DOD releases new guidance to protect data within the supply chain

The U.S .Department of Defense issued new guidance on how it might penalize business partners that do not adequately adhere to new security rules codified in NIST SP 800-171.

NIST has prescribed a set of 110 security requirements that are derived from a larger standard called NIST SP 800-53 that governs cybersecurity standards for government systems. December 31, 2017 was the designated deadline for implementing the controls as part of DFARS 252.204-7012 to protect confidential unclassified information (CUI).

Multiple government agencies such as NIST, NARA and DoD have worked together to provide guides, faq’s, and handbooks to help organizations implement and comply with the new requirements. NIST released templates for the System Security Plans (SSP), Plan of Actions and Milestones to help make it easier to provide the required documentation. On April 24, 2018 the government issued new guidance to further clarify its intent and manner by which it will enforce the implementation and subsequent assessment of the controls.

Cybersecurity and compliance are not just a checkbox exercise

To facilitate gradual adoption, DoD allowed businesses to specify a future date for implementing security controls through the Plan of Actions & Milestones (POAM) artifact. Many organizations have resorted to “POAM’ing” requirements in a checkbox exercise and generated System Security Plans that are very light and do not adequately describe the security posture of the vendor.

The new DOD guidance for reviewing system security plans and the NIST SP 800-171 security requirements not yet implemented  assigns risk scores to controls. Security controls that are deemed high risk and have not been implemented pose a continued risk to the government. The latest guidance helps ensure that businesses can assess and prioritize how they wish to go about implementing the 110 security controls.

The new guidance also provides specific information on the downsides of not implementing the new security controls. The “Assessing the State of a Contractor’s Internal Information System in a Procurement Action” document outlines the specific conditions during the request for proposals (rfp), source selection and subsequent contract award that will looked at by government officials related to NIST SP 800-171 compliance.

System Security Plans (SSP) are highly likely to be part of your proposal response package

System Security Plans (SSP) are artifacts developed to describe how security requirements and controls are implemented by a vendor. While DoD does not explicitly recommend a format, NIST has published a sample template.

Given that federal agencies like DCMA will review SSP’s, they are likely to expect well written and structured documents. NIST SP 800-18 and NIST SP 800-171A will be used to assess whether or not the presented SSP’s are written in a manner that are deemed complete and likely to pass an assessment. Given the stakes involved in DoD contracts and the tremendous expense in bid & proposal, business development and marketing efforts, it would be a shame to lose a contract bid due to a poorly written SSP!

To avoid such a negative outcome, organizations should closely review NIST SP 800-171A “Assessing Security Requirements for Controlled Unclassified Information (Final Draft)”. Creating a SSP document that aligns to the assessment guidance will provide a defensible compliance product that meets the likely assessment standards of the government.

Cybersecurity and compliance are not one-off activities

Many organizations believe that compliance with NIST SP 800-171 simply requires creating a set of static documents with the objective of being eligible for contract awards. That approach is not likely to work. Cybersecurity and compliance requirements will continuously evolve to meet new threats and vulnerabilities. Contractors and Universities looking to implement a compliant system should consider a holistic NIST SP 800-171 solution. The following three factors are critical for organizations to consider.

1. SSP’s are dynamic artifacts not static documents. Systems Security Plans and the security controls mandated in NIST SP 800-171 Rev 1 are based on NIST SP 800-53 Rev 4. As the threats and vulnerabilities change, NIST publishes updated security guides. NIST SP 800-53 Rev 5 has been released and is currently in draft format. It is reasonable to expect that in a 12-18-month time period, the next iteration of NIST SP 800-171 will be published requiring updates. Using a digital format instead of static word documents or pdf’s can help lower the cost of compliance by allowing for automatic updates and upgrades.
2. SSP and POAM artifacts will need to be shared. SSP’s contain sensitive information and as part of the due diligence process may need to be shared with external parties such as prime contractors, government acquisition and security officials. Businesses must be ready for such scenario’s and not resort to the easy route of simply emailing documents. This is a big security hazard and could place the organization at risk given the incidents of email hacks. A better approach is to create a redacted version where certain sensitive information like IP addresses for example are blacked out. Further, think about creating a digital reading room, which is a best practice followed by most government organizations. A digital reading room allows the sharing of a link to a document which can be easily tracked and revoked, and downloads can be prevented. Further the data can be stored in encrypted state. Solutions similar to stackArmor RapidSSP help address these requirements by providing an integrated suite to cost effectively and securely meet such needs.
3. Continuous monitoring and cybersecurity incident reporting. NIST security best practices and DoD DFARS 7012 require the continuous monitoring of IT systems. This includes implementing a robust logging, monitoring and alerting system. Businesses have 72 hours to report a cybersecurity incident to a DoD entity. Given the need to report cybersecurity incidents it is essential to implement processes to review logs and analyze anomalous events.