The Department of Defense (DOD) takes the security of its data very seriously. For several years it has been working to safeguard that data by implementing cybersecurity best practices. In late 2013 it began putting rules into place that impose security requirements, consistent with its own, on defense contractors that process, store or transmit what is identified as Covered Defense Information (CDI).
A document prepared by the National Institute of Standards and Technology (NIST) addresses the security of Controlled Unclassified Information (CUI) in nonfederal information systems and organizations. CUI is data that is considered sensitive but not “classified.” Controlled Unclassified Information has direct military or space application and consists of items such as engineering data and drawings, technical reports, specifications, and source and executable code.
DOD contractors are expected to comply with the standards set forth in this document – NIST Special Publication 800-171 – by December 31, 2017. NIST 800-171 is the standard that the Defense Federal Acquisition Regulation Supplement (DFARS) clause requires contractors to meet, which is why the two names are so often used together.
Do DFARS and NIST compliance affect me or my business?
If you are a defense contractor or subcontractor (regardless of size) that stores, processes or transmits Covered Defense Information (CDI) for the federal government, you must comply, or report delays, by December 31, 2017. If you do not meet the NIST compliance standards, you risk losing any business you do with the U.S. government.
The Department of Education also strongly encourages organizations subject to the Gramm-Leach-Bliley Act to implement and maintain compliance.
What is necessary to achieve compliance?
There are 110 security requirements across 14 categories, all designed to protect the confidentiality of CUI. They include:
- Access Control
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authorization
- Incident Response
- Media Protection
- Physical Protection
- Personnel Security
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Though the list of requirements is comprehensive, the two that come up most often concern establishing “adequate security” and reporting cyber incidents.
Adequate Security – According to DFARS clause 252.204-7012, adequate security includes “protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.” In practice, the clause requires contractors to provide security that matches the standardized systems and controls the government already has in place. Simply put, “adequate security” means being in compliance with NIST 800-171.
Cyber Incident Reporting – DFARS clause 252.204-7012 characterizes a cyber incident as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.” If a cyber incident affects Covered Defense Information (CDI), the contractor must have an incident management plan and specific, tested processes for addressing the incident, and these must be in place before the December 31, 2017 deadline.
Other noteworthy requirements, which may take more effort to implement, include Audit and Accountability (3.3.5 and 3.3.6), Identification and Authorization (3.5.3), Incident Response (3.6.1), and Security Assessment (3.12.1 and 3.12.3).
See the 800-171 document for the complete list of requirements and the policy tests for each category.
The focus is on ensuring that sensitive data is protected.
The requirements set forth in NIST 800-171 are best practices. Your organization may already have implemented some of the measures. In short, the government is requiring any business in the U.S. government supply chain to bring its own security standards into alignment with the cybersecurity standards the government has been using internally for several years.
Because the DFARS clause has been in contracts since 2013, no further extension of the December 31, 2017 deadline is expected.
It should be noted that DFARS compliance is an ongoing mandate, not a one-time effort. Once in compliance, it is important that you stay in compliance.
If the NIST standards affect your business and you have not yet put the proper controls into place, it may be worth working with a managed IT provider to evaluate your systems.