The end of the year approaches and that means Department of Defense (DoD) contractors must make changes to their own unclassified information systems to ensure compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.1
Why? Because Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, also known as “the -7012 clause,” requires that contractors provide “adequate security” to protect “covered defense information” – including unclassified information – that resides on, or passes through, the contractor’s information system or network. The clause requires that contractors, at a minimum, implement NIST SP 800-171 “as soon as practical” and not later than December 31, 2017.2 It also requires that DoD contractors report to DoD when a cyber incident affects the contractor’s information systems on which covered defense information resides or affects the contractor’s ability to provide operationally critical support requirements identified in the contract. Prime contractors must flow down the clause to subcontractors when contract performance involves covered defense information or operationally critical support (including subcontracts for commercial items).
This advisory provides an overview of the clause and identifies recently released guidance from DoD and NIST to assist with implementation of the NIST standards.
Why the -7012 Clause?
The goal of this clause is to require certain DoD contractors to make changes to their information systems to provide “adequate security” to protect “covered defense information.” Recognizing this clause will impose costs on its nonfederal partners, DoD’s commentary on this clause explains that “[t]he cost of not protecting covered defense information is an enormous detriment to DoD resulting in a potential loss or compromise of such information, adverse impacts to the DoD warfighting mission, and to the lives of service men and women.”3
To achieve this goal, the -7012 clause mandates implementation of appropriate NIST SP 800-171 protocols by December 31, 2017. DoD contracts containing the -7012 clause4 require certain minimum security requirements for two categories of contractor unclassified information systems: (1) those systems that are part of an information technology service or system operated on behalf of the government, and (2) any other systems that process, store, or transmit “covered defense information” during the performance of a DoD contract. In addition, where a solicitation includes DFARS 252.204-7008 Compliance with Safeguarding Covered Defense Information Controls, each offeror makes a representation that “[b]y submission of this offer, … it will implement the security requirements specified by [NIST SP] 800-171 … that are in effect at the time the solicitation is issued or as authorized by the contracting officer not later than December 31, 2017.”
So what is Covered Defense Information or “CDI”? The -7012 clause defines it as unclassified controlled technical information or other unclassified information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to laws, regulations, and applicable policies (e.g., export controlled data, critical infrastructure, proprietary data, etc.), and is:
- Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
- Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
What does NIST SP 800-171 Require?
NIST SP 800-171 was developed to further NIST’s statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014,5 including the development of information security standards and guidelines for federal information systems. NIST SP 800-171 explains that the expansion of certain security standards to contractor information systems reflects a federal policy seeking to protect CUI while residing in nonfederal information systems and organizations. DoD describes the NIST SP 800-171 standards as “performance-based requirements” without “unnecessary specificity” and “include only those security requirements necessary to provide adequate protections for the impact level” of controlled, but unclassified, information.6
NIST SP 800-171 explains that:
This publication provides federal agencies with recommended requirements for protecting the confidentiality of CUI: (i) when the CUI is resident in nonfederal information systems and organizations; (ii) when the information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; and (iii) where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry. The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.7
Guidance on Implementation of the NIST Standards
On September 21, 2017, the DoD issued Guidance for Selected Elements of DFARS Clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting” – Implementing the Security Requirements of NIST SP 800-171 (Guidance).8 The guidance notes that DoD is working with all stakeholders to ensure successful implementation of the -7012 clause.
This guidance was created for DoD acquisition personnel in anticipation of the December 31, 2017, deadline and outlines “the manner in which contractors are likely to approach implementing NIST SP 800-171.” It also addresses how a contractor may use a system security plan to document its implementation of the NIST SP 800-171 security requirements and provides examples of how DoD organizations might choose to leverage the contractor’s system security plan, and any associated plans of action, in the contract formation, administration, and source selection processes.
