And perhaps other public and private sector organizations should be paying attention as well.
The reason is that the Defense Federal Acquisition Regulation Supplement (see below for details) requires contractors to provide new protections for covered defense information, including unclassified information, that resides on or passes through the contractor’s information system or network. The new mandate requires contractors to implement NIST SP 800-171 “as soon as practical” and not later than December 31, 2017.
In addition, starting in 2018, DoD contractors must report if a cyber incident affects the contractor’s information systems on which covered defense information resides or if the incident affects the contractor’s ability to provide operationally critical support requirements identified in the contract. Prime contractors must also flow down the same clauses (requirements) to subcontractors.
What Is NIST SP 800-171?
The National Institute for Standards & Technology (NIST) is known for creating meaningful guidance on a wide variety of cybersecurity and data management topics. Last month, I wrote this overview on NIST SP 800-184 guidance on recovering from cyber incidents. As stated in that blog, implementation of the specific actions listed in SP 800-184 is varied across government agencies.
However, since NIST SP 800-171 is required for DoD contractors and some others, the policy, process and configuration requirements are even more urgent right now.
According to CSO Online: “These requirements entail determining what the company policy should be (e.g., what should be the interval between required password changes) and then configuring the IT system to implement the policy. Some requirements require security-related software (such as anti-virus) or additional hardware (e.g., firewall). NIST SP 800-171 by itself does not provide prescriptive information on how the requirements should be met but additional guidance is provided by looking at relevant security controls that are specified in NIST SP 800-53, ‘Security and Privacy Controls for Federal Information Systems and Organizations.’ The security requirements are organized into 14 groups or control families with a total of 109 specific security requirements. …”
Exclusive Interview with Tom Jones from Bay Dynamics
To cover this topic in more detail, as well as gain some insights from insiders who work with federal contractors and the DoD on a daily basis, I turned to Thomas (Tom) Jones.
Tom Jones, Federal Systems Engineer at Bay Dynamics
Thomas Jones is a Federal Systems Engineer at Bay Dynamics, an analytics company that enables enterprises and agencies to continuously quantify the financial impact of cyber-risk based on actual conditions detected dynamically in their environment. With more than 25 years of experience in information technology, Thomas has held roles as a federal contractor, sales engineer, solutions architect, system engineer, network engineer, and senior consultant working with the federal government. Tom spends large portions of his work week in the trenches with IT professionals working to ensure cybersecurity and availability for the federal government.
Dan Lohrmann (DL): What are the main components of 800-171, and why is it being mandated?
Tom Jones (TJ): NIST 800-171 covers the protection of Controlled Unclassified Information (CUI), ensuring all systems that process, store or transmit CUI information are secured and hardened. Federal contractors typically handle this type of data, and in 2015, when the Department of Defense mandate was issued, there had been several server incidents associated with data breaches of contractors and service providers. To force contractors and service providers to do a better job of protecting the data, the DoD issued a memorandum — the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012.
To give the affected parties time to put in place the security controls, the DoD set the required compliance date two years out on Dec. 31, 2017. The DFARS memorandum mandated that federal contractors implement NIST 800-171. There are 14 categories of security requirements that must be met. Some of them include access control, risk assessment, system and information integrity, identification and authentication, configuration management and more. A full list can be found here: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
Some of the highlights include that contractors must implement an insider threat program, patch critical vulnerabilities on high risk systems within 90 days, encrypt high level data that’s at rest and in motion, monitor user behavior, implement an access control policy, and perform configuration checks and risk assessments.
DL: Where is this mandate posted (government website with any guidance)?
TJ: See link above, also: https://www.insidegovernmentcontracts.com/2017/02/dod-clarifies-dfars-cybersecurity-requirements/, as well as the link to DFARS Clause 252.204-7012 https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm
DL: What percentage of federal contractors who must comply do you think will comply? What's holding the others back?
