Cybersecurity Advice

DFARS clause 252.204-7012 was structured to ensure that unclassified DoD information residing on a contractor’s internal information system is safeguarded from cyber incidents, and that any consequences associated with the loss of this information are assessed and minimized via the cyber incident reporting and damage assessment processes. In addition, by providing a single DoD-wide approach to safeguarding covered contractor information systems, the clause prevents the proliferation of cyber security clauses and contract language by the various entities across DoD.

DFARS clause 252.204-7012 is required in all solicitations and contracts, including solicitations and contracts using Federal Acquisition Regulation (FAR) part 12 procedures for the acquisition of commercial items. The clause is not required for solicitations and contracts solely for the acquisition of COTS items. The clause is not required to be applied retroactively, but that does not preclude a contracting officer from modifying an existing contract to add the clause. When the acquisition of commercial items involves CDI, such as in some cases when commercial items, services, or offerings are tailored to meet a particular customer’s requirement, DFARS clause 252.204-7012 will apply to commercial items involving CDI.

Covered Defense Information is unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies, and is: (1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or (2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

National Institute of Standards and Technology (NIST) released special Publication 800-171, Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations. Some of the changes include generalizing "information systems" to "systems" and formalizing the requirement of a System Security Plan ("SSP"). A SSP, as defined by the NIST 800-171, is a document that describes how an organization meets the security requirements for a system or how an organization plans to meet the requirements. In particular, the System Security Plan describes the system boundary; the environment in which the system operates; how the security requirements are implemented; and the relationships with or connections to other systems. In addition, the NIST notes that nonfederal organizations should develop plans of action that describe how any unimplemented security requirements will be met and how any planned mitigations will be implemented. Organizations can document the system security plan and plan of action as separate or combined documents and in any chosen format. A resource for developing SSPs and Plans of Actions can be found at Cyber Security Evaluation Tool (scroll down to C/SET).

NIST SP 800-171 was written using performance-based requirements, with the intent to not require the development or acquisition of new systems to process, store, or transmit CUI, but enable contractors to comply using systems and practices they already have in place. It eliminates unnecessary specificity and includes only those security requirements necessary to provide adequate protection for the impact level of CUI (e.g., covered defense information). Most requirements in NIST SP 800-171 are about policy, process, and configuring IT securely, while others require security-related software (such as anti-virus) or additional hardware (e.g., firewall). For companies that were compliant with the 2013 Safeguarding of Unclassified Controlled Technical Information DFARS clause with the table of NIST SP 800-53 controls, almost all the additional NIST SP 800-171 requirements can be accomplished by policy/process changes or adjusting the configuration of existing IT. With the exception of the multifactor authentication requirement (3.5.3), no additional software or hardware is typically required.

For companies new to the requirements, a reasonable approach would be to:

• Examine each of the requirements to determine - Policy or process requirements
  • Policy/process requirements that require an implementation in IT (typically by either configuring the IT in a certain way or through use of specific software)
  • IT configuration requirements
  • Any additional software required
  • Any additional hardware required.
  • If unsure of what a requirement means, companies should refer to the mapping table in Appendix D to NIST SP 800-171, identify the corresponding NIST SP 800-53 control, and consult the Supplemental Guidance related to that control in NIST SP 800-53 [Note: not all aspects of a NIST SP 800-53 control requirement may have been included in NIST SP 800-171 requirement, so not all of the Supplemental Guidance may apply].
• Typically, most requirements entail determining what the company policy should be (e.g., what should be the interval between required password changes) and then configuring the IT system to implement the policy.
• The complexity of the company IT system may determine whether additional software or tools are required. Small systems can manually accomplish many requirements, such as configuration management or patch management, while more complex systems may require automated software tools to perform the same task.
• Based on the above, determine which of the requirements can be readily accomplished by in-house IT personnel and which require additional research in order to be accomplished by company personnel or may require outside assistance.
• Develop a plan of action and milestones to implement the requirements.

The intent of DFARS clause 252.204-7012 is to ensure that the security requirements in NIST SP 800-171 are applied to information systems that are owned by, or operated by or for contractors, and process, store, or transmit CDI. The clause is not structured to require contractor compliance with NIST SP 800-171 as a mandatory evaluation factor in the source selection process, but the requiring activity is not precluded from stating in the solicitation that it will consider compliance with NIST SP 800-171 in the source selection process.