Organizations doing business with the U.S. Department of Defense (DOD) must demonstrate their ability to meet higher levels of IT security for their corporate networks and systems by Dec. 31, 2017, or risk losing business.

The United States Department of Defense (DOD) buys over $270 billion worth of products and services from commercial organizations in support of its mission. Thousands of small and large businesses supply a wide variety of products and services, from commodities like nails and printers to services such as lawn mowing and complex avionics engineering. However, effective Dec. 31, 2017, a number of these organizations will need to implement enhanced IT security measures; otherwise their ability to do business with the Department of Defense is at risk.

Protecting national security through enhanced cybersecurity

After years of dealing with an increasing number of cybersecurity incidents and data breaches involving contractors and third-party service providers, DOD mandated that all organizations doing business with it must implement IT security best practices for their corporate systems. This initial announcement was made in 2015, giving organizations until Dec. 31, 2017 to implement the IT security best practices specified in NIST Special Publication (SP) 800-171. The requirement to enforce adherence to NIST SP 800-171 was codified in the procurement rules and regulations known as the Defense Federal Acquisition Regulation Supplement (DFARS). The specific requirements for enhanced cybersecurity controls within the DOD supplier base are specified in DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.
This DFARS clause requires organizations doing business with the Department of Defense to provide “adequate security” for covered defense information that is processed, stored or transmitted on their internal information systems or networks.

Understanding NIST SP 800-171 compliance

Most requirements in NIST SP 800-171 are about policy, process and configuring IT securely. These requirements entail determining what the company policy should be (e.g., the interval between required password changes) and then configuring the IT system to enforce that policy. Some requirements call for security-related software (such as anti-virus) or additional hardware (e.g., a firewall). NIST SP 800-171 by itself does not provide prescriptive information on how the requirements should be met, but additional guidance is available in the corresponding security controls specified in NIST SP 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations.” The security requirements are organized into 14 groups, or control families, with a total of 109 specific security requirements, as shown in the table below.

Most IT and cybersecurity experts would agree that these are absolute minimum requirements, essential for ensuring the confidentiality, integrity and availability of information within a system. Compliance with NIST SP 800-171 is the organization’s responsibility through self-attestation, which requires demonstrating implementation or planned implementation of the security requirements with a “system security plan” and associated “plans of action.” The System Security Plan (SSP) requires developing and documenting system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
The Plans of Action, also known as Plans of Action & Milestones (POAM), document the timelines for correcting deficiencies and reducing or eliminating vulnerabilities in the organization’s systems. Demonstrating compliance with NIST SP 800-171 after December 31, 2017 will require organizations to affirm that they meet the requirements as covered within their SSP. The SSP may need to be referenced in technical proposals.

Organizations looking to meet DFARS and NIST SP 800-171 requirements must consider time to compliance, financial investment and the complexity of the systems involved. Given that the deadline for implementation is December 31, 2017, time to compliance is critical.

FedRAMP and DOD accredited Cloud Service Providers to the rescue

Luckily, over the past few years the US Federal Government has implemented the Federal Risk & Authorization Management Program (FedRAMP). The FedRAMP program accredits cloud service providers with strong security and compliance practices that comply with NIST specifications. Because these cloud services have already been accredited, they are viable options for contractors and sub-contractors looking for expedient and cost-competitive solutions to meet DFARS and NIST SP 800-171 requirements.

FedRAMP-accredited cloud services at the Moderate level, or the commensurate DOD Impact Level 4, are viable options and allow organizations to inherit and leverage existing controls. Principally, Amazon Web Services (AWS) and Microsoft Azure offer the broadest selection of accredited cloud hosting solutions. Amazon’s East/West and GovCloud regions are popular with Government organizations and contractors, with a broad set of accredited IaaS and PaaS offerings. The FedRAMP Program Office and DOD have provided the Authority To Operate (ATO) for both the AWS East/West and AWS GovCloud regions at the FedRAMP Moderate level. This allows organizations to take advantage of an existing certified infrastructure as a service (IaaS) environment.
Organizations have the option to consider AWS East/West or AWS GovCloud; where there are ITAR responsibilities, AWS GovCloud should be considered. This helps reduce the cost of compliance and accelerates the ability to meet the DFARS requirements.

Cloud architecture and implementation strategies

DOD contractors and sub-contractors must consider various implementation options and alternatives. For example, many organizations are considering creating isolated, dedicated environments just for government and defense-related work. This approach helps reduce the cost and adoption impact, especially if DOD or government work is just a sub-segment of the overall business portfolio.

There are a number of on-demand services and solutions such as storage, file shares, virtual desktops and potentially even email or portal services for exchanging information. Creating a compliant solution requires advanced information technology engineering skills spanning multiple disciplines. Specific areas of expertise required include infrastructure engineering, networking, and security and compliance architecture. A mix-and-match approach that leverages existing capabilities and fills gaps with outsourced assistance is a very common way of accelerating the compliance process.