Micro Blog - DoD Guidance on Control Flexibility
On January 27th, 2017 the DoD published the “Networking and Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018) Frequently Asked Questions (FAQs) regarding the implementation of DFARS Subpart 204.73 and PGI Subpart 204.73, DFARS Subpart 239.76 and PGI Subpart 239.76.”
This is a mouthful. And you might ask, “Why should I care?” The answer: because you’re one of the thousands of Defense Industrial Base (DIB) contractors working to meet DoD cybersecurity requirements.
DFARS Case 2013-D018 acted as an update to DFARS 252.204-7012, the foundational clause for federal cyber requirements in the United States. PGI, in turn, stands for “Procedures, Guidance, and Information” and was written to provide direction to members of the government’s acquisition community. PGI 204.73, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” lists this FAQ as a place to find information on how to implement the cybersecurity controls detailed in DFARS and other foundational documents.
Therefore, this FAQ provides a collection of comments of interest, specifically pertaining to the details of governing cyber regulations. It includes questions like, “What is the relationship between Controlled Unclassified Information (CUI), and Covered Defense Information (CDI)?” “Is information identified as FOUO considered CDI?” and “Must all cryptography used in covered information systems be FIPS validated?” These questions and many others, along with their responses, provide key insights into federal cyber requirements, as well as into the expectations for their implementation.
This month, DCG has been highlighting discussions of interest detailed in the Networking and Penetration FAQ. Check out our second installment below, where we discuss contractor flexibility in control application.
Q18: What if the contractor thinks a required security control is not applicable, or that an alternative control or protective measure will achieve equivalent protection?
A18: "The rule allows for the contractor to identify situations in which a required control might not be necessary or for an alternative to a required control. In such cases, the contractor should provide a written explanation in their proposal describing the reasons why a control is not required or adequate security is provided by an alternative control and protective measure. The contracting officer will refer the proposed variance to the DoD CIO for resolution. The DoD Chief Information Officer (CIO) is responsible for ensuring consistent adjudication of proposed non-applicable or alternative security measures. When CDI is used in performance of a subcontract, the requirement is for the subcontractor to request the contracting officer to seek CIO adjudication on variances from NIST SP 800-171 requirements."
It is important to remember that in most instances marking a control “Not Applicable” requires the permission of the DoD CIO’s office; this is specified in the regulation. The DoD CIO has published additional information on NA determinations, but it is best to avoid them where possible, or to ask for permission. Receiving authorization for an NA can be challenging. If a control is truly not applicable, DCG advises that you mark it as Met and explain how, if the circumstance were to arise, you would address it by policy in a compliant manner.
What if a DoD contractor wants to put in place an “alternative but equally effective” control? In many compliance standards, this is an allowable approach.
In short, don’t do that. As a former senior contracting officer put it at a recent conference, they would expect only the super-major defense firms to be able to seek and receive permission for such a “variance.” For most normal contracting companies, as they would say in The Sopranos, “Fuggedaboudit!”
Q19: "What is the process used by the DoD CIO to adjudicate alternative/non-applicable controls?"
A19: "DFARS provision 252.204-7008 provides a process for the contractor to identify situations in which a security requirement from NIST SP 800-171 might not be necessary, or the contractor proposes an alternative to a security requirement from NIST SP 800-171. In such cases, the contractor must provide a written explanation in their proposal describing the reasons why a security requirement is not applicable, or how alternative, but equally effective, security measures can compensate for the inability to satisfy a particular requirement. The contracting officer will refer the proposed variance to the DoD CIO for adjudication. The DoD CIO is responsible for ensuring consistent adjudication of proposed non-applicable or alternative security measures. If the DoD CIO needs additional information, a request is made to the contracting officer. The resultant DoD CIO adjudication is provided to the contracting officer, who in turn advises the contractor of the decision. The timeframe for response by the DoD CIO is typically within five business days."
The majority of this posting was extracted from the DoD FAQ regarding regulations on contractor cybersecurity, which is posted here, and linked directly out of DFARS/PGI as clarifying information on the regulations.