Understanding DFARS Compliance

Contractors that hold contracts with the Department of Defense (DoD) must comply with every Defense Federal Acquisition Regulation Supplement (DFARS) clause incorporated in their contracts. DFARS supplements the Federal Acquisition Regulation (FAR) with DoD-specific rules governing how the department acquires goods and services. Failure to follow some DFARS clauses can lead to early termination of the contract, which makes DFARS compliance an existential issue for contractors; in the worst case, a contractor could lose all of its DoD work. One clause every contractor must know is the DFARS cybersecurity clause, 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting." It requires contractors to implement the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which addresses protecting the confidentiality of Controlled Unclassified Information (CUI) while it is processed, stored or transmitted on nonfederal systems.

DFARS Compliance

In the course of performing a government contract, contractors often come into possession of CUI. CUI is unclassified information that a law, regulation or government-wide policy requires or permits an agency to protect with safeguarding or dissemination controls. Although it is not classified, protecting it is still in the national interest: it may include, for example, private information whose disclosure would harm the person or organization it belongs to. Before the CUI program was established by Executive Order 13556 in 2010, much of this information carried ad hoc markings such as "Sensitive but Unclassified."

Although the worst case is loss of contracts, it is ultimately the Contracting Officer's responsibility to decide what action to take in response to noncompliance. For contracts involving CUI, representing that the NIST SP 800-171 requirements are implemented (or will be) is a prerequisite for submitting offers on DoD contracts. Small contractors acting as subcontractors to prime contractors should expect their primes to be vigilant about their compliance, because the clause flows down to subcontractors whose performance involves covered defense information.

For smaller contractors, the practical question is how to build a compliance strategy for these rules. Compliance generally comes down to two things: sound security controls and a working incident-reporting mechanism. The clause first requires contractors to provide adequate security on covered contractor information systems. It is equally focused on prompt reporting of cyber incidents: when an incident affects a covered system or the covered defense information on it, the contractor must report it to DoD (the clause sets a 72-hour window from discovery), submit any malicious software it isolates to the DoD Cyber Crime Center (DC3), preserve images of affected systems and relevant monitoring data for at least 90 days, and give DoD access to additional information or equipment for forensic analysis on request. The good news for contractors is that the clause states explicitly that a reported incident, by itself, is not evidence that the contractor failed to provide adequate security. Contractors should nonetheless expect heightened government scrutiny of their systems after an incident.

In that case, contractors should be prepared to show what they did to comply with the DFARS cyber clause. That may mean producing evidence that each requirement has been implemented as described in the contractor's System Security Plan (SSP) and, for any requirement not yet implemented, the plan of action that covers it. Contractors have to recognize that they are partners with the government in safeguarding this information.

The first question contractors ask is what counts as "adequate security" for DFARS purposes. The answer is the NIST SP 800-171 standard mentioned above, which contains 110 security requirements grouped into 14 families. At a minimum, contractors must describe how they have implemented, or plan to implement, each of those requirements. The requirements apply wherever CUI resides on a contractor's systems, whether that is on-premises servers, a private cloud that forms part of the internal enterprise network, smartphones and tablets, or any other system that processes, stores or transmits CUI.

Am I on the hook for NIST 800-171 Compliance?

What’s behind all this NIST 800-171 compliance we keep hearing about?

Good question. The government is trying to get its cyber house in order. Federal agencies have been implementing FISMA security controls for some time, but recently the government decided it's time contractors took some responsibility too, by complying with NIST SP 800-171. Contractors holding government data make excellent targets for attackers, because many contractors' information security programs are not as robust as the FISMA requirements their federal customers follow. Enter NIST SP 800-171.

NIST 800-171 Compliance

Why another NIST publication?

SP 800-171 was created specifically to address confidentiality concerns for federal data that resides on nonfederal systems. This data is referred to as Controlled Unclassified Information (CUI). The publication outlines what steps should be taken by nonfederal entities (read: contractors) to secure this data.

NIST SP 800-171 – Abstract

The protection of Controlled Unclassified Information (CUI) while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations. This publication provides federal agencies with recommended requirements for protecting the confidentiality of CUI: (i) when the CUI is resident in nonfederal information systems and organizations; (ii) when the information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; and (iii) where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry. The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.

So is NIST 800-171 the same as NIST 800-53?

