NIST & DFARS Regulations for Defense Contractors
Author: Domenic Gargano, Chief Operating Officer, McLaughlin Research Corporation
When 2017 comes to an end, new regulations will be implemented to protect government information that is used by nonfederal organizations. Defense contractors and sub-contractors must demonstrate that they have taken measures to safeguard the information they are entrusted with, or risk losing government work.
In 2013, the Department of Defense (DoD) published Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 (Full Text) which requires nonfederal entities to protect Controlled Unclassified Information (CUI) on their systems. This includes all types of information, ranging from engineering drawings to source code. While not as stringent as the government’s classified systems security controls (NIST SP 800-53), the new regulations are thorough, which may present challenges for some businesses.
The rule mandates that by December 31, 2017, contractors implement information security measures, as outlined by the National Institute of Standards and Technology (NIST) in Special Publication 800-171 (Full Text). Spanning 14 families, NIST SP 800-171 covers 110 security requirements related to cyber risk, network auditing, policies and procedures, and implementation of best practices.
| NIST SP 800-171 Security Requirements Families | |
| --- | --- |
| Access Control | Media Protection |
| Awareness & Training | Personnel Security |
| Audit & Accountability | Physical Protection |
| Configuration Management | Risk Assessment |
| Identification & Authentication | Security Assessment |
| Incident Response | System & Communication Protection |
| Maintenance | System & Information Integrity |
These regulations are not limited to prime contractors. Sub-contractors and vendors throughout the supply chain must also comply with the new cybersecurity standards. While any organization entrusted with CUI must be in compliance, the prime contractor may be ultimately responsible for maintaining downstream security.
At this stage, compliance is conducted on a self-reporting basis. This means that if a contractor determines it is not complying with NIST SP 800-171 guidelines, they must notify their Government Contracting Officer (or prime contractor, if acting as a sub-contractor) within 30 days. They must also present a remediation plan. Likewise, if a contractor experiences a cyber incident, they must provide notification within 72 hours. A statement that outlines what will be done to mitigate risk and prevent the incident from occurring again is also expected. Furthermore, if the government wants to review reported incidents, contractors must have an auditing system in place to quickly determine what led to the incident.
So, when will these regulations kick in? They already have! The government has started invoking DFARS and FAR clauses through modifications to existing contracts. To retain these projects, prime contractors must comply with the new regulations. Of course, the solicitation process on new bids now requires contractors to meet NIST SP 800-171 guidelines.
Though not every contractor may be audited, noncompliance is risky. If a contractor ever has a breach and cannot respond appropriately, current and future work is suddenly jeopardized. The DoD could view noncompliance as defaulting on (and justification for terminating) a contract. The risk of not complying with NIST guidelines is pretty clear: Contractors risk losing government business.
Depending on an organization’s level of IT and cybersecurity expertise, it may take several months to over a year to align systems, policies, and procedures with NIST guidelines. Some companies may take a DIY approach to compliance, while others may utilize tools and software or lean heavily on consultants. Research and choose the approach that meets your needs and budget, but choose quickly. The NIST compliance deadline is coming December 31, which is right around the corner!