NIST 800-171 Compliance Challenges Small DOD Contractors

May 30, 2017

On December 30, 2015, DoD amended both DFARS 252.204-7008 (Compliance with Safeguarding and Covered Defense Information Controls), and DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) allowing contractors until December 31, 2017 to fully implement all NIST SP 800-171 controls on covered contractor information systems.

The new DFARS mandates are necessary, but they pose huge challenges for small professional services contractors. They are necessary because too many small businesses neglect security, primarily because of cost concerns and a lack of understanding of the risks.

It’s easy to understand the DOD’s concern when the stats show the following:

  • 43% of cyber-attacks target small businesses.
  • Only 14% of small businesses rate their ability to mitigate cyber risks, vulnerabilities and attacks as highly effective.
  • 48% of data security breaches are caused by malicious acts; human error or system failure account for the rest.
  • While many small businesses are concerned about cyber attacks (58%), more than half (51%) allocate no budget at all to risk mitigation.
  • Only 38% of small businesses regularly upgrade software, 31% monitor business credit reports and 22% encrypt databases.
  • Of the businesses that have a password policy, 65% say they do not strictly enforce it. 16% admitted that they first reviewed their cybersecurity posture only after they were hit by an attack. 75% of small businesses have no cyber risk insurance.

However, when a small business looks at these mandates it can be overwhelmed. Compliance looks expensive and time consuming, and the business cannot see how the government can expect it to invest when it is already being squeezed by LPTA (lowest price technically acceptable) contracts and lives on a 5% margin.

Most business leaders understand that they have a responsibility to protect their business and their customers' data. That is why they either hired IT professionals or outsourced the network to a third-party managed services provider. In many cases, though, that is where it starts and ends. NIST SP 800-171 requires business leaders to know much more about cybersecurity and the precautions needed to protect an organization. It requires the contractor's executives to know how their organization addresses the following 14 families of security requirements (see Chapter 3 of the publication):

  1. Access Control
  2. Audit and Accountability
  3. Awareness and Training
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Physical Protection
  10. Personnel Security
  11. Risk Assessment
  12. Security Assessment
  13. System and Communications Protection
  14. System and Information Integrity

… and to understand how their organization is handling the specifics of each. For example, here is the detail behind item 4 alone (Configuration Management, section 3.4):

  • 3.4.1 Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
  • 3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational information systems.
  • 3.4.3 Track, review, approve/disapprove, and audit changes to information systems.
  • 3.4.4 Analyze the security impact of changes prior to implementation.
  • 3.4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system.
  • 3.4.6 Employ the principle of least functionality by configuring the information system to provide only essential capabilities.
  • 3.4.7 Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services.
  • 3.4.8 Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
  • 3.4.9 Control and monitor user-installed software.
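To make the list less abstract, the Python below is an added illustration (it is not code from the original post or from NetWatcher) of what 3.4.1, 3.4.3 and 3.4.8 ask for in practice: it compares a current software inventory against an approved baseline and reports drift, then shows how the same unapproved binaries fare under a deny-by-exception (blacklist) policy versus a deny-all, permit-by-exception (whitelist) policy. All paths, version labels and digests are constructed sample data; `file_digest()` is included only so the same functions can be fed real files on a host.

```python
"""Added example: two NIST SP 800-171 configuration-management checks in
miniature. Not code from the original post or from NetWatcher.

  * 3.4.1 / 3.4.3  compare a current software inventory against an
                   approved baseline and report unreviewed drift.
  * 3.4.8          decide whether a binary may run under a
                   deny-by-exception (blacklist) policy versus a
                   deny-all, permit-by-exception (whitelist) policy.

All paths, version labels and digests below are constructed sample data.
"""
import hashlib
from typing import Dict, List


def file_digest(path: str) -> str:
    """SHA-256 of a real file; use this to build a baseline on an actual host."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _sample_digest(label: str) -> str:
    """Stand-in for file_digest() so the example runs without real files."""
    return hashlib.sha256(label.encode()).hexdigest()


# Approved baseline (3.4.1): path -> SHA-256 of the approved binary.
BASELINE: Dict[str, str] = {
    "/usr/sbin/sshd": _sample_digest("sshd-8.2p1"),
    "/usr/bin/python3": _sample_digest("python-3.8.10"),
}

# What a scan of the host finds today (constructed): python3 was upgraded
# with no change record, and an unknown agent appeared under /opt.
CURRENT: Dict[str, str] = {
    "/usr/sbin/sshd": _sample_digest("sshd-8.2p1"),
    "/usr/bin/python3": _sample_digest("python-3.9.5"),
    "/opt/agent/agent": _sample_digest("agent-1.0"),
}


def inventory_drift(baseline: Dict[str, str],
                    current: Dict[str, str]) -> Dict[str, List[str]]:
    """Changes relative to the baseline. Under 3.4.3 every change must be
    tracked and approved; anything reported here has not been."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
    }


# Deny-by-exception: everything runs unless its digest is on the known-bad list.
DENY_LIST = {_sample_digest("known-malware-1.0")}


def permitted_deny_by_exception(digest: str, deny_list=DENY_LIST) -> bool:
    return digest not in deny_list


def permitted_permit_by_exception(path: str, digest: str,
                                  allow_list: Dict[str, str] = BASELINE) -> bool:
    """Deny-all, permit-by-exception. Keyed on the digest as well as the
    path, so replacing an approved binary in place is still denied."""
    return allow_list.get(path) == digest


def policy_comparison(path: str, digest: str) -> Dict[str, bool]:
    """Same execution request evaluated under both 3.4.8 policy styles."""
    return {
        "deny_by_exception": permitted_deny_by_exception(digest),
        "permit_by_exception": permitted_permit_by_exception(path, digest),
    }


if __name__ == "__main__":
    print("drift:", inventory_drift(BASELINE, CURRENT))
    for p, d in CURRENT.items():
        print(p, policy_comparison(p, d))
```

Running it shows the point of 3.4.8's second option: the deny-by-exception policy lets both the silently upgraded python3 and the unknown /opt agent run, because neither is on the known-bad list, while the permit-by-exception policy blocks both until someone approves them and updates the baseline. In production the allow list is enforced by the platform (AppLocker or Windows Defender Application Control on Windows, fapolicyd on RHEL-family Linux) rather than by a script, but the approval-and-baseline workflow it depends on is exactly the one 3.4.1 and 3.4.3 describe.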

When the small business finally has the time to understand the details of what it is being asked to do to comply with NIST SP 800-171, it realizes it does not have the people, time or experience, and it definitely does not have the money, to accomplish the task.

The DoD estimates that about 5,000 small businesses are affected by the rule, but the Small Business Administration (SBA) disagrees.

Compliance for these small business prime contractors is very expensive as many small businesses will be forced to purchase services from outside vendors to provide “adequate safeguards” for covered defense information. Most small businesses have neither the technical expertise nor the information technology personnel or software to conduct these services in-house. — US SBA Office of Advocacy

If you understand how a small professional services firm's Profit & Loss (P&L) works, you will recognize that its IT budget is usually less than $500k/year and that the security portion of that budget is usually 6-7% (per the SANS budget figures the original article cited). So for a company with a $250k/year IT budget, the security portion is probably about $16,250 (6.5%). The question you have to ask is: can a small professional services firm buy all of the following for $16k?

  • Hire or allocate people to write policies (for example, logical access and encryption policies) and procedures (for example, incident response and disaster recovery plans), and then maintain them.
  • Continually purchase, upgrade and maintain the hardware and software needed to reach a stable, patchable state.
  • Train employees on cybersecurity.
  • Purchase cyber liability insurance.
  • Hire legal support to update contracts.
  • Invest in newly required security capabilities (host and network intrusion detection (HIDS/NIDS), log aggregation (SIEM), vulnerability scanning, etc.).

…of course not.  …but that is the ask.

Then there is the responsibility of the prime contractor. DFARS 252.204-7012 must be flowed down to subcontractors that handle covered defense information, so does the DoD expect the prime to audit its subs? There is liability there. Who is going to ensure the subs are not just checking the box?

The DoD could learn a lot from how the HIPAA Security Rule has affected small healthcare firms. The HIPAA Security Rule has been in force since 2005, and many SMBs are still not compliant. The New York Department of Financial Services (NY DFS) also recently issued a cybersecurity regulation (23 NYCRR 500) that requires banks, financial services firms and insurance companies operating in New York to adhere to more stringent security policies and procedures and to open themselves up to audit. The NY DFS recognized that small businesses would be a challenge, so it built exemptions into the regulation and staggered the requirements over a few years.

Eventually every company in every vertical will need to get its act together on security or lose its customers and its business altogether. Still, there is a need to appreciate the financial investment required for these small businesses to reach a point where they can manage the security of their data (and their customers' data) more effectively. We built NetWatcher to help these firms with a low cost, high value platform that helps them meet many of the technical demands outlined in these compliance mandates.

http://resources.netwatcher.com/cyber_security_us_gov_contractors
Click above to download the whitepaper.