Defense contractors and subcontractors that handle certain types of defense information must be in compliance with Department of Defense (DoD) cybersecurity requirements by the December 31, 2017 deadline. Affected contractors – particularly those that are still working towards compliance – should take note of recent guidance issued by the National Institute of Standards and Technology (NIST).
NIST's guidance, which was issued in draft form on November 28, 2017, aims to provide a framework that contractors can use to determine whether their systems satisfy the security requirements set forth in NIST Special Publication (SP) 800-171. The guidance will also assist contractors in identifying gaps that must be addressed in order to achieve compliance.
The guidance is designed to provide a flexible assessment process that contractors can adapt to suit their unique needs, contractual requirements and IT infrastructure. A copy of this guidance can be found here.
DoD cybersecurity requirements
In October 2016, DoD issued DFARS 252.204-7012 in its final version. This contract clause applies to DoD contractors and subcontractors that handle covered defense information (CDI). In general, CDI includes unclassified controlled technical information (UCTI), as well as those categories of information listed in the Controlled Unclassified Information (CUI) Registry that are marked as CDI or otherwise collected or used in support of the performance of the contract.
The clause requires contractors to properly safeguard information that falls within the definition of CDI. Moreover, it requires contractors to implement the specific security controls contained in NIST SP 800-171 on IT systems that process, store, or transmit CDI. The deadline to implement these controls is December 31, 2017.
Overview of the NIST assessment guidance
In light of the impending December 31 deadline, NIST issued guidance on November 28 to help contractors, subcontractors and other organizations develop assessment plans and conduct efficient, effective and cost-effective assessments of the security requirements in NIST SP 800-171. NIST explains that these assessment plans can be used by contractors in conducting self-assessments or by third parties and government agencies to conduct independent assessments of a contractor's information system.
The assessment process helps identify whether the security safeguards are implemented correctly, operate as intended, and satisfy the NIST security requirements. Further, the guidance assists with prioritizing risk mitigation decisions, confirming that identified weaknesses and deficiencies are addressed and supporting on-going monitoring activities.
NIST designed the assessment procedures to be flexible and easily tailored to the needs of the organization conducting the assessment. They are specifically designed to be used by the contractors' technical professionals who are responsible for the company's information systems, information security, and privacy. These individuals play an integral role in properly conducting these security assessments and implementing the necessary security controls.
The NIST assessment procedures: flexible and easily tailored
For each of the security controls delineated in NIST SP 800-171, the guidance provides an assessment objective (ie, a goal to be achieved through assessing the system's compliance with that control) and then outlines a three-step assessment process for each control.
The three-step process includes examination, interviewing, and testing. Examination involves reviewing, inspecting and analyzing the subject of the assessment (eg, a policy document, piece of hardware or data storage system) in order to gather information. Interviewing involves discussions with specific individuals or groups to further an assessor's understanding. Lastly, testing involves the process of exercising the object under specified conditions in order to determine whether it performs as expected. Using this process, assessors can determine whether a given security control is satisfied.
Because the guidance is designed to be flexible, it provides different methods of testing each control. Organizations are not expected to employ each method; rather, it is expected that organizations will choose the method that is most advantageous under each control, taking into account factors such as cost and the level of compliance confidence desired.
An important tool to ensure compliance
We expect that DoD contractors will find the recently issued draft NIST guidance to be a helpful tool for assessing compliance with NIST SP 800-171 by the upcoming deadline and for conducting subsequent self-assessments to ensure continued compliance. Moreover, even contractors that are confident they are in compliance with the security requirements should become familiar with the guidance because it likely will be used by government officials when auditing a contractor's IT system.