On January 27th, 2017 the DoD published the “Networking and Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-DO18) Frequently Asked Questions (FAQs) regarding the implementation of DFARS Subpart 204.73 and PGI Subpart 204.73, DFARS Subpart 239.76 and PGI Subpart 239.76.”
This is a mouthful. And you might ask, “Why should I care?” The answer: because you’re one of the thousands of Defense Industrial Base (DIB) contractors working to meet DoD cybersecurity requirements.
DFARS Case 2013-D018 acted as an update to DFARS 204.252-7012, the foundational clause for federal cyber requirements in the United States. In turn, PGI stands for “Procedures, Guidance, and Information” and was written to provide direction to members of the government’s acquisition community. PGI 204.73, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” lists this FAQ as a place to find information on how to implement the cybersecurity controls detailed in DFARS and other foundational documents.
Therefore, this FAQ provides a collection of comments of interest, specifically pertaining to the details of governing cyber regulations. It includes questions like, “What is the relationship between Controlled Unclassified Information (CUI), and Covered Defense Information (CDI)?” “Is information identified as FOUO considered CDI?” and “Must all cryptography used in covered information systems be FIPS validated?” These questions and many others, along with their responses, provide key insights into federal cyber requirements, as well as into the expectations for their implementation.
DCG has been highlighting discussions of interest detailed in the Networking and Penetration FAQ. Check out our fourth installment below, where we discuss questions surrounding incident response.
________________________________________________________________________________
Q19: What are the consequences for non-compliance? The system security plan allows organizations to extend the deadline for full compliance by building a plan of action to address planned implementation of security requirements. Will there be follow-on reviews of these plans and monitoring of a company’s efforts to achieve full compliance?
In short, these represent risks worth considering for all DIB companies.
A19: As noted in Chapter 3 of NIST SP 800-171, Revision 1, [now revision 2 and shortly to be revision 3] the system security plan and associated plans of action demonstrate the nonfederal organization’s implementation or planned implementation of the security requirements. The system security plan and plans of action may also be considered by the requiring activity in an overall risk management decision to determine whether it is advisable to pursue a contract with the contractor, or to determine what other actions can be taken to achieve an acceptable level of risk.
This outlines where Plans of Action and Milestones, more commonly referred to as POAMs fit under the current regulatory guidance. They are allowed but are intended to be used within limits, those limits including some limit on the timeline for implementation. Under the forthcoming CMMC regulation, the DoD is becoming more specific limiting both what controls can be on a POAM (only about 1/3 of the total) and how long a company can take to be fully implemented (a maximum of six months).
“Oversight to verify compliance can be specified on a case-by-case basis depending on the risk involved in a contract in accordance with the quality assurance surveillance plan that is in place.”
Again under the forthcoming CMMC regulation independent third-party assessments will be required for many (but not all) contractors as a standard mechanism for verification.
“Depending on the contract terms and factual circumstances, and on a contract-by-contract basis, the Government may consider the following actions in the event a contractor fails to comply with contract terms and conditions:
- Contractual
Withhold payment for non-compliant contract performance
Disapprove business system/contractor purchasing system
Decline to issue future orders on contract
Decline to exercise future contract options
Document negative past performance rating
Issue a stop work order
Issue a cure notice
Issue a show cause notice
Consider contract termination proceedings
Find the contractor non-responsive
Issue the contractor a Corrective Action Request (CAR)
- Administrative/Judicial
Suspension and Debarment proceedings
Pursuit of civil claims/penalties
Pursuit of criminal prosecution/penalties”
This is a significant list. Further to this guidance in the FAQ, the DoD specifically outlined some additional specifics in the Memo “Contractual Remedies to Ensure Contractor Compliance with Defense Federal Acquisition Regulation Supplement Clause 252.204-7012, for contracts and orders not subject to Clause 252.204-7020; and Additional Considerations Regarding National Institute of Standards and Technology Special Publication 800-171 Department of Defense Assessments”