• United States




Department of Defense contractors must implement IT security controls by December 31

Dec 05, 20175 mins
Access ControlComplianceSecurity

Organizations doing business with the U.S. Department of Defense (DOD) must demonstrate their ability meet higher levels IT security for their corporate network and systems by Dec. 31, 2017 or risk losing business.

The United States Department of Defense (DOD) buys over $270 billion worth of products and services from commercial organizations in support of its mission. Thousands of small and large businesses supply a wide variety of products and services from commodities like nails and printers to services such as lawn mowing and complex avionics engineering. However, effective Dec. 31, 2017, a number of these organizations will need to implement enhanced IT security measures otherwise their ability to do business with the Department of Defense is at risk.

Protecting national security through enhanced cybersecurity

After years of dealing with an increasing number of cybersecurity incidents and data breaches involving contractors and third-party service providers, DOD mandated that all organizations doing business with DOD must implement IT security best practices for their corporate systems. This initial announcement was made in 2015, allowing organizations time till Dec. 31, 2017 to implement IT security best practices as specified in NIST Special Publication (SP) 800-171. The requirement to enforce adherence to NIST SP 800-171 was codified in the procurement rules and regulations called Defense Federal Acquisition Regulation Supplement (DFARS). The specific requirements for enhanced cybersecurity controls within the DOD supplier base is specified in DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. This DFARS clause requires organizations doing business with Department of Defense to provide “adequate security” for covered defense information that is processed, stored or transmitted on their internal information system or network.

Understanding NIST SP 800-171 compliance

Most requirements in NIST SP 800-171 are about policy, process and configuring IT securely. These requirements entail determining what the company policy should be (e.g., what should be the interval between required password changes) and then configuring the IT system to implement the policy. Some requirements require security-related software (such as anti-virus) or additional hardware (e.g., firewall). NIST SP 800-171 by itself does not provide prescriptive information on how the requirements should be met but additional guidance is provided by looking at relevant security controls that are specified in NIST SP 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations.”  The security requirements are organized into 14 groups or control families with a total of 109 specific security requirements as shown in the table below.

800 171 controls Guarav Pal

Most IT and cybersecurity experts would agree that these are absolutely minimum requirements and essential for ensuring the confidentiality, integrity and availability of information within a system.

Compliance with NIST SP 800-171 is the organization’s responsibility through self-attestation that requires demonstrating implementation or planned implementation of the security requirements with a “system security plan” and associated “plans of action.”  The System Security Plan (SSP) requires developing and documenting system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. The Plans of Action also known as Plan of Actions & Milestones (POAM) to document timelines designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems. Demonstrating compliance with NIST SP 800-171 after December 31, 2017 will require organizations to affirm meeting requirements as covered within their SSP. The SSP may need to be referenced in technical proposals.

Organizations looking to meet DFARS and NIST SP 800-171 requirements must consider time to compliance, financial investment and complexity of the systems involved. Given that the deadline for implementation is December 31, 2017, time to compliance is critical.

FedRAMP and DOD accredited Cloud Service Providers to the rescue

Luckily, over the past few years the US Federal Government has implemented the Federal Risk & Authorization Management Program (FedRAMP). The FedRAMP program accredits cloud service providers with strong security and compliance practices that comply with NIST specifications. Given that these cloud services have been accredited, they are viable options for contractors and sub-contractors looking for expedient and cost competitive solutions to meet DFARS and NIST SP 800-171 requirements.

FedRAMP accredited cloud services at the moderate level or commensurate DOD Impact Level-4 are viable options and allow organizations to inherit and leverage existing controls. Principally, Amazon Web Services (AWS) and Microsoft Azure offer the broadest selection of accredited cloud hosting solutions. Amazon’s East/West and GovCloud regions are popular with Government organizations and contractors with a broad set of accredited IaaS and PaaS offerings. The FedRAMP Program Office and DOD have provided the Authority To Operate (ATO) for both AWS East/West and AWS GovCloud regions at the FedRAMP Moderate level. This allows organizations to take advantage of an existing certified infrastructure as a service (IaaS) environment. Organizations have the option to consider AWS East/West or AWS GovCloud – in the event there are ITAR responsibilities then AWS GovCloud should be considered. This helps reduce the cost of compliance and accelerates the ability to meet the DFARS requirements.

Cloud architecture and implementation strategies

DOD contractors and sub-contractors must consider various implementation options and alternatives. For example, many organizations are considering creating isolated dedicated environments just for government and defense related work. This approach helps reduce the cost and adoption impact especially if DOD or government work is just a sub segment of the overall business portfolio.

There are a number of on-demand services and solutions such as storage, file shares, virtual desktops and potentially even email or portal services for exchanging information. Creating a compliant solution requires advanced information technology engineering skills that include multiple disciplines. Specific areas of expertise required include infrastructure engineering, networking, security and compliance architecture. A mix-and-match approach that leverages existing capabilities and filling gaps with outsources assistance is a very common way of accelerating the compliance process.


Gaurav “GP” Pal is CEO and founder of stackArmor. He is an award-winning Senior Business Leader with a successful track record of growing and managing a secure cloud solutions practice with over $100 million in revenue focused on U.S. federal, Department of Defense, non-profit and financial services clients. Successfully led and delivered multi-million-dollar Amazon Web Services (AWS) cloud migration and broker programs for U.S. government customers including the Department of the Treasury, and Recovery Accountability & Transparency Board (RATB) since 2009.

GP is the Industry Chair at the University of Maryland’s Center for Digital Innovation, Technology and Strategy (DIGITS). He has strong relationship-based consultative selling experience with C-level executives providing DevOps, Managed Services, IaaS, Managed IaaS, PaaS and SaaS in compliance with US FedRAMP, FISMA, HIPAA and NIST Security Frameworks. He has a successful track record of delivering multiple cloud solutions with leading providers including Amazon Web Services (AWS), Microsoft, Google and among others.

GP is a published author and thought leader having spoken at Cloud Expo East, and published in InformationWeek, Gigaom, JavaWorld and IEEE among others.

The opinions expressed in this blog are those of GP and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.