In 2015, Defense Department (DoD) contractors that handle sensitive DoD information were given extra time to comply with new department cybersecurity regulations. That grace period now is up, and companies must meet these requirements in 2018.
After Dec. 31, 2017, contractors processing, storing, or transmitting controlled but unclassified information (CUI) must meet minimum security standards set out in the Defense Federal Acquisition Regulation Supplement (DFARS) or risk losing their contracts. The National Institute of Standards and Technology (NIST) has a number of resources to help companies understand these requirements and assess their compliance.
The DFAR Supplement was published in 2015 to ensure that sensitive data maintained on non-Federal systems is properly protected. Under this rule, contractors must comply with guidelines published by NIST in Special Publication 800-171. As originally published, the requirements were to go into effect immediately, but DoD pushed the deadline to 2018 in response to industry complaints that such a shift could not be made that quickly.
The requirement to protect sensitive DoD information is not new. Contractors formerly were required to comply with guidance in NIST SP 800-53, the comprehensive 462-page catalog of security controls for Federal IT systems. Guidelines in SP 800-171 are contractor-specific, and the publication is just 77 pages, so compliance should be simpler. Requirements in the new document are derived from the Federal Information Processing Standard (FIPS) Publication 200 and the moderate security control baseline set out in SP 800-53. Minimum requirements call for contractors to provide adequate security to protect DoD information and to rapidly report breaches or other incidents that could compromise the data. They also must cooperate with DoD in responding to security incidents.
“The requirements apply to all components of non-Federal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components,” the guidelines say. They also apply to subcontractors.
The NIST resources for contractors are provided through its Manufacturing Extension Partnership (MEP). MEP has developed a set of Frequently Asked Questions for small manufacturers to help them understand the DoD cybersecurity requirements, as well as a handbook to help small manufacturers in self-assessing compliance.
Contractors have 30 days from the awarding of a contract to report any security requirements not implemented at the time of award. Full compliance requires a process of continuous assessment, monitoring, and improvement. The handbook acknowledges that security control assessments can be challenging and resource-intensive and will require cooperation throughout the company. Security assessments require:
- Understanding the company’s operations and how they are supported by IT,
- Understanding IT system architecture and the personnel supporting it,
- Access to policies and procedures and technical documentation, and
- Developing a clear understanding of security objectives.
The effort required for ensuring compliance with DFARS can pay off for companies by helping them comply with non-DoD Federal Acquisition Regulation requirements as well as with meeting basic cybersecurity needs for business.