The National Institute of Standards and Technology (NIST) published the Defense Federal Acquisition Regulation Supplement (DFARS), to establish requirements in regards for properly handling and protecting Controlled Unclassified Information (CUI).
The primary goal of NIST 800-171 is to protect Government information and reduce the risk of security breaches that involve CUI. The publication covers:
- When CUI is being stored, accessed, or managed in nonfederal information systems and organizations. For example, if a government agency using a third-party application stores CUI in it, NIST 800-171 requirements apply.
- When a nonfederal system or organization is not collecting, maintaining, or utilizing the CUI.
- When the CUI category does not have any specific regulations, policies, or laws in place to protect confidentiality.
The Department of Defense is working with the Defense Industrial Base (DIB) sector to develop the Cyber Maturity Model Certification (CMMC) to ensure appropriate protections are put in place within contractor networks to protect controlled unclassified information (CUI). The CMMC will have multiple maturity levels which range from “Basic Cybersecurity Hygiene” to “Advanced” which will be identified in RFP sections L & M and will graded by the Government Procurement Authorities with a “Go/No-Go” decision. CMMC combines numerous cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and other industry best security practices and standards into one unified standard for cybersecurity. CMMC v1.0 will be finalized January 2020 and published for public release.
- The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats.
- The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.
- The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.
- The intent is for certified independent 3rd party organizations to conduct audits and inform risk.
The DFARS 252.204-7012 (Safeguarding Covered Defense Information & Cyber Incident Reporting) states that The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017. For all contracts awarded prior to October 1, 2017, the Contractor shall notify the DoD Chief Information Officer (CIO), via email at email@example.com, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award. Upon contract award the winning company is required to submit a System Security Plan (SSP) and a current Plan of Actions & Milestones (POA&M).
- The Contractor shall submit requests to vary from NIST SP 800-171 in writing to the Contracting Officer, for consideration by the DoD CIO. The Contractor need not implement any security requirement adjudicated by an authorized representative of the DoD CIO to be nonapplicable or to have an alternative, but equally effective, security measure that may be implemented in its place.
- If the DoD CIO has previously adjudicated the contractor’s requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the Contracting Officer when requesting its recognition under this contract.
- If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (https://www.fedramp.gov/resources/documents/) and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.
The Cyber Incident Reporting section to the DFARS clause identifies the requirements for reporting cyber incidents to DOD within 72 hours via DIBNET http://dibnet.dod.mil. The clause identifies a cybersecurity incident as a breach of security protocols which impacts, compromises or endangers the Controlled Defense Information held on the contractors systems and/or networks. The clause covers Supply Chain Management and the importance of implementing sound practices to protect Covered Defense Information. Cloud Services are also covered and the requirement for ensuring FEDRAMP certification to the Moderate level and ompliance with the DOD Cloud Computing Security Requirements Guide (SRG).