The basic federal requirements for safeguarding Controlled Unclassified Information (CUI) in nonfederal systems have relied for some time now on the 110 controls within NIST SP 800-171 rev.2 (February 2020). The National Institute of Standards and Technology (NIST), in response to advance persistent cybersecurity threats, has now released an important supplement to SP 800-171 designated as NIST SP 800-172.

This 84-page supplement is intended to enhance the previously existing SP 800-171 confidentiality controls as well as to provide additional integrity and availability protections for CUI. It applies to all nonfederal systems that agencies determine are processing, storing, or transmitting CUI associated with a critical program or high-value asset, as well as system components that provide protection to such systems.[†]

The new security requirements may be selectively applied by federal agencies implementing the new SP 800-172 standards. We expect the new requirements to start to show up in federal RFPs and contracts.

Similar to SP 800-171, the purpose, target audience, and fundamentals of the development approach for the new SP 800-172 controls are contained in chapters one and two of the publication. The specific enhanced requirements also build on SP 800-171 by relating to the same 14 categories of controls that are contained in chapter 3 of the earlier publication.

Also similar is Appendix C to SP 800-172, which maps the enhanced controls to the security controls contained in NIST SP 800-53 rev. 5 (dated September 2020) following the approach found in Appendix D of SP 800-171. SP 800-53 of course sets out mandatory minimum controls for federal information systems.

The enhancements of SP 800-172 promote the protection of CUI through additional controls for penetration-resistant architecture, damage-limiting operations, and designs in order to achieve greater cyber resiliency and survivability. Of the original 14 families of security requirements found in SP 800-171, enhancements have been made to the following 10 categories:

3.1 Access Control
3.2 Awareness and Training
3.4 Configuration Management
3.5 Identification and Authentication
3.6 Incident Response
3.9 Personnel Security
3.11 Risk Assessment
3.12 Security Assessments
3.13 System and Communications Protection
3.14 System and Information Integrity

Care should be taken to both completely understand the changes in SP 800-172 and how they affect your organization. This may be achievable through your internal resources or can be accomplished with the assistance of subject matter experts such as RegDOX Solutions.

It is acknowledged in SP 800-172 that “[c]ertain enhanced security requirements may be too difficult or cost-prohibitive for organizations to meet internally…. [and that] the use of external service providers can be leveraged to satisfy the requirements.”[‡] Included among those are those relating to threat intelligence, threat and adversary hunting, system monitoring and security management, IT infrastructure, platform and software services, threat, vulnerability, and risk assessments, response and recovery, and cyber resiliency.

RegDOX, with its ITAR and DFARS-compliant secure data storage and collaboration platform for CUI, can both jump-start and also ensure continuing compliance by organizations in satisfying these requirements. Contact us through our website at www.RegDOX.com or call 1-800-517-3171 and we will be glad to explain how.

About RegDOX Solutions Inc.

RegDOX Solution’s first-to-market ITAR and NIST 800-171 (DFARS) compliant online storage and collaboration product has redefined how export-controlled and CUI documents and electronic files can be handled within regulatory requirements. This was recognized by the formal opinion of compliance provided by the US State Department’s Directorate of Defense Trade Control (DDTC). RegDOX’s unique capabilities were confirmed on August 20, 2019 when the US Patent and Trademark Office issued a patent covering RegDOX’s system to store and manage export-controlled documents in the cloud. (Patent No. 10,389,716). The RegDOX® ITAR/EAR solution provides ground-breaking and unsurpassed technology enabling the efficiency and flexibility of a cloud solution to allow multiple users located at numerous locations to collaborate using controlled data while remaining fully in compliance with the strict regulatory and licensing requirements of the ITAR and DFARS.

www.RegDOX.com

[†] Covering system components including mainframes, workstations, servers, input and output devices, cyber-physical components, network components, mobile devices, operating systems, virtual machines, and applications.

[‡] Quoting SP 800-172, page 10.

The Office of the Under Secretary of Defense for Acquisition and Sustainment has released a formal instruction on cybersecurity for acquisition authorities and program managers that was effective on December 31, 2020. This document is referred to as DoD Instruction 5000.90 and can be found here. DoDI 5000.90 supersedes portions of the July 2020 issued DoD Instruction 500.83.

