If you are doing business with the Department of Defense (DoD), you need to be aware of the Dec. 31, 2017, deadline to comply with the DFARS’ new Cybersecurity mandate. DoD requires all contractors to provide assurance to DoD that their IT systems will provide an acceptable level of security when receiving information determined by DoD to be of a sensitive category by the close of 2017.
This article provides a general overview of the requirements. Who is impacted? What type of information is covered? What action is required? What happens to companies that do not comply?
1. What is the U.S. NIST Cybersecurity Framework?
In June 2015, the National Institute of Standards and Technology (NIST) issued a publication (NIST 800-171) titled “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” When NIST 800-171 was published, it specified a grace period that ends Dec. 31, 2017.
2. Are the NIST Cybersecurity Standards Mandatory?
Yes. All contractors doing business with the DoD must implement and certify compliance with NIST 800-171 by Dec. 31, 2017. A contractor can meet its contractual obligations by either fully implementing the protocols of NIST 800-171 or by documenting potential gaps with its compliance with a plan of action to eliminate and mitigate each weakness.
3. Who is Affected by NIST 800-171?
Anyone (individual or business/contractor) who processes, stores or transmits Controlled Unclassified Information (“CUI”) for or with the DoD is impacted. This includes all governmental contractual relationships at any tier. The prime contractor is required to disclose to the Contracting Officer any deviations from the security requirements in NIST 800-171 within 30 days of contract award, and the mandatory flow-down condition imposes the same reporting obligations on subcontractors. The requirements apply to contracts and subcontracts of any dollar value.
Contractors with information system development life cycle responsibilities, acquisition or procurement responsibilities, information system, security, and/or risk management and oversight responsibilities, and information security assessment and monitoring responsibilities are particularly affected.
4. What is CUI?
CUI is a broad category that encompasses many different types of sensitive, but not classified information. CUI is intended to replace categories such as “For Official Use Only” and “Sensitive but Unclassified” and “Law Enforcement Sensitive.” CUI is “information that law, regulation, or government wide policy requires to have safeguarding or disseminating controls.” For example, personally identifiable information such as health documents, proprietary material and information related to legal proceedings would all count as CUI. Each Federal agency is required to establish and maintain a public CUI registry reflecting authorized CUI categories and subcategories and associated markings.
5. What are the NIST 800-171 Requirements?
The purpose of the NIST 800-171 requirements is to protect the confidentiality of CUI when the CUI is residing in nonfederal information systems and organizations. There are 14 categories of security requirements that contractors must satisfy:
- Access Control;
- Audit and Accountability;
- Awareness and Training;
- Configuration Management;
- Identification and Authentication;
- Incident Response;
- Media Protection;
- Physical Protection;
- Personnel Security;
- Risk Assessment;
- Security Assessment;
- System and Communications Protection; and
- System and Information Integrity.
Essentially, Contractors are required to describe in a System Security Plan how each of the above-referenced 14 specified security requirements is met or how the contractor plans to meet the requirements. A contractor can satisfy its obligations by explaining either how it satisfies the requirement or include a Plan of Action that describes how any unimplemented security requirements will be met within a certain timeframe. Contractors can document the System Security Plan and Plan of Action as separate or combined documents and in any chosen format. SP 800-171 allows some flexibility to contractors by permitting exceptions to the security requirements so long as individual, isolated or temporary deficiencies are managed through plans of action. Specifically, contractors are required to:
- Periodically assess the security controls in organizational systems to determine if the
controls are effective in their application;
- Develop and implement plans of action designed to correct deficiencies and reduce or
eliminate vulnerabilities in organizational systems;
- Monitor security controls on an ongoing basis to ensure the continued effectiveness of
the controls; and
- Develop, document and periodically update system security plans that describe
system boundaries, system environments of operation, how security requirements are
implemented and the relationships with or connections to other systems.
For additional guidance, contractors should reference NIST 800-53, which contains information on satisfying the 14 categories of controls, including a step-by-step guide for implementation of a security control structure.
6. If I’m not doing business with the DoD, do I need to worry about cybersecurity?
Yes, all government contractors at any tier need to have a cybersecurity plan in place. Although less extensive than the DoD requirements, FAR 52.204-21 mandates 15 basic safeguarding security controls for contractor information systems upon which Federal contract information transits or resides. This rule applies to subcontractors as well as prime contractors. If not followed, they pose a performance risk to the prime contractor and subcontractors.
7. What are the ramifications of non-compliance?
If it is discovered through an audit or protest that your organization has not implemented the standards specified in NIST 800-171 for CUI, the DoD may take any one of the following actions:
- Issue a stop-work order;
- Terminate the contract (for convenience or for default);
- Assess a poor past performance rating;
- Institute suspension or debarment proceedings; and/or
- False Claims Act Exposure.
8. Additional Resources:
DoD is posting all related regulations, policy, frequently asked questions and resources addressing DFARS Clause 252.204-7012, and NIST 800-171, at the Cybersecurity tab.
Odin, Feldman & Pittleman P.C. has significant experience in government contracts and cybersecurity law. Please contact our Government Contracts Group for more information.