Well, no. It's like SP 800-53's blue-collar cousin. Many of the requirements feel very similar to 800-53, but 800-171 is concerned only with confidentiality, so controls that exist solely to protect integrity or availability are left out, along with controls NIST judged to be uniquely federal or already routinely met by any organization. Gone are the familiar control family abbreviations (e.g. AC, CM); in their place you'll find Section 3.x (e.g. 3.1 "Access Control", 3.4 "Configuration Management"). The publication's mapping tables (Appendix D) map every 800-171 requirement to its 800-53 source control, primarily to show where the requirements came from. For example, requirement 3.4.3 (800-171, family 3.4 "Configuration Management", requirement #3: "Track, review, approve/disapprove, and audit changes to information systems.") maps directly to CM-3 (800-53, Configuration Change Control).

Is compliance mandatory?

It depends, but generally yes. Contractors that work with the Department of Defense (DoD) in particular are expected to adhere. On August 26, 2015, the Defense Acquisition Regulations System issued an interim rule amending the DFARS to expand the scope of clause 252.204-7012. The clause was renamed "Safeguarding Covered Defense Information and Cyber Incident Reporting" and gained language that in effect requires DoD contractors to implement SP 800-171.

DFARS 252.204-7012 (August 26, 2015 interim rule)

(b) Adequate security. The Contractor shall provide adequate security on all covered contractor information systems. To provide adequate security, the Contractor shall implement, at a minimum, the following information security protections:

(2)(ii)(A) The Contractor shall implement NIST SP 800-171.

DFARS 252.204-7012 (as amended December 30, 2015)

(b)(2)(ii)(A) The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017. For all contracts awarded prior to October 1, 2017, the Contractor shall notify the DoD Chief Information Officer (CIO), via email at osd.dibcsia@mail.mil, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award.

And just to make sure the word gets out, a companion solicitation provision, DFARS 252.204-7008, puts offerors on notice of 252.204-7012 before award. On December 30, 2015, after a chorus of contractors cried "not yet", a second interim rule was released delaying mandatory implementation to December 31, 2017. In the meantime, upon award of a new contract the contractor must notify the DoD CIO within 30 days of award of any 800-171 requirements not yet implemented. The government basically said "OK, you've got some time to get compliant, but we still want to know where your problems are in the meantime."

DFARS 252.204-7008

(c)  For covered contractor information systems that are not part of an information technology service or system operated on behalf of the Government-

(1)  By submission of this offer, the Offeror represents that it will implement the security requirements specified by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.

What if I know I won't be 100% compliant?

Implement a compensating control and/or explain yourself.

DFARS 252.204-7008

(c)(2)(i)  If the Offeror proposes to vary from any of the security requirements specified by NIST SP 800-171 that are in effect at the time the solicitation is issued or as authorized by the Contracting Officer, the Offeror shall submit to the Contracting Officer, for consideration by the DoD Chief Information Officer (CIO), a written explanation of:

(A)  Why a particular security requirement is not applicable; or

(B)  How an alternative but equally effective, security measure is used to compensate for the inability to satisfy a particular requirement and achieve equivalent protection.

We’re not in DoD. What about us?

You're not off the hook, but you've got less paperwork to do (unless you want to get into DoD work, in which case get compliant with 800-171). Since June 15, 2016, all federal contractors whose systems hold Federal contract information have been expected to adhere to FAR 52.204-21, "Basic Safeguarding of Covered Contractor Information Systems." This clause hits the highlights of 800-171 without referencing it and without enumerating a long list of specific controls; its fifteen requirements are high-level and deliberately non-prescriptive, leaving the contractor to decide how to meet them.

FAR 52.204-21

(b)(1) The Contractor shall apply the following basic safeguarding requirements and procedures to protect covered contractor information systems. Requirements and procedures for basic safeguarding of covered contractor information systems shall include, at a minimum, the following security controls:

(i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

(ii) Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

(iii) Verify and control/limit connections to and use of external information systems.

(iv) Control information posted or processed on publicly accessible information systems.

(v) Identify information system users, processes acting on behalf of users, or devices.

(vi) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

(vii) Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

(viii) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

(ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.

(x) Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

(xi) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

(xii) Identify, report, and correct information and information system flaws in a timely manner.

(xiii) Provide protection from malicious code at appropriate locations within organizational information systems.

(xiv) Update malicious code protection mechanisms when new releases are available.

(xv) Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

We’re subcontractors on civilian contracts. Do we count?

It depends. Does Federal contract information reside on or transit through your own systems, or do you work entirely on the prime's gear? If it's the former, you're invited to the party: the clause flows down to you.

FAR 52.204-21

(c) Subcontracts. The Contractor shall include the substance of this clause, including this paragraph (c), in subcontracts under this contract (including subcontracts for the acquisition of commercial items, other than commercially available off-the-shelf items), in which the subcontractor may have Federal contract information residing in or transiting through its information system.