Government, prime contractors, and suppliers are increasingly being targeted in cybersecurity attacks and our industry must work together to safeguard its critical infrastructure and sensitive information. Awareness of these mounting cyber risks and implementation of effective cybersecurity controls are becoming critical components of keeping information protected. Leidos is committed to employing innovative and compliant cybersecurity processes to protect our networks, information, and systems.
Leidos understands the important role our suppliers play in defending our and our customers’ information and networks from cyber threats. We also understand the value that cybersecurity experience plays in creating and maintaining a competitive advantage for our separate organizations. Our mutual success is impacted by our ability to collaborate on identifying and managing cyber risks.
In October 2016, the Department of Defense (DoD) issued a final rule imposing mandatory cybersecurity measures and controls on their prime contractors and supply chain under DFARS clause 252.204-7012. This clause applies to all solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, except for solicitations and contracts that are solely for the acquisition of commercially available off-the-shelf (COTS) items.
DFARS clause 252.204-7012 requires prime contractors and their suppliers to meet three primary obligations:
- Adequate Security
- Contractors are required to provide adequate security to safeguard Covered Defense Information (CDI) that resides on or is transiting through a contractor’s internal information system or network.
- Adequate security includes implementing the National Institute of Standards and Technology (NIST) SP 800-171 on any internal information systems that process, store, or transmit CDI, no later than 12/31/17.
- Companies also must have conducted a self-assessment against all 110 security requirements in NIST SP 800-171, developed a system security plan describing how the requirements are met, and developed plans of action and milestones (POA&M) describing how and when any requirements not yet implemented will be met.
- Reporting Cyber Incidents
- Contractors are required to report cyber incidents that affect Covered Defense Information or a covered contractor information system, or that affect the contractor’s ability to perform operationally critical support, within 72 hours of discovery directly to the DoD and to Leidos;
- Preserve and protect images of all known affected information systems, and maintain monitoring and packet capture data, for at least 90 days from submission of the cyber incident report;
- Submit malicious software discovered and isolated in connection with a reported cyber incident to the DoD Cyber Crime Center;
- Submit information or provide access to covered contractor information systems and equipment when requested by DoD or the requiring activity/contracting officer, ensuring that all attributional/proprietary information is marked as such.
- Subcontract Flow Downs
- Leidos will flow down DFARS clause 252.204-7012 to subcontractors when performance will involve operationally critical support or CDI. Leidos will determine if information required for subcontractor performance is CDI and requires safeguarding.
- Any request to vary from a NIST SP 800-171 security requirement must be reported to Leidos or to the next higher-tier subcontractor.
- The applicable flow-down clauses are included in Leidos Terms and Conditions for its purchase orders.
References and Resources
To assist suppliers in achieving compliance with the NIST SP 800-171 security requirements, Leidos has provided links to helpful publicly available resources for each NIST SP 800-171 control. If you have any comments or questions regarding the provided supplier resources, please click here.
- DFARS clause 252.204-7012
- Cybersecurity Challenges - Protecting DoD’s Unclassified Information
- Implementation of DFARS Clause 252.204-7012, Shay Assad Memo
- DoD: Small Business Cybersecurity
- National Institute of Standards and Technology (NIST) SP 800-171
- NIST: Cybersecurity Framework
- NIST: Self-Assessment Handbook
DFARS clause 252.204-7012 was structured to ensure that unclassified DoD information residing on a contractor’s internal information system is safeguarded from cyber incidents, and that any consequences associated with the loss of this information are assessed and minimized via the cyber incident reporting and damage assessment processes. In addition, by providing a single DoD-wide approach to safeguarding covered contractor information systems, the clause prevents the proliferation of cyber security clauses and contract language by the various entities across DoD.
