Due to the multitude of breaches where defense information has been compromised, the Department of Defense (DOD) has been working to impose additional requirements on defense contractors that process, store, or transmit sensitive information in support of the DOD and its mission. It has taken specific measures to help shore up the defense industrial base (DIB) which consists of the hundreds of thousands of contracting firms that ultimately supply the DOD with its capabilities to defend, or support the defense of, our nation.
What Does DFARS Stand For and What Are DFARS Requirements?
DFARS stands for Defense Federal Acquisition Regulation Supplement. It is a supplement to the Federal Acquisition Regulation (FAR), the primary document governing the acquisition of supplies and services by federal agencies when using appropriated funds. The DFARS supplements the FAR for the DOD and contains acquisition law, policies, regulations, and DOD-specific deviations from the FAR. It defines requirements that must be followed by the DOD and those supporting the DOD. While there are a number of DFARS clauses, one clause, 252.204-7012, is directly related to cybersecurity and the protection of sensitive DOD-related information, called covered defense information, or CDI.
DFARS clause 252.204-7012 (Revised Oct. 21, 2016), Safeguarding Covered Defense Information and Cyber Incident Reporting, defines CDI as “unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is:
- Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
- Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.”
Essentially, CUI has direct military or space application and consists of items such as engineering data and drawings, technical reports, specifications, source and executable code, etc. See the CUI Registry category list. This is data that is sensitive but not to the point where it becomes classified.
Who Has to be DFARS Compliant & What are the DFARS Regulations?
All defense contractors and subcontractors, regardless of size, that process, store, or transmit covered defense information must be compliant with DFARS 252.204-7012. While there are several elements with which contractors must comply, two are dominant: demonstrating “adequate security” and cyber incident reporting.
Adequate Security (through compliance with NIST 800-171): As defined in the DFARS, adequate security includes “protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.” To help provide more context of what adequate security is regarding the protection of covered defense information, the Government stated that contractor information systems that process, store, or transmit CDI shall implement security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” The specific use of the word “shall” makes compliance with NIST 800-171 a requirement. Essentially, the government is stating that “adequate security” is compliance with NIST 800-171. See below for additional items to be aware of regarding compliance with NIST 800-171.
Cyber Incident Reporting: DFARS 252.204-7012 defines a cyber incident as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.” If contractors experience a cyber incident that impacts CDI, then they must do the following:
- Perform analysis and gather evidence to determine if specific CDI was compromised on contractor computers or servers.
- Rapidly report (within 72 hours) the discovery of the cyber incident. A medium-assurance certificate will be required to report the incident.
- Preserve and protect OS images and other forensic evidence (e.g. packet captures, logs, etc.) for 90 days.
What these requirements essentially mean for contractors is that they must have an incident management plan and procedures in place (and tested).
What is Important to Know About NIST 800-171?
For those who work within government cyber and information security circles, compliance with security controls is nothing new – NIST SP 800-53 has been out for a long time, and revision 5 is in the final public draft. The security controls defined in NIST 800-171 were derived from the Federal Information Processing Standard (FIPS) Publication 200 control families and the NIST SP 800-53 moderate security control baseline, and they are more straightforward in their wording. The SP 800-171 controls are oriented toward protecting the confidentiality of CDI, but integrity and availability should not be ignored, as they are key tenets of an information security program.
While NIST 800-171 represents just a subset of the requirements defined in NIST 800-53, compliance with NIST 800-171 is still a very significant task, especially for small and medium-sized government contractors. NIST 800-171 defines 110 security requirements across 14 control families. Below are some of the requirements that government contractors should take specific note of as compliance with these is more involved (either technically, process-wise, or both):
Audit and Accountability (3.3.5 and 3.3.6): Auditing is a very important control area for the government. Through audit events, the story of the who, what, when, and where of activities on an information system is told. Without the audit logs documenting the events occurring on the information system, the contractor (and the government) is essentially left blind in trying to reconstruct events that occurred on the system in support of an investigation. Requirement 3.3.5 specifies the correlation of the audit review, analysis, and reporting processes, and 3.3.6 defines the need for audit reduction and report generation in support of on-demand analysis and reporting.
This is much more than the typical approach of just configuring the components of the information system to generate Syslog events and send them to a centralized Syslog server. Contractors must be familiar with the content of the audit records through the review and analysis process. Specific events of interest must be identified, pulled from the general collection of audit information (reduced), and reported on (to support “on-demand analysis”). There are many technical approaches to satisfy these requirements, but contractors should not underestimate the time it takes to understand the auditing capabilities of the systems, configure the systems appropriately, and develop a baseline – all before a technical implementation can be put in place.
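The reduction and correlation step described above, as an added example that is not part of the original post: it assumes OpenSSH-style sshd messages collected centrally, keeps only authentication records, and correlates them per host, user and source so that only the events of interest reach the report. The log lines are constructed.

```python
# Audit reduction and correlation over constructed sshd auth log lines
# (added example, not from the original post).
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a centralized collection; most of it is routine noise.
SAMPLE_LOG = """\
2020-11-03T09:00:01Z host1 sshd[2011]: Accepted publickey for alice from 10.0.0.5 port 50120 ssh2
2020-11-03T09:00:05Z host1 CRON[2020]: pam_unix(cron:session): session opened for user root
2020-11-03T09:01:10Z host2 sshd[3101]: Failed password for bob from 203.0.113.9 port 40001 ssh2
2020-11-03T09:01:14Z host2 sshd[3102]: Failed password for bob from 203.0.113.9 port 40002 ssh2
2020-11-03T09:01:19Z host2 sshd[3103]: Failed password for bob from 203.0.113.9 port 40003 ssh2
2020-11-03T09:02:30Z host2 sshd[3104]: Accepted password for bob from 203.0.113.9 port 40004 ssh2
2020-11-03T09:40:00Z host1 sshd[2099]: Failed password for carol from 10.0.0.7 port 51000 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse(log_text):
    """Keep only authentication records; everything else is reduced away."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["host"], m["user"], m["src"], m["result"]))
    return events

def events_of_interest(events, threshold=3, window=timedelta(minutes=5)):
    """Correlate per (host, user, source): a burst of `threshold` failures
    inside `window`, and any success after such a burst, get reported."""
    by_key = defaultdict(list)
    for ev in sorted(events):
        by_key[(ev[1], ev[2], ev[3])].append(ev)
    findings = []
    for (host, user, src), evs in by_key.items():
        fails = [e[0] for e in evs if e[4] == "Failed"]
        if any(fails[i + threshold - 1] - fails[i] <= window
               for i in range(len(fails) - threshold + 1)):
            findings.append(f"{host}: {threshold}+ failed logins for {user} from {src} within {window}")
            if any(e[4] == "Accepted" and e[0] > fails[0] for e in evs):
                findings.append(f"{host}: successful login for {user} from {src} after the failure burst")
    return findings

if __name__ == "__main__":
    print("\n".join(events_of_interest(parse(SAMPLE_LOG))))
```

Of the seven collected lines, only the two findings about bob on host2 survive reduction; the lone failure for carol stays in the general collection for later review.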
Identification and Authentication (3.5.3): This is the requirement for multifactor authentication (MFA) for local and network access. There are a wide variety of MFA solutions available, and the good thing is that a federal Personal Identity Verification (PIV) or DOD Common Access Card (CAC) is not required. MFA should be an architected solution that integrates well into the system that transmits, processes, and stores CDI. Users are already frustrated with passwords and the complex rules to which they must comply. Adding another layer to authentication, albeit a very important one in my opinion, can add to user frustration if it is not implemented in a manner that is low impact on users.
Incident Response (3.6.1): The requirement is for an “operational” incident handling capability – operational being the operative word – meaning that the incident handling capability is functional and covers all phases of the incident handling process (preparation, identification, containment, eradication, recovery, and lessons learned). Incident handling is not a program that is just supported by a shelf-ware plan and procedures. Incident handling is a specialized area within cybersecurity and requires specific understanding and technical skills.
It also involves a team of people from management down to the individuals with the technical skills to perform forensics, eradicate the problem, and recover the system. The plan must be regularly exercised (ideally quarterly), as people and technology frequently change in an organization. The exercises don’t have to be large, time-consuming events, but at some point in the year all members of the incident handling team need to participate in an exercise.
Security Assessment (3.12.1 and 3.12.3): These requirements are to “periodically assess” and “monitor…on an ongoing basis” the security controls in the system to ensure they continue to operate effectively. In short, implement a continuous monitoring program. Like incident handling, continuous monitoring requires active participation by organizational staff, including system and security administrators. SP 800-171 is not prescriptive on what controls have to be monitored and the frequency of monitoring, but controls that address the high-risk areas in the system should be monitored on a regular basis (e.g. at least monthly).
One example is maintaining the security configurations for components of the information system (see 3.4.2). It is imperative that security configurations (e.g. system hardening) be constantly and consistently maintained. This is also a good control to automate. Automate as much of the continuous monitoring program as possible. To understand more regarding continuous monitoring, refer to NIST SP 800-137, “Information System Continuous Monitoring for Federal Information Systems and Organizations.”
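One way to automate the configuration-maintenance check described above, as an added example that is not part of the original post: a hardened baseline is compared against a snapshot of a deployed sshd_config-style file and every deviation is reported. The baseline values and the deployed file are constructed for illustration.

```python
# Automated security-configuration drift check for continuous monitoring
# (added example, not from the original post). Assumes an sshd_config-style
# "Key value" file; the baseline and the deployed file below are constructed.

# Constructed hardening baseline: setting -> required value.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",
}

# Constructed snapshot of the file as currently deployed on one host.
CURRENT_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 6
LogLevel VERBOSE
"""

def parse_config(text):
    """Return the effective setting -> value map. sshd uses the first
    occurrence of a keyword, so later duplicates are ignored here too."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key, value.strip())
    return settings

def check_drift(current, baseline):
    """Return (setting, expected, actual) for every baseline item that is
    absent or differs; absent settings are reported with actual=None because
    a compiled-in default is not evidence that the hardened value applies."""
    drift = []
    for key, expected in baseline.items():
        actual = current.get(key)
        if actual is None or actual.lower() != expected.lower():
            drift.append((key, expected, actual))
    return drift

if __name__ == "__main__":
    for key, expected, actual in check_drift(parse_config(CURRENT_CONFIG), BASELINE):
        print(f"DRIFT {key}: expected {expected!r}, found {actual!r}")
```

Run on a schedule against each component's configuration, a non-empty drift list is the trigger for the monthly (or more frequent) review the text calls for.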
What Does DFARS Compliant Mean?
There are several aspects to consider with regard to being DFARS compliant. The primary element to consider is whether or not your organization satisfies the 110 controls defined in NIST 800-171 Appendix D. There are also the often forgotten non-federal organization (NFO) controls that are in NIST 800-171 Appendix E. These are 63 additional controls that NIST 800-171 states are “expected to be routinely satisfied by non-federal organizations without specification.” Essentially, these are controls that should be part of a comprehensive security program. The controls in Appendix E are often overlooked by federal contractors but must be implemented to be considered compliant. Federal contractors must also have a robust incident response program in place in order to meet the cyber reporting requirements should a breach occur.
What is the Impact if an Organization is not DFARS Compliant (or NIST 800-171 compliant)?
Put simply, a government contractor that is not compliant with DFARS 252.204-7012 is at risk of losing business with the government. In response to comments on the DFARS rule, the government stated, “the rule does not preclude a requiring activity from specifically stating in the solicitation that compliance with the NIST SP 800-171 will be used as an evaluation factor in the source selection process” (Federal Register, Volume 81, Number 204, October 21, 2016).
It will be up to the government, though, to decide how compliance will be measured with regard to the specific solicitation. The government also stated, “by signing the contract, the contractor agrees to comply with the contract’s terms.” It is in the best interest of government contractors to be compliant with NIST 800-171 requirements and to be able to demonstrate that compliance. It has been over two years since compliance with DFARS 252.204-7012 became a required standard for federal contractors. One of the main problems, though, is that federal contractors provided a self-attestation regarding their compliance. Without a third-party assessment, it is difficult to know whether organizations actually comply with all the controls outlined in NIST 800-171. Because the DOD has significant concerns over the compliance of federal contractors with the controls in NIST 800-171, the Cybersecurity Maturity Model Certification (CMMC) was created.
What is the CMMC?
The CMMC is essentially the DOD’s approach to auditing DIB contractors to ensure compliance with cybersecurity practices. It is a tiered approach (Levels 1-5) with a specified set of controls at each level. The levels build on each other and increase in the required number of controls as noted below:
- Level 1 – 17 controls
- Level 2 – 72 controls (includes the Level 1 controls)
- Level 3 – 130 controls (includes the Level 2 controls)
- Level 4 – 156 controls (includes the Level 3 controls)
- Level 5 – 171 controls (includes the Level 4 controls)
Note that the NFO controls in NIST 800-171 Appendix E are still required to be NIST 800-171 compliant. Appendix E requirements, however, are not part of the CMMC control set. In a recent webcast, Katie Arrington, the Special Assistant to the Assistant Secretary of Defense for Acquisition, ASD(A), for Cyber, noted that the majority of contractors supporting the DOD will be assessed at Levels 1-3. Only a very small number (less than 1%) of contractors will be at Level 4 or Level 5.
CMMC assessments will start with a pilot program of a small number of assessors. This small number of select assessors will perform the first assessments and provide lessons learned back to the CMMC Accreditation Body (CMMC-AB) for the training courses for the larger population of assessors, called certified third-party assessment organizations (C3PAO). At this point, it is expected that training for CMMC assessors will begin sometime in Q1 2021. Until then, there are no authorized and accredited C3PAOs to provide CMMC assessments.
There are two primary elements of the DFARS clause for which contractors need to demonstrate compliance. The first is to demonstrate that “adequate security” is in place for the protection of systems that process, transmit, or store CDI. Adequate security essentially translates to compliance with NIST 800-171 (including the Appendix E NFO controls). The second is to ensure that there is an operational incident reporting capability in place that can support the reporting requirements of the clause. Since the DOD assessed a low rate of compliance under the self-attestation approach to NIST 800-171 (and essentially DFARS 252.204-7012), it is in the process of establishing the CMMC program, which will require a third-party assessment organization to perform an audit of compliance with the CMMC controls based upon the specified CMMC level.
If your organization is not familiar with NIST security controls, it can be challenging to interpret the controls and translate them into system implementations. Linford & Company has extensive experience with NIST and associated NIST compliance. If you are interested in learning more about NIST requirements and DFARS compliance or getting help to prepare for CMMC, please contact us.
Ray Dunham started his career as an Air Force Officer in 1996 in the field of Communications and Computer Systems. Following his time in the Air Force, Ray worked in the defense industry in areas of system architecture, system engineering, and primarily information security. Ray leads L&C’s FedRAMP practice but also supports SOC examinations and HITRUST assessments. Ray enjoys working with clients to secure their environments and provide guidance on information security principles and practices.