On January 27th, 2017 the DoD published the “Networking and Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018) Frequently Asked Questions (FAQs) regarding the implementation of DFARS Subpart 204.73 and PGI Subpart 204.73, DFARS Subpart 239.76 and PGI Subpart 239.76.”
This is a mouthful. And you might ask, “Why should I care?” The answer: because you’re one of the thousands of Defense Industrial Base (DIB) contractors working to meet DoD cybersecurity requirements.
DFARS Case 2013-D018 acted as an update to DFARS 252.204-7012, the foundational clause for federal cyber requirements in the United States. In turn, PGI stands for “Procedures, Guidance, and Information” and was written to provide direction to members of the government’s acquisition community. PGI 204.73, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” lists this FAQ as a place to find information on how to implement the cybersecurity controls detailed in DFARS and other foundational documents.
Therefore, this FAQ provides a collection of comments of interest, specifically pertaining to the details of governing cyber regulations. It includes questions such as “What is the relationship between Controlled Unclassified Information (CUI) and Covered Defense Information (CDI)?”, “Is information identified as FOUO considered CDI?” and “Must all cryptography used in covered information systems be FIPS validated?” These questions and many others, along with their responses, provide key insights into federal cyber requirements, as well as into the expectations for their implementation.
DCG has been highlighting discussions of interest detailed in the Networking and Penetration FAQ. Check out our fourth installment below, where we discuss questions surrounding incident response.
_________________________________________________________________________
Q18: What if the contractor thinks a required security control is not applicable, or that an alternative control or protective measure will achieve equivalent protection?
A18: The rule allows for the contractor to identify situations in which a required control might not be necessary or for an alternative to a required control. In such cases, the contractor should provide a written explanation in their proposal describing the reasons why a control is not required or adequate security is provided by an alternative control and protective measure. The contracting officer will refer the proposed variance to the DoD CIO for resolution. The DoD Chief Information Officer (CIO) is responsible for ensuring consistent adjudication of proposed non-applicable or alternative security measures. When CDI is used in performance of a subcontract, the requirement is for the subcontractor to request the contracting officer to seek CIO adjudication on variances from NIST SP 800-171 requirements.
In practice, it is rarely worthwhile to engage the formal approval process required to mark a control N/A. Instead, we recommend drafting a thorough, hypothetical plan for addressing the control (or the domain or other potential condition) in question. Should that condition present itself in your system in the future, you have a concrete plan to integrate it, and therefore the control can reasonably be marked as “met” instead of N/A.
In addition, 7012 states, “The Contractor shall submit requests to vary from NIST SP 800-171 in writing to the Contracting Officer, for consideration by the DoD CIO.” However, contracting officers are rarely well-versed in this process and are likely to insist on specific compliance mechanisms over others. Our advice is to never ask for a variance. Submit your proposed control structure, including alternative controls and/or protective measures, and express your understanding that the current system architecture meets the requirement(s) in question. Then ask them to confirm your compliance. This mitigates the risk of a compulsory rejection from the CIO’s office.