Looking for a better understanding of DFARS 252.204-7012 and NIST SP 800-171 implementation?
Discussions around DFARS compliance, NIST SP 800-171 implementation and cybersecurity within the federal defense contracting space are becoming more and more prevalent by the day.
Although it seems like the conversation has just recently gained steam, the DFARS mandate has been around longer than people realize.
Technically, we can go back as far as April of 2013 when the Information Security Oversight Office (ISOO) issued a memorandum (Executive Order 13556) to government agency leads, detailing what Controlled Unclassified Information (CUI) is, and suggestions on how to protect it.
In October of 2016, the Department of Defense (DoD) issued the DFARS 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting” clause.
These regulations require contractors and their suppliers to provide adequate security on all covered defense information is processed, stored, or transmitted on the contractor’s internal information.
Fast forward to September of 2017, the Office of the Under Secretary Defense released a memorandum in regards to implementation guidance for NIST SP 800-171.
As the memo states;
To provide adequate security, the contractor must, at a minimum, implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” not later than December 31, 2017.
Two key points to be made in the above clause are “adequate security” and “implement.” Not to mention, the deadline of December 31, 2017 has long passed.
To become both compliant and implemented, contractors need to first identify if they handle CUI and where it resides within their network.
If a contractor’s products or services to the DoD are items that are commercially available off-the-shelf (COTS), DFARS 252.204-7012 may not be required (that may change with the new CMMC certification process or CMMC level requirements).
For contractors that are providing products or services that are specific to the DoD’s needs, the below requirements must be met in order to be compliant:
For a contractor handling Controlled Unclassified Information (CUI), NIST SP 800-171 provides federal agencies with recommended requirements for protecting the confidentiality of CUI when:
Below are the fourteen control families of security requirements within the NIST SP 800-171, to achieve compliance and implementation, to protect the confidentiality of CUI in nonfederal information:
Understanding DFARS 252.204-7012 and NIST SP 800-171 implementation is the responsibility of the contractor.
Contractors need to determine whether they have met the specific requirements (as well as any other security measures necessary to provide adequate security for covered defense information) to legally be awarded DoD contracts.
If not, they need to implement the security controls they are missing, as soon as possible.
That said, as the DoD has has stated themselves, simply conducting “self-assessments” is not working for contractors looking to meet the cybersecurity requirements of DFARS 252.204-7012.
To achieve a level of “adequate security”, contractors should be using subject matter experts to audit their implementation plan.
Why? Because audits by a third-party require proof. Simply stating you are “compliant” will no longer be acceptable for contractors who want to do business with the DoD.
Contractors now have to prove they have completed the plan they developed prior to December 31, 2017.
By implementing, at minimum, the 110 NIST SP 800-171 controls, makes it extremely difficult for those with malicious intent to access CUI.
At Beryllium InfoSec Collaborative, we believe that should be the reason for achieving “adequate security”, not simply because contractors “have to.”
Protecting the information that makes up the DoD’s defense system, should not be easy. Easy means it’s also easy for others to gain access.
Fortunately for contractors, specifically the small-to-medium size businesses, who may not have the resources to achieve full implementation themselves, Beryllium offers multiple options for contractors to meet the cybersecurity requirements of DFARS 252.204-7012.