It’s almost here. After years of rulemaking, covered defense contractors will soon be fully subject to heightened cybersecurity standards for covered defense information (“CDI”) on IT systems under DFARS 252.204-7012, and contractors submitting new proposals will be representing that their systems are compliant with these security requirements pursuant to DFARS 252.204-7008. We discuss in this post seven compliance tips beyond the basics that are worth revisiting during this final compliance push.
First, some brief background. It is well-known that by December 31, 2017, covered contractors must have a cybersecurity plan in compliance with the recommended security control standards currently set forth in the National Institute of Standards and Technology (“NIST”) Special Publication 800-171 Rev. 1. Pursuant to DFARS 252.204-7012, NIST SP 800-171 provides 110 security control requirements to establish “adequate security” on covered systems. Among other things, the requirements relate to access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity. The requirements also provide for documenting how unimplemented security requirements will be addressed, and require a plan of action and milestones (“POAMs”) for such items.
Your company’s compliance with the control standards set out in NIST SP 800-171 Rev. 1 must be self-verified (i.e., contractors cannot rely on certification by the U.S. Department of Defense (“DoD”) or third parties). However, DoD has attempted to answer key issues and streamline implementation assistance by providing additional information and guidance documents. To recap, DoD updated its Cybersecurity Frequently Asked Questions (FAQs) on this topic in January 2017, held an industry information day on June 23, 2017, and recently issued a document entitled Guidance for Selected Elements of DFARS Clause 252.204-7012 in September 2017.
NIST SP 800-171 Rev. 1 and related DoD guidance generally give contractors flexibility in establishing system security plans sufficient to meet compliance. For example, DoD guidance states that the implementation of NIST SP 800-171 Rev. 1 “enables contractors to comply in most cases by using or adapting systems and practices already in place,” and provides latitude in how contractors choose to implement the requirements. A few compliance tips stand out in this guidance. Chief among these is the need for contractors to have a defined plan and policies in place (in any format) that comport with the new regulation and articulate what security plan the contractor has in place, what plan of action the contractor has for addressing unimplemented measures, how planned mitigations will be implemented, and how and when deficiencies or vulnerabilities in the security system will be corrected. Contractors should also seriously consider the capabilities of their in-house information technology personnel, and whether outside assistance will be required to meet full compliance with the 110 security control requirements in NIST SP 800-171 Rev. 1.
We list below seven key practical takeaways from DoD’s recent guidance that are worth revisiting during this final period:
- Ensure Security Plan Provides for Periodic Updates. The work is not done for your company once you have documented your security plan and procedures by December 31, 2017. Section 3.12.4 of NIST SP 800-171 Rev. 1 calls for companies to not only “develop” and “document,” but also to “periodically update system security plans.” Contractors looking to remain competitive and compliant should ensure that they have a plan and procedure for such periodic updates in place.
- Remember NIST SP 800-171 is Not NIST SP 800-53. Appendix D of DoD’s September guidance maps each of the NIST SP 800-171 requirements to NIST SP 800-53 (which applies to internal federal Government systems). The guidance notes “not all aspects of a NIST SP 800-53 security control may have been included in NIST SP 800-171 security requirement.” DoD’s Cybersecurity FAQs note that NIST SP 800-53 is intended for internal use by the Federal Government, and that the entire purpose of the new NIST SP 800-171 security requirements was to avoid mandating specific solutions so that contractors could comply by using systems and practices they already had in place. DoD guidance further provides that contracting officers should not reference NIST SP 800-53 security controls to identify a NIST SP 800-171 security requirement.
DoD Cybersecurity FAQs further note that contractors who were compliant with the previous DFARS clause “would be 90-95% compliant with the NIST 800-171 security requirements by implementing policy and procedure requirements which do not involve substantive IT changes,” excepting the multifactor authentication requirement at section 3.5.3 of NIST SP 800-171.
- Verify Subcontractor Implementation. Most contractors are aware that the DFARS 252.204-7012 clause will flow down to subcontractors involved in operationally critical support or CDI, and that subcontractors are required to directly report cyber-incidents to DoD via the DIBNet Portal. But primes need to do more than simply flow down the clause to their subcontractors. DoD guidance advises that prime contractors should consult with the contracting officer to determine if the information required for subcontractor performance is CDI, which would require flow-down of the clause to subcontractors. DoD guidance reinforces the expectation that the prime contractor will enforce the clause as part of its compliance program. Accordingly, prime contractors should ensure that subcontractors handling CDI will comply with the terms of DFARS 252.204-7012 and have the requisite NIST SP 800-171 Rev. 1-compliant security plan in place. Among other things, prime contractors should also make sure that subcontractors have the requisite public key infrastructure certification in place to be able to report cyber-incidents to DoD within the 72-hour window imposed by DFARS 252.204-7012.
Also, although flow-down of the DFARS clause is not required for external cloud service providers (“CSPs”) that are not considered subcontractors, when contractors use such CSPs to store, process, or transmit any CDI, contractors are still expected to ensure that the CSP meets the requirements of DFARS 252.204-7012 (including cyber-incident reporting).
- Prepare for Source Selection Risk Assessment. The new cybersecurity requirements will be relevant to procurement awards. For example, DoD guidance provides examples of how a solicitation may address the use of system security plans in the evaluation process, which range from assignment as a unique evaluation factor and express notice to the offeror that “its approach to protecting CDI and providing adequate security in accordance with DFARS 252.204-7012 will be evaluated in the solicitation,” to merely indicating that “all security requirements in NIST SP 800-171 must be implemented at the time of award.” Contractors should plan accordingly, including documentation of and POAMs for any unimplemented portions of the cybersecurity requirements.
- Use Restrictive Markings on Security Plan Documents. Contractors should also closely review solicitations to see whether elements of the contractor’s system security plan are required to be incorporated into the contract. Where this is the case, DoD guidance advises contractors to ensure their security plans are marked with appropriate restrictive notices to indicate proprietary or other sensitive information, and contractors should consider the effects of incorporating security plans into contracts on any related licensing rights agreements with the Government.
- Watch for Modifications to Existing Contracts. Contractors with current contracts should also have a security plan in place to comply with NIST SP 800-171 Rev. 1. DFARS 252.204-7012 is not required to be applied retroactively, and only requires the contractor to implement the version of NIST SP 800-171 in effect at the time of the solicitation, but this does not preclude a contracting office from modifying existing contracts. DoD guidance notes that contractors should expect to work with their contracting officers to modify existing contracts to authorize the use of NIST SP 800-171 Rev. 1.
- Align with Existing Monitoring Requirements. DFARS 252.204-7012 does not set out a new or “unique” monitoring requirement for compliance. That said, DoD Cybersecurity FAQs make clear that “any existing generally applicable contractor compliance monitoring mechanisms” may apply to contractor compliance with the new regulation. Contractors should consider which existing regulatory and contractual monitoring programs will require compliance reporting.
Though most contractors are well on their way to achieving full compliance by December 31, 2017, these seven areas can serve as a useful check in the process and reminder of important considerations going forward. Small businesses seeking further information can access resources through the Defense Department’s Procurement Technical Assistance Program (“PTAP”) with the Defense Logistics Agency, which provides DFARS 252.204-7012 implementation information. Of course, contractors with concerns about their implementation plans should consider consulting with counsel or other compliance professionals as soon as possible.