FAR, DFAR, and NIST 800-171: The Complexities of Compliance
The Short Answer
For anyone who wants to skip to the end, here it is. In order to be DoD cybersecurity compliant today, you should have NIST 800-171’s 110 security controls implemented. In order to demonstrate your implementation of these controls you must have:
A Controlled Unclassified Information (CUI) Systems Security Plan (SSP) to cover the security controls required in 800-171
A CUI Plan of Action and Milestones (POAM) to address any places where you are “progressing toward compliance”
If you are a CEO, COO, Contracting Officer, etc. at a firm that does DoD contracting, particularly prime contracting, ask to see your SSP and your POAM. If you don’t have them, then you’re not compliant with the Defense Federal Acquisition Regulation (DFAR). Full stop. You have red on your spreadsheet that represents a real increased risk. Important safety tip: the DoD could audit your SSP at any time and will mandate audits every three years starting this fall.
How do I know if any of this CUI stuff applies to me?
Do you receive information from the government that is not for public release? If your answer is yes, and most contractors do at some point, then you must have a CUI SSP and POAM. Even if this specific clause is not in your contract, you can be held accountable under other provisions. Do you get “UNCLAS//FOUO” slides or docs? CUI applies to you. Do you have work papers containing government information that is not for posting to the web? CUI applies to you. Do you handle other government information not for public release? All of that falls under the general heading of CUI.
So, what are we really required to do today?
There are three written, valid, enforceable requirements for cybersecurity: a Federal Acquisition Regulation (FAR) clause which applies to all Federal contracts, and two Defense Federal Acquisition Regulation (DFAR) clauses.
FAR 48 CFR § 52.204-21 - Basic Safeguarding of Covered Contractor Information Systems
DFAR 252.204-7008 Compliance with Safeguarding Covered Defense Information Controls
DFAR 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
All three clauses are related to government-provided information that broadly falls under the heading of Controlled Unclassified Information (CUI). Related terms include “Federal Contract Information (FCI),” “Controlled Technical Information (CTI),” and “Covered Defense Information (CDI).” As government regulations have matured, CUI has become the consensus general term, as embodied in 32 CFR part 2002, Controlled Unclassified Information, dated November 14, 2016. It defines CUI as follows: “All unclassified information throughout the executive branch that requires any safeguarding or dissemination control is CUI.” In general, I recommend CUI as the catch-all for all of these categories.
The FAR Clause
The 48 CFR clause is fairly generic and straightforward. In order to protect federal information, it requires a contractor to have in place 15 specific security controls, summarized as:
1. Limit access to authorized users.
2. Limit the types of transactions and functions.
3. Control/limit connections to external information systems.
4. Control information posted publicly.
5. Identify users, and processes acting on behalf of users.
6. Authenticate the identities of users.
7. Don’t toss government information in the trash.
8. Limit physical access.
9. Escort visitors and keep a log.
10. Have a firewall on your network.
11. Have a DMZ[i] on your network for public-facing websites etc.
12. Fix your IT infrastructure in a timely manner.
13. Have anti-virus.
14. Update your anti-virus.
15. Do vulnerability scanning and scan files as they are downloaded/executed.[ii]
This is in keeping with what you see in typical IT enterprises today. With the possible exception of vulnerability scanning, I haven’t seen a business of any size that does not follow these guidelines. Perhaps there are some, and for a new-start or very small business with no network there may be additional steps to reach compliance, but these represent items that are either critical for your continued operation (having a firewall) or easy to implement (keeping a physical access log). Realize that this is the basic list of requirements; if you are not doing these things, then you have some significant work ahead to become compliant with DoD contracting regulations.
The DFAR Clauses
The DFAR clauses now add some significant substance to these requirements by pulling in a NIST publication. The core piece of the DFAR language is this: “the covered contractor information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.”
Put simply, 7012 says that any information a contractor receives with some type of control or restriction (e.g. not for posting to the internet) falls under the banner of CUI. IT systems holding information under the banner of CUI must meet the requirements of NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. All DoD contractors who receive any kind of CUI should have been compliant as of December 31, 2017. This compliance date is specified in the regulation.
So, we are good, right? Everyone, or nearly everyone, will have complied over two years ago by now, and every DoD contractor self-attests, according to DoD regulation, that they are compliant when they accept a contract with the clause. There is only one small problem. The vast majority of DoD contractors are not compliant, and many are not close. Those 110 security controls are no paperwork drill. They have heavy-lift components (this is easily translated by any MBA graduate as “costs money” that “applies to overhead”). When the DoD’s mantra on many contracts is “lowest price technically acceptable,” additional overhead to be fully cyber compliant has often been disincentivized, to say the least.
NIST 800-171: The Good, The Bad, and The Ugly
The good in 800-171 is that its list of security controls is a solid list of controls we all should be taking in order to put a halt to the high level of industrial espionage which has characterized the internet age. General Alexander, as the Director of the National Security Agency, told Congress that it was “The greatest transfer of wealth in history” in 2012.[iii] This is important not just for us as a nation but for each individual company as well.
The bad in 800-171 is that there are 110 security controls, so it takes work to be truly compliant. So far, audits have been non-existent or limited. Even when they are conducted, audits have often been undertaken by contracting and government regulation specialists, who often could not tell a firewall from antivirus software. This is changing quickly. DCMA has added Cyber to its list of fundamental responsibilities; Defense Acquisition University is teaching security as the fourth pillar of contracting along with cost, schedule, and performance; and DCMA has built a new audit organization, the Defense Industrial Base (DIB) Cybersecurity Assessment Center, whose sole purpose is to audit cyber across the DIB. The message is clear: DoD has taken notice of CUI gaps in compliance, and enforced accountability for these standards is coming.
The ugly in 800-171 is that it was not originally designed to cover the security controls for an enterprise. In several instances when you really dig in, the way it is structured would fit an individual system much better than an enterprise-level architecture. It is what it is, though, and we must hammer the square peg into the round hole as required.
So, what is all this about CMMC?
DoD has recognized the inherent shortfalls of 171 and elected to create a new framework for measuring cyber compliance: the Cybersecurity Maturity Model Certification (CMMC). CMMC has all of the 171 requirements plus many more. However, it does allow for 5 levels of certification, in contrast to the current all-or-nothing format of DFAR and 171. DoD has made it clear that CMMC is coming quickly (see my earlier post), but for today the regulatory requirement is slightly different, and, more importantly, it doesn’t look like the current requirements are going away any time soon. All DIB companies should be reviewing and actively updating their cybersecurity controls. These are actions that cannot be taken at the last minute with a weekend paperwork drill before the inspector arrives. Increasingly, the DoD auditors and the independent third-party auditors who will be core to CMMC will have the expertise to ask hard questions and understand the answers. Be ready.
[i] The term DMZ, or Demilitarized Zone, comes from international relations, but in this case it means a physical or logical subnet that separates an internal local area network (LAN) from other untrusted networks -- usually the public internet.
[ii] Note that all of these are somewhat condensed and simplified; for the full text, see the earlier FAR link.