Our team attended the DOD DFARS Industry Day held on 23 June 2017 in the Washington DC area. Industry Day auditorium was full and we had a chance to reconnect with many of our professional colleagues from many parts of the DoD Contracting community. During Industry Day, it was apparent there were many questions from us, from our clients and from our fellow industry professionals. It was also apparent that Industry as a whole has a lot to do to meet the deadline.
BOTTOM LINE UP FRONT:
DFARS 252.204-7012 and CUI NIST SP800-171 Compliance?
Yes. Do it. No extensions or excuses.
If DoD contractors are non-compliant at the end of 2017, there is a real risk of having to stop work.
DoD knows there are challenges, particularly amongst small-to-midsize companies who seem disproportionately impacted by the security controls due to the limited time, staff and resources. Most companies are tasking their Facility Security Officers and/or IT staff with compliance duties on top of their other already busy days. Our colleagues expressed dismay at the unplanned and unexpected high costs of compliance not just in this budget year, but in their added lifecycle costs.
DoD is unwavering in their commitment to getting government contractors to secure industry systems that handle Controlled Unclassified Information (that includes Controlled Defense Information (CDI)).
Below are a few of the highlights we picked up from the meeting.
The objective of the DFARS CUI program is to reduce and protect the attack surface. The DoD is NOT changing any provisions of the regulations that have been published.
DoD has four (4) primary area of focus:
- Strong Authentication – this includes multi-factor authentication
- Harden Devices – includes:
- Configuration Management
- Patch Management
- Reduce Attack Surface – limit internet connections and establish trusted internet connections
- Defend Every Computer – implementing the same defenses as the DoD
Leadership Involvement is Key.
Compliance task passed to staff does NOT equal task completed. DoD expects senior executives in companies to understand the cyber threats and get behind US Government efforts to secure their environment. The DoD Office of the Chief Information Officer (OCIO) is overseeing the DoD DIB Cybersecurity Strategy https://www.defense.gov/Portals/1/features/2015/0415_cyberstrategy/Final_2015_DoD_CYBER_STRATEGY_for_web.pdf
ALL encryption implemented must have FIPS 140-2 validation. “Equal to” or “better than” encryption was not acceptable.
The relevant section of the DFARS is 252.204.7012 for contractors’ use of cloud services. 252.204.7010 relates to cloud services provided for DoD’s use. http://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012
- The contractor’s cloud service must meet FedRAMP, Moderate controls.
- Cyber incidents must be reported to comply with CUI. It was noted that the cloud service provider (CSP) may not be aware of all cyber incidents, depending on the configuration, administration, and service level agreement.
- Access requirements, defined in sections c – g may not apply in all circumstances (i.e., wherein CSP is used for email or other infrastructure)
Implementation Process and Procedures
There were a number of questions on attestation and/or certifying requirements for compliance. Here is the bottom line:
- DoD will NOT monitor compliance
- DoD will NOT certify compliance
- DoD will NOT recognize 3rd party assessments
However, remember by signing the contract that requires CUI compliance, the contractor is making an attestation that they are compliant ( i.e. agreeing that the contract has been/will be executed in his or her presence according to the formalities required by law). Compliance may be:
- Full implementation of the NIST SP800-171 controls
- Partial implementation of NIST SP800-171 controls with a Plan of Actions and Milestones (POAM) for full implementation. Remediation schedule must be in place.
- Partial implementation of NIST 800-171 with some alternatives for full compliance
If a contractor elects to implement and employ “alternative” controls, those alternatives must be equally effective. The DoD, OCIO will evaluate alternative controls and deficiencies for all DoD Services. The DoD goal is a 5-day adjudication of the sufficiency of the alternative control. If the alternatives are found not to be “equal” in compliance, or if the remediation plan is inadequate, the contractor puts their ability to work on the contract at risk.
How to Demonstrate Compliance?
The System Security Plan (SSP) and POAM are the tools to demonstrate compliance. However, government contract officers are NOT bound to accept a System Security Plan and POAM for implementing DFARS regulations as an alternative to timely compliance.
System Security Plan
The SSP should show controls that are:
- Not Applicable – with rationale
- Alternative, but equal – with rationale and appropriate artifacts
- Individual, isolated, or temporary deficiencies should be assessed for risk and mitigation applied
The SSP may be required as part of an RFP. If required it may be/act as one of the following:
- Used as an evaluating factor
- Used as pass/fail
Defense Contracting Management Agency (DCMA)
DCMA will oversee that the cybersecurity clauses are included in contracts. They will verify that SSPs are done.
A cyber incident is defined by a compromise. A compromise is when disclosure is made to an unauthorized person in violation of security policy. A cyber incident report should include (at a minimum):
- Evidence of compromise
- Information affected
- Determination if it requires operationally critical support in response
Cyber incident reports are made to DC3 at cibnet.dod.mil. DC3 analyzes the report and will forward reports to appropriate contracting officer(s). Follow-up action is determined by the Damage Assessment Management Office (DAMO). The requiring activity (DoD Program Manager) will notify company for follow-up acttion.
- DoD Cyber Crime Center (DC3) http://www.dc3.mil/
- DoD, OCIO web site http://dodcio.defense.gov/
- DoD Procurement and Acquisition web site http://www.acq.osd.mil/dpap/
- Executive Order 13800, Strengthening Cybersecurity of Federal Networks and Critical Infrastructure https://www.federalregister.gov/documents/2017/05/16/2017-10004/strengthening-the-cybersecurity-of-federal-networks-and-critical-infrastructure
- DoD Memo, Guidance on Implementation of CUI http://www.cdse.edu/documents/toolkits-cui/cui-implementation-memo-11-april-2017.pdf
- DoD Instruction, 5000.02, Enclosure 14 http://www.dtic.mil/whs/directives/corres/pdf/500002_dodi_2015.pdf
Read more about CUI Compliance from our other articles:
There was a lot here, and these are just the highlights. If you need assistance with understanding the DOD DFARS CUI mandate, assessing your status, or with reaching compliance – please contact us for an initial consultation. We are here to help you and have the team standing by to get you compliant quickly.
ZOFIA CONSULTING COMPLIANCE ADVISORY SERVICES
- Information Security Management System (ISMS)
- ISO 27001, NIST SP800-53, NIST SP800-171 Compliance
- Business Continuity Management System (BCMS)
- Federal Continuity Directives (FCD) 1 & 2
- Incident Reporting and Response
- CUI Strategy Development and Implementation
CONTROLLED UNCLASSIFIED INFORMATION (CUI) BROCHURE –>
This work by Zofia Consulting, LLC is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.