DFARS Contractor Cybersecurity Requirements

The latest revision of the DoD Federal Acquisition Regulation Supplement (DFARS, revised Oct 21, 2016) contains some new cybersecurity requirements for DoD contractors who process unclassified information. The requirements are laid out in DFARS clause 252.204-7008:

(b) The security requirements required by contract clause 252.204-7012, shall be implemented for all covered defense information on all covered contractor information systems that support the performance of this contract.
(c)(1) By submission of this offer, the Offeror represents that it will implement the security requirements specified by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (see http://dx.doi.org/10.6028/NIST.SP.800-171) that are in effect at the time the solicitation is issued or as authorized by the contracting officer not later than December 31, 2017.

In a nutshell, this clause requires contractors to properly secure their own internal IT systems that process essentially any deliverable due to the government—including technical information such as:

  • research and engineering data,
  • engineering drawings, and associated lists,
  • specifications,
  • standards,
  • process sheets,
  • manuals,
  • technical reports,
  • technical orders,
  • catalog-item identifications,
  • data sets,
  • studies and analyses and related information, and
  • computer software executable code and source code

So if you’re a DoD contractor developing and submitting CDRLs, you’ll need to ensure—using your own capital, mind you—that your IT systems meet some pretty stringent cybersecurity requirements by the end of 2017. In addition to securing your IT systems, you’ll need to ensure you have a process in place to monitor your organization for cyber-incidents, and be able to quickly report any such incidents to the DoD.

The requirements to properly secure the systems are outlined in a document provided by the National Institute of Standards and Technology (NIST), the organization responsible for developing the cybersecurity standards for US Government-owned IT systems. NIST SP 800-171 contains 14 families (groupings) of requirements, comprising 109 individual requirements, each mapped to NIST SP 800-53 and ISO/IEC 27001 controls that you may be familiar with if you have been involved in securing Federal IT systems. There are 131 associated SP 800-53 controls (i.e. risk-mitigating actions that need to be taken), encompassing 670 unique assessments that a contractor will need to perform to verify the actions have been taken. Figure 1 below breaks these numbers down.

Figure 1: NIST SP 800-171 Requirements Breakdown

If you are a DoD contractor that hasn’t yet implemented NIST SP 800-171, your organization will need to take the following actions by the end of this year to be in compliance:

  • Consult the DFARS links above to determine if your organization processes unclassified covered defense information subject to the requirement; if yes, continue on
  • Perform a gap analysis against the 800-171 requirements to determine where your organization currently is compliant and where it is not. The Common Solutions Group has a checklist template available to help with this analysis: https://library.educause.edu/resources/2016/9/nist-sp-800-171-compliance-template
  • Develop written justification for any of the 800-171 controls that are not applicable to your organization, or that your organization cannot meet; for the latter, make sure to include the compensating mitigations the organization plans to take to reduce the risk of not meeting the controls
  • Develop and review a plan to implement controls, including allocating human and capital resources to execute the plan
  • Execute implementation of the plan, beginning with the most critical mitigations
  • Perform a follow-up risk assessment to validate and verify (V&V) that the plan was executed properly
  • Create and engage a process to ensure continuous monitoring of the controls your organization has implemented; i.e. a process to perform continuous risk assessments
  • Develop and implement a process to identify and report cyber-incidents to the DoD

That’s it! Simple, right? If you’re not sure whether your organization is affected by this requirement, if you’re not sure where to start, or if you feel you need a hand moving your organization toward compliance, feel free to give us a call. We are happy to help—as a DoD contractor we are in the same compliance boat. We understand, and have a decade of experience helping our customers—both Government and private sector—overcome cybersecurity challenges.

–Adam Austin
Cybersecurity Lead
Haight Bey & Associates