On October 18, 2018, the National Institute of Standards and Technology (NIST) hosted a day-long workshop that featured experts from across the government brought in to educate industry representatives and government agency personnel about the security requirements applicable to Controlled Unclassified Information (CUI). Hundreds of attendees, both in person and via webcast, turned out to learn more about the implementation and assessment of CUI security requirements.
Important new information about future regulations and publications was revealed at the conference, and agency positions about the operation of current rules were discussed. Several of the most significant highlights follow.
1. Government and Industry Are “One Team, One Mission.”
A theme of the conference, and the title of Dr. Ron Ross’s opening keynote, this phrase emphasizes the critical role industry plays in protecting sensitive government information and data. All speakers acknowledged that both government and industry are vulnerable to cyber threats. We have tools to address known vulnerabilities, but we need to move beyond this first stage to a point where we can prevent and detect “zero day” vulnerabilities that have not yet been exploited, and anticipate advanced persistent threats, which may be capable of taking down (or taking control of) entire systems. Conceptually, companies should not only be hardening targets with basic system security, but should also attempt to limit the damage to a target if it is compromised, through measures such as domain separation, network segmentation, and virtualization.
2. The FAR CUI Clause Will Debut in 2019.
The highly anticipated FAR CUI clause will give agencies a mechanism to extend the National Archives and Records Administration (NARA) CUI rules to contractors (they currently apply only to government agencies). The drafters of the FAR clause noted that they are taking pains to address what they know are significant contractor concerns about how to identify which CUI requires protection. As currently envisioned, the FAR clause will put the burden on the contracting agency, as part of the contracting process, to identify all CUI expected to arise in the course of performance. This would include not only CUI to be provided by the government, but also CUI to be generated by the contractor.
The FAR CUI clause is expected to differ from the current DFARS 252.204-7012 clause in a few key ways. First, although the -7012 clause refers to CUI as part of the definition of “covered defense information” (CDI), the DFARS clause does not implement the NARA CUI program in full. For example, it does not address marking requirements. The FAR clause will be more expansive. Second, the DFARS clause requires contractors to identify which of their contractor-generated information is CDI, while, as mentioned above, the FAR clause will put this burden on the government. DoD representatives at the conference noted that upon publication of the FAR clause the DFARS clause will be revised to address duplicative language and conflicts with the FAR clause, although some portions of the DFARS clause not addressed by the new FAR rule may remain, such as the DIBNet reporting process for cybersecurity incidents.
The FAR CUI clause will be consistent with the DFARS in that it will rely on NIST 800-171 as the framework for security requirements.
Before becoming final, a draft rule will go out to agencies and the public for comment. NIST and NARA representatives at the conference strongly encouraged contractors to provide constructive commentary on the draft rule.
3. A Forthcoming Revision to NIST SP 800-171 Will Add New, “Optional” Requirements.
Revision 2 to the NIST SP 800-171 is likely to be published in March 2019. The revision will describe more extensive requirements that might be implemented by contractors handling critical defense and infrastructure information – information which, if compromised, could lead to significant damage. Whereas the current 800-171 requirements are designed to establish “adequate security,” the new requirements would add a layer of protection specifically designed to address advanced persistent threats. Where appropriate, agencies could mandate compliance with the Rev. 2 “optional” requirements. Even where not mandated, contractors might choose to implement the new requirements as an added element of security.
4. “Soon” Someone Within the Government Will Be Given Responsibility for Assessing Contractor Cybersecurity Compliance.
In most instances, contractors are asked to self-certify compliance with the DFARS -7012 clause and 800-171. Increasingly, however, cybersecurity is becoming a factor in proposal evaluation, leading to program-level reviews of security controls. Some contracts contain provisions for post-award audits or self-reporting of cybersecurity compliance. In addition, the DoD Inspector General has undertaken targeted compliance audits, and the Defense Contract Management Agency (DCMA) has been given some cybersecurity compliance oversight responsibility. This diffuse and somewhat duplicative authority has been a source of confusion and frustration for contractors. Once the FAR CUI clause is in effect, there will be even more possible assessors of compliance within government.
