DFARS 252.204-7012 Cybersecurity for Federal Contractors: Now and the Future


Page 1: DFARS 252.204-7012 Cybersecurity for Federal Contractors ... · information provided by or for the DoD relating to a contract or collected, developed, received, transmitted, used,

DFARS 252.204-7012

Cybersecurity for Federal Contractors: Now and the Future

Page 2

We will cover…

Page 3

What is DFARS 252.204-7012?

◦ FAR (Federal Acquisition Regulation) – to be used by most agencies for procurement planning and contract formation and administration

◦ DFARS (Defense Federal Acquisition Regulation Supplement) – all of FAR ch. 2

◦ DFARS contains the first agency-specific regulation of non-classified, sensitive information, based on general controls published by the National Institute of Standards and Technology (NIST)

◦ That regulation is intended to provide “basic” controls for the safeguarding of contractor information systems that process, store, or transmit Federal information; the core provision is 252.204-7012

Page 4

Terms

◦ CUI: “Controlled Unclassified Information” as described in the CUI Registry* and administered by the National Archives and Records Administration (NARA)

◦ CDI: “Covered Defense Information”. DoD CDI is essentially the same as FAR CUI, except that CDI has contractual differences defined in the DoD contract

◦ Covered Defense Information System: an unclassified information system that is owned or operated by or for a contractor and that processes, stores, or transmits CDI

◦ CTI: “Controlled Technical Information”, a further-specified subset of CUI data

◦ COTS Software: “Commercial Off-The-Shelf Software”, excluded from classification as CUI and not subject to DFARS 252.204-7012

◦ UCTI: “Unclassified Controlled Technical Information”, the term used by the original DFARS

◦ Cyber Incident: actions taken that result in a compromise of, or an actual or potentially adverse effect on, a Covered Defense Information System and/or CDI

*http://www.archives.gov/cui/registry/category-list.html

Page 5

History of DFARS 252.204-7012

1. Rising concerns about unclassified (non-secret) but sensitive information being mishandled

2. Increasingly frequent and more sophisticated cyber attacks and intrusions

Page 6

Motivating Examples

1. 2001 – 2002: Hacker gained access to 97 U.S. military networks while looking for information on UFOs; conveniently left the message, “Your security is crap.”

2. 2003 – 2008: Mathematician in his 50s gained unfettered access to French aviation company Dassault and stole weapons data for five years before he was caught; cost the company $360 million.

3. Dec. 2014: Records on 21.5 million people stolen from the Office of Personnel Management (OPM); the intrusion relied on Chinese-created malware.

4. 2003 → ?: Titan Rain: coordinated cyber-attack by the Chinese military on defense contractors and agencies including DoD, British Defense Ministry, Lockheed, Sandia National Labs, Redstone Arsenal and NASA.

Page 7

Reaction

◦ Consensus developed that rules were needed for baseline security, incident reporting and remedial actions covering all information systems containing sensitive federal information

◦ The response has been:

  ◦ General: NIST Special Publication (SP) 800-171 rev. 1

  ◦ Specific: agency and departmental regulations or rules, some in line with NIST controls, such as DFARS

Page 8

Date Event

11/4/2010 Executive Order 13556 – Policy to Protect Controlled Unclassified Information; program to be run by NARA as executive agent to identify, manage and protect CUI; all agencies to contribute and comply

11/18/2013 DFARS Final Ruling implementing requirements for safeguarding CTI

8/26/2015 Interim Ruling for safeguarding CDI

12/30/2015 DoD extended the deadline for compliance with all NIST 800-171 controls to 12/31/2017

5/15/2016 FAR Cyber Ruling – applies a subset of 15 controls from NIST 800-171

9/14/2016 NARA Final CUI Ruling; 32 CFR 2002

10/21/2016 DFARS Final Ruling; COTS exemption; clarification of CDI (CUI Registry)

12/7/2017 In Senate testimony DoD Undersecretary Ellen Lord explained that a System Security Plan (“a simple plan”) by 2018 is compliance with the deadline

01/24/2018 NARA issued guidance for drafting agreements with non-executive branch entities involving CUI that will not be covered by the upcoming FAR

Page 9

DFARS Cyber Security Rules for Contractors

◦ DFARS 252.204-7008 – Compliance with Safeguarding Covered Defense Information Controls – contract provision making 800-171 mandatory

◦ DFARS 252.204-7009 – Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information – information can only be given to the government; personnel have to be covered by NDAs

Page 10

DFARS Cyber Security Rules for Contractors (cont.)

