COVID-19 Has the DoD Adjusting How They Assess Contractor Cybersecurity

Key Takeaways

• Due to operational disruptions from COVID-19 the Department of Defense (DoD) has adjusted how they conduct security assessments of contractor system that process Controlled Unclassified Information (CUI).
• DoD will now allow for virtual security assessments for CUI reviews – even for those rated as High Assessments where greater security is required.
• DoD acknowledges that such virtual assessments do not cover all of the typical criteria covered in on-site assessments. Therefore, virtual assessments limit their understanding of overall risk.

Assessing Contractor Security of Controlled Unclassified Information (CUI)

The Defense Federal Acquisition Regulation Supplement (DFARS) rule 252.204-7012 requires contractors and subcontractors to implement the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations whenever covered defense information (i.e. CUI) is stored, processed or transmitted through the company’s information system(s). The DoD assesses contractors’ compliance with the NIST SP security requirements and documents their assessment results in the Supplier Performance Risk System (SPRS) hosted at the Naval Sea Logistics Center Portsmouth. Historically, these assessments are done on-site at the contractor’s locations, especially where a higher level of CUI security is warranted.

Adjusting Security Assessments for COVID-19 Impacts

In early July, Kim Herrington, the Acting Principal Director for Defense Pricing and Contracting in the Office of the Undersecretary for Acquisition and Sustainment (USD(A&S)) updated the DoD’s NIST 800-171 contractor CUI assessment guidance due to the operational impacts of the COVID-19 pandemic.

Here’s the point – the DoD will now allow for virtual CUI security assessments. Some of the main details include:

• In May, SPRS was enhanced to allow authorized contractor representatives to enter results for Basic (self) assessments into the system. Medium and High assessments may be entered by a representative from the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
• Assessments at the High level that are typically conducted by DoD personnel at the contractor’s location will now be permitted to be done virtually, using the same methodology as on-site assessments, with additional data protections.
• DoD acknowledges that a virtual assessment does not cover all of the NIST 800-171 requirements, so these assessments result in lower understanding of overall risk.

For more comprehensive details of the updated DoD Assessment Methodology see Version 1.2.1 (with the additions or edits emphasized in blue text.)

Depending on how successful these types of process changes are at maintaining the cybersecurity posture of the DoD and its supporting contracting companies it is possible that we could see additional modifications to other policies.