Cybersecurity continues to be an imperative for the protection of the Department of Defense (DoD) and its contractors' supply chain. On June 19, 2019, the National Institute of Standards and Technology (NIST) issued two draft updates to its Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations" (NIST SP 800-171) to invigorate security controls aimed at protecting entities in this supply chain. NIST is seeking comment on its proposed Revision 2 to NIST SP 800-171 and also on its new draft NIST SP 800-171B, which is intended to supplement NIST SP 800-171 to provide "Enhanced Security Requirements for Critical Programs and High Value Assets."
NIST SP 800-171 Rev 2
DFARS 252-204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting," requires contractors that will receive, generate, use, store or transit in covered defense information (CDI), or that will be involved in providing the government with operationally critical support, to provide "adequate security" for covered contractor (and contractor-controlled) systems.
CDI includes controlled technical information (CTI) and controlled unclassified information (CUI). The government is supposed to identify to contractors when it will provide CDI. However, contractors are charged with determining whether they will receive, generate, use, store or transit in their own or others' CUI, and their requirements to flow down the clause to their lower tier subcontractors and similar agreement holders.
Contractors and subcontractors are those that provide "operationally critical support," including the provision of "supplies or services designated by the government as critical for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation."
"Adequate security" under the clause includes the minimum requirement that covered contractors and subcontractors comply with the current version of NIST SP 800-171 in effect at the time of the prime contract. Under NIST SP 800-171, DoD contractors and subcontractors must implement 110 identified cybersecurity controls on all CUI.
The DFARS clause also requires covered contractors and subcontractors to report actual or suspected cyber incidents and, for each incident, to engage in the discovery and isolation of malicious software, media preservation and protection, and incident damage assessment. When an actual or suspected incident is reported, contractors and subcontractors are also required to provide the government access to investigate the contractor systems and data recovered.
The newly published proposed second revision to NIST SP 800-171 is not identified as making substantive changes to the basic and derived security requirements located in chapter 3. NIST reports that the revision contains only minor changes, including the movement of discussion points to chapter 3 so that they can be viewed alongside the security requirements in chapter 3. This revision should be reviewed to determine if there are significant changes for contractors and their subcontractors.
NIST SP 800-171B
The government has also issued NIST SP 800-171B for notice and comment. This new NIST publication ratchets up security controls for nonfederal systems and organizations that may be at greater risk of cyber attack by advanced persistent threats (APTs) because they receive, generate, use, transit in CUI that is part of a critical program (CP) or high value asset (HVA). This new NIST publication requires contractors and subcontractors with such information to implement 35 new security requirements in addition to the 110 controls required under NIST SP 800-171 for (1) specific systems that have CUI that is contained in a CP or HVA and (2) where the government contract, grant or other agreement mandates that these enhanced requirements apply. These new security requirements are identified as falling into three categories: "(1) penetration resistant architecture; (2) damage limiting operations; and (3) designing for cyber resiliency and survivability."
The NIST announcement of the new NIST publication also includes a DoD cost analysis relating to stakeholder implementation of these enhanced security requirements. The DoD estimates that there are 69,000 contractors that possess CUI and that only 80 contractors (.5% of DoD contractors) will be subject to these enhanced security controls—50 companies with 25 to 50 endpoint networks, 10 with 50 to 100 endpoint networks, and 20 with 750 to 1500 endpoint networks.
The publication provides proposed cost estimates for implementation of these enhanced controls based on the size and complexity of the networks to be impacted. Smaller contractors, or those with fewer "end-point networks," are proposed to have lower impact costs than contractors with larger numbers of "end-point networks." DoD's total estimated cost of implementing these enhanced security controls—beyond the costs of implementation of the 110 NIST SP 800-171 controls—is $66 million.
Notably, it is anticipated that the contractor's implementation costs and plan for providing this enhanced security will be part of contract proposals and the DoD "will have the opportunity to review how a company chooses to implement the requirements" to determine whether they are reasonable. The NIST estimate does not contemplate that all of the incremental costs will be born by the federal government where a bidding company adopts the standards but does not ultimately receive the contract.
Consider Whether to Submit Comments
These new changes and publications are intended to aid in the cyber hygiene of DoD contractors and subcontractors. DoD is seeking comments on these publications by July 19, 2019. We urge you to take a look at these publications to determine whether they raise questions or concerns that might be addressed in comments. Even if you don't engage in DoD contracting, you should review and consider whether and to what extent they may impact you, or be of use to you. If the past is prologue to future cybersecurity implementation, it is likely that these and other cyber requirements in the DoD arena will ultimately trickle down to contracts, grants and other agreements issued by non-DoD agencies. So too the commercial sector may find these or similar provisions impacting them in the future through supplier agreements or even state, local and international laws and regulations.