If you have contracts with the United States Department of Defense (DoD) or are a subcontractor to a prime contractor with DoD contracts, your organization has until December 31, 2017, to implement NIST SP 800-171. This is a requirement that is stipulated in the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012.
In the context of this article, DFARS focuses on two things: safeguarding Covered Defense Information (CDI), and reporting cyber incidents.
Controlled Unclassified Information (CUI) Refresher
If you read through the DFARS requirements, it can be a little confusing since there are cascading definitions:
- CDI is defined as unclassified Controlled Technical Information (CTI);
- CDI pertains to Covered Contractor Information Systems (CCIS);
- CCIS are specifically covered by NIST 800-171;
- NIST 800-171 references the CUI Registry for defining CUI, which is operated by the US National Archives;
- The CUI Registry contains a section on CTI that provides a category description of what is covered; and
- According to the CUI Registry, CTI is merely a subset of CUI.
If you take a step back and look at it in simple terms, what really matters is (1) defining what the applicable CTI is based on definitions from the CUI Registry and (2) clarifying the scope of compliance by clearly documenting where CTI is stored, processed, and/or transmitted on the contractor’s network(s). NIST 800-171 is not applicable on contractor networks that do not store, process, or transmit CTI.
NIST 800-171 Certification
There is no certification process for NIST 800-171. Similar to PCI DSS and HIPAA, NIST 800-171 compliance is based on the honor system, where being “NIST 800-171 compliant” means that you are self-attesting that your organization complies with all of the applicable requirements in that regulation. That may change as DFARS processes mature, but with a focus for the end of the year, you are looking at self-certification.
As it stands today, some larger prime contractors are actively pursuing their subcontractors for evidence of compliance through questionnaires and attestations. This is fully expected for prime contractors, since as contractors, they themselves have to assess risks to CUI (control 3.11.1), and that includes evaluating risks associated with subcontractors. Non-compliance of one or more subcontractors could mean serious trouble for the prime contractor, so many prime contractors are taking NIST 800-171 seriously.
Understanding What Is At Stake
What can possibly go wrong with non-compliance in a contract with the U.S. Government?
- Contract Termination. It is reasonably expected that the U.S. Government will terminate contracts with prime contractors over non-compliance with NIST 800-171 requirements since it is a failure to uphold contract requirements. Subcontractor non-compliance will cause a prime contractor to be non-compliant, as a whole.
- Criminal Fraud. If a company states it is compliant when it knowingly is not compliant, that is misrepresentation of material facts. This is a criminal act that is defined as any act intended to deceive through a false representation of some fact, resulting in the legal detriment of the person who relies upon the false information.
- Breach of Contract Lawsuits. Both prime contractors and subcontractors could be exposed legally. A tort is a civil breach committed against another in which the injured party can sue for damages. The likely scenario for a NIST 800-171-related tort would be around negligence on behalf of the accused party by not maintaining a specific code of conduct (e.g., NIST 800-171 controls).
As you can see from those examples, the cost of non-compliance is quite significant. As always, seek competent legal counsel for any pertinent questions on your specific compliance obligations.
Key Components of NIST 800-171
Contrary to what many people believe, NIST 800-171 is more than just 110 cybersecurity controls. This is a pretty common misconception, most likely due to people glossing over the document and focusing on the main controls listed in Chapter 3, as well the mapping to NIST 800-53 and ISO 27002 in Appendix D. However, Appendix E of NIST 800-171 is also in scope, since it calls out the Non-Federal Organization (NFO) controls as being “expected to be routinely satisfied by nonfederal organizations without specification.”
In the footnotes section of the first page of Appendix E, the “moderate baseline” of NIST 800-53 is called out in regard to the protection of CUI for contractors. The U.S. Government expects these NFO controls to already exist as a basic component of a contractor’s comprehensive security program.
To recap the controls expectations, you need to go through Appendix E and track both the CUI and NFO controls, not just the CUI controls.
Incident Reporting Expectations
DFARS does have a specific callout where contractors are required to “rapidly report” cyber incidents to the DoD, which is defined as within 72 hours of detecting the cyber incident. In addition to merely reporting that an incident occurred, the contractor is required to “conduct a review for evidence of compromise of CDI, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts.
This review shall also include analyzing CCIS that were part of the cyber incident, as well as other information systems on the contractor’s network(s), that may have been accessed as a result of the incident in order to identify compromised CDI, or that affect the contractor’s ability to provide operationally critical support.”
