Understanding DFARS 252.204-7012 and NIST SP 800-171 Implementation

Looking for a better understanding of DFARS 252.204-7012 and NIST SP 800-171 implementation?

Discussions around DFARS compliance, NIST SP 800-171 implementation and cybersecurity within the federal defense contracting space are becoming more and more prevalent by the day.

Although it seems like the conversation has just recently gained steam, the DFARS mandate has been around longer than people realize.

DFARS 252.204-7012 Timeline

Technically, we can go back as far as April of 2013 when the Information Security Oversight Office (ISOO) issued a memorandum (Executive Order 13556) to government agency leads, detailing what Controlled Unclassified Information (CUI) is, and suggestions on how to protect it.

In October of 2016, the Department of Defense (DoD) issued the DFARS 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting” clause.

These regulations require contractors and their suppliers to provide adequate security on all covered defense information is processed, stored, or transmitted on the contractor’s internal information.

Fast forward to September of 2017, the Office of the Under Secretary Defense released a memorandum in regards to implementation guidance for NIST SP 800-171.

As the memo states;

To provide adequate security, the contractor must, at a minimum, implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” not later than December 31, 2017.

Two key points to be made in the above clause are “adequate security” and “implement.” Not to mention, the deadline of December 31, 2017 has long passed.

What Does a Contractor Need to Know?

To become both compliant and implemented, contractors need to first identify if they handle CUI and where it resides within their network.

If a contractor’s products or services to the DoD are items that are commercially available off-the-shelf (COTS), DFARS 252.204-7012 may not be required (that may change with the new CMMC certification process or CMMC level requirements).

For contractors that are providing products or services that are specific to the DoD’s needs, the below requirements must be met in order to be compliant:

• Contractors and subcontractors must have implemented the 110 NIST SP 800-171 controls, “Protecting CUI in Nonfederal Information Systems and Organizations” to safeguard covered contractor information systems.
• You must report cyber incidents directly to the DoD that affect a covered contractor information system, or covered defense information/CUI, or your ability to execute the requirements of the contract.
• If discovered and isolated in connection with a reported cyber incident, you must submit the malicious software to the DoD Cyber Crime Center (DC3).
• You must preserve and protect all relevant information related to the cyber incident to respond, should the DoD choose to conduct a damage assessment.

For a contractor handling Controlled Unclassified Information (CUI), NIST SP 800-171 provides federal agencies with recommended requirements for protecting the confidentiality of CUI when:

• The CUI is resident in nonfederal information systems and organizations.
• The information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; and
• When there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government wide policy for the CUI category or subcategory listed in the CUI Registry.

Below are the fourteen control families of security requirements within the NIST SP 800-171, to achieve compliance and implementation, to protect the confidentiality of CUI in nonfederal information:

• Access Control
• Audit and Accountability
• Awareness and Training
• Configuration Management
• Identification and Authentication
• Incident Response
• Maintenance
• Media Protection
• Physical Protection
• Personnel Security
• Risk Assessment
• Security Assessment
• System and Communications Protection
• System and Information Integrity

What Does “Adequate Security” Mean?

Understanding DFARS 252.204-7012 and NIST SP 800-171 implementation is the responsibility of the contractor.

Contractors need to determine whether they have met the specific requirements (as well as any other security measures necessary to provide adequate security for covered defense information) to legally be awarded DoD contracts.

If not, they need to implement the security controls they are missing, as soon as possible.

That said, as the DoD has has stated themselves, simply conducting “self-assessments” is not working for contractors looking to meet the cybersecurity requirements of DFARS 252.204-7012.

To achieve a level of “adequate security”, contractors should be using subject matter experts to audit their implementation plan.

Why? Because audits by a third-party require proof. Simply stating you are “compliant” will no longer be acceptable for contractors who want to do business with the DoD.

Contractors now have to prove they have completed the plan they developed prior to December 31, 2017.

NIST Subject Matter Expertise

By implementing, at minimum, the 110 NIST SP 800-171 controls, makes it extremely difficult for those with malicious intent to access CUI.

At cuick trac™, we believe that should be the reason for achieving “adequate security”, not simply because contractors “have to.”

Protecting the information that makes up the DoD’s defense system, should not be easy. Easy means it’s also easy for others to gain access.

Fortunately for contractors, specifically the small-to-medium size businesses, who may not have the resources to achieve full implementation themselves, cuick trac™ offers multiple options for contractors to meet the cybersecurity requirements of DFARS 252.204-7012.