New Cyber Rule Requires Critical Documents
Contractors and their supply chain with active Defense Department contracts, or those that plan on doing business with it, must assure that any of their data systems that transmit, process or store controlled unclassified information are compliant with National Institute of Standards and Technology Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations.”
It’s clear that meeting the Defense Federal Acquisition Regulation Supplement 252.204-7012 mandate to comply to the special publication is a required priority for defense contractors, subcontractors and suppliers.
Making a system security plan and plan of actions and mitigations is crucial to winning new business and keeping existing contracts this year and moving forward. Here are some tips on how to approach creating and utilizing these complex compliance documents.
First of all, DFARS compliance includes safeguarding all controlled unclassified information and “covered defense information.” Contractors must report cyber-related incidents to the Defense Department and any deviations or gaps from NIST SP 800-171. They must show progress on a “plan of action with mitigations” and report and maintain a “system security plan.”
The plan of action with mitigations and system security plan are important artifacts to use to demonstrate your adherence to the NIST 800-171 guidance. Defense contractor or suppliers will need to submit these compliance documents to the department or a prime contractor, preferably sooner rather than later. Defense Department documentation calls these type of artifacts “critical inputs to an overall risk management decision to process, store or transmit” controlled unclassified information.
Contractors processing, storing or transmitting controlled unclassified information must meet these security standards at a minimum that were laid out in the Defense Federal Acquisition Regulation Supplement. Those who decide to avoid it, unfortunately risk losing contracts this year and in years moving forward and even risk falling under the False Claims Act. Especially if a company has already received a questionnaire, it’s important that it submit its compliance status truthfully, and prepare compliance documents now if it wants to keep its customers.
Identifying the scope and target of valuation is important here. There are approximately 120 controls included in NIST SP 800-171 and assessing each of these controls for documents, for every component of a system, can be a massive undertaking for an organization. By identifying only those components that are either directly or indirectly in scope, a contractor can reduce the list of areas that need to be assessed.
Having these two documents proving each control status and plan for remediation allows an organization to address the DFARS 252.204-7012 requirement for 2018. The key is showing where the gaps are, a plan for remediation and progress according to that plan.
"A great deal of company resources will have to be allotted to getting these documents ready if requested."
Here is the direct guidance from the Office of the Under Secretary of Defense: “NIST SP 800-171 was revised (Revision 1) in December 2016 to enable non-federal organizations to demonstrate implementation or planned implementation of the security requirements with a “system security plan” and associated “plans of action.”
The security requirement 3.12.4 — system security plan, added by NIST SP 800-171, Revision 1 — requires the contractor to develop, document and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
Security Requirement 3.12.2 — plans of action — requires the contractor to develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems.
The goal is to assess the target of evaluation defined in step one and the components identified in step two of the process against the controls. Both current and target scores should be recorded to enable a gap analysis that will feed the two documents.
A system security plan can be critical to fully documenting compliance. Revision 1 to NIST SP 800-171 added another control to the set that requires the creation of a plan to “describe[s] the boundary of [a contractor’s] information system; the operational environment for the system; how the security requirements are implemented; and the relationships with or connections to other systems.”
In addition to the plan of actions and mitigations, the system security plan “describes how and when any unimplemented security requirements will be met, how any planned mitigations will be implemented, and how and when they will correct deficiencies and reduce or eliminate vulnerabilities in the systems.”
That means that the documents must describe the requirements, how a contractor plans to remediate for each of the controls, and a timeline for remediation in the organization.
That is just the bare bones, as there is much more information that can be included for compliance such as team members in charge of controls, deadlines and technology that will be adopted in remediation steps.
A great deal of company resources will have to be allotted to getting these documents ready if requested. Regardless of the method, these documents are key for saving contracts if not yet fully compliant, and will put a company in good standing for primes or contracts against the competition.
In 2018, contractors need to ensure they are working on becoming compliant using these documents, and that they can demonstrate competitiveness and adherence to the regulations if the business relies on defense-related revenue.
George Wrenn is the founder and CEO of CyberSaint Security, a company helping defense contractors and the supply chain with DFARS compliance. His email is: firstname.lastname@example.org