by Jane Ginn
With the renewed emphasis within the U.S. Department of Defense (DOD) on trustworthy information systems and supply chain security, it is essential for companies in the DOD vendor supply chain to have the capability to express their information security policies and procedures with clarity and specificity. This will demonstrate compliance with, at a minimum:
- DFARS Subpart 204.73
- NIST Special Publication 800-53, Rev.4
- FIPS Publications 199 & 200
- NIST Special Publication 800-37
- NIST Special Publication 800-39
These regulations are authorized by the 2002 Federal Information Security Management Act (FISMA) information technology requirements and emphasize, among other things, the supply chain protection elements DOD must consider when procuring systems, components, and services necessary for mission success. To ensure to DOD that a company has such capabilities a demonstration of the security controls that a company in the supply chain currently has in place must be made. And, according to regulations issued in November, 2013, and updated December, 2014, this demonstration must be made in accordance with best practices as outlined in the National Institute for Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 4, Appendices F & G. If such controls are found to be insufficient in an initial assessment, a step-by-step remediation plan should be outlined and implemented according to a systematic schedule.
Vendors in the DOD supply chain have a responsibility to meet the requirements of DFARS Subpart 204.73 (added November 18, 2013) for safeguarding “unclassified controlled technical information” residing on or transiting through unclassified information systems. DOD vendors are also responsible for reporting an incident to DOD within 72 hours of discovery in accordance with criteria set forth in FAR Subpart 252.204-7012. A cyber incident would include exfiltration, manipulation or other loss or compromise of data or any other activity that constitutes a breach of authorized access. Incident data that must be reported includes:
- Data Universal Numbering System (DUNS)
- Contract numbers affected unless all contracts by the company are affected
- Facility CAGE code if the location of the event is different than the prime Contractor location
- Point of contact if different than the POC recorded in the System for Award Management (address, position, telephone, email)
- Contracting Officer point of contact (address, position, telephone, email)
- Contract clearance level
- Name of subcontractor and CAGE code if this was an incident on a Sub-contractor network
- DoD programs, platforms or systems involved
- Location(s) of compromise and date discovered
- Type of compromise (e.g., unauthorized access, inadvertent release, other)
- Description of technical information compromise.
Summary of Controls
The key controls that a company must ensure are divided into 14 major categories
Specific controls that map back to NIST SP 800-53 are called out in the DFARS. From 12 to 3 specific controls have been specified within each of the 14 categories and, when combined and fully operational, the control set is aimed at building a defense-in-depth cybersecurity strategy.
According to several interviews with DOD prime contractors that purchase goods and services from specialty firms, many of their suppliers are smaller firms without the in-house information technology capabilities to implement FAR 204. These small and medium-sized enterprises (SMEs) must first perform a baseline assessment of their current conditions in each of these categories. They must then map their current implementation to applicable regulatory controls and assign priorities to each. They must then begin a systematic process for upgrading their administrative, technical and operational controls to meet the NIST 800-53 Standard. This is an expensive and time-consuming process that will take these SME personnel away from their core responsibilities, and divert them toward a regulatory and compliance activity that will not help their bottom line. However, given the uptick in cyber-attacks on US targets, this is likely to be a time-consuming, but necessary process.
The Defense Industrial Base – Information Sharing and Analysis Center (DIB – ISAC) has developed a program for verifying compliance in accordance with these rules; CyberVerify. CTIN is currently developing a SaaS-based software application to make the compliance process less painful for the small companies subject to these rules; VendorCET. Contact us at: rjg (at) ctin.us for more information.