Much of DoDI 5000.90 deals with policies, responsibilities, and procedures within the DoD for the management of cybersecurity risk acquisitions. Companies within the Defense Industrial Base (DIB) should familiarize themselves with all the instructions. However, the concluding section 3.4 titled, “Cybersecurity in the Supply Chain”, is of particular relevance to direct (prime) and indirect (subcontractors) DoD suppliers.

Section 3.4 needs to be reviewed in depth to get an understanding of the DoD’s expectations for suppliers, but in summary, it sets out several important requirements. The first is minimal Supply Chain Risk Management (SCRM) reviews including cyber-related SCRM reviews of vendors to address such issues as,

DoD Program Managers (PMs) are also required under section 3.4 of DODI 5000.90 to seek alternatives to foreign sourcing of program components (hardware, software, or firmware) from commercial companies owned or under the influence of adversarial foreign governments. These instructions to DoD PMs should be understood by the DIB as defining acceptable, unacceptable, and risky suppliers of hardware and software involved in DoD contracting throughout the supply chain.

At RegDOX, we welcome the opportunity to discuss not only these requirements, but any changes, past, present, or future. Our job is to help you harden your cybersecurity infrastructure to ensure that these increasingly strict requirements do not threaten your DoD-related business.

About RegDOX Solutions Inc.

RegDOX Solution’s first-to-market ITAR and NIST 800-171 (DFARS) compliant online storage and collaboration product has redefined how export-controlled and CUI documents and electronic files can be handled within regulatory requirements. This was recognized by the formal opinion of compliance provided by the US State Department’s Directorate of Defense Trade Control (DDTC). RegDOX’s unique capabilities were confirmed on August 20, 2019 when the US Patent and Trademark Office issued a patent covering RegDOX’s system to store and manage export-controlled documents in the cloud. (Patent No. 10,389,716). The RegDOX® ITAR/EAR solution provides ground-breaking and unsurpassed technology enabling the efficiency and flexibility of a cloud solution to allow multiple users located at numerous locations to collaborate using controlled data while remaining fully in compliance with the strict regulatory and licensing requirements of the ITAR and DFARS.

www.RegDOX.com

RegDOX provides a specialized, secure file sharing application that is hosted on Amazon’s AWS GovCloud and meets or exceeds all DoD requirements, including NIST SP 800-171a, CC SRG Impact Level 4^[1], and the FedRAMP Moderate Baseline. RegDOX will assist in every way we can with any cyber incident reporting, including immediately responding to and tracking events, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment. All of this will be reported to affected customers.

DFARS clause 252.204-7009 specifically provides certain use and confidentiality restrictions on information obtained from a third-party’s report of a cyber incident under DFARS clause 252.204-7012.^[2] DFARS clause 252.239.7010 also requires that RegDOX’s cloud service satisfies the requirements of that clause and NIST SP 800-171, which it certainly does.

The substance of the DFARS reporting requirement is contained in DFARS clause 252.204-7012. RegDOX’s System Security Policy is a comprehensive document detailing all contingency planning.

This is the portion specifically dealing with Cyber Incident Reporting:

As a reflection, due to the robust security protections incorporated into the RegDOX system (among other protections), there have been no cyber incidents in the history of the company. This statement however stands as the standard by which RegDOX will support its clients and meet the DFARS requirements for any such incident.

About RegDOX Solutions Inc.

RegDOX Solution’s first-to-market ITAR and NIST 800-171 (DFARS) compliant online storage and collaboration product has redefined how export-controlled and CUI documents and electronic files can be handled within regulatory requirements. This was recognized by the formal opinion of compliance provided by the US State Department’s Directorate of Defense Trade Control (DDTC). RegDOX’s unique capabilities were confirmed on August 20, 2019 when the US Patent and Trademark Office issued a patent covering RegDOX’s system to store and manage export-controlled documents in the cloud. (Patent No. 10,389,716). The RegDOX® ITAR/EAR solution provides ground-breaking and unsurpassed technology enabling the efficiency and flexibility of a cloud solution to allow multiple users located at numerous locations to collaborate using controlled data while remaining fully in compliance with the strict regulatory and licensing requirements of the ITAR and DFARS.

www.RegDOX.com

________________________________________
^[1] Vol. 1, Release 3, Department of Defense Cloud Computing Security Requirements Guide (March 6, 2017).
^[2] DFARS clause 252.204-7009(b) Restrictions.

