Is this a Start of Something New for Third-Party Management?
The demand for responsible cybersecurity in business is ubiquitous. The need to protect information is not limited to the financial services, insurance and health care sectors. It is difficult to identify an industry that escapes some type of obligation to protect electronic information. Of course, some areas deal with more sensitive information, so it is not surprising that the Department of Defense (DoD) recently took steps to have its contractors provide “adequate security” for “covered defense information,” which includes Controlled Unclassified Information (CUI).
Some companies have yet to implement an adequate cybersecurity program. Perhaps to put further pressure on these companies, the DoD now has issued guidance that demonstrates both its insistence on strong cybersecurity practices from its third-party providers and its intent to cut ties with those who do not. This guidance may serve as a model for other industries to place similar pressure on their vendors who have not implemented cybersecurity programs and to provide criteria to terminate business relationships with them.
This mandate came in the form of Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012. This regulation is interpreted in conjunction with the National Institute of Standards Special Publication (NIST SP) 800-171, which, in turn, provides a series of controls to measure whether a company provides such “adequate security.” Since December 31, 2017, a company that fails to have “adequate security” risks losing its work with the DoD. As a result, government contractors have come under greater scrutiny. Subcontractors face the same, if not greater, pressures.
The new guidance, titled “DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented” may be found here. The guidance is characterized as a tool to help the DoD and contractors assess their System Security Plans (SSPs) and Plans of Action (POAs) and to prioritize what steps should be undertaken to satisfy the DFARS 252.204-7012 mandate for “adequate security.” But make no mistake, the guidance also provides objective criteria that may be used to jettison those companies that do not make the cybersecurity cut.
NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” establishes 110 controls that are organized into 14 different families of security requirements. These controls are used to measure whether a contractor has established an adequate cybersecurity program to meet the requirements of the new Defense Department regulation. The new DoD guidance identifies NIST-assigned priority codes (P1-P5) and “DoD Value” ranges (5-1) to each of these controls. These values should help measure contractor SSPs and POAs as part of an RFP, as well as the impact of those NIST SP 800-171 security requirements that have not yet been implemented to a contractor’s overall cybersecurity program. As a result, the DoD and contractors alike are in a better position to: (1) determine whether a company complies with DFARS 252.204-7012, and if not, (2) how close (or far) it is from compliance.
The draft DoD guidance also addresses methods by which the security requirements that have not been met may be implemented and, when applicable, the guidance provides further clarifying information. Methods of implementation include reconfiguration of the contractor’s IT systems, the acquisition of hardware or software, and the need to develop and implement company policies and procedures.
A benefit of the new guidance is that it will better enable DOD and other organizations to prioritize and address any shortfalls in their cybersecurity program in the context of the NIST 800-171 standard, and to deploy applicable information security controls in a more structured and efficient (and timely) manner. Yet, the new guidance also gives government personnel and prime contractors further objective criteria to measure whether a third-party provider has an adequate and effective cybersecurity program that will protect the confidentiality, integrity and availability of CUI. The guidance will further show which companies have implemented viable cybersecurity programs and which have not and whether for some new third-party providers need to be found.
It is hard to imagine that this model of assessment will be limited to the DoD, its contractors, and their subcontractors. Third-party vendor management is a key component of any cybersecurity program. For instance, under 23 NYCRR 500.11, the New York cyber regulations will soon require Covered Entities to implement written policies and procedures to conduct due diligence and ensure that certain cybersecurity practices are performed by third-party vendors. There is also a growing need for third-party certification. The DoD’s new guidance may have a significant impact beyond the world of government contracting as companies seek alternatives to measure the cybersecurity programs of their vendors.
Public comment for the new draft guidance is due by May 31, 2018.
