DoD Cybersecurity Rules: Government Contractors Need to Kno · NIST SP 800-171 ‘Tailoring Criteria' SP 800-171 guidelines are tailored for nonfederal information systems that contactors

1government contracting

DoD Cybersecurity Rules:Government Contractors Need to KnowBill Walter, DHGJermaine Stanley, DHGTom Tollerton, DHG


Speaker Information

TomTollerton,ManagerDixonHughesGoodman,LLP(704)[email protected]

JermaineStanley,ManagerDixonHughesGoodman,LLP(703)[email protected]

@DHG_GovCon@DHG_Cyber

BillWalter,PartnerDixonHughesGoodman,LLP(703)[email protected]


Topics for Today

• Introductions• BackgroundofDoDCybersecurityRules• UpdatestoComplianceRequirements• NISTSP800-171Overview• KeyDates• WhatShouldGovernmentContractorsBeDoing?



DoD Cybersecurity Rules



InterimRule#1…RequirescontractorreportingofnetworkpenetrationsandimplementedtheDoDCIOCloudComputingSecurityRequirementsGuide(SRG)Version1,Release1onJanuary13,2015.1

ThisruleisintendedtostreamlinethereportingprocessforDoDcontractorsandminimizeduplicativereportingprocesses.2

InterimRule#2ExtendedtimelineforcompliancetoprovidecontractorswithadditionaltimetoimplementsecurityrequirementsspecifiedbyaNISTSpecialPublication(SP)800-171.3




InterimRule#1…Setforth(i)informationsystemsecurityrequirements;(ii)mandatorycyberbreachreporting;and(iii)cloudcomputingstandardsandprocedures.

Expandedsafeguardingrequirementstocoverthesafeguardingofcovereddefenseinformation(CDI)residingincontractorinformationsystems,andrequiredcompliancewiththesecurityrequirementsintheNationalInstituteofStandardsandTechnology(NIST)SpecialPublication(SP)800–171,‘‘ProtectingControlledUnclassifiedInformationinNonfederalInformationSystemsandorganizations




(ii)MandatoryCyberIncidentReporting§ Increasednumberofcircumstanceswherecontractorsmustreportincidents.

§ IncidentsmustbereportedtoDoDwithin72hours.§ Howdowedefineanincident?

‒ Incidentvs.Compromise‒ Event?




(iii)CloudComputerStandardsandProcedures§ EnforcespreviousguidanceissuedbyDoDCIOoncontractingcloudservices

§ Enforces“CloudComputingSecurityRequirementsGuide”‒ FedRAMPcompliancestillrequired,butadditionalcontrolsfor“moresensitiveinformation”

‒ DefinesseveraladditionalclassesofSensitiveData




NewDefinitions…§ CUIvs.UCTIvs.CDI§ 800-171refersto“ControlledUnclassifiedInformation”

‒ Wasdatedbeforethenewruleswereputinplace§ “UnclassifiedControlledTechnicalInformation”wastheoriginalterminDFARS252.204-7012

§ CoveredDefenseInformation– newtermthatencompassesalloftheabove,aswellasnewtypesofinformation




CoveredDefenseInformation(CDI)§ UnclassifiedinformationprovidedtothecontractorbyoronbehalfofDoDinconnectionwiththeperformanceofthecontract;or

§ Unclassifiedinformationwhichiscollected,developed,received,transmitted,used,orstoredbyoronbehalfofthecontractorinsupportoftheperformanceofthecontract




CoveredDefenseInformation(CDI)is…§ Controlledtechnicalinformation(Military)§ Exportcontrolledinformation(commodities,tech,softwareetc.)

§ Criticalinformation(DoDDirective,OPEC,etc.)§ ‘CatchAll’(privacyorproprietarybusinessinformation)




CoveredContractorSystems§ ContractorownedInformationSystem§ Processes,stores,ortransmitsCDI§ Properscopingiskey

‒ Serversandworkstations‒ Networkdevices‒ Storagesystems



Updates to Compliance Requirements


Updated Requirements

Remember…DoDissuedInterimRule#2amendingtheDefenseFederalAcquisitionRegulationSupplement(DFARS)toprovidecontractorswithadditionaltimetoimplementsecurityrequirementsspecifiedinNISTSP800-171.



Additional Updated Requirements § DFARSclause252.204–7012wasamendedtorequirenotificationtheDoDCIO

ofanyNISTSP800–171requirementsthatarenotimplementedatthetimeofcontractaward,within30daysofcontractaward(Doesnotexemptorganizationsfromworkingtoward100%compliance)

§ DFRSprovision252.204–7009andclause252.204–7012wereamendedtorequire,whenapplicable,inclusionoftheclausewithoutalteration,excepttoidentifytheparties.

