An ever-increasing array of cyber-security demands are being placed upon companies in all sectors—from rules specific to firms doing business in New York state to Europe’s General Data Protection Regulation.
Potentially lost amid those frequently spotlighted demands are strict, sweeping, and imminent regulations for contractors with the Department of Defense.
To protect Covered Defense Information—unclassified data categorized as sensitive because it was provided by, or generated for, the Government and not intended for public release—the Department of Defense has issued Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” Yes, it is as complicated as it sounds.
The DFARS supplement applies to all Department of Defense solicitations other than procurements for “commercial off-the-shelf items.” Defense contractors possessing or transmitting CDI must implement the 110 security controls itemized in the cyber-security framework crafted by the National Institute of Standards and Technology, a measurement standards laboratory and non-regulatory agency of the U.S. Department of Commerce.
The NIST document, specifically, is “Special Publication 800-171,” also known as “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”
The deadline for adopting these now-mandated controls is fast approaching: Dec. 31, 2017.
Experts warn that many contractors may not be fully cognizant of how broad and complicated the requirements are, especially as they extend deep into the supply chain to all sub-contractors and suppliers. Smaller companies will, as expected, face a disproportionate challenge. Suppliers and sub-suppliers may be unaware of the rules passed on to prime contractors and poorly positioned to assist them by proving their own cyber-readiness.
“Implementation of the NIST standards and other requirements of DFARS 7012 can be challenging for even the most experienced contractors,” says Nelson Kanemoto, founder of eResilience, a division of Referentia Systems that specializes in commercial cyber-security, risk management, and DFARS compliance services.
“For small- and medium-sized businesses it’s even more difficult because of limited time and resources,” he says. “It is critical for contractors to get started ASAP, especially since it’s not guaranteed that government contract officers will accept a System Security Plan and Plan of Action and Milestones for implementing DFARS regulations as an alternative to timely compliance. If you’re non-compliant at the end of the year you risk having to stop work.”
Losing government contracts is not the only concern: compliance failures could also trigger civil and criminal liability if inaccurate security assurances are treated as “misrepresentation” for purposes of the False Claims Act.
“Implementing NIST guidelines and other requirements of DFARS 7012 is much more complicated than many companies realize,” says Kanemoto. “It goes way beyond the average IT skillset, and government-issued guidelines often have gray areas that require careful interpretation.”
Among DFARS 7012’s key requirements to meet by the end of the year: comprehensive reporting requirements for cyber-incidents and discovery of malicious software; meeting security standards for cloud-stored CDI (including those of the Federal Risk and Authorization Management Program); providing the government on-demand access to any information and equipment needed to conduct a forensic analysis; and providing the Department of Defense, upon request, damage assessment information.
Other requirements include the use of digital rights management technology to encrypt documents, and requiring multi-factor authentication to access documents.
“Threat actors are launching increasingly sophisticated and potent cyber-attacks that target the most vulnerable points in an organization’s global, multi-tiered supply chain,” said Vijay Takanti, senior vice president of product development for Exostar. “Supply chain risk mitigation and management is a top priority for the aerospace and defense industry, particularly with the Dec. 31st deadline looming.”
Exostar is a provider of cloud-based and Software-as-a-Service offerings for companies in aerospace and defense, life sciences, and healthcare industries. Clients include Northrop Grumman, Huntington Ingalls Industries, Airbus North America, Rolls-Royce, and BAE Systems.
“When you are working through a global multi-tiered supply chain with potentially tens of thousands of suppliers in that supply chain, how do you know and how do you trust the level of security and data hygiene of all of those partners?” says Tom McHale, Exostar’s director of risk management product development, on the new rule’s difficult demands. “A chain is only as strong as its weakest link. There are a lot of people who are scrambling now to be able to demonstrate this level of compliance, especially if you are a large organization with thousands of suppliers.”
The large prime contractors understand what is at stake, he added, but “they have a wide and deep supplier network and don’t necessarily have visibility much below their top level of suppliers. They may not know all the players.”
A common procedure for many firms is using questionnaires and self-certifications to assess supply chain risks and regulatory compliance down through supply chain partners. With the new NIST standards in play, additional pressure is on prime contractors to identify suppliers that are having problems and either help them improve their security posture or reconsider their use as a supplier.
Among the specific challenges for contractors is adapting to two-factor authentication and encryption demands.
“When CDI data is either moved to them or they are holding it for their own purposes, that information—schematics, technical drawings needed for manufacturing purposes—must be encrypted,” McHale says. “There is technology required that they are probably not familiar with and companies may have problems with that level of control.”
The NIST standards “are the correct bar to be shooting for,” says Larry Lieberman, business development manager and “cyber-security evangelist” for eResilience and Referentia.
Nevertheless, it won’t be easy. “Prime contractors are, as we speak, going through the process of parsing out who they are going to need to drop from their roster of sub-contractors and their teams,” he says.
Compliance now, Lieberman says, will pay off later. “The DoD is the top of the iceberg,” he says. “Everyone is going in that direction, including the rest of the federal agencies. This, we suspect, is going to be wrapped into the Federal Acquisition Regulation by next year. It will be not just for anyone doing business with the DoD, but if you are doing business with any federal agency that you will need to adapt these same standards. Then, the commercial world is not too far behind that.”
The hardening of federal cyber-security standards is already underway. On May 1, the Trump administration announced an executive order mandating that agencies submit updated cyber-security risk management plans designed to safeguard controlled unclassified information.
“The government is going to go after the prime sub-contractor, but if a sub-contractor is the one causing all their problems, they are going to be ostracized by prime contractors and probably other sub-contractors as well,” says Tim Williams, eResilience’s technical director.
The rule change is a “wake-up call” to act on now or risk having to find other sources of business, he says, adding that “an entire organization needs to buy in and understand what is going on.”
Williams, with his team at eResilience, suggests key steps for DFARS 7012 compliance:
perform a content audit to understand what information you need to protect;
conduct an assessment to identify the gaps in your organization’s DFARS 7012 compliance;
provide adequate security controls to protect the CDI;
create an incident response plan;
and institute continuous monitoring and improvements.
As for challenges, McHale agrees that multifactor authentication may be a “culture change for people.”
“Another thing that people don’t necessarily understand is the monitoring piece that has to go along with all of this,” he says. “It is not just that you are supposed to be collecting all the log data, you are supposed to be going through that log data to look for indications of compromise. You can’t just wait for the FBI to come along and tell you there was a breach. You need to find that breach ahead of time.”
Another suggestion: Document and maintain a backup of everything you do.
“When all is said and done, if there is an incident and the government comes in, they are going to ask, ‘Why did you implement this required control the way that you did?’ If there is an issue, it won’t be the Department of Defense on the other side of the table, it is going to be the Department of Justice and they are going to be looking at your reasoning,” McHale says. “If you don’t have good reasoning for things, that’s where you are going to run into trouble.”
“A good, documented approach will keep you off the bad side of the road,” he adds. “So, document why you are doing things and have good backup of the reasoning behind why you implemented controls the way you did.”