If you are a defense contractor, you have probably been deluged with emails promising the end of your business and of your ability to work with the US Government as a prime contractor or subcontractor if you don’t conform to the new DFARS clause (DFARS 252.204-7012), Safeguarding Covered Defense Information and Cyber Incident Reporting. Any company, with a little preparation, can be ready to meet these requirements. There is no reason to raise the alarm, and the blood pressure, of defense contracting company owners all over the U.S.
The DFARS Clause
The DFARS clause specifically states that defense contractors will ensure that any Controlled Unclassified Information (CUI) is appropriately protected as outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171 Revision 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (Note: the revision is important, as we will see later.) According to the clause, all defense contractors need to meet the requirements of NIST SP 800-171 by December 31.
But before defense contractors start drinking whiskey from the bottle and opening their checkbooks to vendors, a little reading demonstrates that these requirements are not as onerous as they seem and companies, with a little investment, can comply with them with minimal cost.
Where to Start
A company should spend some time understanding what CUI they have and where it should reside to be protected. A good starting place is in Chapter 1 of SP 800-171 where it talks about the CUI registry and links the reader to the National Archives and Records Administration, Controlled Unclassified Information Registry.
Of interest to all defense contractors is the Procurement and Acquisition category, which lists basic contract information such as pricing, contract information or indirect and direct labor costs as CUI. Defense contractors should identify ALL CUI that is in their possession.
Second, the DFARS requirements apply only to the systems where such CUI is stored. So companies should work hard, as previously mentioned, to place all their CUI in one location or in the smallest possible configuration to minimize the pain of compliance. For example, a defense contractor with multiple locations may decide to move its CUI to one location, and only that location would be subject to NIST SP 800-171.
Third, NIST SP 800-171 Revision 1 states that to meet compliance by 31 December 2017, a contractor must “describe in a system security plan, how the specified security requirements are met, or how the organization plans to meet the requirements”. For the defense contractor, this means that while all 110 controls must be addressed, a contractor is still compliant if it identifies how it will eventually meet the requirements it does not yet satisfy. This paragraph is critical in determining how much money a company will spend to meet these requirements. If a company can show it has addressed the controls and has a plan, or roadmap, for the gaps, it will be compliant with 800-171.
Fourth, there are at least three new requirements that companies should be aware of that will cause some concern.
Three New Requirements
First, a company must have multifactor authentication for its employees that have access to systems with CUI. This means that tokens, dongles, or biometric forms of identification, as well as a password, will be required. These solutions are prevalent and not too expensive.
Second, a contractor’s systems with CUI will have to be scanned periodically. Contractors will have to run a vulnerability scan themselves or have one done by an outside vendor. Numerous vendors in the marketplace provide these services, and they are not very expensive. We recommend a third-party vendor; IT departments are sometimes hesitant to disclose vulnerabilities that have occurred on their watch.
Third, a company must be able to “create, protect and retain system audit records”. Companies should use a Security Information and Event Management (SIEM) solution. In case of a breach, this will allow you to collect and organize computer logs so they can be forensically analyzed. Again, there are expensive and inexpensive ways to accomplish this. There are also excellent open source SIEMs, such as the Elasticsearch, Logstash, and Kibana (ELK) stack, which works well.
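As an added illustration of the “create, protect and retain” requirement (and of the multifactor point above), here is a small tamper-evident audit log in Python. It is example code written for this post, not part of the DFARS clause, NIST SP 800-171 or the ELK stack; the events, user names and host name are constructed samples, and a SIEM such as ELK would be where records like these are shipped and retained.

```python
import hashlib
import json

# Constructed sample audit events for a CUI file server (not real data).
SAMPLE_EVENTS = [
    {"ts": "2017-11-01T08:00:00Z", "user": "jdoe", "action": "login", "mfa": True, "host": "cui-fs01"},
    {"ts": "2017-11-01T08:02:13Z", "user": "jdoe", "action": "read",
     "object": "/cui/contracts/pricing.xlsx", "host": "cui-fs01"},
    {"ts": "2017-11-01T08:10:45Z", "user": "asmith", "action": "login", "mfa": False, "host": "cui-fs01"},
]

GENESIS = "0" * 64  # previous-hash value for the first record


def _canonical(event):
    # Stable serialization so the same event always hashes the same way.
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def append_record(chain, event):
    """Append one audit record; its hash covers the previous record's hash,
    so editing, deleting or reordering earlier records breaks the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    digest = hashlib.sha256((prev + _canonical(event)).encode()).hexdigest()
    chain.append({"prev": prev, "event": dict(event), "hash": digest})
    return digest


def build_chain(events):
    chain = []
    for e in events:
        append_record(chain, e)
    return chain


def verify_chain(chain):
    """Return (True, -1) if intact, else (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        expected = hashlib.sha256((prev + _canonical(rec["event"])).encode()).hexdigest()
        if rec["prev"] != prev or rec["hash"] != expected:
            return False, i
        prev = rec["hash"]
    return True, -1


def logins_without_mfa(chain):
    """Users who reached a CUI system with a password alone (a finding to review)."""
    return [r["event"]["user"] for r in chain
            if r["event"].get("action") == "login" and not r["event"].get("mfa")]
```

Run `verify_chain` on the stored records as part of the retention routine: an altered or deleted record is reported by position, which is what an auditor will ask you to demonstrate.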
Finally, an organization must have an incident response plan to adequately meet the challenges of an incident. In the commercial space, we call this a Cyber Playbook. This outlines the anticipated responses to an incident which include reporting, analysis, detection, and response.
Analyze the impact and cost of complying with NIST 800-171. Understand that, while there are some 110 controls, most companies will be compliant with at least 50% of them. The path to compliance is not that rigorous. Review the controls, plan to mitigate areas of non-compliance, and strategize to meet some of the new technical requirements.
MainNerve can help you with that review.