The Federal Acquisition Regulatory (FAR) and Defense Acquisition Regulation (DAR) Councils issued new cybersecurity rules for government contractors. The FAR rule, 52.204-21 "Basic Safeguarding of Covered Contractor Information Systems," effective in June 2016, affects all government contractors and lists "basic safeguarding measures that are generally employed as part of the routine course of doing business." The Defense Federal Acquisition Regulation Supplement (DFARS) rule, 252.204-7012 "Safeguarding Covered Defense Information and Cyber Incident Reporting," requires compliance with NIST SP 800-171 R1, a more robust guideline, by December 31, 2017. While no audit plan or third-party system approval process exists for the FAR and DFARS rules, contractors imply compliance by signing and accepting contracts with these clauses. More importantly, these clauses already exist in current contracts, so your compliance is already implied.
In short, the FAR clause applies to all federal acquisitions and the DFARS clause applies to all defense acquisitions, and both have exemptions for commercially available off-the-shelf (COTS) items. For defense contractors, expect to see both clauses in your contract. The FAR clause focuses on systems while the DFARS clause focuses on data, so no apparent contradictions exist. In fact, the two clauses work well together and many of us expect the DFARS rule (or something very similar) to become the FAR rule. Note that some civilian agencies (such as the Federal Deposit Insurance Corporation (FDIC)) are not subject to the FAR.
If you're a U.S. defense contractor, NIST SP 800-171 likely applies to you. What does this mean? The NIST document includes 110 security requirements across 14 categories. The document is written in performance language, meaning that compliance may be achieved through policy and procedure rather than through specific hardware or software requirements. Many organizations will employ new hardware or software to meet the requirements, but they have great flexibility in how they apply and configure such tools.
Each organization must assess its own compliance with the requirements and signal its compliance by signing the contract. As with many federal acquisition requirements, contractors imply compliance by signing and accepting the contract. While the government often does not audit many of the specific certifications and representations made by contractors, it can ask for proof of such compliance. We expect DoD to request and evaluate system security plans (SSPs) and plans of action and milestones (POA&Ms) as part of the acquisition process where significant amounts of controlled unclassified information (CUI) are involved.
It's interesting to note that the Department of Defense (DoD) specifically excludes the submission or acceptance of third-party audits or certifications as addressed in Question 25 in this FAQ. The government acknowledges that organizations will hire outside consulting and technical firms to assist in evaluation and remediation of cybersecurity compliance, but will not accept any such reports or certifications.
Subcontractors, however, engage with prime contractors in a business-to-business (not business-to-government) contractual relationship governed by the Uniform Commercial Code (UCC), not the FAR. Primes may require, and we expect, their subcontractors to undergo external audits and provide written reports of the results of such audits.
Many cybersecurity tools are applicable in our personal and professional lives. Good cyber hygiene habits start at home and are easily transferred to the work environment. We share tips and tricks to show individuals how to protect themselves and their businesses.
Join me at InfoSec World 2018 for a conversation about practical steps toward government contract cybersecurity compliance. We'll talk about the unique requirements for government and defense contractors, walk through the categories of NIST 800-171, and discuss the audit and survey process.
Robert will present his talk, entitled "Analyzing Your Government Contract Cybersecurity Compliance," on Wednesday, March 21st at 10:30 AM at InfoSec World 2018 in Orlando, Florida.