How Can You Double Check Compliance With The New DFARS/NIST Requirements?

What do DOD Contractors Need to Know About Controlled Unclassified Information (CUI) & Compliance with the DFARS and NIST?

The DoD relies on external contractors and suppliers like you to carry out a wide range of tasks. Sensitive data is shared with you must be protected. The fact is that inadequate safeguards for this sensitive data may threaten America’s National Security and put our military members at risk.

The DoD has implemented a basic set of cybersecurity controls through DoD policies and the Defense Federal Acquisition Regulation Supplement (DFARS). The DFARS rules and clauses apply to the safeguarding of contractor/supplier information systems that process, store or transmit Controlled Unclassified Information (CUI). These security controls must be implemented at both the contractor and subcontractor levels based on information security guidelines developed by the National Institute of Standards and Technology (NIST) Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations.”

As a U.S. DoD contractor who collects, stores, or transmits Covered Defense Information (CDI) or Controlled Unclassified Information (CUI) you must comply with NIST (The National Institute of Standards and Technology) regulations 800-171 and DFARS (Defense Federal Acquisition Regulation Supplement) 252.204-7012. Your subcontractors must comply as well and be able to maintain compliance. If you don’t, you can’t bid on DoD contracts, and you may lose the ones you have.

The Department of Defense enforces a specifically defined set of cybersecurity controls through the DFARS. The DFARS rules and clauses apply to the safeguarding of contractor/supplier information systems that process, store or transmit Controlled Unclassified Information (CUI). These security controls must be implemented by both you, the contractor, and your subcontractors according to levels based on information security guidelines developed by the National Institute of Standards and Technology (NIST).

Complying with DFARS and NIST requirements isn’t easy. You and your subcontractors must meet DFARS cybersecurity standards and NIST Guidelines, or you can’t apply for DoD contracts. To do this requires a complete scoping and readiness assessment to measure your compliance. You must then remediate any identified gaps in security.

What Are Your Requirements as a DoD Contractor?

Cyber attacks have reached epidemic proportions in the U.S. Even government agencies are at risk of breaches. This poses a real risk to National Security. It’s imperative that you, your personal and your subcontractors safeguard classified information and Controlled Unclassified Information. The security of the U.S. Government depends upon the measures you take as a contractor, as well as those in your supply chain. Unfortunately, many businesses don’t have the right cybersecurity controls in places like firewalls, anti-virus and anti-malware, and identity-authentication processes. They also lack detection and response controls for IT exploits.

Until now, strict security processes, controls, and standards that applied to federal information systems weren’t required for CUI. The DFARS 225.204-7012 and NIST SP 800-171 regulations were developed to cover unclassified federal information for nonfederal organizations. You must implement the security controls outlined in the NIST SP 800-171 to be compliant with DFARS.

The U.S. Government provided a disciplined and structured process for contractors to follow. If you want to comply and be accepted for DoD projects, you must leverage the following IT solutions:

  • Security Information and Event Management
  • Intrusion Prevention System
  • Vulnerability and Threat Management
  • Database Security Controls
  • Log Management
  • File Integrity Checking
  • A Tested Incident Response Plan

What Specifically is Covered by the DFARS/NIST Regulations?

The DFARS 252.204-7012 | NIST SP 800-171 requirement for CUI includes any information related to a DoD performance contract, as well as anything that supports the contract. This is a very broad requirement and could have a dramatic impact on the number of systems that must be covered.

These systems are broken down into four categories:

  1. Controlled Technical Information: Any and all technical information as defined by DoD, including those with space or military applications.
  2. Operations Security Information: Any intentions, capabilities or activities that an attacker could use to guarantee failure or unacceptable consequences.
  3. Export-Controlled Information, like biochemical or nuclear data.
  4. Any additional information specified in the contract.

The new rule also applies to your subcontractors. They must meet the same applicability definitions described above.

As a DoD Contractor, you must know what CUI you store, process, or transmit in the course of performing your duties. You and your subcontractors must be prepared to apply NIST SP 800-171 security controls to your information systems. You must create and sustain an environment for the proper storing, processing, or transmitting of CUI. This includes ensuring your employees or any individuals involved in the contract practice security and privacy when it comes to information systems.

What Are Your Cybersecurity Standards?

The minimum cybersecurity standards are described in NIST Special Publication 800-171 and broken down into fourteen areas:

  1. Access Control– You must limit system access to authorized users.
  2. Awareness & Training– You are required to promote awareness of the security risks associated with users’ activities, train them on applicable policies, standards and procedures, and ensure they are trained to carry out their duties.
  3. Audit & Accountability- You must create, protect, retain and review all system logs.
  4. Configuration Management– You are required to create baseline configurations and utilize change management processes.
  5. Identification & Authentication-You must authenticate information systems, users, and devices.
  6. Incident Response– You’re required to develop operations to prepare for, detect, analyze, contain, recover from, and respond to incidents.
  7. Maintenance-You must perform timely maintenance on your information systems.
  8. Media Protection– You must protect, sanitize and destroy media containing CUI.
  9. Personnel Security– You’re required to screen individuals before authorizing their access to information systems, and ensure these systems remain secure upon the termination or transfer of individuals.
  10. Physical Protection-You must limit physical access to and protect and monitor your physical facility and support infrastructure that houses your information systems.
  11. Risk Assessment– You are required to assess the operational risk associated with processing, storage, and transmission of CUI.
  12. Security Assessment– You must periodically assess, monitor and correct deficiencies and reduce or eliminate vulnerabilities in your organizational information systems.
  13. System & Communications Protections– You must monitor, control and protect data at the boundaries of your system, employ architectural designs, software development techniques and system engineering principles that promote effective information security.
  14. Protection System & Information Integrity– You’re required to identify, report and correct information and any flaws in your information in a timely manner. You must also protect your information systems from malicious code at appropriate locations, and monitor information security alerts and advisories so you can take appropriate actions.

Plus, there are specific security requirements comprising 110 individual controls that you and your subcontractors must implement in each of these areas.

Large enterprises probably have these security systems in place. Smaller businesses probably don’t – and this is a big undertaking. With the right experience in CUI requirements, your managed services provider can help by handling these responsibilities for you, by…

  • Periodically assessing the security controls in your company’s systems to determine if the controls are effective in their application.
  • Developing and implementing plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in systems.
  • Monitoring security controls on an ongoing basis to ensure the continued effectiveness of the controls.
  • Developing, documenting, and periodically updating system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

As a DoD contractor, you and your authorized employees must fully understand what Covered Defense Information you store, process, or transmit in the course of doing business with the Department of Defense. You must also be ready to provide adequate security using controls outlined in the NIST SP 800-171, Security and Privacy Controls for Non-Federal Information Systems.

Like this article? Check out Exactis Data Leak (Questions/Answers), 2018 Cybercrime Statistics (Reference Material), Stopping Cyber Threats In Small Business (Training/Education).

Bill Wootton is the Founder and President of C3 Integrated Solutions, a full-service IT provider based in Arlington, VA that specializes in securing our nation’s Defense Industrial Base through cloud-based solutions and industry leading partners. Bill is passionate about bringing cyber-awareness, and cyber-maturity to the nation’s Defense Industrial Base, working with clients to help them achieve CMMC and NIST 800-171 compliance by providing MSP, security and Office 365 integration services.

6:26 pm
Call Us: (571) 384-7950