Many people are unaware that a significant number of U.S. companies are subject to regulations that share some similarities with the European General Data Protection Regulation (which has companies that handle European data scrambling to get into compliance). Specifically, government contractors have obligations pursuant to Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7000 et seq.
The DFARS regulations were adopted in October 2016 when the U.S. Department of Defense issued a final rule. (See 82 Fed. Reg. 72986, Oct. 21, 2016.) Entities subject to the provisions were given until Dec. 31, 2017, to comply with certain aspects as discussed below. If your organization is a contractor or subcontractor that handles “controlled unclassified information,” you need to make sure your house is in order to comply.
Some of the most significant provisions of the DFARS regulations are:
- Coverage: The security requirements outlined in 252.204-7012 “shall be implemented for all covered defense information on all covered contractor information systems that support the performance of [the] contract.” See DFARS 252.204-7008(b).
- NIST SP 800-171 Required: “[C]overed contractor information system[s] shall be subject to the security requirements in NIST Special Publication (SP) 800-171, ‘Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.’” DFARS 252.204-7012(b)(2)(i).
- Departures: Contractors must submit requests to depart from NIST SP 800-171 in writing to the contracting officer for adjudication by the DOD chief information officer. See DFARS 252.204-7012(b)(2)(ii)(B).
- Reporting: Contractors must “rapidly report” a cyber incident, meaning report it to the DOD within 72 hours of discovery of any cyber incident. See DFARS 252.204-7012 subsections (a), (c). The contractor must also send any malicious software to the DOD Cyber Crime Center. See subsection (d).
- Preservation: Contractors are obligated to preserve images of all known affected systems and all relevant monitoring or packet capture data for 90 days from submission of the report to the DOD and have to allow the DOD access for a forensic analysis. See DFARS 252.204-7012 subsections (e)-(f).
- Flowing Down: Contractors must put provisions from the DFARS cyber regulations in all subcontracts “for which subcontract performance will involve covered defense information.” See DFARS 252.204-7012 subsection (m). Further, subcontractors must be required to notify the contractor when submitting requests to depart from NIST SP 800-171 and upon reporting any incident to the DOD.
- Noncompliance Notification: For all contracts awarded prior to Oct. 1, 2017, the contractor shall notify the DOD chief information officer, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award. See DFARS 252.204-7012(b)(2)(ii)(A).
NIST SP 800-171
The above provisions might not appear especially daunting without an understanding of what NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” entails. As noted above, the DFARS regulations state that covered information systems shall be subject to the security requirements in the NIST CUI publication and that contractors have to request any departures. Therefore, the NIST CUI requirements are incorporated wholly by reference within the DFARS cyber regulations.
Chapter 3 of the NIST CUI requirements specifies the security requirements. There are 14 different sections, 3.1 through 3.14, as follows:
- 3.1 Access Control
- 3.2 Awareness and Training
- 3.3 Audit and Accountability
- 3.4 Configuration Management
- 3.5 Identification and Authentication
- 3.6 Incident Response
- 3.7 Maintenance
- 3.8 Media Protection
- 3.9 Personnel Security
- 3.10 Physical Protection
- 3.11 Risk Assessment
- 3.12 Security Assessment
- 3.13 System and Communications Protection
- 3.14 System and Information Integrity
Combined, there are over 110 separate requirements detailed within these headings. Some are simple, straightforward controls, e.g., 3.1.8, “Limit unsuccessful login attempts.” Others are broader and open to some interpretation as to how they must be implemented, such as 3.1.4, “Separate the duties of individuals to reduce the risk of malevolent activity without collusion,” and 3.4.6, “Employ the principle of least functionality by configuring the information system to provide only essential capabilities.” Additionally, the NIST CUI requirements specify a number of ongoing obligations such as training (see 3.2), auditing (see 3.3), change management (see 3.4.3), incident response planning and testing (see 3.6), maintenance (see 3.7), risk assessment (see 3.11), security assessment (see 3.12), and monitoring (see 3.14.3).
What Must Companies Do?
Combining the strict verbiage of the DFARS cyber regulations with the comprehensive nature of the NIST CUI requirements creates a formidable compliance challenge for any contractor and its subcontractors. If your organization has not yet fully implemented the NIST CUI requirements, it cannot wait any longer to address these issues. Below are some immediate actions a company should take if it has not addressed these issues previously. It is strongly suggested to enlist the assistance of a trusted legal adviser to facilitate this process and manage the ongoing interaction with the DOD.
A first step is to evaluate the NIST CUI requirements in the context of any existing security control programs based on other advisory materials such as NIST SP 800-53 or ISO 27001. The NIST CUI publication provides a set of tables with the relevant mapping. Assuming a company has previously implemented controls consistent with either of those publications, it can focus on identifying any gaps and addressing those.
If a company has not previously implemented such controls, time is of the essence. It should start with the high-level policies and procedures and implement plans for risk assessments, security assessments, incident response, auditing, configuration management, and awareness and training. Given the time constraints, the company should also be simultaneously implementing the controls specified in NIST SP 800-171, such as those relating to access control, authentication, media protection, physical protection, monitoring, and malware defense. Companies must also make sure their incident response plan prepares them to comply with the DFARS regulations’ tight 72-hour notice period.
Needless to say, it is a lot of work for a company that has not addressed these issues, but it is imperative to do so. In many industries, implementing these controls is a precautionary measure that does not directly implicate the business operations in the short term. But the self-disclosing feature of the DFARS regulations has made failure to implement NIST SP 800-171 a potential bar to future government contracts, which is why companies cannot afford to delay in addressing these issues.
CREDIT: Steven Snyder, Law360