New Cyber Security Policies and What They Mean for Government Contractors
Two policies implemented this year affect all US government contractors with respect to how they protect their own internal networks.
DFAR Changes: US Defense Contractors
The first was a set of DFAR changes aimed at US defense contractors. On December 30, 2015, DoD amended both DFARS 252.204-7008 (Compliance with Safeguarding and Covered Defense Information Controls) and DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), giving contractors until December 31, 2017 to fully implement all NIST SP 800-171 controls on covered contractor information systems. The OSD FAQ can be found here.
Notwithstanding the 12/31/2017 phase-in period, contractors must still notify DoD within 30 days after contract award “of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award”. It would also be wise for DoD contractors to stay abreast of what may change with the DFARS safeguarding rule (2013-D018), found here, and with a new DFARS rule specifying liability protections for certain DoD contractors when reporting cyber incidents (2016-D025), found here.
FAR Policy: All US Government Contractors
The second is a new FAR policy aimed at ALL US government contractors. On May 16, 2016, the Federal Acquisition Regulation (FAR) was amended to implement requirements for the “Basic Safeguarding of Covered Contractor Information Systems.” See the Federal Register 30,439, available here. This final rule becomes effective on June 15, 2016.
The intent is to establish basic safeguarding measures that are (or should be) generally employed by contractors as part of “routine” business practices – the rule is a baseline and does not impact other more specific federal information safeguarding requirements, such as the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 noted above.
What Items Should “DoD” Contractors Be Aware Of?
DoD contractors must understand the specific testable security controls that they need to comply with in the new policy.
The security requirements are organized into 14 “families” of controls, and each family contains:
- Basic Security Requirements (from FIPS 200), which you can consider “goals”
- Derived Security Requirements (from NIST SP 800-53), which are the “testable security controls”
You can see everything in Appendix D of NIST SP 800-171 which includes a control mapping table that defines how the 79 derived security controls map back to their source controls in NIST SP 800-53 (similar to a FISMA assessment).
One specific item that stands out in this new policy is Incident Reporting, triggered by the discovery of a “cyber incident,” which is defined very broadly as a network compromise, an “adverse effect,” or even just a “potentially adverse effect,” on the network, the covered contract information, or the ability to execute against “operationally critical” contract requirements. In practice, this means that contractors are not merely required to disclose network intrusions, but also attempted intrusions, regardless of whether systems or data were actually compromised. This is a very low bar, and it implies a requirement for intrusion monitoring. Upon discovery of a cyber incident, the contractor is required to:
- Report the incident to the DoD within 72 hours of discovery, through http://dibnet.dod.mil, as well as to the prime contractor (if applicable) “as soon as practicable.”
- Conduct an investigation to determine whether any covered information was compromised.
- Preserve an image of all affected systems, plus all relevant logging data, for at least 90 days from the submission of the incident report.
- Submit to the DoD any malware discovered and isolated, per instructions provided by the Contracting Officer.
What Items Should ALL Contractors Be Aware Of?
The new FAR clause identifies 15 security requirements for safeguarding a covered contractor information system (e.g., host servers, workstations, and routers), pulled verbatim from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. Unlike the DFARS rule, the new FAR rule does not impose all NIST SP 800-171 requirements.
Who Does the New “FAR – ALL Contractors” Policy Apply To?
The rule applies to:
- All acquisitions (even those below the simplified acquisition threshold).
- Any covered contractor information system, i.e., a system owned or operated by a contractor that processes, stores, or transmits “Federal contract information.”
- Subcontractors at all tiers where the subcontractor may have Federal contract information residing in or transmitting through its information system.
How is “Compliance” to the New Policies Enforced?
New FAR Policies
The rule is unclear as to how a prime contractor should police a subcontractor’s controls or ensure that a subcontractor reports information or information system flaws in a timely manner, as required by the safeguarding requirement in new FAR clause 52.204-21(b)(1)(xii). It is likewise unclear on:
- How adequate security will be established, maintained, and monitored for classified matters;
- How agency information security will be met for IT acquisitions;
- How agency personal identity verification requirements for contractors will be met; and
- How compliance with FAR subpart 4.19 will be met when federal contract information may be resident on contractor systems.
New DFAR Policies
Any DoD contractor or subcontractor providing critical services to the United States Department of Defense may very well have to become DFARS 252.204-7012 compliant, especially if sensitive information is being stored, processed, or transmitted by such entities.
What Happens If a Contractor Violates the New “FAR” Policy?
Failure to implement the basic requirements could result in a breach of contract. Contractors failing to comply with the rule could also be subject to liability under existing laws and regulations, such as the False Claims Act. One comment on the proposed rule expressed concern that an inadvertent release of information “could be turned into not only an information security issue but also a potential breach of contract.” In response, the Federal Register notice states that, “[g]enerally, as long as the safeguards are in place, failure of the controls to adequately protect the information does not constitute a breach of contract.”
Issues with the New “FAR” Policy
The FAR clause does not include an incident reporting requirement, whereas the DFARS cyber-security clause requires covered DoD contractors to rapidly report “cyber incidents” to DoD (and a prime contractor, if applicable) within 72 hours.
NetWatcher Can Help with Several NIST 800-171 Items
Most Specifically With 3.13.1