DoD and NIST personnel recognized this problem, and indicated that efforts are being made to address the situation. They indicated that there will “soon” be a single “government-wide” assessor of compliance.
Multiple contractors also asked why the DFARS and NIST 800-171 do not have a requirement for third-party assessment, as is the case with FedRAMP. The government panelists universally indicated that they did not think such a requirement was feasible or appropriate for use in determining NIST 800-171 compliance. First, the government did not want to create a “cottage industry” of assessors. So many would be needed that there could not be a rigorous certification process, as there is for third-party assessment organizations under FedRAMP. Results of third-party assessment would therefore be unreliable and inconsistent. In addition, in the event of a problem, it would not be clear whether the assessor or the contractor would be to blame.
The speakers noted that the new FAR CUI clause will not have a third-party assessment component. The idea is being considered within government, however, for very high-risk situations.
5. Many Contractors Have the Same Questions About CUI and the DFARS Cybersecurity Rule.
In addition to confusion about what qualifies as CUI, several common questions and areas of frequent misunderstanding were identified at the conference.
A. How Do Security Controls Apply to the Cloud?
Several contractors asked questions about when NIST 800-171 security controls must be met in a cloud environment where the DFARS -7012 clause applies. The basic rules can be summarized as follows:
- If the contractor is operating its own cloud, it must follow NIST 800-171.
- If the contractor is using a third-party cloud service provider (CSP), the CSP, per DFARS 252.204-7012(b)(ii)(D), must be able to meet the FedRAMP Moderate baseline. (DoD representatives made the point that the CSP does not have to be FedRAMP certified; it only has to be able to demonstrate that it meets the FedRAMP Moderate requirements.) The CSP does not have to comply with the rest of the DFARS clause, but it must allow the contractor to meet its cyber incident reporting obligations in 252.204-7012(c)-(h). The agreement between the contractor and the CSP should capture this requirement.
- If the contractor is operating a cloud-based system on behalf of the government, then DFARS 252.239-7010 applies instead of the -7012 clause. The contractor must meet the DoD System Requirement Guidelines and all other requirements for government systems.
B. What Happens After a Company Reports a Cybersecurity Incident Via DIBNet?
After a report is made to DIBNet, the DoD Cyber Crime Center (DC3) decides whether the information is critical enough that DoD needs more information, which it can request and collect pursuant to 252.204-7012(d)-(g). In its initial assessment DC3 looks at the information compromised and how it could impact weapons systems or defeat defensive military capabilities. DC3 also analyzes the report to identify cyber threat vectors and adversary trends.
It is important to note that per DFARS 204.7302(d), the mere fact that a cyber incident has occurred and been reported is not, in and of itself, evidence of inadequate security.
C. What About Supply Chain Risk?
Another point that was not lost on either the speakers or the audience was that hardware, firmware, and circuits may contain embedded vulnerabilities that the DFARS -7012 clause and NIST 800-171 do not address. These are supply chain issues that are being considered in conjunction with the forthcoming Risk Management Framework 2.0.
D. What Help Is Available for Contractors Working on 800-171 Compliance?
Government speakers emphasized the many readily available, and free, resources to help contractors assess and come into compliance with NIST 800-171. NIST SP 800-171A, “Assessing Security Requirements for Controlled Unclassified Information,” for example, contains specific guidelines for assessment. The Department of Homeland Security also has assembled a Cybersecurity Evaluation Tool (CSET), which has a module for NIST 800-171. In addition, Procurement Technical Assistance Programs have been set up to help small businesses in particular.
The speakers urged contractors to be wary and do their homework when hiring consultants. They observed that some consultants identify problems and then try to sell their own products as solutions when other, less costly solutions might have been available. The general view was that contractor IT personnel know their systems better than anyone else, and are therefore typically in the best position to assess compliance, so long as they are honest with themselves in identifying areas that could be improved.