2017 is a significant year for Department of Defense (DoD) contractors, as Defense Federal Acquisition Regulation Supplement (DFARS) compliance is required “as soon as practical, but no later than December 31, 2017 (252.204-7012.ii.A).” DFARS clause 252.204-7008 addresses requirements for safeguarding covered defense information controls in government contractor systems. Covered defense information is a broad term for unclassified controlled technical information or other Controlled Unclassified Information (CUI), which has protection and dissemination requirements. Clause 252.204-7012 expands on these safeguards to include cyber incident reporting requirements. These mandatory controls are detailed in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171: Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations.
As there are 109 controls in NIST SP 800-171, government contractors may be concerned about successfully navigating the road to compliance. A gap analysis can determine a remediation approach for deficient areas. This gap analysis can be expedited by using Appendix D – Mapping Tables, which maps CUI Security Requirements to NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations and International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001: Information Security Management controls.
Remediation activities should include clearly documenting controls via matrices or procedures that are developed from a comprehensive suite of IT policies. Once the appropriate controls and documents are in place, monitor the controls for proper design and operating effectiveness. If controls sufficiently address 800-171 control objectives but vary from the requirements, per 252.204-7012, contractors may submit an exception request for the DoD Chief Information Officer (CIO) to consider. This process is also followed when contractors determine a control is not applicable to their services.
The time is now to determine how DFARS compliance will be implemented by the deadline. Considering the new requirements may result in control development or revision, proactive contractors will be well-positioned to maintain current and receive new DoD awards. DFARS does not contain specific details on 800-171 implementation evaluation criteria, but the expectation is that all DoD contractors will meet the requirements. In addition to the implementation deadline, contractors who receive awards before October 1, 2017, but have not implemented all 800-171 controls must report this status within 30 days of the award date to the DoD CIO via email.
Federal agency cybersecurity effectiveness and resilience is imperative to national security goals. Government contractors have a responsibility to remain trustworthy DoD partners to support mission fulfillment through effective DFARS compliance. For more information, contact one of our risk advisory specialists at 301.231.6200.