In a nutshell, that callout in DFARS requires contractors to have a mature incident response capability. This doesn’t mean that dedicated resources need to be hired, but at a minimum it means that staff or contract personnel must be trained and proficient at responding to cyber incidents in a timely manner. The same holds true for management, since the clock starts ticking once the incident is discovered, and that requires removing administrative roadblocks.
Three Key Steps To Get Compliant
Not sure where to start with your compliance efforts? Want to double check your work? Follow these steps:
1. Define CUI As It Applies To Your Organization
The sad reality is the many prime contractors do not have clear guidance from contracting officers. That reality isn’t going to change soon, so you need to be proactive.
- Start with checking your contract to see if CUI is defined. Most likely it is not clearly defined.
- Based on your contract, review the CUI Registry for similar examples of CUI.
- Generate a Memorandum for Record (MFR), or similar document, that clearly establishes your case for what you determine your in-scope CUI to be.
- If you are a subcontractor, provide that MFR to your prime contractor with a deadline for response (e.g., 10 business days). If you are a prime contractor, provide that MFR to your government contracting officer with a similar deadline for response.
- Assuming that you will not get a response, you at least have evidence of due care where you took reasonable steps to properly define and seek clarification on your CUI obligations.
2. Scope Your Network To Minimize Compliance
Now that you have your CUI defined, the next step is to identify where it is stored, processed, and/or transmitted on your network(s).
- If you do not already have comprehensive Data Flow Diagrams (DFDs), generate them specific to how CUI traverses your network and identify where it is stored and processed.
- Once you have DFDs, generate architectural network diagrams that document what network-based controls exist in your environment specific to protecting CUI.
- With the DFD and network diagrams, you may find ways to segment off the CUI environment to make the scope of compliance a small percentage of your network.
- If you are not sure how to scope your network, you may want to leverage similar concepts from PCI DSS compliance, since organizations have saved significant time and money by minimizing the Cardholder Data Environment. The same can hold true for CUI data and complying with NIST 800-171, and to prove that point, we leveraged the Open PCI DSS Scoping Toolkit to create a free resource, the NIST 800-171 scoping guide.
3. Generate Evidence of Compliance.
- When you know what your CUI is and where it is on your network, you now need to go through Appendix D and E of NIST 800-171 to identify what controls are applicable to your environment.
- If you’ve done a good job scoping your environment, there may be controls that are not applicable or only applicable to a small percentage of your network. This is where you need to generate documentation to explain how these controls are complied with or are not applicable.
- Some controls will be administrative in nature, such as having documented policies, standards, and procedures. Other controls require technology solutions. This is where you have to generate evidence that is specific to your organization.
- If you do want to engage a cybersecurity consultant, at least go through those requirements and address the “low hanging fruit” controls and document what your organization currently does, since most of the controls are not highly-technical or complex in nature. This will save you considerable consulting fees and will allow your consultant to focus on the more complicated questions that you have.
Can’t Meet The Deadline?
If you are throwing your hands up and know you will not be compliant, there is a process in place to deal with non-compliance. This requires the prime contractor to submit a written request for variance to complying with NIST 800-171 to the government contracting officer.
DFARS does not provide any further explanation of the process other than the fact that the contractor must have “an alternative, but equally effective, security measure” in place to offset the control that cannot be implemented if the variance is approved. This sounds very similar to the compensating control process for PCI DSS compliance.
Since variances are not guaranteed, it is not a wise decision to “beg for forgiveness” in terms of meeting NIST 800-171 compliance since there will be compliant companies that are able to pick up the slack. Those companies may well benefit from contracts that are dropped due to non-compliance.
It is not too late to jump on NIST 800-171 and turn it into a marketing tool. Prime contractors already are screening subcontractors for compliance with NIST 800-171, so your immediate efforts may be handsomely rewarded by multi-year contracts with both prime contractors and the U.S. Government.
Additionally, people overlook that NIST 800-171 is a very good step in the right direction to counter the threat to the security of the United States by state-sponsored actors who are determined to steal valuable intellectual property from U.S. Government contractors. Taking NIST 800-171 seriously will reduce the risk associated with cyber threats, but it does take direct management support to make it happen.
To learn more about how to prepare for the December 2017 deadline now with proven controls from Tripwire, click here.
About the Author: Beverly Cornelius is a partner at ComplianceForge. ComplianceForge is a boutique cybersecurity firm that specializes in governance, risk, and compliance-related documentation. Their unique solutions help companies document their cybersecurity governance programs to comply with specialized requirements, such as NIST 800-171, FAR, and EU GDPR.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.