TJ: I suspect most contractors will comply to one degree or another. If a contractor fails to be in compliance by Dec. 31, 2017, they must report how they are out of compliance. Given they have had nearly two years to fulfill the requirements, most of the larger contractors and service providers should already be in compliance or at least closing in on compliance. The interesting use cases are going to be the smaller contractors and the contractors that aren’t primarily federally focused. Also, the largest contractors are likely to be in a state of “check list compliance” where validating compliance is very manual, based on a snapshot in time (i.e. out of date data), done on a contract by contract basis, and would require something of a herculean effort to pull together anything like a current enterprise view of compliance.
Most contractors, both large and small, are already meeting many of the individual requirements (like encrypting data) for certain data assets; however, challenges do exist even there. Most of these assets and security technologies sit in silos within organizations, and because of the need to protect the information itself, the organizations have no easy way of knowing where protected data is stored and if they are meeting the security requirements. They don’t have any mechanism to bring the siloed information together into a consolidated view so they can easily see, for example, that an application that contains sensitive information has tight access control restrictions, and that users who access the application are being monitored and flagged for anomalous behavior. For a large contractor that has more than 250,000 employees and thousands of active contracts, manually connecting the dots between where their most valuable data assets reside, who is accessing them, how they are interacting with them, and whether they are meeting the NIST 800-171 requirements is a daunting task that could take years to complete.
DL: How can contractors show compliance? What is needed?
TJ: Contractors should start by gaining an understanding of their assets, and then identify and tag those that are highly valuable. They should perform a risk assessment to see gaps that put those assets at risk, and implement protections that not only enable compliance with the NIST mandate, but more importantly continuously protect those crown jewels. For example, they should use user and entity behavior analytics to monitor and detect when an employee accesses a highly sensitive application that he normally would not access, and verify if the behavior is business justified or indeed unusual. If it is not business justified, that alert should be sent to investigators as a high priority alert for investigation. They should have data loss prevention technology and multi-factor authentication in place, integrated with user and entity behavior analytics, to ensure their most valuable data assets stay in the hands of only those who are given access, and don’t leave the organization. They should make sure their most valuable information is encrypted at all times and that their security technologies are configured properly.
This strategy is a risk-based approach to security. It focuses first and foremost on protecting organizations’ most valued assets, those that, if compromised, would damage the mission the most. By adopting a risk-based approach, contractors are putting security first, making compliance inherent.
DL: What recommendations do you have to help?
TJ: In addition to the recommendations above, contractors should look into technologies that automate and consolidate data collection, analysis, communication and reporting so that they can see at any point in time gaps in NIST compliance and are able to quickly understand their compliance status as well as show their status to auditors.
DL: Anything else you'd like to add?
TJ: DFARS Clause 252.204-7012 and 800-171 are really about making sure those that we trust with access to some of our nation’s most valuable data are maintaining a base level of security. After almost two years and numerous guidance, I don’t think it is too much to ask.
DL: I’d like to thank Tom for taking the time to answer these questions and for helping others achieve the DoD goal of implementing NIST SP 800-171 by the end of 2017.
In addition, I encourage readers to examine this CSO Magazine article which highlights how FedRAMP can help achieve NIST SP 800-171 compliance by utilizing cloud providers who have been accredited. I like this quote from the article:
“Luckily, over the past few years the U.S. federal government has implemented the Federal Risk and Authorization Management Program (FedRAMP). The FedRAMP program accredits cloud service providers with strong security and compliance practices that comply with NIST specifications. Given that these cloud services have been accredited, they are viable options for contractors and sub-contractors looking for expedient and cost competitive solutions to meet DFARS and NIST SP 800-171 requirements.”
Final Thoughts
On Dec. 5, NIST also announced that a new version of the Cybersecurity Framework, Draft Version 1.1, is out for review. You can view those latest NIST draft documents here.
I also think all government organizations can benefit from NIST SP 800-171, even if they are not mandated to comply. It will be interesting to see if these mandates eventually extend beyond the DoD contractor community and start to show up in mandates for all government contracts.
My personal opinion is that more such mandates are coming in 2018 and beyond — and mandates will also start to cover new areas like the Internet of Things (IoT) devices being connected to federal networks.
Next week, I will be looking back at 2017 cybersecurity and technology infrastructure topics in review and naming my top cybertrends for the year.