As many contractors by now are aware, and as we explained in our 5-part GovCon Video Blog™ series (here) on federal government contract cybersecurity requirements, contractors that bid on and are awarded contracts with Department of Defense (DoD) agencies that are not solely for the acquisition of commercial off the shelf items have two cybersecurity obligations under DFARS clause 252.204-7012 and its implementing rule, DFARS 204.7304(c). First, defense contractors have to provide "adequate security" for all covered contractor information systems - i.e., information systems that process, store, or transmit covered defense information. Second, they have to submit timely cyber incident reports to DoD upon discovery of a cyber incident.
As we explained in part one and part three of our vlog series, in order to provide "adequate security" for covered contractor information systems that are part of a defense contractor’s IT system (as opposed to a federal government IT system), defense contractors generally must implement the security requirements contained in the National Institute of Standards and Technology’s (NIST’s) Special Publication 800-171 by December 31, 2017. As the deadline looms large, compliance with SP 800-171’s security requirements – 110 in all, spread out among 14 different categories – may at first glance seem daunting and overwhelming. However, the security requirements for the most part are stated in general terms, and many, if not most of them, are likely already in place for defense contractors that follow commercial best practices. In addition, as we explained in part three and part four, DoD has instructed that implementation of SP 800-171, for the purpose of the December 31 deadline, can be demonstrated by the development of (i) a system security plan explaining which of the security requirements have been met, and (ii) a plan of action for any unmet security requirements.
The system security plan, as we explained in part four, is required under SP 800-171 to be periodically updated. SP 800-171 in fact requries defense contractors to monitor security controls on an ongoing basis and to make periodic assessments to determine if the security controls are effective.
In order to assist contractors in making these assessments, late last month NIST published a draft of Special Publication 800-171A, Assessing Security Requirements for Controlled Unclassified Information. NIST’s draft SP 800-171A lays out a table for each security requirement under SP 800-171 that sets forth the security requirement, followed by an “assessment objective” section. The "assessment objective" section essentially breaks down each security requirement into separate components and may serve as a check list for determining if a security requirement has been met. Each “assessment objective” section, in turn, is followed by a "potential assessment methods and objects" section that proposes methods or procedures that contractors can use to make their determinations for whether assessment objective components or requirements have been met.
Although compliance with SP 800-171A is voluntary, once the draft is final, defense contractors should find that SP 800-171A will serve as a useful tool for maintaining compliance with SP 800-171 on an ongoing basis. Public comments on the draft may be submitted to NIST through January 15, 2018.