Government contractors that work with classified information should be aware of new cybersecurity measures being implemented under Change 2 to the National Industrial Security Program Operating Manual (NISPOM). No later than November 18, 2016, any contractor holding a facility clearance must apply basic cybersecurity measures to its information systems (IS) pursuant to the recent update to the NISPOM.
The NISPOM requires all federal agencies to maintain certain safeguards, procedures, and restrictions when disclosing classified information to their contractors. Under the recently promulgated Change 2 to the NISPOM, agencies and contractors must implement the following notable changes:
- A cleared contractor must cooperate with a federal agency customer that asks the contractor to provide any records needed to assess a potential cybersecurity threat. A cleared contractor that receives such a request should coordinate with its Facility Security Officer (FSO) to ensure proper compliance.
- If a Cleared Defense Contractor's (CDC) IS experiences a cyber incident, the CDC is required to
  - Immediately provide the Department of Defense (DoD) (a) a description of the method or technique used to conduct the cyber incident, (b) a sample of the malicious software involved, and (c) an assessment summarizing the information within the DoD program that has potentially been compromised; and
  - Comply with any DoD request to assess any equipment or information that is needed to conduct a forensic analysis of the cyber incident.
- All authorized IS users must complete initial and annual refresher cybersecurity awareness training before gaining access to classified information. More broadly, the contractor's overall IS security program must incorporate a "risk-based set of management, operational and technical controls" and, at minimum, must include
  - Policies and procedures that (a) reduce information security risks; (b) address information security throughout the IS's life cycle; and (c) provide direction on how to detect, report, and respond to IS security incidents;
  - Plans for providing adequate information security for data resident in the IS;
  - A training program that informs IS users of the security risks associated with their activities and responsibilities;
  - An evaluation of the IS on at least an annual basis, reflecting continuous monitoring of the IS; and
  - A self-inspection program subject to review by the Cognizant Security Agency (CSA).1
Change 2 to the NISPOM is focused on improving federal agencies' and their contractors' cybersecurity so that they are better prepared to prevent and respond to cyber incidents. Contractors therefore need to understand precisely what constitutes "cybersecurity" and what constitutes a "cyber incident" that triggers reporting obligations.
- "Cybersecurity" is defined as the "[p]revention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communication services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and non-repudiation."
- "Cyber Incident" is defined as "[a]ctions taken through the use of computer networks that result in an actual or potentially adverse effect on an IS or the information residing therein."
The NISPOM does not expressly extend the new cybersecurity requirements to subcontractors. It is nonetheless likely in a cleared contractor's best interest to flow the NISPOM's cybersecurity requirements down into its subcontracts, because, like cleared contractors, cleared subcontractors may also experience cyber incidents.
Existing NISPOM Authority Worth Remembering
Although it is not a new NISPOM requirement, all cleared contractors should be mindful that they are subject to an "aperiodic security review" by the CSA to ensure that their employed safeguards adequately protect classified information.2 The CSA will normally provide notice of the security review, but "unannounced reviews may be conducted at the discretion of the CSA."
How Does This Relate to DFARS 252.204-7012, Safeguarding of Unclassified Controlled Technical Information?
Defense contractors and their subcontractors are no doubt aware of recent changes to the DFARS3 requiring the safeguarding of unclassified controlled technical information. The promulgation of Change 2 to the NISPOM now raises the prospect that a defense contractor with a facility clearance may be subject to the safeguarding and cyber incident reporting obligations under both the DFARS and the NISPOM. Consequently, all cleared defense contractors need to be sure they have in place the processes, procedures, and systems necessary to satisfy both sets of requirements. There is, however, some overlap between the two sets of requirements, which may help cleared contractors demonstrate compliance with both. For example, both the NISPOM and the DFARS require contractors to
- Report cybersecurity threats and potential cybersecurity threats to the DoD;
- Submit malicious software to the DoD; and
- Create policies and procedures that mitigate cybersecurity incidents that do occur and reduce the likelihood that cybersecurity threats will materialize.
Contractors must be aware, however, that the NISPOM requirements are less specific than those set forth in the DFARS. A contractor should therefore consider having its FSO coordinate with the Defense Security Service (DSS) to confirm that its DFARS compliance measures also satisfy the NISPOM requirements.
It should also be noted that not every cleared contractor is subject to DFARS 252.204-7012, Safeguarding of Unclassified Controlled Technical Information. Cleared contractors must therefore implement the NISPOM changes to their IS even if they are not subject to the DFARS safeguarding and cyber incident reporting obligations.