◦ DFARS 252.239-7010 – Cloud Computing Services

◦ DFARS 252.204-7012 – Safeguarding Covered Defense Information (“CDI”); Cyber Incident Reporting

◦ Most significant of the four DFARS clauses on cybersecurity

Page 11

DFARS 252.239-7010 – Cloud Computing Services

Requires:

◦ Adherence to the federal Cloud Computing Security Requirements Guide (SRG)*

◦ DoD data remains in the US unless permitted otherwise in writing

◦ Information is confidential

◦ Images of hacked systems retained for 90 days

◦ Notification of third-party access requests

* http://iase.disa.mil/cloud_security/Pages/index.aspx

Page 12

DFARS 252.239-7010 – Cloud Computing Services (cont.)

Requires:

◦ Reporting: all cyber incidents have to be reported through http://dibnet.dod.mil/

◦ DoD access to facilities, personnel, equipment and records

◦ Flow-down of the provision to subcontracts

Page 13

Main provision is DFARS 252.204-7012

◦ Title: Safeguarding Covered Defense Information and Cyber Incident Reporting (Oct 2016)

◦ Requires Adequate Security: “implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017.”

◦ Required Reporting: contractors and subcontractors must report cyber incidents on information systems with CDI or which affect the ability to perform critical support under a contract

◦ Required Response: on discovery, conduct a review for evidence; submit to DoD and receive an assigned incident report number; provide the number to the prime/next higher subcontractor; preserve the imaged system for 90 days

◦ When to report: within 72 hours, directly to DoD via the specified portal

Page 14

DFARS 252.204-7012 (cont.)

◦ Additional cyber incident requirements: provide DoD access to information / equipment to conduct its analysis; submit malicious software to the DoD Cyber Crime Center (DC3)

◦ Using a Cloud Solution:

  ◦ Cloud Service Provider (CSP) must meet the security requirements of the Federal Risk and Authorization Management Program (FedRAMP), Moderate baseline

  ◦ CSP must comply with the same requirements as the contractor for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.

Page 15

Covered Companies: Who Has to Comply

The DFARS Cover All of the Following Companies:

1. Direct or indirect DoD contractor, or

2. Work with Covered Defense Information (CDI), or

3. DFARS clause 252.204-7008 is in a contract

Page 16

Flow-down to Subcontractors

Contractors are to include the clause in solicitations, purchase orders and subcontracts

Specifically applies to contracts (i) providing “operationally critical support” and/or (ii) working with a Covered Contractor Information System

All subcontractors must meet NIST 800-171 controls

• Unclear: contractor / subcontractor responsibility to ensure its contractors and suppliers are compliant

Page 17

◦ Regulations Not Concerned with Classified (Secret) Material

◦ Do Not Address Other Privacy or Confidentiality Regulations, although there can be an overlap:

  ◦ ITAR (International Traffic in Arms Regulations – State Department)

  ◦ EAR (Export Administration Regulations – Commerce Department)

  ◦ HIPAA – Standards for Privacy of Individually Identifiable Health Information

  ◦ Gramm-Leach-Bliley Act – Right to Opt-out of Sharing of Nonpublic Personally Identifiable Financial Information

Keep in Mind: Excluded Data Can Exclude Subcontractors

Page 18

What is Covered as CUI/CDI

Definition: any unclassified information provided by or for the DoD relating to a contract or collected, developed, received, transmitted, used, or stored by or for a contractor in performing the contract.