Before evaluating a build versus buy discussion for any commercially available software or cloud application, the discussion should begin with the question “what exactly is the need?” In other words, “what is the use case for the solution?”

When the use case is compliance with a set of complicated and demanding regulations and cybersecurity standards, such as the Defense Federal Acquisition Regulation Supplement (DFARS), the International Traffic in Arms Regulations (ITAR), and NIST SP 800-171 governing the possession and handling of federal Controlled Unclassified Information (CUI), answering the build vs buy question can be particularly demanding.

A useful analysis considers not just the necessary internal assets, required personnel, needed features, and goals of project stakeholders, but also requires a complete understanding of those regulations and where they are headed.

By necessity, this understanding of the legal requirements will go beyond whether an internal development will be timely, cost-effective, and achieve the needs of stakeholders, but also whether the immediate and future results of the development will fulfill the expressed and intended scope of the regulatory or compliance concerns related to the information. Without that being achieved, the best run development project will efficiently produce a solution that is worthless.

This paper will start with an analysis of whether to build or acquire an ITAR or CUI compliant storage and collaboration solution by first laying out the evaluation framework using the traditional factors of Cost, Control and Maintenance. Then, it discusses how an organization considering an internal ITAR or CUI development model will need to achieve the requisite regulatory knowledge and experience for that development, and then remain current on those regulations throughout the use of the internally developed solution.

Cost of Internal Development vs. Acquisition

No business wants to spend more money than necessary to have a working IT solution. Unfortunately, some real costs are often not considered in the decision-making process. Purchasing software can have an upfront cost (or subscription fee) that may seem expensive by contrast with the use of existing resources, but the expense is known, and the product compliant and ready to use very quickly.

But are all the costs of redeploying existing programming resources and launching an internal solution known and calculated correctly? Let’s look at some often overlooked or less than completely analyzed areas when determining real costs:

Immediate Development Staff Costs: Good software requires more than just programming talent. At a minimum, those line programmers must be joined in their efforts by project planners, software architects, senior management code programmers/developers, database architects and administrators, quality assurance personnel, application testers, and the administrative support and associated managers of all those teams. Even during the initial development, changes, enhancements, and new functionality are common in any development process. The less thorough the scoping of the project, the more those unknowns will surface.

Likewise, not usually planned, but always existing are the hours and hours of often unplanned or inaccurately planned debugging, scope creep, redeployment or loss of personnel resources, and budgetary pressures. It is little wonder that Gallup has reported that one out of every six IT projects have a cost overrun of 200% and a time overrun of almost 70%.¹ Some, of course, miss more widely on unplanned costs and delays than that found by Gallup.

Do you have a user experience team on staff? What about application designers? Does anyone in your organization know the possibilities and needs of a virtual data room solution addressing ITAR and CUI compliance? How strong and knowledgeable is your security team? The answers to all those questions have to be emphatically in the affirmative or the effort will be at best, at risk and at worst, a preordained failure.

Designing and building this kind of software requires more than just reassigning existing programmers or hiring an offshore team to build a scoped project. What if the technology you thought would be suitable turns out not to be sufficient? What if you need to find highly skilled or specialized employees or contractors? What happens when the technology changes? Better solutions or more efficient solutions are constantly being developed.

Long Term Support, Maintenance, and Upgrades Staff Costs: And the unknowns can multiple. If the developers that build your application leave the company, will new people be able to understand the code, address bugs, and make improvements in a timely fashion? Will those developers be available later to provide the user support, maintain the solution in an ever-changing IT infrastructure, and provide upgrades to address additional user and regulatory demands? Can it even be known how much additional work this will cause, thus challenge budgetary assumptions?

Technology Costs: There are numbers of instances where a project began using an expensive technology platform, only to discover there was a better, less expensive open-source alternative. Conversely, an organization will choose an open-source technology without fulling understanding the costs and challenges in staffing the project (as well as the limits and requirements of related technology licenses). In either instance, these technology platform issues can cause both substantial additional costs, delays, or both.