§ DFARSclause252.204–7012wasfurtheramendedtolimittherequirementtoflowdowntheclauseonlytosubcontractorswheretheireffortswillinvolvecovereddefenseinformationorwheretheywillprovideoperationallycriticalsupport.

§ DFARSclause252.204–7012wasamendedtoremovetherequirementforDoDCIOacceptanceofalternativebutequallyeffectivesecuritymeasurespriortoaward.



NIST SP 800-171


NIST SP 800-171

ProvidesfederalagencieswithrecommendedrequirementsforprotectingtheconfidentialityofCUI:(i)whentheCUIisresidentinnonfederalinformationsystemsandorganizations;

(ii)whentheinformationsystemswheretheCUIresidesarenotusedoroperatedbycontractorsoffederalagenciesorotherorganizationsonbehalfofthoseagencies;and

(iii)wheretherearenospecificsafeguardingrequirementsforprotectingtheconfidentialityofCUI



NIST SP 800-171

‘TailoringCriteria'

SP800-171guidelinesaretailoredfornonfederalinformationsystemsthatcontactorsalreadyhaveinplace,withagoalofattemptingtoavoidrequiringcontractorstocompletelyreplacelegacyinformationsystems.

ProvidesacompletelistingofthesecuritycontrolsintheNISTSpecialPublication800-53moderatebaselineandthetailoringactions(byfamily)thathavebeencarriedoutonthesecuritycontrolsinthemoderatebaseline.

– ThetailoringactionsfacilitatethedevelopmentoftheCUIderivedsecurityrequirements



NIST SP 800-171

Threeprimarycriteriaforeliminatingasecuritycontrolorcontrolenhancementsfromthemoderatebaselineincluding:§ Thecontrolorcontrolenhancementisuniquely

federal(i.e.,primarilytheresponsibilityofthefederalgovernment);

§ ThecontrolorcontrolenhancementisnotdirectlyrelatedtoprotectingtheconfidentialityofCUI;or

§ Thecontrolorcontrolenhancementisexpectedtoberoutinelysatisfiedbynonfederalorganizationswithoutspecification.



Key Dates

August26,2015-expanded

safeguardingrequirementstocovercovered

defenseinformation(CDI)

Dec.14,2015–Publicmeeting

withDoDcontractors

Dec.30,2015–DoDissues

interimruletograntadditional

timeforcontractorstoimplementNISTSP800-171

Dec.31,2017-Contractorsmustcomplywiththe

requirementsofNISTSP800-

171



What Should Government Contractors Be Doing?


What Should We Do?

ExpectationsofContractors§ UnderstandstatusofcompliancewithSP800-171

‒ Beabletocommunicategaps‒ HaveaplanforremediationbyDec.31,2017

§ Haveasystembreachreportingplan‒ Howquicklyareweabletoperformaninvestigation?



What Should We Do?

CurrentPriorities…§ Understandcompliancerequirements

§ Thetimetobeginreviewingcontrolcompliancestatusisnow!

§ Breachnotificationrequirementswithin72hours‒ Howdowereport?‒ What’sinvolved?



What Should We Do?

CriticalQuestions…§ Doweknowthenatureofourin-scopesystem?

‒ Doweknowexactlywhatdatawehave?‒ Dataflows‒ Systemsthat“transmit,process,orstore”relevantdata

§ Needtoproperlyscopeour“coveredinformationsystem.”‒ Segmentationcandramaticallyreduceorexpandthescopeofcompliancerequirements



What Should We Do?

CriticalQuestions…§ Areweeffectivelypushingandenforcingcompliancerequirementswithoursubs?

§ Howareweperformingourcomplianceassessment?‒ Areweusingobjectiveanalysis?‒ Tabletopexerciseorin-depthassessment?‒ Areweusingtoolstoconducttechnicalreviews?‒ Areweimplementingadequateplantoremediategaps?



Questions?@DHG_GovCon@DHG_Cyber


Join Us Next Month @DHG_GovCon@DHG_Cyber

DCMAGuidanceUponCompensationBlendingClarifications,Questions,andConcerns

Wednesday,March9th,11:00am

DoD Cybersecurity Rules: Government Contractors Need to Kno · NIST SP 800-171 ‘Tailoring Criteria' SP 800-171 guidelines are tailored for nonfederal information systems that contactors

Documents