We had the opportunity to attend the Department of Defense’s (DoD) Industry Information Day on Friday, June 23, at the Mark Center Auditorium in Alexandria, Virginia. DoD’s Chief Information Officer published advance notice of the meeting in the Federal Register on April 5, 2017.
At the start of the event and throughout, DoD emphasized the importance of industry’s role in its overall cybersecurity posture. DoD also stated that:
- The cybersecurity threat is not going away and it is real and pervasive;
- The Defense Industrial Base is a target for cyber actors;
- Senior executives need to be involved with cybersecurity compliance;
- It is critical to DoD that information contractors receive is protected; and
- Cyber breaches cost companies $400 billion a year.
The above comments and others reflect a growing sense of urgency at DoD to ensure that information received from DoD, or created by contractors for DoD, does not fall into the wrong hands.
The main emphasis of the event, however, was the implementation of proposed Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, which will apply to all DoD procurements that involve Covered Defense Information (except for Commercial Off-the-Shelf purchases). Covered Defense Information is “unclassified controlled technical information or other information” and includes information “[m]arked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract [and] [c]ollected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.” DFARS 252.204-7012(a). Covered Defense Information is a broad category that includes information subject to export control, controlled technical information, and information about critical infrastructure. The full list of Covered Defense Information is available at the CUI Registry.
For contractors needing to comply with this clause, the first step is to study NIST 800-171 (“Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”). The 110 security requirements listed in NIST 800-171 are categorized into 14 separate “families”: access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity. Within these families are the individual requirements, which range from escorting visitors and monitoring physical security (3.10.3) to storing and transmitting only cryptographically-protected passwords (3.5.10). Unlike NIST 800-53, 800-171 does not mandate how contractors achieve these requirements; it leaves contractors the flexibility to address them as they see fit.
Other requirements of DFARS 252.204-7012 discussed at the Industry Information Day include:
- reporting cyber incidents that affect a covered contractor information system directly to DoD;
- submitting malicious software that a contractor has recovered;
- if requested, submitting any media associated with that incident if DoD wants to do a damage assessment of the incident; and
- flowing down the DFARS clause into any subcontracts that will involve Covered Defense Information or operationally critical support.
DoD recommended utilizing the Cybersecurity Evaluation Tool (CSET) to pinpoint an organization’s cybersecurity gaps. The tool helps an organization evaluate its current cybersecurity posture and formulate its goals.
The Defense Contract Management Agency (DCMA) will also play a role in the implementation of the DFARS clause, including ensuring that the applicable cybersecurity clauses are in the contract and engaging with contractors to verify that they have a security plan. As with DoD’s recently enacted requirements for detection and avoidance of counterfeit parts, contractors are responsible for monitoring their subcontractors’ compliance.
Even though DoD contractors have until December 31, 2017 to comply with DFARS 252.204-7012, there is an immediate requirement to comply with NIST 800-171 if a contractor is not operating an IT system on behalf of the government. For contracts awarded prior to October 1, 2017, “the Contractor shall notify the DoD Chief Information Officer (CIO), via email at email@example.com, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award.” DFARS 252.204-7012(b)(2)(ii)(a).
These are just a few highlights from DoD’s Industry Information Day. Look for future blogs discussing these new requirements in greater detail.