If you have contracts with the US
Department of Defense (DoD) or are a subcontractor to a prime contractor with
DoD contracts, your organization has until December 31, 2017 to implement
NIST 800-171. This is a requirement that is stipulated in the Defense Federal
Acquisition Regulation Supplement (DFARS).
In the context of this article, DFARS focuses on two things:
- Covered Defense Information (CDI); and
- Controlled Unclassified Information (CUI).
Refresher
If you read through the DFARS requirements, it can be a little confusing, since there are cascading definitions:
- CDI is defined as unclassified Controlled Technical Information (CTI);
- CDI pertains to Covered Contractor Information Systems (CCIS);
- CCIS are specifically covered by NIST 800-171;
- NIST 800-171 references the CUI Registry for defining CUI, which is operated by the US National Archives;
- the CUI Registry contains a section on CTI that provides a category description of what is covered; and
- according to the CUI Registry, CTI is merely a subset of CUI.
If you take a step back and look
at it in simple terms, what really matters is focused on (1) defining what the
applicable CTI is, based on definitions from the CUI Registry and (2)
clarifying the scope of compliance by clearly documenting where CTI is stored,
processed and/or transmitted on the contractor’s network(s). NIST 800-171 is
not applicable on contractor networks that do not store, process or transmit CTI.
NIST 800-171 Certification
There is no certification process
for NIST 800-171. Similar to PCI DSS and HIPAA, NIST 800-171 compliance is
based on the honor system, where being “NIST 800-171 compliant” means that you
are self-attesting that your organization complies with all of the applicable
requirements in that regulation. That may change as DFARS processes mature, but
with a focus for the end of the year you are looking at self-certification.
As it stands today, some larger
prime contractors are actively pursuing their subcontractors for evidence of
compliance through questionnaires and attestations. This is fully expected for
prime contractors, since as contractors, they themselves have to assess risks
to CUI (control 3.11.1) and that includes evaluating risks associated with
subcontractors. Non-compliance of one or more subcontractors could mean serious
trouble for the prime contractor, so many prime contractors are taking NIST
Understanding What Is At Stake
What can possibly go wrong with
non-compliance in a contract with the US Government?
It is reasonably expected that the US Government will
terminate contracts with prime contractors over non-compliance with NIST
800-171 requirements, since it is a failure to uphold contract requirements.
Subcontractor non-compliance will cause a prime contractor to be non-compliant,
as a whole.
If a company states it is compliant when it knowingly is not
compliant, that is misrepresentation of material facts. This is a criminal act
that is defined as any act intended to deceive through a false representation
of some fact, resulting in the legal detriment of the person who relies upon
the false information.
of Contract Lawsuits
Both prime contractors and subcontractors could be
exposed legally. A tort is a civil breach committed against another in which
the injured party can sue for damages. The likely scenario for a NIST 800-171-related
tort would be around negligence on behalf of the accused party by not
maintaining a specific code of conduct (e.g., NIST 800-171 controls).
As you can see from those
examples, the cost of non-compliance is quite significant. As always, seek
competent legal counsel for any pertinent questions on your specific compliance
Key Components of NIST 800-171
Contrary to what many people believe,
NIST 800-171 is more than just 110 cybersecurity controls. This is a pretty
common misconception, most likely due to people glossing over the document and
focusing on the main controls listed in Chapter 3, as well as the mapping to NIST
800-53 and ISO 27002 in Appendix D. However, Appendix E of NIST 800-171 is also
in scope, since it calls out the Non-Federal Organization (NFO) controls as
being “expected to be routinely satisfied by nonfederal organizations without
In the footnotes section of the
first page of Appendix E, the “moderate baseline” of NIST 800-53 is called out
in regard to the protection of CUI for contractors. The US Government expects
these NFO controls to already exist as a basic component of a contractor’s
comprehensive security program.
To recap the control expectations, you need to go through Appendix E and track
both the CUI and NFO controls, not just the CUI controls.
Incident Reporting Expectations
DFARS does have a specific
callout where contractors are required to “rapidly report” cyber incidents to
the DoD, which is defined as
within 72 hours of detecting the cyber incident.
In addition to merely reporting that an incident occurred, the contractor is
required to “conduct a review for evidence of compromise of CDI, including, but
not limited to, identifying compromised computers, servers, specific data, and
user accounts. This review shall also include analyzing CCIS that were part of
the cyber incident, as well as other information systems on the contractor’s
network(s), that may have been accessed as a result of the incident in order to
identify compromised CDI, or that affect the contractor’s ability to provide
operationally critical support.”
In a nutshell, that callout in
DFARS requires contractors to have a mature incident response capability. This
doesn’t mean that dedicated resources need to be hired, but at a minimum it
means that staff or contract personnel must be trained and proficient at
responding to cyber incidents in a timely manner. The same holds true for
management, since the clock starts ticking once the incident is discovered and
that requires removing administrative roadblocks.
Three Key Steps To Get Compliant
Not sure where to start with your
compliance efforts? Want to double check your work? Follow these steps:
CUI As It Applies To Your Organization
The sad reality is that many prime
contractors do not have clear guidance from contracting officers. That reality
isn’t going to change soon, so you need to be proactive.
- Start with checking your contract to see if CUI
is defined. Most likely it is not clearly defined.
- Based on your contract, review the CUI Registry
for similar examples of CUI.
- Generate a Memorandum for Record (MFR), or
similar document, that clearly establishes your case for what you determine
your in-scope CUI to be.
- If you are a subcontractor, provide that MFR to
your prime contractor with a deadline for response (e.g., 10 business days). If
you are a prime contractor, provide that MFR to your government contracting officer
with a similar deadline for response.
- Assuming that you will not get a response, you
at least have evidence of due care, where you took reasonable steps to properly
define and seek clarification on your CUI obligations.
Your Network To Minimize Compliance
Now that you have your CUI defined,
the next step is to identify where it is stored, processed and/or transmitted
on your network(s).
- If you do not already have comprehensive Data
Flow Diagrams (DFDs), generate them specific to how CUI traverses your network
and identify where it is stored and processed.
- Once you have DFDs, generate architectural
network diagrams that document what network-based controls exist in your
environment, specific to protecting CUI.
- With the DFD and network diagrams, you may find
ways to segment off the CUI environment to make the scope of compliance a small
percentage of your network.
- If you are not sure how to scope your network,
you may want to leverage similar concepts from PCI DSS compliance, since
organizations have saved significant time and money by minimizing the
Cardholder Data Environment. The same can hold true for CUI data to comply with
NIST 800-171, and to prove that point we leveraged the Open PCI DSS Scoping
Toolkit to create a free resource, the NIST 800-171 scoping guide.
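The scoping step above (data flow diagrams, network diagrams, then segmentation to shrink the CUI environment) can be modelled as a small reachability exercise. The following script is an added example written for this article; it is not code from the article, from the scoping guide it links, or from the Open PCI DSS Scoping Toolkit. It assumes a simplified three-category model borrowed from PCI scoping practice (Category 1: systems that store, process or transmit CUI; Category 2: systems with a direct, unsegmented network flow to a Category 1 system; Category 3: everything else, out of scope), and the system inventory, flows and segmentation rule are constructed sample data.

```python
from collections import defaultdict

# Constructed sample inventory (not from the article): system name -> True if
# the data flow diagrams show it storing, processing or transmitting CUI.
SYSTEMS = {
    "eng-fileserver": True,
    "eng-workstation": True,
    "backup-server": False,
    "corp-mail": False,
    "hr-payroll": False,
    "guest-wifi": False,
}

# Constructed sample of allowed network flows read off the network diagram,
# as (source, destination) pairs. Connectivity is treated as bidirectional for
# scoping: a system that can reach a CUI system counts as "connected-to".
FLOWS = [
    ("eng-workstation", "eng-fileserver"),
    ("backup-server", "eng-fileserver"),
    ("corp-mail", "eng-workstation"),
    ("hr-payroll", "corp-mail"),
    ("guest-wifi", "corp-mail"),
]


def categorize(systems, flows, segmentation=frozenset()):
    """Assign every system to one of three scoping categories.

    Category 1: stores, processes or transmits CUI (the CUI environment).
    Category 2: holds no CUI but has a direct, unsegmented flow to a
                Category 1 system; still in scope for NIST 800-171.
    Category 3: holds no CUI and has no direct flow into the CUI
                environment; out of scope.

    `segmentation` holds (a, b) pairs for flows that a documented control,
    such as a firewall deny rule, blocks in both directions. Only direct
    connectivity is considered, mirroring the "connected-to" idea; a
    stricter model would follow transitive paths as well.
    """
    cat1 = {name for name, has_cui in systems.items() if has_cui}

    reachable = defaultdict(set)
    for src, dst in flows:
        if (src, dst) in segmentation or (dst, src) in segmentation:
            continue  # flow is cut by a documented segmentation control
        reachable[src].add(dst)
        reachable[dst].add(src)

    cat2 = {neighbor for cui_host in cat1 for neighbor in reachable[cui_host]} - cat1
    cat3 = set(systems) - cat1 - cat2
    return {
        "category1": sorted(cat1),
        "category2": sorted(cat2),
        "category3": sorted(cat3),
    }


def in_scope_fraction(categories):
    """Share of the inventory that NIST 800-171 controls must cover (categories 1 and 2)."""
    in_scope = len(categories["category1"]) + len(categories["category2"])
    total = in_scope + len(categories["category3"])
    return in_scope / total


if __name__ == "__main__":
    before = categorize(SYSTEMS, FLOWS)
    # Constructed remediation: a firewall rule now denies corp-mail <-> eng-workstation.
    after = categorize(SYSTEMS, FLOWS, segmentation={("corp-mail", "eng-workstation")})
    for label, result in (("before segmentation", before), ("after segmentation", after)):
        print(f"{label}: {result}  in scope: {in_scope_fraction(result):.0%}")
```

Running the script shows the point the article makes about PCI DSS carrying over to CUI: before the segmentation rule, the mail server is connected-to and drags itself into scope; after the rule, it and everything behind it drop to Category 3, and the in-scope share of the inventory falls from two thirds to one half. In practice the inventory and flows come from the DFDs and network diagrams you built in the previous two bullets, and each segmentation pair should map to a control you can evidence.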
Evidence of Compliance.
- When you know what your CUI is and where it is
on your network, you now need to go through Appendix D and E of NIST 800-171 to
identify what controls are applicable to your environment.
- If you’ve done a good job scoping your
environment, there may be controls that are not applicable or only applicable
to a small percentage of your network. This is where you need to generate
documentation to explain how these controls are complied with or are not
- Some controls will be administrative in nature,
such as having documented policies, standards and procedures. Other controls
require technology solutions. This is where you have to generate evidence that
is specific to your organization.
- If you do want to engage a cybersecurity
consultant, at least go through those requirements and address the “low hanging
fruit” controls and document what your organization currently does, since most
of the controls are not highly technical or complex in nature. This will save
you considerable consulting fees and will allow your consultant to focus on the
more complicated questions that you have.
Can’t Meet The Deadline?
If you are throwing your hands up
and know you will not be compliant, there is a process in place to deal with
non-compliance. This requires the prime contractor to submit a written request
for a variance from complying with NIST 800-171 to the government contracting officer.
DFARS does not provide any further explanation of the process, other than that if the variance is
approved, the contractor must have “an alternative, but equally effective,
security measure” in place to offset the control that cannot be implemented.
This sounds very similar to the compensating control process for PCI DSS.
Since variances are not
guaranteed, it is not a wise decision to “beg for forgiveness” in terms of
meeting NIST 800-171 compliance, since there will be compliant companies that
are able to pick up the slack and those companies may well benefit from
contracts that are dropped due to non-compliance.
It is not too late to jump on
NIST 800-171 and turn it into a marketing tool. Prime contractors already are
screening subcontractors for compliance with NIST 800-171, so your immediate
efforts may be handsomely rewarded by multi-year contracts with both prime
contractors and the US Government.
Additionally, people overlook
that NIST 800-171 is a very good step in the right direction to counter the
threat to the security of the United States by state-sponsored actors who are
determined to steal valuable intellectual property from US Government
contractors. Taking NIST 800-171 seriously will reduce the risk associated with
cyber threats, but it does take direct management support to make it happen.