If you are a business that serves the Department of Defense (DoD) as a contractor or subcontractor, or that supports clients who do, you have likely heard of the Defense Federal Acquisition Regulation Supplement (DFARS). Protecting sensitive national defense information that is shared with, created by and maintained by private organizations supporting federal government contracts is vital to national security. DoD contractors that process, disseminate, store or transmit Controlled Unclassified Information (CUI) are required to meet DFARS minimum security standards or risk losing existing DoD contracts and eligibility for future contracts.
DFARS security compliance requirements must be applied by both contractors and subcontractors, following guidance in National Institute of Standards and Technology’s (NIST) Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations.” Fortunately, DFARS compliance requirements are a set of standard security controls based on best practices that are already in use for information security, so compliance is not a daunting challenge. The DFARS Cybersecurity Rule Subpart 204.73 (revised December 28, 2017), “Safeguarding Covered Defense Information and Cyber Incident Reporting” can be found here: http://www.acq.osd.mil/dpap/dars/dfars/html/current/204_73.htm
Protecting Covered Defense Information
To achieve DFARS cyber security compliance, a defense contractor’s information systems must provide the same protections and meet the same DFARS compliance requirements for federal data as an internal federal information system. Protection of Covered Defense Information (CDI) is a core DFARS requirement, and CDI is a subset of Controlled Unclassified Information (CUI). CDI is provided to a contractor by the DoD, and it becomes the responsibility of the contractor to protect the security and integrity of the information. CDI has four subcategories, controlled technical information (CTI), operations security information, export-controlled information, and other marked information that requires protection.
CTI is technical information related to military operations; however, it is not considered general DoD information. Viewing CTI does not require a security clearance, but it is not publicly available information either. CTI is subject to controls on its access, display, use, disclosure, reproduction, modification, performance, or dissemination. DFARS provides additional definition for CTI to include:
Minimum Requirements for Federal Contractors
DFARS (Defense Federal Acquisition Regulation Supplement) standards were rolled out in an interim rule published in August 2015 with the rule amended in October 2016. DFARS provides a regulatory structure for DoD contractors to proactively comply with certain security frameworks in order to reinforce cybersecurity for the DoD supply chain. Under DFARS Clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” DoD contractors must comply with NIST Special Publication 800-171 that provides a requirement framework for contractors to protect sensitive defense information on unclassified, non-federal systems and report cybersecurity incidents.
The DFARS Clause 252.204-7012 regulatory framework requires defense contractors to specifically document how the following requirement components are met:
- The first component is providing adequate security for any non-federal covered contractor information systems. Adequate security is defined as protective measures commensurate with the damage that could result from unauthorized access, loss, misuse or modification of information in a security incident. Compliance with NIST SP 800-171 guidelines effectively provides “adequate security.”
- The second component is cybersecurity incident reporting. The minimum required elements of a cyber incident report can be found here: http://dibnet.dod.mil. The DIBNet portal is a gateway for DoD contractors and subcontractors to report cyber incidents and voluntarily participate in the DoD’s Cybersecurity Program.
If malicious software is determined to be part of the reported incident, a description of the event must also be submitted to the DoD’s Cyber Crime Center. Incident reporting guidance requires preservation and protection of images of all known affected information systems and all relevant monitoring/packet capture data for a minimum of 90 days from a cyber incident report submission. If the DoD decides to conduct a formal assessment of damage caused by a cybersecurity event, a contractor would be required to submit media and other materials that support that assessment.
Specific DFARS requirements are explored in more detail below.
Subcontractor and Supply Chain Management
DFARS Clause 252.204-7012 was amended to limit flow-down compliance to subcontractors and suppliers whose efforts involve CDI or are considered operationally critical support. DoD prime contractors under DFARS are obligated to be proactive by strengthening the entire supply chain, ensuring not only their own DFARS compliance, but ensuring subcontractors demonstrate compliance as well. Consequently, subcontractors are responsible for reporting any practices that could deviate from the DFARS and NIST 800-171 guidelines before any CDI is shared with the subcontractor. It is important that a prime contractor control what information flows down to subcontractors based on the CDI data a subcontractor will need to access to perform their assigned work under a federal contract.
Cybersecurity Incident Reporting
In the event of a cybersecurity incident that compromises information integrity or an information system, a contractor’s responsibility under DFARS standards is rapid reporting: the incident must be reported to the DoD within 72 hours. To determine the extent of a potential compromise, an assessment is required that at a minimum must include a list of compromised systems, technical data and users, and a list of any other systems that might have been compromised. The assessment must also provide a thorough system review and methods for preventing future incidents.
Cybersecurity events experienced by subcontractors must be reported to the prime contractor or to the next tier subcontractor, with evidence provided per DFARS requirements. The prime contractor is responsible for DoD incident reporting with evidence submitted as detailed for contractors above.
Cloud Service Providers
If a contractor uses a cloud service provider to store, process or transmit CDI for a DoD contract, there are three security standards that may be relevant for DFARS compliance:
- A contractor that uses a cloud solution to host or process data for a DoD contract must ensure the cloud service provider meets the security requirements established in the Federal Risk and Authorization Management Program (FedRAMP) moderate baseline, and must comply with specific DFARS requirements, including incident reporting requirements.
