For several years the Department of Defense (DoD) has been focused on protecting controlled unclassified information. Seven years ago, around November 2010, the White House issued Executive Order 13556, which established an open and consistent program across all civilian and defense agencies for managing such information. The problem this Executive Order sought to rectify was that departments and agencies had ad hoc measures for safeguarding controlled unclassified information. That ad hoc approach led to confusion and inconsistencies in the sharing of authorized and sensitive information, which was a major security concern.
Effective June 15th, 2016, the DoD, General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) published a rule requiring federal government contractors and subcontractors to apply cyber security controls to protect sensitive information. The deadline for compliance is December 31st, 2017.
This applies to contractors and subcontractors within these organizations that meet the following criteria:
In simple terms, any contractor or nonfederal organization that stores and/or processes what is defined as federal Controlled Unclassified Information (CUI) on its systems must meet the criteria required to comply with DFARS NIST SP 800-171. However, publicly available information that is considered “fundamental research” does not fall under CUI and is therefore not subject to the DFARS 800-171 requirements.
These systems are to be protected by implementing the security requirements published in NIST SP 800-171, which outlines what contractors and subcontractors must put in place.
This NIST document includes 14 families of security requirements:
Access Control:
- Requires limiting system access to authorized users. This also covers any related device that has access to your systems.
Awareness and Training:
- Ensures that all personnel are trained and educated about the security risks, both to themselves and to any vendor.
Audit and Accountability:
- Involves monitoring all related records so that they can be retrieved for analysis or investigation.
Configuration Management:
- Requires establishing an operational baseline for the inventory of systems in use and for the configuration of that inventory, where applicable.
Identification and Authentication:
- DFARS 800-171 is very much concerned with the “who” and therefore requires identifying any person who may access CUI data.
Incident Response:
- A key aspect of this federal regulation is that organizations are able to respond appropriately to an unexpected occurrence that could compromise sensitive data, and are able to recover CUI data.
Maintenance:
- Because DFARS 800-171 is dynamic in nature, organizations are required to continuously monitor and maintain all parts of their infrastructure and systems.
Media Protection:
- Involves the physical protection of any media, in any format, on which CUI data is stored.
Personnel Security:
- In addition to the training and increased awareness of personnel, an organization must also screen any individual who requires access to any system or device that contains CUI.
Physical Protection:
- Involves limiting physical access by personnel in order to secure any system, room, office or device located on an organization's premises or off-premises.
Risk Assessment:
- As part of ongoing monitoring, organizations are required to conduct risk assessments to avoid possible breaches and/or vulnerabilities.
Security Assessment:
- In addition to the periodic risk assessment, an organization is also required to perform a security control assessment, which addresses possible breaches and/or vulnerabilities at the level of IT technical controls.
System and Communications Protection:
- Centers on continuously monitoring the information an organization transmits or receives, whether externally or internally.
System and Information Integrity:
- Requires maintaining the security, integrity, and availability of any sensitive or CUI-related data.
What Does It Mean for You?
If you are an information systems contractor or sub-contractor that processes or stores federal information, you should think about the following:
- Act before Dec 31st to ensure you are compliant.
- Get buy-in from the leadership members, owners or directors of your organization.
- Seek outside help from qualified consulting firms that specialize in assessing the state of your information security program and can help build a remediation blueprint designed to meet the DFARS 800-171 requirements.
- Implement a centralized workflow process or “engine” designed for continuous monitoring, alerting and data mapping of all 14 controls and the related 109 sub-controls.