Defense Acquisition Regulation Supplement (DFARS) 252.204-7012 requires defense contractors to protect the security of controlled unclassified information (specifically “covered defense information”) residing on or transiting contractor or subcontractor information systems by adopting adequate cybersecurity measures for each of 110 security requirements in 14 security families and to report security incidents, mitigate incidents, and preserve data for the Department of Defense (DoD).
The fundamental cybersecurity documents for demonstrating compliance with NIST 800-171 by December 1, 2017, are the System Security Plan and the Plan of Action for planned implementations. NIST 800-171 prescribes the contents of these documents.
A September 21, 2017, DoD Memorandum and the December 7, 2017, testimony by a key DoD official clarify Government expectations for contractors and subcontractors.
While DoD contractors have long understood that compliance with NIST 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) by December 31, 2017, required them to adopt and fully implement all 110 cybersecurity requirements described in NIST 800-171, this is not necessarily the case. If all 110 security requirements are not fully implemented, a DoD contractor can comply with the deadline if it updates its System Security Plan to describe all implemented requirements and identifies those not fully implemented. For those security requirements not fully implemented, the contractor also must have a Plan of Action setting forth the plan and schedule for adopting and fully implementing each security requirement not yet implemented. If the contractor has such plans in place by December 31, 2017, it will technically comply with NIST 800-171, and therefore 252.204-7012, as well.
Each applicable subcontractor must also have a System Security Plan and a Plan of Action. Because 252.204-7012 is a mandatory flow-down clause and applies to all subcontractors other than those supplying commercial off-the-shelf (COTS) items, DoD contractors must ensure that each of their applicable subcontractors is also in compliance with NIST 800-171. Thus, DoD contractors should require each applicable subcontractor to provide them with a copy of its System Security Plan and its Plan of Action by December 31, 2017. Under best practices, DoD contractors should also evaluate whether each subcontractor is required to have CUI residing on or transiting its system in order to perform its subcontract, and eliminate non-essential CUI on subcontractor systems.
How do we know that a System Security Plan and a Plan of Action can fulfill NIST 800-171 requirements?
First, on September 21, 2017, DoD adopted a critical memorandum: Implementation of DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (DoD Memorandum). This DoD Memorandum expressly acknowledges the System Security Plan and Plan of Action requirements under NIST 800-171, rev. 1.
Second, on December 7, 2017, Ellen Lord, the Defense Undersecretary for Acquisition, Technology, and Logistics, testified before the Senate Armed Services Committee. Lord testified that for 2017, the only DoD requirement to protect DoD CUI is to have a System Security Plan in place, which can be a “simple” plan. While this testimony was described as a delay of the compliance required by DFARS clause 252.204-7012, it is not a delay. It is consistent with NIST 800-171, rev. 1, and 252.204-7012. There is no change.
Are there situations where the System Security Plan and Plan of Action will not satisfy DoD?
While an updated and current System Security Plan and Plan of Action is the minimum requirement for compliance, it may not be sufficient. A contracting officer, either for an ongoing contract or a new procurement, may request a contractor’s System Security Plan and Plan of Action. Contracting officers and other acquisition and security officials must undertake a risk assessment to determine the significance of specific security requirements based upon the nature of the work to be performed under a contract and the type of CUI to be developed, held, or transmitted using a contractor’s or subcontractor’s system. It is possible that particular security requirements will be found too critical to defer, or that existing Plans of Action will be found inadequate. In addition, solicitations may adopt proposal evaluation criteria or specific requirements related to system security that disadvantage offerors not in full compliance with NIST 800-171. Therefore, full compliance with all NIST 800-171 security requirements remains a significant differentiator, and timely compliance remains a requirement, if not by December 31, 2017, then soon thereafter.
DoD contractors evaluating the benefits of full compliance with NIST 800-171 security requirements should be familiar with President Trump’s May 11, 2017, Executive Order, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. This Executive Order mandates that all federal agencies adopt the NIST Framework for Improving Critical Infrastructure Cybersecurity (the Risk Framework). NIST issued a second draft of the updated Risk Framework, ver. 1.1, on December 5, 2017, and is seeking comments. NIST expects to issue a final Risk Framework in early 2018. Risk Framework ver. 1.1 includes more detailed discussion of supply chain risk management, which may be particularly helpful to those DoD contractors concerned with strengthening risk assessments and strategies for supply chain subcontractors that have access to CUI, or that hold or transit CUI on their systems. Generally, supply chain risk management is receiving more attention at DoD and other executive agencies; it is perceived as an area of increased cyber risk.