All defense contractors – prime and sub – must provide adequate security for covered defense information in accordance with these regulations:
- Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting [DFARS]
- National Institute of Standards & Technology (NIST) Special Publication (SP) 800-171 Revision 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations [SP 800-171R1]
CT PTAC can:
- Help with understanding the requirements
- Offer assistance in determining if you must comply
- Review documentation and make general suggestions
- Nonfederal entity – You: a contractor who accepts a contract from a federal agency or from a prime contractor
- Contract – delivery order, task order or purchase order for the delivery of supplies or services
- System security plan (SSP) – description of the system's security requirements and of the controls in place or planned to meet them, including the responsibilities and expected behavior of all individuals who access the system.
- Plan of action and milestones (POAM) – plan to describe specific measures being implemented to correct deficiencies found during a security control assessment. The POAM should identify:
- tasks needed to correct the deficiency
- resources required to make the plan work
- milestones (timeframe) to complete the tasks.
What is the requirement?
DFARS Clause 252.204-7012: Safeguarding Covered Defense Information (CDI) and Cyber Incident Reporting requires that contractors implement NIST SP 800-171R1 to protect systems and networks that process, store, or transmit “covered defense information” (as defined in the clause).
- SP 800-171R1 applies to data that the federal government designates as Controlled Unclassified Information (CUI) when it is shared by the federal government with a non-federal entity (you) and there is no other law in place to protect the data.
SP 800-171R1 provides a single, Government-wide set of performance-based security requirements that significantly reduce unnecessary specificity (e.g., as compared to prescribing detailed security controls), which enables contractors to comply in most cases by using or adapting systems and practices already in place.
- There is no single or prescribed manner in which a contractor may choose to implement the requirements of SP 800-171R1, or to assess their own compliance with those requirements.
- Ultimately, the contractor (and subcontractor) bears the responsibility for determining whether it has implemented SP 800-171R1.
DFARS 252.204-7012:
- Is not required for solicitations and contracts where the only items being procured are commercial-off-the-shelf (COTS) items.
- Is required for all other solicitations and contracts where covered defense information (CDI) is involved, including the acquisition of commercial items involving CDI.
- Is not required to be applied retroactively, but a contracting officer may modify an existing contract to add the clause.
Is it CUI or UCTI or CDI or…? What is considered CUI/UCTI/CDI…?
The DFARS cyber security rules apply to Covered Defense Information (CDI). In some documents, you may also see the terms Controlled Unclassified Information (CUI) and Unclassified Covered Technical Information (UCTI), or just Covered Technical Information (CTI). These should all be read as CDI when you read DPAP/DFARS regulations, as they are subsets of CDI as defined in 32 CFR 236.2 (DoD-Defense Industrial Base Cybersecurity Activities): https://www.gpo.gov/fdsys/pkg/CFR-2013-title32-vol2/pdf/CFR-2013-title32-vol2-sec236-2.pdf
US Department of Defense (DoD) contractors and subcontractors are required to safeguard Controlled Unclassified Information (CUI), which is a subset of Covered Defense Information (CDI). General CUI categories are outlined at https://www.archives.gov/cui. In addition, CUI and CDI may be specified in the terms of individual contracts or in directives from government contracting officers or government clients. Contractor business systems that handle CUI may or may not also handle CDI. For those that do, it may be difficult to separate the two for handling purposes.
What’s the bottom line? Does my organization need to comply with SP 800-171R1?
If you have (or expect to obtain) a contract that contains the DFARS clause, you are required to comply with the security standards in SP 800-171R1 by providing and documenting reasonable adequate security for CDI.
- DFARS Clause 252.204-7012 requires contractors to provide “adequate security” for covered defense information that is processed, stored, or transmitted on the contractor’s internal information system or network.
- The Department of Defense must mark, or otherwise identify any covered defense information that is provided to the contractor, and must ensure that the contract includes the requirement for the contractor to mark covered defense information developed in the performance of the contract.
- To provide adequate security, the contractor must, at a minimum, implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” not later than December 31, 2017.
