Last month many of you listened to the webinar Jon Williams and I did regarding the December 31, 2017, deadline to comply with the Department of Defense (DoD) Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 and how to implement the security controls set forth in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. Now that the deadline has passed and we’ve entered into a new era of being compliant with the rules, we thought it would be a good time to follow up on several issues discussed during the webinar and to respond to the most commonly asked questions.
DoD Template for System Security Plan
We are still waiting for the DoD to issue a template for a system security plan. During the webinar, we mentioned that, on December 7, 2017, Ellen Lord, Under Secretary of Defense for Acquisition, Technology, and Logistics, told the U.S. Senate Committee on Armed Services that DoD only expects companies to have a “simple plan” in place by December 31, 2017, and she promised that a template would be forthcoming. While Ms. Lord indicated that the agency is expecting only a basic security plan and is seemingly adopting a more relaxed view of the requirements, DoD did not officially loosen the requirements or delay the deadline. And, instead of posting a “simple plan” that would presumably meet the 110 security requirements of NIST SP 800-171, the DoD Procurement Toolbox recently provided the 12-year-old “sample” system security plan template found in Appendix A to NIST SP 800-18 Rev. 1, “Guide for Developing Security Plans for Federal Information Systems”.
Accordingly, our advice to small businesses is the same as we outlined during the webinar:
- STEP I – see whether you need to comply with DFARS 252.204-7012 by reviewing your contract to confirm that it contains this DFARS clause, and if it does, determine whether the work to be performed requires you to handle controlled unclassified information (CUI) on a nonfederal system. As required by the regulations, CUI must be so identified and marked by the contracting officer. If in doubt whether you’re handling CUI, ask your contracting officer for confirmation.
- STEP II – if yes to STEP I, then prepare and adopt a system security plan (at a minimum, a basic plan) and implement those security controls required by your plan. If necessary, prepare a written variance request, which is permitted by the regulations if certain security requirements are being met with an alternative security control that is equally effective, and submit it to your contracting officer(s).
Registration on DIBNET
You may recall that during the webinar we pointed out that the regulation requires “rapid reporting” (within 72 hours) to DoD at http://dibnet.dod.mil if a cybersecurity incident occurs. Several webinar participants pointed out that it can take two to three days to process a DIBNET registration. Do not wait to register. Do it now, when you are not in the middle of a chaotic cybersecurity incident. Amid the panic of dealing with a security breach, you will not want to have to deal with the frustration of getting registered in DIBNET or of failing to meet the 72-hour requirement because of the delay. Several participants offered this practical and beneficial advice based on their own experiences with trying to register.
Subcontractor Flowdown Provisions
The rules require that DFARS 252.204-7012 be flowed down to all subcontractors performing “operationally critical support” or when subcontract performance will involve covered defense information. Each prime contractor subject to DFARS 252.204-7012 must evaluate whether the work to be performed by its subcontractors retains its identity as CUI. And the policy seems to be that primes should not automatically flow down DFARS 252.204-7012 as, according to the DoD’s Industry Day presentation last summer, “prime contractors should minimize the flow down of information requiring protection.” When in doubt, consult with the contracting officer, and as we always advise, get it in writing.
What if DFARS 252.204-7012 is in your contract but the government has not marked the CUI?
The regulations require that CUI be identified and marked in accordance with DoD procedures for protection of CUI. That said, if you believe that you hold CUI that an agency has failed to mark or that has been improperly marked, talk to the contracting officer and have the government commit to writing the resolution of any such discussions.
What if you’re not in compliance?
There is no fine, fee, or penalty that will be assessed for non-compliance with DFARS 252.204-7012. There is no certification that the government will give or that is required to be obtained from an outside third-party vendor to certify compliance. As with other provisions in a federal contract, however, if the contract contains an applicable regulation, the contractor has agreed that it is in compliance with all contract terms by signing the contract. If not compliant and without having submitted variance requests or plans of action to fix noncompliance, then a contractor could be in breach of contract, and there could be monetary damages and other adverse consequences flowing from the breach. Further, if the solicitation identified compliance with NIST SP 800-171 as an evaluation factor, then noncompliance, if discovered, could be grounds for protest.
In addition to the publications and other resources described during the webinar, other participants shared the following:
- Federal Communications Commission’s Cybersecurity for Small Businesses website, which provides samples and guidance at: https://www.fcc.gov/general/cybersecurity-small-business
- Cybersecurity Evaluation Tool (known as CSET), developed by the Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team and available at: https://ics-cert.us-cert.gov/Downloading-and-Installing-CSET
We will continue to monitor this area, and we will update you via blog post when the template is issued or with any new developments.