There were two policies implemented this year that impact all US government contractors with regard to how they protect their own internal networks.
The first was a set of DFARS changes aimed at US defense contractors. On December 30, 2015, DoD amended both DFARS 252.204-7008 (Compliance with Safeguarding and Covered Defense Information Controls) and DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), giving contractors until December 31, 2017 to fully implement all NIST SP 800-171 controls on covered contractor information systems. The OSD FAQ can be found here.
Notwithstanding the 12/31/2017 phase-in period, contractors must still notify DoD within 30 days after contract award “of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award”. It would also be wise for DoD contractors to stay abreast of what may change with the DFARS safeguarding rule (2013-D018), found here, and a new DFARS rule to specify liability protections for certain DoD contractors when reporting cyber incidents (2016-D025), found here.
The second, a new FAR policy, is aimed at ALL US government contractors. On May 16, 2016, the Federal Acquisition Regulation (FAR) was amended to implement requirements for the “Basic Safeguarding of Covered Contractor Information Systems.” See the Federal Register 30,439, available here. This final rule becomes effective on June 15, 2016.
The intent is to establish basic safeguarding measures that are (or should be) generally employed by contractors as part of “routine” business practices – the rule is a baseline and does not impact other more specific federal information safeguarding requirements, such as the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 noted above.
DoD contractors must understand the specific testable security controls that they need to comply with in the new policy.
The security requirements are organized into 14 “families” of controls, and each family contains:
You can see everything in Appendix D of NIST SP 800-171 which includes a control mapping table that defines how the 79 derived security controls map back to their source controls in NIST SP 800-53 (similar to a FISMA assessment).
One specific item that stands out in this new policy is Incident Reporting triggered by the discovery of a “cyber incident,” which is defined very broadly as a network compromise, an “adverse effect,” or even just a “potentially adverse effect,” on either the network, the covered contract information, or the ability to execute against “operationally critical” contract requirements. In practice, this means that contractors aren’t merely required to disclose network intrusions, but also attempted intrusions, regardless of whether systems or data were actually compromised. This is a very low bar, and implies a requirement for intrusion monitoring. Upon discovery of a cyber incident, the contractor is required to do the following things:
The new FAR clause identifies 15 security requirements for safeguarding a covered contractor information system (e.g., host servers, workstations, and routers), pulled verbatim from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. Unlike the DFARS rule, the new FAR rule does not impose all NIST SP 800-171 requirements.
The rule applies to:
The rule is unclear as to how a prime contractor should police a subcontractor’s controls or ensure that a subcontractor reports information or information system flaws in a timely manner, as required by the safeguarding requirement in new FAR clause 52.204-21(b)(1)(xii).
Any DoD contractor or subcontractor providing critical services to the United States Department of Defense may very well have to become DFARS 252.204-7012 compliant, especially if sensitive information is being stored, processed, or transmitted by such entities.
Failure to implement the basic requirements could result in a breach of contract. Also, contractors failing to comply with the rule could be subject to liability under existing laws and regulations, such as the False Claims Act. One comment on the proposed rule expressed concern that an inadvertent release of information “could be turned into not only an information security issue but also a potential breach of contract.” In response, the Federal Register notice states that, “[g]enerally, as long as the safeguards are in place, failure of the controls to adequately protect the information does not constitute a breach of contract.”
The FAR clause does not include an incident reporting requirement, whereas the DFARS cybersecurity clause requires covered DoD contractors to rapidly report “cyber incidents” to DoD (and to a prime contractor, if applicable) within 72 hours.