CONTRACT and PROPOSAL EVALUATION
The DFARS does not otherwise require the Government to monitor contractor compliance or implementation: the “Contractor ‘self-attests’ to compliance with DFARS 252.204-7012 and implementation of NIST SP 800-171.”
In November 2018, DoD’s Acting Principal Director for Defense Pricing and Contracting (DPC) issued a memorandum “Guidance for Assessing Compliance and Enhancing Protections Required by DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.” This memorandum includes two guidance documents, slated for integration into DFARS PGI 204.73 in 2019:
- “DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented.” This guidance document will help acquisition personnel to:
- Review System Security Plans and Plans of Action and Milestones consistently
- Address the impact of ‘not yet implemented’ security requirements
- Clarify the implementation of NIST SP 800-171 security requirements
- “Guidance for Assessing Compliance of and Enhancing Protections for a Contractor’s Internal Unclassified Information System.” This document “provides a framework of actions that can be tailored by a program office/requiring activity…” These tailorable actions include:
- Requiring delivery of the contractor’s system security plan (or extracts thereof)
- Requiring the contractor to identify known Tier 1 Level suppliers
- Requesting the contractor’s plan to track flow down of covered defense information and to assess DFARS clause 252.204-7012 compliance of known Tier 1 Level suppliers
DoD guidance now explains that the requiring activity/buying activity may add requirements or enhanced cybersecurity measures to the terms of the contract, and may include specifics of how compliance with those additional requirements will be evaluated, tracked, and monitored AT ALL TIER LEVELS.
Look for these security requirements in the solicitation or in your contract within the Statement of Work, Contract Data Requirements List, or Data Item Description, e.g.:
- CDRL: Request Contractor’s System Security Plan and Any Associated Plans of Action for Contractor’s Internal Information System
- DID: Contractor’s System Security Plan and Any Associated Plans of Action for Contractor’s Internal Information System
- CDRL: Request Contractor’s Record of Tier 1 Level Suppliers who Receive or Develop Covered Defense Information
- DID: Contractor’s Record of Tier 1 Level Suppliers who Receive or Develop Covered Defense Information (Draft)
Solicitations may require or allow elements of the contractor’s System Security Plan to be included in the contractor’s technical proposal, and subsequently incorporated (usually by reference) as part of the contract. In the latter case, companies should ensure their plans are marked with an appropriate restrictive notice or marking (e.g., to indicate that it contains “proprietary” or other sensitive information).
WHAT IS NIST SPECIAL PUBLICATION 800-53, AND DO I NEED TO COMPLY WITH THAT TOO?
NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
The short answer: even though the SP 800-53 guidelines were written specifically for U.S. federal information systems and organizations, you should become familiar with the SP 800-53 requirements, because SP 800-171 takes its structure from SP 800-53 and derives its requirements from it.
- 53 – Federal Info Systems
- 171 – Non-Federal Info Systems
SP800-171 is basically a streamlined version of SP800-53, created for non-federal information systems.
Brief History: SP800-53
- Written for all U.S. federal information systems and organizations
- A critical component of Federal Information Security Management Act (FISMA) compliance [FISMA was signed into law as part of the Electronic Government Act of 2002]
- Created to heighten the security of the information systems used within the federal government (except those designed for national security)
- Applies to any component of an information system that stores, processes, or transmits federal information
The 14 security control families referenced in SP800-171 are drawn from the control families introduced in SP800-53 (originally 18).
The Federal Information Processing Standards (FIPS) were developed by the federal government to establish standards for categorizing information and information systems, in order to protect both the Government and contractors (single state) from the risks associated with a compromise of the confidentiality, integrity, or availability of information.
Implementing a Single-State Security Solution for CUI
Controlled Unclassified Information has the same value whether it resides in a federal system that is part of a federal agency or in a nonfederal system that is part of a nonfederal organization. Accordingly, the security requirements in SP 800-171R1 are consistent with and complementary to the standards and guidelines used by federal agencies to protect CUI.