- NIST SP 800-171 standards are applicable when a contractor uses internal cloud computing (not a third-party platform) in an enterprise system to host or process data to support a DoD contract.
- A contractor that uses cloud computing to provide IT services to the DoD must comply with the requirements in the “Cloud Computing Security Requirements Guide” (SRG) https://iasecontent.disa.mil/cloud/SRG/index.html. The SRG outlines a security model that defines service levels, security levels, controls and requirements for contractors implementing and maintaining the physical, administrative and technical security controls necessary for utilizing cloud-based services.
Proving DFARS Compliance
Self-attestation is currently considered sufficient to prove DFARS compliance, so a third-party audit is not a requirement. A well-documented System Security Plan (SSP) based on NIST 800-171, which maps each control to its implementation or to a compensating control, is sufficient to resolve any questions that should arise. The technical evaluation of a government contract proposal can use the SSP and may also request a Plan of Action and Milestones (POA&M) to document compliance as part of consideration for a DoD contract award.
For manufacturers who provide products within supply chains for the DoD, NIST provides a self-assessment handbook, NIST Handbook 162, “NIST MEP Cybersecurity Self-Assessment Handbook for Assessing NIST SP 800-171 Security Requirements in Response to DFARS Compliance Cybersecurity Requirements.” The handbook provides a step-by-step guide for assessing a small manufacturer’s information systems against the security requirements in NIST SP 800-171.
Be Prepared – Compliance Audits are coming
In January 2019, the Under Secretary of Defense issued a memo documenting the intent to audit the DoD supply chain for DFARS compliance. The memo tasks the Defense Contract Management Agency (DCMA) with auditing all tier one contractors to validate contractor compliance with DFARS clause 252.204-7012 requirements. A DCMA audit for an organization with a DoD contract with CDI will generally include the following:
- Verifying the contractor has an SSP.
- Verifying the contractor has submitted a 30-day notification listing any security controls not yet implemented.
- Verifying the contractor has a valid medium assurance Public Key Infrastructure (PKI) certificate required for cyber incident reporting (ECA Certificate Policy https://iase.disa.mil/pki/eca/Pages/index.aspx).
The audit requirements only call for direct DCMA assessment of tier-one suppliers; however, this is expected to affect the entire DoD supply chain, including contractor business partners. If an organization wants to compete for DoD contracts in the supply chain market and be able to demonstrate accountability with an easy “Yes” on a DFARS vendor survey, it should be proactive and contact a security-focused third-party Managed Security Service Provider (MSSP). An MSSP with specialized expertise in DFARS compliance requirements for DoD contractors will assist your organization in performing the required assessment and audit, and in conducting any remediation work necessary to achieve DFARS compliance.
Achieving DFARS/NIST SP 800-171 compliance is not a one-time solution. It is a continuous process of assessment, monitoring and improvement to ensure your organization maintains compliance with constantly evolving security requirements, and thus eligibility as a DoD contractor. An MSSP like RSI Security with specialized expertise in compliance services for DoD contractors required to meet DFARS compliance and monitored cybersecurity will assist your organization in performing the required assessment and audit, and conducting any remediation work necessary to achieve DFARS/NIST SP 800-171 compliance. Contact us today for personal help with all your needs for compliance advisory services.
A defense contractor that is audited by the DoD and found not to be in compliance would likely face a stop-work order. This would mean any work done for a DoD contract would be suspended until appropriate security measures are implemented to effectively protect CDI. The DoD could also levy financial penalties that may include damages for breach of contract or false claims. In severe noncompliance cases, the DoD could terminate contracts or even suspend a contractor from ever working with the DoD again.
What Contractors Can Do to be Prepared
To be prepared under current and evolving future DFARS requirements, contractors can be proactive with the following:
- Review NIST SP 800-171 security controls to verify your organization’s security controls provide adequate protection against a broad range of potential cyberattacks.
- Perform a gap assessment to determine if any required security controls are not being met, and remediate any identified gaps by developing an SSP and POA&M.
- If your organization works with subcontractors and suppliers, develop a plan to assess their compliance and ensure all CDI that flows down to subcontractors is protected with adequate security controls.
- Develop a plan for tracking CDI flow down requirements for sharing information with subcontractors and suppliers through the entire supply chain.
The DFARS Compliance Checklist can also be a helpful tool in preparation for DFARS compliance.
An MSSP like RSI Security who has specialized expertise in compliance services for DoD contractors can assist your organization in assessing current compliance and conducting any remediation work necessary to achieve DFARS/NIST SP 800-171 compliance. Contact us today for personal help with all your assessment and compliance needs.
RSI Security Offerings:
RSI Security has been helping everyone from corporations to individual contractors pass DFARS compliance for 10 years. We are one of the leaders in digital security and consulting. We are well versed in all aspects of security compliance and will have you DFARS compliant in a timely manner. We also have a positive relationship with the DoD that can ease some of the hurdles that come with such a complicated endeavor.
Our security services are first class all the way, utilizing the best tools, provisions, and practices to keep your company safe from disruptive security data breaches. Vulnerability assessments, real-time behavioral monitoring, intrusion detection, sophisticated digital pattern tracking and an inherent understanding of how hackers operate are just a few of the reasons why RSI Security is a leader in digital cybersecurity solutions.
Check out our website for more information and to learn about the various services we offer.