Increase in large scale, targeted breaches in the U.S. annual average
Of Organizations experienced cyber attacks on operational technology infrastructure.
Malicious Mobile apps blocked daily
If your small business is a supplier of services to the federal, state or local government; undoubtedly, you have heard news of the recent cybersecurity mandates the Department of Defense (DoD) has established. The Defense Federal Acquisition Regulation Supplement (DFARS) and its subsequent requirements imposed by the National Institute of Standards and Technology (NIST) commonly known as NIST SP 800-171.
In 2010, the U.S. President signed into effect Executive Order 13556, *Controlled Unclassified Information*, which establishes a government-wide program to institutionalize the protection of and ensuring the control of CUI. NIST SP 800-171 is a cybersecurity framework that specifies how your information policies and systems need to be set up.
In this article, we will discuss how the NIST security framework is applicable to Department of Defense Contractors, the minimum requirements to be NIST compliant and available options to achieve DFARS compliance for DoD contractors.
What are the minimum requirements for DFARS compliance?
So now that we understand the basic premise of the NIST SP 800-171 security framework is to protect and enhance security of Controlled Unclassified Information
( CUI ). With cybercrime reaching unprecedented heights globally, estimates reach $2 trillion in related costs by 2019. Additionally, there was a 38% rise in cyber security incidents between 2016 and 2017. Organizations are charged with the mantle of protecting their users and sensitive data.
The minimum requirement for DFARS compliance is to provide documented evidence of the security controls being implemented as required by NIST. In order to be DFARS compliant, contractors must successfully demonstrate satisfaction of the security assessment functions.
Advice to Contractors
First, check whether you need to comply with DFARS 252.204-7012 by examining your contract to verify that it contains the DFARS clause, and if it does, determine whether the scope of work to be performed requires the handling of controlled unclassified information (CUI) on a non-federal system. As required by the guidelines, CUI must be so identified and marked by the contracting officer. If in doubt, whether you’re handling CUI, ask your contracting officer for confirmation.
Secondly, if you've confirmed you need to comply, then prepare and implement a system security plan ( SSP ) and put into effect those security controls required by your plan. If specified, prepare a written variance request, which is permitted by the regulations if certain security requirements are being met with an alternative security control that is as equally sufficient, and tender to your contracting officer(s).
DFARS details 14 “family controls” encompassing 110 security guidelines related to network auditing and accountability, policies and procedures, and implementation of best practices. In order to be considered fully “DFARS compliant”, non-federal and government contractor information systems/organizations must pass a security assessment following NIST SP 800-171 guidelines.
NIST SP 800-171 Summary of Guidelines
For ease of use, the security requirements are organized into fourteen control groups. Each group contains the requirements related to the minimum security requirements for federal information and information systems described in FIPS Publication 200.
What are my options as a government contractor?
The Do-it-Yourself ( DIY ) route
Some organizations have the expertise and internal assets that can ensure compliance with the new information security mandates internally. With enough technical know-how, existing staff can follow the directives provided by the NIST’s provided self-assessment documentation.
Some of the critical components involved to become DFARS compliant:
- Self Education- Understanding what Controlled Unclassified Information (CUI) is, why it’s important, the consequences for non-compliance
- Analyze training, policy and procedures
- Control Families- examining a detailed review of the NIST 800-171 fourteen security control families including 110 security guideline requirements.
- Conduct NIST 800-171 CUI Self-Assessment
- Identify compliance/non-compliance and understanding your security posture relative to industry standards.
- Developing Plan of Actions & Milestones (POA&M)
- Documentation of artifacts
- Written Information Security Program (WISP)
- System Security Plan (SSP).
- Configuration Management Plan (CMP)
- Security Awareness Program
- Security Assessment Plan (SAP)
- Security Assessment Report (SAR)
- Incident Response Plan (IRP)
- Information Security Continuous Monitoring (ISCM)
- Information System Contingency Plan (ISCP)
Compliance as a Service
At Assured Bridge, we’ve created services that help businesses meet their security and compliance requirements as described by NIST SP 800-171 and DFARS Clause 7012. Assured Bridge services embody the shared responsibility model. Using validated and certified infrastructure, we provide the technical services and controls that are often the most difficult and costly; our customers and clients implement the policies and processes to use them. Together, compliance can be effectively achieved, and business goals met.
Leveraging cybersecurity architecture and software solutions from experts specialized in the handling of controlled unclassified information (CUI).