DFARS and NIST 800-171...Why are they important?
For covered contractor information systems that are not part of an IT service or system operated on behalf of the Government . . . the following security requirements apply:
. . . the covered contractor information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. . .” The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017. . .
-Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012
Why is this important --- and how did we get here?
The issue of protecting controlled unclassified information (CUI) has been around for a while, being an extensive focus of the Department of Defense (DoD) for the past several years. In November 2010, the White House issued Executive Order 13556.This order established an open and uniform program across Civilian and Defense agencies for managing information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulation, and Government-wide policies.
The issue the Executive Order was trying to correct, was that departments and agencies were employing ad hoc, agency-specific policies, procedures, and markings to safeguard and control CUI. This inefficient and confusing patchwork led to inconsistent, unclear, or unnecessarily restrictive dissemination policies, and created impediments to authorized information sharing. Inefficiency in itself is a shame. In this case more so, since CUI is sensitive information that often impacts privacy and security concerns, contains proprietary business interests, and is critical in law enforcement investigations.
About the DFARS 252.204-7012.
This led to DoD, General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) to publish a rule that requires federal government contractors, grantees, or those with cooperative agreements to apply cybersecurity controls to protect corporate information systems effective June 15, 2016. The systems are to be protected with control requirements based on security requirements published in NIST 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”
The scope of this requirement is limited to systems that store CDI, which in this case is defined to include any information related to ‘the performance of the contract" that DoD provides to the contractor (pretty much anything). Or, which the contractor accumulates in support of the contract (pretty much everything). This is an expansive requirement and will have a dramatic impact on the number of systems that must be considered in-scope of a gap assessment. System information covered under this rule falls into four categories:
- Controlled Technical Information, which is defined as "technical information” with military or space application that is subject to controls (pretty much everything the government has provided or asked for already).
- OpSec information about intentions, capabilities, and activities that an adversary could use to guarantee failure or unacceptable consequences.
- Export-controlled information, such as "dual-use" technologies like nuclear or biochemical information.
- Any additional information specifically identified in the contract (pretty much whatever the government has not asked for yet).
The new rule also flows down to subcontractors, but only applies if subcontractors meet the same applicability definitions described above The new rule also notes that compliance with basic safeguarding requirements will not remove any other regulatory or existing contractual requirements related to safeguarding government information in covered contractor information systems.
NIST SP 800-171.
NIST SP 800-171 outlines the basic safeguarding requirements that applicable contractors must implement. The publication includes 14 families of security requirements, comprising 109 individual controls. The control families are:
1. Access Control— limits system access to authorized users
2. Awareness and Training—provides awareness of the security risks associated with user’s activities; training them on applicable policies, standards and procedures; and making sure they are trained appropriately to carry out their duties.
3. Audit and Accountability— creation, protection, retention, and review of system logs.
4. Configuration Management— creation of baseline configurations and use of robust change management processes.
5. Identification and Authentication—identifying and authenticating the information system users and devices.
6. Incident Response— developing operations to prepare for, detect, analyze, contain, recover from, and respond to incidents.
7. Maintenance—performing timely maintenance on organizational information systems.
8. Media Protection—protection, sanitation and destruction of media containing CUI.
9. Personnel Security—screening individuals prior to authorizing their access to information systems and ensuring such systems remain secure upon the termination or transfer of individuals.
10. Physical Protection—limiting physical access to and protecting and monitoring the physical facility and support infrastructure for the information systems.
11. Risk Assessment— assessing the operational risk associated with processing, storage, and transmission of CUI
12. Security Assessment—assessing, monitor and correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems.
13. System and Communications Protection—monitor, control and protect data at the boundaries of the system, and employ architectural designs, software development techniques and system engineering principles that promote effective information security.
14. System and Information Integrity—identify, report and correct information and information system flaws in a timely manner, protect the information system from malicious code at appropriate locations, and monitor information security alerts and advisories and take appropriate actions While the DFARS has directed contractors to implement the NIST Requirements by December 31, 2017, it has not established guidelines for contractor implementation. Large contractors likely have robust security systems already in place. This means that such contractors likely do not need to make any drastic changes, as they are already more inclined to being compliant with the NIST Requirements.
So what do you need to do?
Contractors who own or operate information systems that process, store, or transmit federal contract information, need to do the following:
- Review the security controls outlined in Appendix E of NIST SP 800-171 to ensure their security implementation provides sufficient protection against a range of cyberattacks.
- Conduct a gap assessment to understand what requirements they do not meet.
- Develop an IT Security Plan and roadmap to remediate identified gaps.
Implementing these security controls is a first step to becoming compliant and can be quite a big undertaking for small and medium-size businesses. Luckily, InfusionPoints cyber security practice can ease this burden. Our proven Quick Look Assessment and Cyber Security Framework can aid these firms in meeting requirements and ensuring the security postures of their systems. For more information on protecting CUI, or to learn how InfusionPoints’ consultants can help, please contact our team.