Time Costs: If a company wait to build an application, how much potential revenue will be lost while until the development is completed? What are the costs of continued regulatory non-compliance from forgoing an existing solution in favor of one internally developed, but not available during the interim? The revenue loss of being unable to address ITAR and CUI related opportunities or, perhaps even worse, suffering non-compliance penalties and fines that would not have occurred with the use of an off-the-shelf solution could far exceed the payment for a license or service subscription. When calculating return on investment (ROI), all factors need to be considered, including those associated with such a risk.

Controls for an Internally Developed Solution

One of the most popular reasons for building an inhouse solution is the company having control over the application. However, this means that the company is always going to be responsible for hosting and maintaining the application, as well as relying on the development team to make any changes or improvements to the solution. With an available commercial solution, there often is the advantage of getting exactly what is wanted or needed now, and achieving that at a fixed cost for hosting and supporting the solution.

Additionally, an internally developed solution is frequently subject to renewed or extended development as internal constituencies with access to programming resources are looking for more.
“Scope creep” is where a planned project starts to stray from its original intended purpose, and other parties want you to add a function or build something on top of the application. Scope creep can be devastating if not managed properly – and it rarely is when building inhouse. A big part of scope creep comes when a company realizes the newly developed system needs to work with other systems being used. It’s never as easy as it sounds.

As an example, Customer Resource Management (CRM) solutions aggregate customer data -which seems straightforward. It builds some forms, saves customer name, address, phone number, email, website, and some other bells and whistles. Easy enough – now we’re done!

But wait! What about sending emails out of the CRM from a sales team’s email addresses? What about modifying the design and content of those emails? What if the sales team wants to automate those tasks based on user requests? What if they want to integrate calendars? Management wants to watch our sales numbers, so integrating the CRM with accounting or ERP software becomes a requirement for the project.

That simple CRM now has tremendous scope creep. Not because it was not scoped appropriately, but because people wanted to use the system for more or improve the current processes or systems. This scope creep folds right into the development goals of a third-party provider of the system as it seeks to make a product as useful to the market as possible, sometimes by only adding niche requirements that nonetheless can attract user interest. Scope creep for a company-specific solution however cannot be leveraged across a market but involves costs that have to be absorbed by one company.

Once the internal application is built, the integration is needed so that it can talk to our other systems. Building a solution allows you to integrate with the current technology ecosystem, but that can change as well. How many databases and code bases do an IT department want to support?

Maintenance of an Internally Developed and Supported Solution

Experience shows that the third traditional factor of maintaining an internally developed solution can quickly expose a company to what is more a curse than a blessing. While additional third-party cost for a service contracts is perhaps avoided, although not in all instances as hardware and software must be obtained to support an internally developed solution, the involvement of a company’s people is still going to be a cost measured as time spent that could have addressed other projects or IT needs, as well as in money. Maintenance and support and security are a 24/7/365 requirement. Pulling resources away from current projects can have far-reaching effects on other aspects of the organization.

Other parts of maintenance include updating the system, creating enhancements, improving the system and securing the system. These require a company’s team to constantly spend time staying up to date on the latest and greatest technology to keep an internal solution current and operable – in addition to their regular responsibilities. More than likely, your company does not have the experience in building this level of complex applications. This is when you turn to a company that knows the industry, the regulations, and the nuances.

Lack of Regulatory Expertise

Having expertise in all aspects of a software is nearly impossible, but it’s just one aspect of a company’s risk when undertaking development of an internal solution. Legal ramifications, compliance requirements, and privacy concerns are not usually skills developers possess. Failure to address these factors can make your project unusable. Is the software Sarbanes-Oxley compliant? If not, no public company will buy it. Will it satisfy the requirements of the ITAR, NIST special publication 800-171, and the Defense Department’s Cloud Computing Security Requirements Guide, or the evolving standards underlying the DoD’s Cybersecurity Maturity Model Certification (CMMC) framework? If the answer to all of that is less than an emphatic Yes!, the effort is not just worthless, but dangerous to the company.

Training also must play a part in your decision. If an application is very complex, a company will need to spend a lot of time training people and integrating the process and procedures into its current system. This may require hiring more staff that is more experienced with the new technology.