Can be technical, administrative, or operational in nature and is:

1. CTI

2. Critical information (operations security)

3. Export control

4. Any other information, marked or identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government policies

Page 19

General Requirements (beyond the language of DFARS)

Found in NIST SP 800-171 rev. 1, “Protecting Controlled Unclassified Information in Non-Federal Information Systems”

◦ 14 Categories

◦ 110 Controls

◦ Referenced by section numbers in chapter 3 of the publication

Page 20

NIST 800-171 Cybersecurity Standards (https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-171r1.pdf)

3.1 Access Control

3.2 Awareness and Training

3.3 Audit and Accountability

3.4 Configuration Management

3.5 Identification and Authentication

3.6 Incident Response

3.7 Maintenance

3.8 Media Protection

3.9 Personnel Security

3.10 Physical Protection

3.11 Risk Assessment

3.12 Security Assessment

3.13 System and Communication Protection

3.14 System and Information Integrity

Page 21

Responsibilities of Direct Contractors and Subcontractors

◦ Adequate Systems and Facilities Security

◦ Report Cyber Incidents*

◦ Maintain records of compliance as well as breaches

◦ Train and obligate personnel

◦ Also, assess and correct vulnerabilities (and demonstrate this has occurred)

*http://dibnet.dod.mil

Page 22

NIST 800-171 Cybersecurity Standards: Assessments Required of Contractors

3.11 Risk Assessment:

◦ “Periodically assess the risk to organizational operations . . . resulting from the . . . processing, storage, or transmission of CUI.”

◦ “Remediate vulnerabilities in accordance with risk assessments.”

3.12 Security Assessment:

◦ “Periodically assess the security controls in organizational systems to determine if the controls are effective….”

◦ “Develop and implement plans of action . . . to correct deficiencies and reduce or eliminate vulnerabilities….”

◦ “Monitor security controls on an ongoing basis….”

◦ “Develop, document, and periodically update system security plans….”

Page 23

Compliance Deadlines

1. Complete the DFARS CDI Assessment (current cybersecurity posture) and report your findings to the DoD Chief Information Officer (CIO) within 30 days of contract award

2. Prior Interpretation: correct any gaps documented by an assessment by December 31, 2017

3. Now: plan of compliance by end of 2017

Page 24

Broader Reach than DoD

◦ May 15, 2016 FAR Cyber Ruling (FAR 52.204-21, Basic Safeguarding of Contractor Information Systems Requirements) – applies a subset of 15 controls from NIST 800-171, effective June 16, 2016

◦ Covers 300,000± companies; has mandatory flow-down; no cyber-incident reporting requirement

◦ NARA intends to establish a universal FAR that will supersede DFARS 252.204-7012, use NIST SP 800-171, and expand the scope to all Federal agencies and contractors (such as NASA, DoE, etc.) and not just the DoD

◦ NARA's timing is open, but in press interviews it predicted a beginning in FY 2019

Page 25

Open Questions

◦ Do CSPs just apply FedRAMP, or do they have to meet 800-171 standards?

◦ What CDI / CUI marking requirements exist?

◦ Is the COTS exemption the same for solicitations as for subcontracts?

◦ Is an SSP really sufficient for end-of-2017 compliance?

◦ When is the final compliance deadline?

◦ Will there be 800-171 audits?

◦ Enforcement:

  ◦ Who is responsible? DCAA (Defense Contract Audit Agency)?

  ◦ What are the consequences of failure to comply?

