUI stored in your building? Who needs to work with the CUI? Does your entire team, by default, work with CUI, and does it need to? Do you control which systems and personnel access CUI?
Does documentation exist for the relevant business process workflows and data flows?
Other types of key factors affecting compliance include:
How data is processed
Tools used or needed to limit data handling
Number of systems and devices requiring encryption at-rest
Number of subcontractor systems receiving controlled data
Business processes that involve CUI
Again, the resources listed at the end of this publication offer excellent guidance on performing a self-assessment.
3. DEVELOP/UPDATE Whether you need to develop new or improve/update existing cybersecurity protocols, your processes should cover all 14 control families and their corresponding sub-requirements as applicable to your business.
4. IMPLEMENT/TRAIN Training is key. Security awareness training teaches employees to understand vulnerabilities and threats to business operations. Your employees need to be aware of their responsibilities and accountabilities when using a computer on a business network, and when handling CUI.
There are numerous free training modules offered via the web, or contact your PTAC Counselor for information on training or for technical assistance. The National Archives offers training for personnel at all levels, including marking, safeguarding, and destruction. CLICK HERE »
5. CYBER INCIDENT REPORTING REQUIREMENTS Once you discover a cyber incident that affects your information system or the covered defense information that resides on it, or that affects your ability to provide operationally critical support, you must "rapidly report" the incident within 72 hours of discovery to DoD's DIB Cyber Incident Reporting and Cyber Threat Information Sharing Portal (DIBNet). The clause also requires you to preserve and protect images of all known affected information systems and all relevant monitoring and packet capture data for at least 90 days from the date of reporting, so that DoD can request them for forensic analysis.
If you are a subcontractor to a prime contractor, you must report in parallel to both 1) your prime contractor and 2) DoD at the DIBNet site above.
You will need a DoD-approved medium assurance certificate to access the cyber incident reporting function on DIBNet. DoD established the External Certification Authority (ECA) program so that industry partners can securely communicate with DoD and authenticate to DoD information systems. Follow the link on the DIBNet site for more information about the ECA program, or visit the Defense Information Systems Agency (DISA) for links to ECA-approved vendors. Obtaining a certificate takes time, so do this before you need to report, not after an incident.
6. SUBCONTRACTOR FLOWDOWN REQUIREMENT Primes must flow this clause down, without alteration, to subcontracts for operationally critical support or where subcontract performance will involve covered defense information.
The DFARS clause states, "The Contractor shall determine if the information required for subcontractor performance retains its identity as covered defense information and will require protection under this clause."
[NOTE: for flowdown purposes, the FAR does not distinguish between a subcontract, purchase order, delivery order or task order.]
7. DOCUMENT You need to document your security processes and procedures to demonstrate compliance with the DFARS clause and the NIST requirements.
While the DFARS clause uses the word "may" regarding use of a system security plan, SP 800-171R1 refers to the system security plan (SSP) throughout, and requirement 3.12.4 requires you to develop, document and periodically update one. There is no prescribed format or specified level of detail for an SSP; however, you must ensure that it addresses how each SP 800-171R1 requirement is met, describes the system boundary and the environment of operation, and identifies any requirements that are not yet implemented.
Any deficiencies should be documented in a Plan of Action and Milestones (POA&M), which states:
How and when any unimplemented security requirements will be met.
How and when you will correct deficiencies and reduce or eliminate vulnerabilities in your system(s).
How and when any planned mitigations will be implemented.