Deadline for Cybersecurity Compliance Rapidly Approaching
By: Sara Crabtree, Senior Manager and Neal Beggan, Principal
No one thinks a cybersecurity breach will ever happen to their company until the day it actually happens. At that point, all of the discussions, gap analysis and planning that could have occurred to prevent the breach is but wishful thinking for the ability to rewind time. We can bet Target wishes it had discussed cybersecurity requirements with all of their subcontractors prior to finding out that a refrigeration and HVAC subcontractor was the reason that 40 million of its debit and credit card accounts were hacked at the end of 2013.
In August 2015, following the Office of Personnel Management’s data breaches which resulted in more than 21.5 million government employees and contractors having their personally identifiable information stolen, the Department of Defense (“DoD”) implemented new cybersecurity regulations with the intent of protecting covered defense information and reducing the vulnerability of cloud computing attacks. The new regulations found in Defense Acquisition Regulation Supplement (“DFARS”) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, require that prime contractors and subcontractors provide “adequate security” on all covered contractor information systems, which is defined as unclassified information systems that are owned, or operated by or for, a contractor and that processes, stores, or transmits controlled unclassified information (“CUI”) or covered defense information (“CDI”).
CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable laws, regulations and government-wide policies. It is information that is collected, developed, received, transmitted or otherwise stored by the contractor in the course of the performance of the contract. It is unclassified information, but it is generally protected from public disclosure. Examples include legal, financial, intelligence, patent, procurement, privacy related, export control and controlled technical information.
There is still some confusion as to what is defined as covered defense information, but the Federal Acquisition Regulation (“FAR”) defines it as unclassified controlled technical information that is marked or otherwise identified as such, or information which is collected, developed, received, transmitted, used or stored by or on behalf of the contractor in support of the performance of the contract. Examples of CDI include research and engineering data; technical drawings and reports; manuals and data sets; catalog-item identifications; and computer software executable code and source code.
Now that the types of systems and information that need to be protected are understood, it is important to understand what ”adequate security” of those systems means. DFARS 252.204-7012 states that covered contractor information systems shall be subject to the security requirements in the National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. NIST 800-171 is a set of security requirements, made of 14 families of security areas that result in 110 individual controls that a contractor must meet. The control families include areas such as access control, configuration management, incident response, physical protection, and system and information integrity.
DFARS 252.204-7012 calls for contractors to be in compliance by December 31, 2017, but it is important to note that cybersecurity is an area that contractors should be thinking about after we flip the calendar and start the New Year. To be in compliance with NIST 800-171, the first step contractors should take is to conduct a gap analysis. Contractors should review all 110 controls and one by one, determine if they are currently in compliance, need to be make changes in order to be in compliance or if it does not apply to them. It could be beneficial for a contractor to bring in a third party with expertise in this area to conduct the gap analysis for them, especially if the contractor does not have personnel that are familiar with the requirements or if they do not have the time to conduct the analysis.
Once it is understood which controls the company is in compliance with and which controls might need additional measures in order to become compliant, the company needs to develop a System Security Plan (“SSP”) which documents how the company is operating and how the IT systems work. The company should also develop a Plan of Action and Milestone (“POAM”), which is to document the controls which the company is not in compliance with and how the company intends to become compliant, as well as a timeline for achieving that compliance. Depending on the size of the company and the number of controls involved, the timeline on the POAM could be days, weeks or months.
Determining compliance with DFARS 252.204-7012 and NIST 800-171 is primarily a measure of self-determination. DoD does not recognize any third party letters of compliance. Contracting Officers and higher tier subcontractors (i.e. prime contractors) may require proof of compliance, however, by means of asking to review a contractors SSP and POAM (in whole or in part). They could also require a contractor to certify compliance, in addition to standard representations and certifications in a solicitation which contains the DFARS clause.
Think you can’t afford to take your company through the requirements of getting NIST 800-171 compliant? Consider the alternatives. Based on the 2017 Ponemon Cost of Data Breach Study sponsored by IBM, on average, it costs $141 per lost or stolen record. The average total cost of a data breach? $7.3 million. In addition, a contractor may face termination for default of their contract, breach of contract, liquidated damages, exclusion from future contract awards due to non-responsibility, and a violation of the False Claims Act. Can your organization really afford these alternatives?