Page 26

Conducting a DFARS Assessment

◦ Don’t Delay

◦ Don’t Start Without Company Buy-in Across Functions – Compliance, Facilities, Finance, IT, Legal, Supply Chain Management, Engineering, Manufacturing

◦ Senior Management Responsibility, Supervision and Assessment Focal Point

◦ Understand DFARS and NIST 800-171 or Retain Outside Expertise

◦ Set Milestones to Avoid Project Drift

Page 27

Assessment Steps…

◦ Identifying applicable “information systems”*, the scope of effort, available resources and personnel, and tasks and milestones

◦ NIST 800-171 chapter 3 (110 controls) full assessment

◦ Preparation and agreement on a gap analysis and status of compliance

◦ Preparation and adoption of a remediation plan

◦ From that remediation plan, prepare the required POA&M (Plan of Action and Milestones)

◦ Institute the POA&M, including document storage, control management and an audit solution

◦ Training and monitoring

*Group of components (workstations, servers, VoIP phones, routers, switches, firewalls) in a connected infrastructure, under a single management authority. A separate information system could be segregated by a firewall, separated physically, logically or by access, or under a separate management authority

Page 28

DFARS Assessment Approach

Preliminary DFARS Questionnaire

• Preliminary DFARS Assessment

• Interview

GAP Analysis

• Compiling results of preliminary questionnaire, interview, and assessment document

• Preparation and Presentation of 800-171 GAP Analysis

POA&M

• Preparation, Presentation and Tracking of POA&M

• Preparation of Third Party Compliance Certificate

Page 29

Preliminary Review

◦ Documentation is key throughout the process. E.g., during the preliminary assessment, the DFARS questionnaire is completed with/by the prospective client.

◦ The initial interview with business stakeholders is carried out following the completion of the questionnaire.

◦ During the initial interview the outside assessor learns about the client’s IT systems and internal flow of operations.

◦ The goal is to identify the current security posture of the business.

Page 30

Determining the Scope

The results of the interview and questionnaire are used to create a customized assessment document.

In that assessment document, each control will be clearly defined for the client in accordance with DFARS requirements.

The outside team works closely with the relevant client personnel to provide clarification on what each of the 110 NIST 800-171 controls mandates and how these controls apply to the client’s business.

Page 31

Research and Gap Analysis

The audit team records the results of each stage in the third party’s assessment tool. The tool generates a percentage of compliance.

The audit team identifies and investigates each control:

Controls met by the client are recorded and verified.

Controls that are not met are recorded, and recommendations to satisfy the control are provided to the client.

The result is a Gap Analysis specific to that client.

Page 32

Agreed Remediation

◦ The audit team presents the Gap Analysis to the client’s stakeholders.

◦ The Gap Analysis will spell out in detail the deficiencies identified, as well as recommendations for remediation.

◦ The Gap Analysis enables the client to develop a roadmap, which includes specific goals tied to dates and will allow the client to reach compliance.

◦ This roadmap, reflecting the requirements of 800-171 and the DFARS, as well as the client’s priorities, will be the client’s POA&M.

Page 33

Progress Reviews

• The client will drive the timeline to remedy identified deficiencies.

• The outside audit team will continue to track progress toward full compliance as each deficiency is resolved.

• The POA&M is a ‘living and breathing’ document that is used to track implementation of the recommendations and may be amended as circumstances and available solutions change.

• The audit team typically will follow up weekly to track and verify implementation progress until full compliance.

Page 34

Certification and Benefits of Third-party Assessments

The POA&M and the DFARS Assessment Tool are used to provide the client with the NIST SP 800-171/DFARS 252.204-7012 Compliance Certificate

A partial compliance certificate along with the POA&M can demonstrate to DoD or a prime contractor that the client is taking steps to be compliant and is making progress toward full compliance

A full compliance certificate will demonstrate compliance as of the date of the certificate

Page 35

How Long Does it Take to Complete a DFARS Assessment?

◦ About two man-weeks for SMEs. Larger companies can take several months.

◦ Variable factors:

- number of unique “Information Systems” that must be assessed,

- number of employees and their computing devices,

- number of sites that must be visited during the assessment,

- number of DoD contracts that must be reviewed for specific requirements, and

- definitions of systems, and the overall number of computing systems in place.

Page 36

QUESTIONS AND DISCUSSION