The guidance includes useful information for contractors regarding implementation of the NIST standard. For example, it states that:
There is no single or prescribed manner in which a contractor may choose to implement the requirements of NIST SP 800-171, or to assess their own compliance with those requirements. For companies new to the requirements, a reasonable first step may be for company personnel with knowledge of their information systems security practices to read through the publication, examining each requirement to determine if it may require a change to company policy or processes, a configuration change for existing company information technology (IT), or if it requires an additional software or hardware solution.
The guidance notes that most of the NIST SP 800-171 requirements address policy and process for configuring IT securely and the requirements assist in determining what should be the company policy, for example, when password changes should be required. Certain requirements, according to the guidance, will require security-related software or additional hardware.
An important statement in the guidance makes clear that “it is the contractor’s responsibility to determine whether it has implemented the NIST SP 800-171 (as well as any other security measures necessary to provide adequate security for covered defense information).” As a result, although a growth industry appears to be emerging around NIST SP 800-171 compliance, the guidance cautions that “[t]hird party assessments or certifications of compliance are not required, authorized, or recognized by DoD, nor will DoD certify that a contractor is compliant with the NIST SP 800-171 security requirements.”
Finally, there are other useful publications to assist in addressing the -7012 clause. A new NIST handbook (Handbook 162) was published on November 20, 2017. This handbook, entitled Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirement,” is intended for small companies providing products that enter the DoD supply chain.9 On November 27, 2017, the Defense Procurement Acquisition Office (DPAP) also issued a Procurement Toolkit note on documenting implementation of the security requirements with a system security plan.10 The Procurement Toolkit contains several additional aids.
What about the Supply Chain, including third-party Cloud Service Providers?
Contractor supply chains continue to receive a great deal of attention, as noted in earlier Steptoe advisories.11 In the area of cybersecurity, a key reason is that a supplier in the supply chain can be a potential weak link and introduce cyber threats into the system, as many Fortune 500 companies have discovered. As a result, the -7012 clause is required to be flowed down to all suppliers that will store, process or transmit CDI as part of its subcontract performance. Specifically, the -7012 clause mandates that the contractor shall:
- Include the clause in subcontracts, or similar contractual instruments, for operationally critical support, or for which subcontract performance will involve covered defense information, including subcontracts for commercial items, without alteration, except to identify the parties.
- Require subcontractors to notify the prime contractor (or next higher-tier subcontractor) when submitting a request to vary from a NIST SP 800-171 security requirement to the contracting officer, in accordance with the clause.
- Provide the prime contractor or next higher-tier subcontractor the incident report number assigned by DoD as soon as practicable after reporting a cyber incident to DoD as required by the clause.
In response to commentary on this clause, DoD clarified the “flow down” to cloud service providers (CSP), explaining that “when the contractor is not providing cloud computing services in the performance of the contract, but intends to use an external CSP to store, process, or transmit any covered defense information for the contract,” then DFARS 252.204-7012(b)(2)(ii)(D) specifies the flow down provisions.12 Specifically, under those circumstances, the entire clause is not flowed down to the CSP, but the CSP must meet security requirements equivalent to the “Moderate” level of security requirements established for the government’s use of CSPs under the Federal Risk and Authorization Management Program. The CSP must also commit to comply with other clause requirements, including cyber incident reporting and damage assessment, protection of malicious software/media, and access to additional information and equipment necessary for forensic analysis. See DFARS 252.204-7012(b)(2)(ii)(D).
Best practices indicate prime contractors and higher-tier subcontractors are not merely flowing down the -7012 clause but are providing additional guidance and information, for example on their supplier web portals. This includes links to other resources such as the DoD Guidance discussed above, and using other forms of communication to assist their supply chains in implementing the NIST requirements. In addition, some primes are even offering assistance through their IT departments.
Failure of a supplier to comply with NIST SP 800-171 could not only become an issue on an existing contract but could also result in a cybersecurity incident, which could lead to unfavorable past performance assessments for contractors.