NIST Special Publication 800-171 Revision 1 Control Families
- 3.1 Access Control (AC)
- 3.2 Awareness and Training (AT)
- 3.3 Audit and Accountability (AU)
- 3.4 Configuration Management (CM)
- 3.5 Identification and Authentication (IA)
- 3.6 Incident Response (IR)
- 3.7 Maintenance (MA)
- 3.8 Media Protection (MP)
- 3.9 Personnel Security (PS)
- 3.10 Physical and Environmental Protection (PE)
- 3.11 Risk Assessment (RA)
- 3.12 Security Assessment (CA)
- 3.13 System and Communications Protection (SC)
- 3.14 System and Information Integrity (SI)
Most requirements in NIST SP 800-171R1 are about policy, process, and configuring IT securely.
Read through the DFARS clause and the NIST publication, examining each requirement to determine if it may require a change to company policy or processes, a configuration change for existing company information technology (IT), or if it requires an additional software or hardware solution. SP 800-171R1 includes some provisions that may take time to implement, including two-factor authentication, encryption, and monitoring.
SP 800-171R1 includes Appendix D (Mapping Tables) to map out the basic security requirements. This is intended as a guide and is not required to be followed verbatim.
Third Party Assessment
Security of classified defense technical information has been mandated for years. Being required to have an assessed information security system to protect unclassified controlled technical defense information is new. Because of this new requirement, there are now MANY for-profit companies offering to perform an assessment of business information security systems for a fee. You may have already been contacted by one or more.
You may opt to have a third party company perform your information security system assessment. The cost of an information security system assessment can vary widely, from hundreds of dollars to thousands of dollars. The cost for subsequent security systems upgrades, if required, depends on the size and complexity of the business.
PTAC recommends that you first perform your own basic assessment of your existing cybersecurity practices to better prepare you for when a professional assessor performs their review. PTAC can provide a list of sources, but cannot endorse any particular enterprise.
With all of the documented technical support available online, it is possible to perform an information security system self-assessment if you have the technical knowledge (and time) to do so. There are several comprehensive resources listed at the end of this publication.
With a self-assessment, examine each SP 800-171R1 requirement to determine if it is applicable to your company and its handling of CUI. Will you need to make changes to your existing company policy or processes, make overall configuration changes for existing company information technology (IT), or possibly implement a software or hardware solution? Document and rectify any areas where non-compliance exists. Because every company is different, it is up to each company to determine the nature, extent, and effectiveness of each control to adequately mitigate the risks to CUI.
Types of system analysis you may need to perform include, but are not limited to: Risk Assessment, Controls Gap Assessment, and Penetration Testing.
Asking the right questions is crucial to reveal strengths and weaknesses in your information system security. For example, consider situational awareness of CUI and how it enters and leaves your possession. You have to make sure that the spaces where you handle and work with CUI are only accessed by authorized individuals:
- Do you control which computers have access to certain files or databases, and then only upgrade those computers? What other access controls are needed/in place? Only certain individuals need to access areas of your cloud storage, therefore only those individuals need their systems upgraded.
- Where is physical CUI stored at your building? Who needs to be working with the CUI? Does your entire team, by default, work with CUI? And do they need to? Do you control what systems and personnel access CUI? Some of the compliance standards deal specifically with physical CUI and the way it is stored and accessed.
- Does documentation exist for relevant business process workflows and data flows?
Other types of key factors affecting compliance include:
- Data handling
- how data is processed
- tools used or needed to limit data handling
- number of systems and devices requiring encryption at-rest
- number of subcontractor systems receiving controlled data
- business processes that involve CUI
- record keeping
Again, the resources listed at the end of this publication offer excellent guidance on performing a self-assessment.
Whether you need to develop new or improve/update existing cybersecurity protocols, your processes should cover all 14 control families and their corresponding sub-requirements as applicable to your business.
Training is key. Security awareness training teaches employees to understand vulnerabilities and threats to business operations. Your employees need to be aware of their responsibilities and accountabilities when using a computer on a business network, and when handling CUI.