Costs, Risks, and Loss of Functions Avoided by Not Seeking to Replicating the Focus of RegDOX’s ITAR and CUI Solution

RegDOX’s focus is on using its leverage across multiple customers to ensure both ongoing ITAR and CUI compliance and providing its solution without the risk of non-compliance and at price and level of functionality that cannot be replicated by any one company for its internal use. The success of this effort is demonstrated by its approval by the Directorate of Defense Controls, the agency that has issued and enforces the ITAR, and its numerous and growing number of patents covering its application. This success is the product of many working years of development and a deep expertise in the ITAR and requirements for CUI.

The bottom line for any company considering programming its way to ITAR or CUI compliance is that seeking to replicate what RegDOX’s does best is not only going to be more expensive when considering all upfront, ongoing and hidden costs, but the effort will bring greater risk of non-compliance and many fewer features and functions.

¹ September 11, 2011, Why Your IT Project May be Riskier than You Think, Harvard Business Review 89(9):23-25.

About RegDOX Solutions Inc.

RegDOX Solution’s first-to-market ITAR and NIST 800-171 (DFARS) compliant online storage and collaboration product has redefined how export-controlled and CUI documents and electronic files can be handled within regulatory requirements. This was recognized by the formal opinion of compliance provided by the US State Department’s Directorate of Defense Trade Control (DDTC). RegDOX’s unique capabilities were confirmed on August 20, 2019 when the US Patent and Trademark Office issued a patent covering RegDOX’s system to store and manage export-controlled documents in the cloud. (Patent No. 10,389,716). The RegDOX® ITAR/EAR solution provides ground-breaking and unsurpassed technology enabling the efficiency and flexibility of a cloud solution to allow multiple users located at numerous locations to collaborate using controlled data while remaining fully in compliance with the strict regulatory and licensing requirements of the ITAR and DFARS.

www.RegDOX.com

On September 29, 2020, the Department of Defense’s Defense Federal Acquisition Regulations Supplement (DFARS) agency issued an interim rule on Cybersecurity Maturity Model Certification (CMMC)implementation, per DFARS 252.204-7012, The rule is designed to clarify confusion about the integration of the CMMC framework, which has been a topic of concern to many people and businesses that serve the Defense Industrial Base (DiB).

The interim rule will go into effect on November 30^th, 2020 and is open for comments until that date for purposes of formulating a final rule. Those comments will be posted at http://www.regulations.gov.

With the ever-changing landscape surrounding CMMC and this new interim rule, let’s take a look at what exactly CMMC is, what has changed with the interim rule, what companies need to be aware of, and finally, what RegDOX has been doing to prepare for the implementation of CMMC.

WHAT IS THE CMMC?

The CMMC was part of an initiative created in 2018 to assure the DoD that nonfederal DiB supply chain contractors and subcontractors have implemented ‘proper’ cybersecurity measures (processes and practices) to protect information at a level proportionate to the risk of exposure of that data.  The CMMC introduced five (5) security levels with increasing controls and requirements on the handling and protection of information as the level increases.

There are several reasons why this initiative was launched: Increased sophistication and number of attacks, publicized, well-known ‘incidents’, and internal auditing results.  Nearly everyone agrees that our nation’s adversaries have become more aggressive and daring and that we were not adequately protecting Controlled Unclassified Information (CUI) and other sensitive or confidential information. The then-existing system can best be explained as, “Do it yourself. Make sure you do it all and do it right, but it’s up to you.” As expected, this arrangement was haphazard and, unfortunately, not working at all for some.

The CMMC’s alternate approach was designed to have independent assessments of contractors’ IT systems, specifically cyber security, conducted by certified, trained, third-party providers. Their independent status and certification approvals were intended to ensure that compliance standards were being met.

The specific controls that the CMMC planned to implement and verify through this independent auditing mechanism were taken directly from the National Institute of Standards and Technology (NIST) SP 800-171, “Protecting Controlled Unclassified Information (CUI) In Nonfederal Systems and Organizations.”

Currently, anyone doing business with the DoD has to attest to being compliant with these controls, so the assumption was made that this foundational adherence to the NIST 800-171, together with those dictated by the presence of CUI, would not be an excessive burden to bring someone to CMMC compliance.  Most companies need to be certified at Level 1, however those with CUI would need to achieve Level 3, at a minimum.

