Deadline Looms for Contractors to Safeguard Defense Information

In 2016, the Department of Defense (DoD) amended the Defense Federal Acquisition Regulation Supplement (DFARS) to include Clause 252.204-7012, Safeguarding Covered Defense Information (CDI) and Cyber Incident Reporting to provide for the safeguarding of controlled unclassified information (CUI), or “covered defense information,” when it is processed, stored or transmitted through a contractor’s internal networks or information systems.

Under the updated DFARS DoD contractors are required to implement the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations by December 31, 2017.

“Covered defense information” (CDI) as defined in the clause is unclassified controlled technical information or other information (as described in the Controlled Unclassified Information (CUI) Registry) that requires safeguarding or dissemination controls as required by law, and is either provided to or developed by the contractor in the performance of a DoD contract.

Contract Impacts

As the December deadline came into view, the DoD issued guidance to its acquisition and contracting personnel to prepare them for the impacts of contractor implementation of the NIST SP and DFAR requirements.

As part of contract requirements the DoD is required to document in the respective Statement of Work that CDI is required for performance of the contract and also to specify any requirements for the contractor to mark the CDI developed in the performance of the contract.

The DFARS update is required in all solicitations and contracts for the acquisition of commercial items except commercially available off-the-shelf (COTS) items. The clause is not required to be applied retroactively, but it may be added via a contract modification. Further, the clause requirement flows down to subcontractors when contract performance by the sub will involve CDI. Enforcement of the clause falls on the prime contractor.

Contractor Requirements

DFARS Clause 252.204-7012 requires contractors/subcontractors to:

• Implement NIST SP 800-171 to safeguard covered defense information by December 31, 2017.
• Report cyber incidents to DoD for incidents that affect covered defense information or that affect the contractor’s ability to perform requirements designated as operationally critical support.
• Submit malicious software to the DoD Cyber Crime Center (DC3) for any software discovered and isolated in connection with a reported cyber incident.
• Facilitate damage assessment in collaboration with the DoD by providing media and damage assessment information upon request.

Requirements by December 31, 2017

To document implementation of the NIST SP 800-171 security requirements by the implementation deadline companies should meet the following requirements:

• Contractor’s System Security Plan – SSP required under the SP documents how the contractor meets, or plans to meet, the NIST requirements. The SSP will describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. When requested by the DoD, the SSP may be used to demonstrate implementation or to inform a risk discussion between the contractor and the DoD.
• Plans of Action – The NIST SP requires the contractor to develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems. The plans of action should describe how and when any unimplemented security requirements will be met, how any planned mitigations will be implemented, and how and when they will correct deficiencies and reduce or eliminate vulnerabilities in the systems.

Compliance Certification

Ultimately, it is the contractor’s responsibility to determine whether it is has implemented the NIST SP 800-171. DoD is not requiring or recognizing any third party assessments or certifications of compliance, nor will DoD certify to a contractor compliance. Depending on the particulars of the procurement, “certification” of compliance may be given simply by submitting a proposal for a covered solicitation or the solicitation may require elements of the SSP to be included in the firm’s proposal. The bottom line is, by signing the contract, the contractor agrees to comply with the terms of the contract, which require compliance with the NIST SP and the DFARS.

Implications

The concern over the security of sensitive government information as it resides and passes through contractor systems and networks has been receiving increased attention for several years, in parallel to the government’s rising awareness of its own cybersecurity vulnerabilities and the value of its critical information. The Office of Management and Budget (OMB) issued guidance back in 2015 and the updated DFARS builds upon August 2015 DoD guidance. These and other requirements continue to move forward the implementation of various NIST cybersecurity requirements within federal agencies and the supporting contracting community alike.

The requirements with the impending DFARS deadline have been known for some time and affected contractors who have been active in the defense marketplace (i.e. paying attention) will likely have addressed the policy and administrative aspects of the requirements.

Of course, like any new regulatory requirement, this has its associated costs to contractors that may or may not be recovered in the process of winning and performing DoD work. And like most new contract requirements, it adds time and effort to both sides of the equation – both the contractor bid and proposal side and the government contracting office side. For contractors that needed to make additional security-related software or hardware investments to boost their cybersecurity posture there is the additional cost associated with those efforts, but it would seem that the benefits of those investments go beyond the immediate context.