Does your company do business with the Department of Defense? Do you want that business to continue after 2017? If you answered yes to both of these questions, you need to know about Defense Federal Acquisition Regulation Supplement (DFARS) clause 225.204-7012 and its potential impact on your business. As of December 2015, DFARS 225.204-7012 requires contractors to implement NIST Special Publication (SP) 800-171 standards “as soon as practical, but not later than December 31, 2017.” The title of NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, should give you a sense of what is behind this directive. In practical terms, the Department of Defense (DoD) is telling its contractor community that if you want to be allowed to receive information determined by DoD to be of a sensitive nature, you must provide assurance to DoD that your own IT systems will provide an acceptable level of security for that information. Failing to do so after 2017 will preclude you from contracting with DoD.
DFARS 225.204-7012 requires contractors to implement NIST SP 800-171 standards, not later than December 31, 2017
DFARS 225.204-7012 is now included in all solicitations issued and contracts awarded by the DoD (except solicitations/contracts strictly for commercial off-the-shelf items). Subcontracting does not exempt you – the clause is flowed down in cases where covered defense information is to be passed to the subcontractor. As its title implies, the clause relates to Safeguarding Covered Defense Information. The clause also lays out cyber incident reporting requirements which, although highly relevant, are beyond the scope of this blog. You can read the full clause here.
So what, you may ask, is “covered defense information”? In short, it is the DoD version of “Controlled Unclassified Information” which is the focus of NIST SP 800-171. Here is how DFARS 225.204-7012 defines it:
“Covered defense information” means unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is—
(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
While achieving compliance may at first seem like a daunting task, keep in mind that the NIST standards are generally best practice standards that, in some instances, your company may already have implemented. Rest assured, however, that achieving compliance will take an organized and disciplined effort (there is a reason that DoD is not requiring immediate compliance). So if you have not started to implement a program to achieve compliance, time is of the essence.
The good news is that there are numerous resources available to help you achieve compliance. You might consider bringing in a third-party security auditor, well versed in the NIST 800-171 standards, to assess your situation and recommend an action plan. You might also want to assess your current contract portfolio – what security and reporting standards apply to your company right now. Establishing an accurate baseline is an essential first step to achieving compliance.
Monitoring and documenting continuing compliance
NIST SP 800-171 compliance is a dynamic process. Your IT systems, as well as government security standards, are always changing. Achieving compliance is only the start; maintaining compliance is an ongoing process. Automating your company’s monitoring program is the ideal way to ensure ongoing success in maintaining and documenting compliance on a continuous basis.
Achieving compliance is only the start; maintaining compliance is an ongoing process
SecurityCenter Continuous View® (SecurityCenter CV™) from Tenable automates the monitoring and assessment of NIST SP 800-171 technical security controls, helping you to measure, visualize and graphically communicate adherence to the standards. SecurityCenter CV offers several reports, dashboards, and Assurance Reports Cards® (ARCs) that are both ready-to-use for NIST SP 800-171 compliance and customizable to your business needs.
The Audit and Monitoring Dashboard is the best example of a SecurityCenter CV tool that aligns with NIST SP 800-171. The dashboard monitors the Audit and Accountability (section 3.3) and System and Information Integrity (section 3.14) sections, known as “families” in SP 800-171. These two families require the monitoring, analysis and reporting of unlawful, unauthorized or inappropriate system activity to detect potential attacks. For example, inbound and outbound communications traffic could be indicators of suspicious activity. Such behavior could trigger your immediate investigation and responsive actions to thwart an attack. Security Center CV, with its passive monitoring capability, delivers the continuous visibility required to detect the suspicious activity. Once detected, the enabling dashboard also helps you correlate your audit reviews, assessment and reporting processes, facilitating compliance with 800-171.
You can read more about SecurityCenter CV SP 800-171 dashboards and ARCs on the Tenable website.
The DFARS deadline is closer than you think
If you work with DoD, now is the time to implement NIST SP 800-171 and to automate the controls with SecurityCenter CV
After a two-year compliance period, the DFARS deadline is fast approaching. If you work with DoD, now is the time to implement NIST SP 800-171 and to automate the controls with SecurityCenter CV. Don’t let non-compliance compromise your ability to win new contracts.