WHAT IS CHANGING UNDER THE INTERIM RULE?

The most significant change introduced by the September 29, 2020 Interim Rule is to extend the date for third party CMMC audits and certifications.  Instead of a 2020 compliance and audit deadline, companies must meet the CMMC cyber controls, audits, and certification requirements to satisfy the CMMC level applicable by December 1, 2025. Before any future DOD contracts will be awarded, the company must submit a self-assessment to verify compliance in the cyber assessment capability module within the Supplier Performance Risk System (SPRS).

There is a specific scoring method to be followed for the Assessment.  A contractor that has fully implemented all 110 of the NIST SP 800-171 controls will have a score of “110.” Contractors must conduct a self-assessment of its compliance with the NIST Requirements, and submit that self-assessment to SPRS by October 30^th, 2020. This will give DoD at least 30 days to post the self-assessment scores to SPRS ahead of the November 30^th, 2020 deadline. It’s important to note that an inaccurate report could subject a company to penalties under the False Claims Act.

The interim rule definitively stated that contractors will need to be re-certified every three years – at the highest level of CMMC applicable to their contracts. Also, that the CMMC level identified for specific contractors may be different than those required of sub-contractors to that contractor.

Another significant change under the interim rule is that the use of a Plan Of Action and Milestones (POA&M), will continue to be accepted.  An organization may not be in compliance with a NIST (SP) 800-171 control, but if it has a POA&M that recognizes the deficiency for the control and documents a solution and timeframe to remediate the issue, then compliance is considered to be achieved.

The last critical change is that the previously recommended Level 1 through 5 ranking have been replaced with “Basic”, “Medium” and “High” level assessments used in the DoD Assessment Methodology.

WHAT IMPACT DOES THE INTERIM RULE HAVE FOR YOUR COMPANY?

The top five industries impacted by this interim rule are: Research and Development in the Physical, Engineering, and Life Sciences (except Biotechnology), Engineering Services, Commercial and Institutional Construction and Computer Related Services and Facilities Support Services. While those are the main target, any industry with a DoD contract will need to abide by CMMC, as well as any other requirements.

Contractors will still need to have a certified, external third-party assessor come in and conduct a formal review of its information systems and procedures for CMMC compliance before December 1, 2025. Without this certification, companies will be ineligible to participate in any DoD contract after that date.  For now, each organization is required to self-assess according to the DoD Assessment Methodology and submit the results of the assessment – their ‘score’ – to the Supplier Performance Risk System (SPRS) here.  There has been no definitive value that needs to be met or exceeded.

For those contractors that have been internally managing their systems’ security, as well as cybersecurity protocols, they need to be fully aware and understand the changes and reach of the new interim rule.  A copy of the September 29, 2020 Interim Rule can be found here (85 Fed. Reg. 61,505).
Because of the new requirement to submit an assessment score using the DoD Assessment Methodology, those companies intending to conduct the assessment internally need to be aware of what the methodology says and what it means.  A review of the NIST SP 800-171 DoD Assessment Methodology is available here (Strategically Assessing Contractor Implementation of NIST SP 800-171”).

WHAT IS REGDOX DOING TO PREPARE FOR CMMC?

RegDOX has an established practice of assisting, and at times directing, companies in achieving the self-assessment requirements that have been required by ITAR, DFARS, and now on an interim basis the CMMC. It will continue this offer this service.

Further, RegDOX has applied for training to become a Certified Third-Party Assessor (C3PA). And, depending on evolving requirements, RegDOX is also evaluating becoming a Certified 3rd Party Assessment Organization (C3PAO).

We will continue to participate in webinars, meetings (online and offline), phone calls, and networking events to keep up to date on any changes. By staying on top of current developments, RegDOX customers can be assured that our online compliance and collaboration solution and assessment services will continue to address and anticipate the current state of CMMC compliance.

About RegDOX Solutions Inc.
Operating since 2007, RegDOX is a market-leading provider of highly intuitive SaaS solutions enabling customers to securely manage and collaborate on confidential documents and information, whether inside or outside of their IT environments. RegDOX® products and services include storage and data management.