DFARS clause 252.204-7012 is required in all solicitations and contracts, including solicitations and contracts using Federal Acquisition Regulation (FAR) part 12 procedures for the acquisition of commercial items. The clause is not required for solicitations and contracts solely for the acquisition of COTS items. The clause is not required to be applied retroactively, but that does not preclude a contracting officer from modifying an existing contract to add the clause. The clause also applies to acquisitions of commercial items when those items involve CDI, for example when commercial items, services, or offerings are tailored to meet a particular customer’s requirement.
Covered Defense Information is unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies, and is: (1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or (2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
The National Institute of Standards and Technology (NIST) released a revision (Revision 1) of Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. Changes in the revision include generalizing "information systems" to "systems" and formalizing the requirement for a System Security Plan (SSP). An SSP, as defined by NIST SP 800-171, is a document that describes how an organization meets the security requirements for a system, or how it plans to meet them. In particular, the SSP describes the system boundary; the environment in which the system operates; how the security requirements are implemented; and the relationships with or connections to other systems. NIST also notes that nonfederal organizations should develop plans of action that describe how any unimplemented security requirements will be met and how any planned mitigations will be implemented. Organizations can document the SSP and plan of action as separate or combined documents and in any format they choose. A resource for developing SSPs and plans of action is the Cyber Security Evaluation Tool (CSET).
NIST SP 800-171 was written using performance-based requirements, with the intent to not require the development or acquisition of new systems to process, store, or transmit CUI, but enable contractors to comply using systems and practices they already have in place. It eliminates unnecessary specificity and includes only those security requirements necessary to provide adequate protection for the impact level of CUI (e.g., covered defense information). Most requirements in NIST SP 800-171 are about policy, process, and configuring IT securely, while others require security-related software (such as anti-virus) or additional hardware (e.g., firewall). For companies that were compliant with the 2013 Safeguarding of Unclassified Controlled Technical Information DFARS clause with the table of NIST SP 800-53 controls, almost all the additional NIST SP 800-171 requirements can be accomplished by policy/process changes or adjusting the configuration of existing IT. With the exception of the multifactor authentication requirement (3.5.3), no additional software or hardware is typically required.
For companies new to the requirements, a reasonable approach would be to:
- Examine each of the requirements to determine whether it is:
  - A policy or process requirement
  - A policy/process requirement that requires an implementation in IT (typically by either configuring the IT in a certain way or through use of specific software)
  - An IT configuration requirement
  - A requirement for additional software
  - A requirement for additional hardware
- If unsure of what a requirement means, companies should refer to the mapping table in Appendix D to NIST SP 800-171, identify the corresponding NIST SP 800-53 control, and consult the Supplemental Guidance related to that control in NIST SP 800-53 [Note: not all aspects of a NIST SP 800-53 control requirement may have been included in NIST SP 800-171 requirement, so not all of the Supplemental Guidance may apply].
- Typically, most requirements entail determining what the company policy should be (e.g., what should be the interval between required password changes) and then configuring the IT system to implement the policy.
- The complexity of the company IT system may determine whether additional software or tools are required. Small systems can manually accomplish many requirements, such as configuration management or patch management, while more complex systems may require automated software tools to perform the same task.
- Based on the above, determine which of the requirements can be readily accomplished by in-house IT personnel and which require additional research in order to be accomplished by company personnel or may require outside assistance.
- Develop a plan of action and milestones to implement the requirements.
The intent of DFARS clause 252.204-7012 is to ensure that the security requirements in NIST SP 800-171 are applied to information systems that are owned by, or operated by or for contractors, and process, store, or transmit CDI. The clause is not structured to require contractor compliance with NIST SP 800-171 as a mandatory evaluation factor in the source selection process, but the requiring activity is not precluded from stating in the solicitation that it will consider compliance with NIST SP 800-171 in the source selection process.
- NIST – National Institute of Standards and Technology
- POAM – Plans of Action and Milestones
- SSP – System Security Plan
- DFARS – Defense Federal Acquisition Regulation Supplement
- CDI – Covered Defense Information
- DoD – Department of Defense
- COTS – Commercial Off the Shelf