NIST and DFARS Compliance

The Federal Information Security Management Act

The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. FISMA was signed into law as part of the Electronic Government Act of 2002 and was a crucial step toward where we are today.

DFARS and NIST Cybersecurity Mandates

If your small business supplies services to the federal, state or local government, you have undoubtedly heard news of the recent cybersecurity mandates the Department of Defense (DoD) has established: the Defense Federal Acquisition Regulation Supplement (DFARS) and the requirements it imposes, which were developed by the National Institute of Standards and Technology (NIST) and are commonly known as NIST SP 800-171.

In 2010, the U.S. President signed Executive Order 13556, *Controlled Unclassified Information*, which establishes a government-wide program to institutionalize the protection and control of CUI. NIST SP 800-171 is a cybersecurity framework that specifies how your information security policies and systems need to be set up.

In this page, we will discuss how the NIST security framework applies to Department of Defense contractors, the minimum requirements to be NIST compliant, and the options available to DoD contractors for achieving DFARS compliance.

What are the minimum requirements for DFARS compliance?

The basic premise of the NIST SP 800-171 security framework is to protect and enhance the security of Controlled Unclassified Information (CUI). With cybercrime reaching unprecedented heights globally, estimates put related costs at $2 trillion by 2019, and there was a 38% rise in cyber security incidents between 2016 and 2017. Organizations are charged with protecting their users and sensitive data.

The minimum requirement for DFARS compliance is to provide documented evidence that the security controls required by NIST have been implemented. To be DFARS compliant, contractors must successfully demonstrate that they satisfy the security assessment functions.

Advice to Contractors

First, check whether you need to comply with DFARS 252.204-7012 by examining your contract to verify that it contains the DFARS clause; if it does, determine whether the scope of work to be performed requires handling controlled unclassified information (CUI) on a non-federal system. As required by the guidelines, CUI must be identified and marked as such by the contracting officer. If you are in doubt about whether you are handling CUI, ask your contracting officer for confirmation.

Secondly, if you have confirmed you need to comply, prepare and implement a system security plan (SSP) and put into effect the security controls required by your plan. If needed, prepare a written variance request, which the regulations permit when a security requirement is met with an alternative security control that is equally sufficient, and submit it to your contracting officer(s).

DFARS details 14 “family controls” encompassing 110 security guidelines related to network auditing and accountability, policies and procedures, and implementation of best practices. In order to be considered fully “DFARS compliant”, non-federal and government contractor information systems/organizations must pass a security assessment following NIST SP 800-171 guidelines.

NIST SP 800-171 Summary of Guidelines

For ease of use, the security requirements are organized into fourteen control groups. Each group contains the requirements related to the minimum security requirements for federal information and information systems described in FIPS Publication 200.

As its name implies, access control establishes policies and processes to ensure that information is contained and constrained so that only those personnel and agents who are authorized may obtain access. It also implies that non-authorized agents are denied access through security controls and measures appropriate to the task. The security architecture employs a layered, control-in-depth approach designed to meet the access control objectives.

In order to successfully operate a service that protects information from malicious agents, hackers and mistakes, development, operations and administration personnel must understand how to access and maintain service elements without negatively impacting the environment or the data it contains. Service personnel are trained extensively to meet the needs of their roles. This training is verified through formal education, experience and skills certification appropriate to their tasks and responsibilities.

The Internet-borne malicious cyber environment is the source of the malware and adversarial activities that impact operations every day. To increase security, everyone must have an awareness of the potential threats and dangers they may encounter (NIST, 2013). A cyber security awareness and training program will be established that routinely presents important facts and information about current threat activity and interacts with users through tests via simulated phishing and spam email messages (Grimes, 2017). This training program maintains records of training delivered and the results of interactions to enable additional training and maintain compliance. The content and frequency of training activities will be reviewed against ongoing risk assessments and vulnerability testing.

To validate and understand IT system activities, and how they relate to regulatory compliance, a record of events and of the agents responsible for them must be developed and maintained (NIST, 2013). In support of this need, events must be generated, and a system created for collecting, indexing and making the results available. There are many common tools and processes used to accomplish this task. Information security continuous monitoring (ISCM) and security information and event management (SIEM) are the concepts used to facilitate data collection, analysis and presentation (Hargenrader, 2015).

Nearly all IT systems and applications can generate logs that record their activities (NIST, 2011). Key to this function is ensuring the capability is enabled on each node within the architecture. The Information Security Continuous Monitoring (ISCM) subsystem continuously streams, records, indexes and archives all relevant activities to support the audit and accountability needs (NIST, 2011). The resulting information is stored locally within the environment, externally for near-term access, and in a long-term storage volume in AWS. Audit and accountability information is stored for up to one year, unless longer-term storage is necessary.
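As an added illustration of the audit and accountability flow described above (event generation, normalisation, indexing and the one-year retention window), here is a small Python script that is not part of the Assured Bridge service or of this page. It parses constructed syslog-style sshd and sudo records into structured events, indexes them by actor, reports failed logins per source address, and separates records that fall outside the retention period. The log lines, host name, addresses and the reference time are all constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample records in a syslog-like layout with ISO-8601 timestamps
# (not captured from any real system). The last record is deliberately over a year old.
SAMPLE_LOG = """\
2024-03-01T10:15:02Z web01 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
2024-03-01T10:17:44Z web01 sshd[1240]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
2024-03-01T10:17:49Z web01 sshd[1241]: Failed password for invalid user admin from 203.0.113.9 port 40002 ssh2
2024-03-01T10:20:00Z web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
2022-11-20T08:00:00Z web01 sshd[900]: Accepted password for bob from 10.0.0.7 port 50000 ssh2
"""

# Constructed "current time" so the retention check is reproducible.
NOW = datetime(2024, 3, 2, tzinfo=timezone.utc)
RETENTION = timedelta(days=365)  # the one-year retention period mentioned in the text

SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)
SUDO_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sudo: +(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)


@dataclass(frozen=True)
class AuditEvent:
    """Who (actor) did what (action) on which host, from where, when, and with what outcome."""
    timestamp: datetime
    host: str
    actor: str
    action: str
    outcome: str
    source: str


def _parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_line(line: str):
    """Normalise one raw line into an AuditEvent, or None if it is not a recognised record."""
    m = SSH_RE.match(line)
    if m:
        return AuditEvent(
            timestamp=_parse_ts(m["ts"]), host=m["host"], actor=m["user"],
            action=f"ssh-login:{m['method']}",
            outcome="success" if m["outcome"] == "Accepted" else "failure",
            source=m["src"],
        )
    m = SUDO_RE.match(line)
    if m:
        return AuditEvent(
            timestamp=_parse_ts(m["ts"]), host=m["host"], actor=m["user"],
            action=f"sudo:{m['target']}:{m['cmd']}", outcome="success", source="local",
        )
    return None


def parse_log(text: str):
    return [e for e in (parse_line(l) for l in text.splitlines() if l.strip()) if e]


def index_by(events, field: str):
    """Index events on one attribute so a reviewer can pull every record for an actor or host."""
    idx = defaultdict(list)
    for e in events:
        idx[getattr(e, field)].append(e)
    return dict(idx)


def apply_retention(events, now: datetime, max_age: timedelta = RETENTION):
    """Split events into those inside the retention window and those due for archive or expiry."""
    cutoff = now - max_age
    kept = [e for e in events if e.timestamp >= cutoff]
    expired = [e for e in events if e.timestamp < cutoff]
    return kept, expired


def failed_logins_by_source(events):
    """Count failed SSH logins per source address, a typical accountability query."""
    counts = defaultdict(int)
    for e in events:
        if e.action.startswith("ssh-login") and e.outcome == "failure":
            counts[e.source] += 1
    return dict(counts)


def demo():
    events = parse_log(SAMPLE_LOG)
    kept, expired = apply_retention(events, NOW)
    return {
        "parsed": len(events),
        "kept": len(kept),
        "expired": len(expired),
        "alice_events": len(index_by(kept, "actor").get("alice", [])),
        "failed_by_source": failed_logins_by_source(kept),
    }


if __name__ == "__main__":
    print(demo())
```

The point of normalising into a fixed record shape before indexing is that the accountability questions (who did what, from where, when) can then be asked uniformly regardless of which daemon produced the line; a real ISCM pipeline would add many more parsers and persist the index instead of keeping it in memory.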

Managing the configurations of the cloud platform, service instances and applications is critical to enabling security and maintainability and to managing complexity (Shackleford, 2016). The cloud platform is managed as infrastructure as code, using AWS CloudFormation initially, with the potential to transition to Terraform in later iterations. The code that describes and provisions the cloud environment is hosted in a separate version control system, located outside the service environment. This allows developers to make adjustments to the provisioning code, then check it in for review, testing and implementation as needed. In this way, service elements can be quickly instantiated to meet new customer needs or to scale the environment when needed.

Each service instance is based on a Linux configuration implemented using Center for Internet Security (CIS) benchmarks and input from government requirement documents and best practices. These managed images can then be directly referenced by service implementation code, enabling automation to ensure each security measure is appropriately applied.

The application suites are based on a verified commercial product with wide industry penetration and acceptance. The vendor of these applications retains the responsibility for their appropriate coding security and releases patches and updates as necessary to address emerging issues. Licensing for the application suites includes maintenance support.

The security architecture recognizes four user roles that require access and authentication into the environment at different levels. VPN users are granted access to the secure internal environment. Application users are granted privileges to access and use the collaboration and knowledge management services to which they are subscribed. Service administrator users are allowed access to the platform virtual machines. Cloud administrators are responsible for controlling the environment. These four different roles are segregated to facilitate separation of duties such that no one class has access to all service elements and data.

In addition to mediating access to Assured Bridge resources, the user and credential management tools provide protection for other external accounts and passwords, as well as secure note storage. This increases an organization's security posture by decreasing exposure of internal, user, system and team credentials.

Response to environment events, including outages and disruptions, is facilitated by the ISCM subsystem, which continuously monitors the environment. Any disruption, outage or customer-reported issue is immediately evaluated for priority by the support team. If warranted, the incident response plan (IRP) is initiated.

For this project, maintenance involves ensuring service instances and application software are kept up to date with vendor and security fixes and patches. The system administration team is responsible for these actions, in collaboration with the security and operations teams. Routine customer instance and application maintenance is scheduled for low-use hours on weekends. For actions that may have unforeseen operational impacts, maintenance will first be applied to the ‘test’ environment to mitigate the risk of outages or disruption to customer operations.

For the most part, physical media protection is outside the scope of the Assured Bridge security architecture. Our cloud service organization (CSO) manages the physical components of its platforms according to the federal regulations and guidelines it has been certified to operate within. The CSO chosen for the project, Amazon AWS initially, is certified appropriately to meet the necessary requirements.

Security screening and management of personnel is outside the scope of this architecture proposal. However, this control is elemental to compliance with SP 800-171 and related regulations and policies. Company and customer management and human resources must coordinate with site facility security officers (FSO) to meet this requirement.

Protection of the cloud environment is the responsibility of the serving CSO. CSOs selected to host the secure environment are certified through the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP certification ensures the chosen CSO meets the physical security standards required for compliance.

Identifying, analyzing, monitoring and mitigating risks to the environment is a continuous process that is supported by the design of the environment itself. ISCM and CSO alerting processes and vulnerability scanning are the primary inputs into the risk assessment process. As new vulnerabilities are discovered, they are logged in the risk register for analysis and prioritization. If appropriate, controls are developed to mitigate them, and application of the controls is entered into the ticket tracker for the administration and security teams to action. Risk review is conducted alongside the monthly and ad-hoc configuration control board (CCB) meetings.

Security and vulnerability scanning are automated and based on criteria derived from potential malicious indicators. Weekly vulnerability scans are conducted against the internal service and application environments. Security assessment results are published to the project knowledge management system weekly, or more often as appropriate.

The service operates within a secured cloud environment. Users, however, must access the service from remote locations that may include untrusted access points. Whether these access points are at home, at the office or at shared locations using WiFi hotspots, guarantees must be provided that communications into the secure environment are protected and private. Remote connectivity is enabled by a virtual private network (VPN). The VPN creates a secure, encrypted channel from the endpoint device, through the access point and the Internet, and into the secure environment (NIST, 2005).

Once operating within the environment, local domain name service (DNS) processing and filtering protects against requests to malicious sites or files. Uniform resource locator (URL) requests not filtered internally are forwarded to a secure DNS service that checks them against real-time threat intelligence databases.

Customer files that are uploaded into the environment are stored in dedicated volumes attached to customer service instances. File storage actions, including upload and edit, are evaluated by an anti-virus (AV) engine with rulesets that are updated daily. If a suspect or corrupted file is detected it is quarantined, and activity alerts are generated and recorded.

System integrity is implemented through the open source host intrusion detection system (HIDS) package OSSEC, supplemented with alert classification modules. HIDS agents are installed in each service and customer instance and report to the security server within the VPC. The HIDS and supporting applications enable a common operational picture (COP) that presents the security team with an overview of the environment (Chernysh, 2017). Each agent establishes hash values for system binaries and configuration files as specified by the security team. These values are updated frequently, with results published and logged to the security server and to the compliance and auditing processes. Customer information is archived daily and stored externally to the VPC. This enables restoration of audit and compliance data in the event an error or malicious agent impacts the environment.
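The hash-based integrity check that the HIDS agents perform can be illustrated with a self-contained Python script. This is an added example, not OSSEC's code or Assured Bridge's: it builds a SHA-256 baseline over a constructed temporary file tree standing in for watched binaries and configuration files, takes a second snapshot after simulated drift, and classifies every difference as added, removed or modified. All paths and file contents are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: Path, watched) -> dict:
    """Hash every regular file named in `watched` (files or directories, relative to root)."""
    baseline = {}
    for rel in watched:
        target = root / rel
        if target.is_file():
            files = [target]
        elif target.is_dir():
            files = [p for p in target.rglob("*") if p.is_file()]
        else:
            files = []  # a watched path that no longer exists will surface as "removed"
        for p in sorted(files):
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare_baselines(previous: dict, current: dict) -> dict:
    """Classify drift between two snapshots of path -> digest."""
    common = previous.keys() & current.keys()
    return {
        "added": sorted(current.keys() - previous.keys()),
        "removed": sorted(previous.keys() - current.keys()),
        "modified": sorted(k for k in common if previous[k] != current[k]),
    }


def demo() -> dict:
    """Build a baseline over a constructed file tree, simulate drift, and report it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        # Constructed stand-ins for a config directory and a system binary.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed stand-in for a binary")
        watched = ["etc", "bin/ls"]

        baseline = build_baseline(root, watched)

        # Simulated drift: a config change, a new file in a watched directory, a deleted file.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "motd").write_text("constructed\n")
        (root / "etc" / "hosts").unlink()

        return compare_baselines(baseline, build_baseline(root, watched))


if __name__ == "__main__":
    print(demo())
```

In a deployment the baseline would be stored off-host (as the text does with the security server) so that an intruder who alters a binary cannot also rewrite the reference digest; comparing against a locally held baseline only detects accidental drift, not a deliberate tamper that covers its tracks.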

What are my options as a government contractor?

The Do-it-Yourself ( DIY ) route

Some organizations have the expertise and internal assets to ensure compliance with the new information security mandates internally. With enough technical know-how, existing staff can follow the directives in the self-assessment documentation NIST provides.

Some of the critical components involved to become DFARS compliant:

  • Self-education: understanding what Controlled Unclassified Information (CUI) is, why it is important, and the consequences of non-compliance
  • Analyze training, policy and procedures
  • Control families: a detailed review of the fourteen NIST 800-171 security control families, including the 110 security guideline requirements
  • Conduct a NIST 800-171 CUI self-assessment
  • Identify compliance/non-compliance and understand your security posture relative to industry standards
  • Self-Attestation
  • Developing Plan of Actions & Milestones (POA&M)
  • Documentation of artifacts
    • Written Information Security Program (WISP)
    • System Security Plan (SSP).
    • Configuration Management Plan (CMP)
    • Security Awareness Program
    • Security Assessment Plan (SAP)
    • Security Assessment Report (SAR)
    • Incident Response Plan (IRP)
    • Information Security Continuous Monitoring (ISCM)
    • Information System Contingency Plan (ISCP)

Compliance as a Service

At Assured Bridge, we’ve created services that help businesses meet their security and compliance requirements as described by NIST SP 800-171 and DFARS Clause 7012. Assured Bridge services embody the shared responsibility model. Using validated and certified infrastructure, we provide the technical services and controls that are often the most difficult and costly; our customers and clients implement the policies and processes to use them. Together, compliance can be effectively achieved, and business goals met.

Leveraging cybersecurity architecture and software solutions from experts specialized in the handling of controlled unclassified information (CUI).