GOVERNMENT CONTRACTING INSIGHTS CYBERSECURITY
Further Guidance for New Cyber Rule
Ahead of the Dec. 31 deadline for federal defense contractors to implement National Institute of Standards and Technology Special Publication 800-171, NIST released Draft Special Publication 800-171A, “Assessing Security Requirements for Controlled Unclassified Information.” This draft publication is designed to assist organizations in assessing compliance under SP 800-171.
Currently, there is no regulation or statute that imposes the draft on contractors. Rather, the draft publication is intended as guidance for organizations — both government and contractors — in developing assessment plans and conducting “efficient, effective and cost-effective” assessments of the implementation of security controls required by SP 800-171. The draft publication does not prescribe specific, required assessment procedures. Instead, it provides a series of “flexible and tailorable” procedures that organizations could use for conducting assessments with each security control.
The draft publication recognizes multiple methods for conducting assessments: examining and interviewing to facilitate understanding, achieve clarification, or obtain evidence; and testing to compare actual results with expectations.
Following the format of SP 800-171, the draft groups its assessment procedures by the 14 families of controlled unclassified information security control requirements, and highlights how an assessor could examine, interview, or test each particular control at issue. It also recognizes that organizations may not need to test every control. Controls that are not applicable should be documented as non-applicable in the organization’s system security plan.
Consistent with its recent update to NIST Special Publication 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations,” in creating this publication NIST used the term “system” rather than “information system” to reflect that controlled unclassified information needs to be safeguarded on a broader array of contractor information systems such as industrial and process control systems, cyber-physical systems and individual devices that are part of the internet of things.
Although it is unclear how the Defense Department intends to use the publication, the draft states that it was designed as “a starting point” for organizations to use in developing assessment plans and determining compliance with SP 800-171. In particular, the draft publication notes that “[o]rganizations can use the assessment procedures to generate evidence to support the assertion that the security requirements have been satisfied.” Such evidence could be used in a variety of ways, such as the basis for identifying security-related weaknesses in an information system, as an aid in source selection, or by the Defense Contract Management Agency when auditing contractor compliance with Defense Federal Acquisition Regulation Supplement clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.”
Attached to the draft special publication is an appendix that provides supplemental guidance for implementing and assessing the controlled unclassified information security requirements in SP 800-171. As currently drafted, many of its security controls are only a sentence or two long. The supplemental guidance is based on the more fulsome “security controls in NIST Special Publication 800-53 and is provided to give assessors a better understanding of the mechanisms and procedures used to implement the safeguards employed to protect” controlled unclassified information.
NIST is in the process of revising SP 800-53, which only applies to federal systems. One of the stated objectives of the revised version, however, is to make the cybersecurity and privacy standards and guidelines accessible to non-federal and private sector organizations for voluntary use on their systems. As a result, because NIST is incorporating this guidance more explicitly, defense contractors may ultimately see a blurring of some of the requirements of SP 800-171 versus SP 800-53.
Shortly after NIST released its draft guidance, the Defense Department updated portions of its internal Procedures, Guidance and Information addressing compliance with the requirements of DFARS 252.204-7012. Although it is internal to the Defense Department, it provides contractors with insight into how the Pentagon interprets its own regulations.
The updated guidance made a variety of notable changes. It directs the requiring activity to create a “work statement or specification that includes the identification of covered defense information or operationally critical support.” This is consistent with department statements to industry that procuring entities are responsible for notifying contractors when contract performance involves covered defense information.
It also removed statements that said the safeguarding requirements apply until such time as the requiring activity removes or changes the designation, and that the contracting officer must coordinate with the requiring activity about disposition of controlled unclassified information associated with a contract. The updated guidance states that if a cyber incident involves multiple contracts, the Defense Department should designate one contracting officer to coordinate “additional actions required of the contractor.”
Additionally, it specifies that once the damage assessment is complete, the requiring activity must provide the contracting officer with a report that documents “actions taken to close out the cyber incident.” Previously, the guidance directed the requiring activity to provide the contracting officer with a “report documenting the findings from the damage assessment activities affecting covered defense information,” with a copy provided to the contractor. As revised, the requirement to provide a copy of the report to the contractor has been eliminated.
These updates are consistent with the Defense Department’s attempts to clarify the interpretation of DFARS 252.204-7012 ahead of the Dec. 31 deadline.
Susan B. Cassidy is a partner, Ashden Fein is an associate and Evan R. Sherwood is an associate at Covington & Burling LLP.