There are numerous free training modules offered via the web, or contact your PTAC Counselor for information on training or for technical assistance. The National Archives offers training for personnel at all levels, including marking, safeguarding, and destruction. https://www.archives.gov/cui/training.html
5. CYBER INCIDENT REPORTING REQUIREMENTS
Once you discover a cyber incident that affects your information system or the covered defense information that resides on that system, you must “rapidly report” the incident within 72 hours of discovery to DoD’s DIB Cyber Incident Reporting & Cyber Threat Information Sharing Portal (DibNet): https://dibnet.dod.mil/portal/intranet/
If you are a subcontractor to a prime contractor, you must report in parallel to both:
- your prime contractor
- the DoD at the DibNet site above
You will need a DoD-approved medium assurance certificate to access the cyber reporting function at DibNet. The DoD has established the External Certification Authority (ECA) program to ensure industry partners securely communicate with the DoD and authenticate to DoD Information Systems. Follow the link on the DibNet site for more information about the ECA program or visit the Defense Information Systems Agency (DISA) for links to ECA approved vendors. https://iase.disa.mil/pki/eca/Pages/index.aspx
6. SUBCONTRACTOR FLOWDOWN REQUIREMENT
Primes must flow this clause down to subcontracts for operationally critical support or for which subcontract performance will involve covered defense information.
The DFARS clause states “The Contractor shall determine if the information required for subcontractor performance retains its identity as covered defense information and will require protection under this clause…”
[Note: the FAR does not distinguish between a subcontract, purchase order, delivery or task order.]
7. DOCUMENT, DOCUMENT, DOCUMENT
You need to document your security processes and procedures to demonstrate compliance with the DFARS regulation and NIST guidelines.
While the DFARS uses the word “may” regarding using a system security plan, NIST SP 800-171R1 references a system security plan over and over. There is no prescribed format or a specified level of detail for system security plans, however, you must ensure that the required information in SP 800-171R1 is properly addressed in your plan.
Any system security deficiencies must be documented using a Plan of Action & Milestone (POAM):
- How and when any unimplemented security requirements will be met
- How and when you will correct deficiencies and/or reduce or eliminate vulnerabilities in your system(s)
- How and when any planned mitigations will be implemented
FedRAMP provides guidance on preparing an SSP: https://www.fedramp.gov/developing-a-system-security-plan/
There are also several System Security Plan templates available via the internet that may prove useful:
- FedRAMP templates – https://www.fedramp.gov/templates/
- NIH IT Security Plan (IT-SP) – https://irtsectraining.nih.gov/ITSecSSPlan/html/02_01.html
- FDIC Word document
- GA Tech Word document
Continuously monitor and update your SSP to remain compliant. Train staff at least annually; document training.
- Defense Procurement & Acquisition Policy Network Penetration Reporting and Contracting for Cloud Services Frequently Asked Questions
- National Archives – Controlled Unclassified Information (CUI)
- FedRAMP FAQs
- NIST SP 800-115 Technical Guide to Information Security Testing and Assessment
- DHS Cyber Security Evaluation Tool (CSET®)
- NIST MEP CYBERSECURITY Self-Assessment Handbook. While written for manufacturers, this is a good resource for any company.
- NIST MEP CYBERSECURITY Self-Assessment Handbook Associated webinar
These resources are non-government entities provided by CT PTAC as a convenience, for information purposes only, and are not specifically endorsed by CTPTAC:
ON DEMAND TRAINING COURSES OFFERED BY CT PTAC:
- Cybersecurity Compliance: Threats, DFARS Requirements, Standards, and Assessments
- Simplifying Cybersecurity Compliance for Federal Contractors
- Analyzing Your GovCon Cybersecurity Compliance
There is no charge for this course if you use the CTPTAC Access Code: CT9102
- Add webcast to cart.
- Enter the access code in the Coupon field and click Apply.
- Click Proceed to Checkout to complete your registration.
- Fill out the registration form and click Place Order.
YOUR CT PTAC COUNSELOR IS YOUR BEST RESOURCE FOR DFARS/NIST COMPLIANCE INFORMATION AND SUPPORT
All information contained herein is provided by CT PTAC as a convenience, for information purposes only, and should not be considered legal advice. PTAC makes no representations as to the accuracy or completeness of the information provided herein. PTAC cannot be held liable, directly or indirectly, for any such damage or loss which may be a result of, caused or allegedly to be caused by or in connection with the use of or the reliance on any such content. Any person or entity that relies on any information contained herein does so at her or his own risk.