If you are a defense contractor, you have probably been deluged with emails promising the end of your business, and of your ability to work with the US Government as a prime contractor or subcontractor, if you don't conform to the new DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. While some of these emails are certainly meant to raise the alarm, and the blood pressure, of defense contracting company owners all over the U.S., the fact is that any company, with a little preparation, can meet these requirements.
The DFARS clause specifically states that defense contractors will ensure that any Controlled Unclassified Information (CUI) is appropriately protected as outlined in National Institute of Standards and Technology (NIST) Special Publication 800-171 Revision 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (Note: the revision number is extremely important, as we will see later.) According to the clause, all defense contractors are required to meet the requirements of NIST SP 800-171 by December 31, 2017.
But before defense contractors start drinking whiskey from the bottle and opening their checkbooks to vendors, a little reading shows that these requirements are not as onerous as they seem, and that companies can comply with them with a modest investment.
A company should spend some time understanding what CUI it has and where that CUI should reside in order to be protected. A good starting place is Chapter 1 of SP 800-171, which describes the CUI Registry and links the reader to the National Archives and Records Administration (NARA) Controlled Unclassified Information Registry. There the defense contractor finds a list of the different categories of CUI, with links that define each one further. Of interest to all defense contractors is the Procurement and Acquisition category, which lists basic contract information such as pricing, contract details, and direct and indirect labor costs as CUI. This all but guarantees that every defense contractor holds some CUI and will therefore be subject to NIST SP 800-171. Defense contractors should identify ALL CUI in their possession and consolidate it into the smallest number of systems and locations possible.
Second, the DFARS requirements apply only to the systems that store, process, or transmit CUI (the clause calls these "covered contractor information systems"). So, companies should work hard, as previously mentioned, to place all their CUI in one location or in the smallest possible configuration to minimize the pain of compliance. For example, a defense contractor with multiple locations may decide to move its CUI to one location, and only that location would then be subject to NIST SP 800-171. Be honest when drawing that boundary: a CUI file share at one site does not narrow the scope if the same CUI also travels through the corporate email system or sits on laptops at other sites, because those systems are then covered as well.
Third, NIST SP 800-171 Revision 1 states that to meet compliance by 31 December 2017, a contractor must "describe in a system security plan, how the specified security requirements are met, or how the organization plans to meet the requirements". In 800-171 terms, this is the system security plan (SSP, requirement 3.12.4) together with plans of action (requirement 3.12.2, usually called a plan of action and milestones, or POA&M). For the defense contractor, this means that while all 110 requirements must be addressed, a contractor can still be compliant if, for each requirement it does not yet meet, it documents how and when it will meet it. This provision is critical in determining how much money a company will spend to meet these requirements, for if a company can show it has addressed the requirements and has a plan (or what is known as a "roadmap" in compliance speak) for the gaps, it will be compliant with 800-171.
Fourth, there are at least four requirements that companies should be aware of that will cause some concern. First, a company must have multifactor authentication for employees who access systems with CUI (requirement 3.5.3, which covers local and network access to privileged accounts and network access to non-privileged accounts). This means that something you have, such as a hardware token or smart card, or something you are, such as a biometric, will be required in addition to a password. Fortunately, these solutions are widely available and not too expensive. Second, a contractor's systems with CUI will have to be scanned periodically for vulnerabilities (3.11.2) and the findings remediated (3.11.3), so contractors will have to run a vulnerability scanner or have an outside vendor do so. Again, numerous vendors offer these services in the marketplace and they are not very expensive. We recommend a third-party vendor, as IT departments are sometimes not keen on disclosing vulnerabilities that have occurred on their watch. Third, a company must be able to "create, protect and retain system audit records" (3.3.1), which in practice means a Security Information and Event Management (SIEM) solution that collects and organizes computer logs so they can be analyzed forensically in case of a breach; "protect" also means the records must survive an attacker who gains control of the host that produced them, so ship them off the host and guard the copy. Again, there are expensive and inexpensive ways to accomplish this, and there are excellent open source options such as the Elasticsearch, Logstash, and Kibana (ELK) stack, which works well. Finally, an organization must have an incident response plan (3.6.1) to meet the challenges of an incident. In the commercial space, we call this a Cyber Playbook; it outlines the anticipated responses to an incident, including detection, analysis, response, and reporting. Note that the DFARS clause itself adds a reporting obligation on top of the NIST requirements: cyber incidents affecting covered defense information must be reported to DoD within 72 hours of discovery, so the playbook should name who makes that report and how.
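As an added example (not from the original article, and not something SP 800-171 prescribes), the script below shows what "create, protect, and retain" audit records can look like in code. It parses a few constructed sshd-style log lines (sample data, not real events), stores each as an entry in a hash-chained, append-only audit trail, summarizes failed logins by source, and detects when any stored entry is deleted or edited. The log format, host name, user names, and IP addresses are all assumptions made for the example.

```python
"""Tamper-evident audit trail built from constructed sshd-style log lines.

Added illustration, not code from the original article or from NIST.
Each entry commits to the SHA-256 of its predecessor, so removing or editing
an entry breaks verification of every later entry.
"""
import hashlib
import json
import re
from typing import Dict, List, Optional

# Constructed sample data (assumed syslog-style lines with ISO timestamps).
SAMPLE_LOG = """\
2017-11-02T08:15:01Z cui-fs01 sshd[2231]: Accepted publickey for alice from 10.0.5.12 port 51022 ssh2
2017-11-02T08:16:44Z cui-fs01 sshd[2290]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
2017-11-02T08:16:47Z cui-fs01 sshd[2290]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
2017-11-02T08:17:03Z cui-fs01 sshd[2311]: Failed password for root from 203.0.113.7 port 40130 ssh2
2017-11-02T09:02:10Z cui-fs01 sshd[2402]: Accepted password for bob from 10.0.5.40 port 51100 ssh2
"""

# Pattern for the assumed line format above.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

GENESIS = "0" * 64  # anchor hash for the first entry in a chain


def parse_auth_line(line: str) -> Optional[Dict]:
    """Turn one sshd line into a structured record; None if it does not match."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["port"] = int(rec["port"])
    return rec


def _entry_hash(prev_hash: str, record: Dict) -> str:
    """SHA-256 over the previous entry's hash plus a canonical JSON form of the record."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + canon).hexdigest()


class AuditChain:
    """Append-only list where each entry commits to its predecessor's hash."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def append(self, record: Dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = _entry_hash(prev, record)
        self.entries.append({"prev": prev, "record": record, "hash": h})
        return h

    def verify(self) -> int:
        """Return the index of the first entry that breaks the chain, or -1 if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or _entry_hash(prev, e["record"]) != e["hash"]:
                return i
            prev = e["hash"]
        return -1


def ingest(text: str) -> AuditChain:
    """Create: parse every matching line and append it to a fresh chain."""
    chain = AuditChain()
    for line in text.splitlines():
        rec = parse_auth_line(line)
        if rec is not None:
            chain.append(rec)
    return chain


def failed_logins_by_source(chain: AuditChain) -> Dict[str, int]:
    """Organize: count failed attempts per source address."""
    counts: Dict[str, int] = {}
    for e in chain.entries:
        r = e["record"]
        if r["result"] == "Failed":
            counts[r["src"]] = counts.get(r["src"], 0) + 1
    return counts


if __name__ == "__main__":
    chain = ingest(SAMPLE_LOG)
    print("intact:", chain.verify() == -1, failed_logins_by_source(chain))
    del chain.entries[2]  # simulate an intruder removing one failed-login record
    print("first bad entry after deletion:", chain.verify())
```

The chain only proves tampering if the latest hash is held somewhere the host's administrator cannot rewrite, for instance recorded by the SIEM as each batch is shipped; a chain stored only beside the log it protects can be rebuilt by whoever edits the log. Retention is then a matter of keeping the shipped copy for as long as the system security plan says.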
As companies start to analyze the impact and cost of complying with NIST SP 800-171, they should understand that, while there are 110 requirements, most companies that have been operating for any length of time will already meet roughly half of them, since much of the standard is basic IT hygiene. The path to compliance is not that rigorous: a thorough review of the requirements, a plan to close the gaps, and strategies to meet the handful of new technical requirements.