Contractors Get More Time to Meet New Security Regs
The Defense Department has given contractors two years to meet new requirements for securing sensitive DOD data on non-Federal IT systems, responding to industry concerns over moving too quickly to the new standards.
The new Defense Federal Acquisition Regulation Supplement (DFARS) rules were supposed to go into effect Dec. 31, but DoD backed off its initial plan after industry objections surfaced last fall.
The new DFARS rule was published in August 2015 to reflect the “urgent need to increase the cyber security requirements” on information held by contractors, said DoD spokeswoman Lt. Col. Valerie Henderson.
The new rules require contractors to comply with National Institute of Standards and Technology (NIST) Special Publication 800-171 to protect Controlled Unclassified Information (CUI).
The 77-page document establishes a streamlined set of controls drawn from the much larger Special Publication 800-53, a 462-page catalog of NIST security controls developed for federal IT systems.
“Changing NIST standards is not a simple switch for contractors,” wrote the Council of Defense and Space Industry Associations (CODSIA) in a November letter objecting to the new rules. The group also complained of vague language it wants clarified.
David M. Wennergren, executive vice president of operations and technology at the Professional Services Council (PSC), helped draft the CODSIA letter. He said industry supports the requirements but needs time to put them into effect.
Wennergren said CODSIA members don’t object to the standards themselves, but to the way they are being applied. “I believe that the NIST security controls are good,” said Wennergren, a former Navy deputy CIO and Pentagon official. “They make sense.”
But it’s too soon to put the requirement into contract language, he said. “We need to be a little more thoughtful.”
New requirements for using government-approved cryptography (SP 800-171 calls for FIPS-validated cryptography wherever it is used to protect the confidentiality of CUI) and for multifactor authentication, for instance, “are good and noble things,” he said, but cannot be implemented immediately.
Indeed, most Federal agencies are still struggling to meet government requirements to implement multi-factor authentication.
As a result, the Pentagon pulled back on its initial requirement in late December and published an interim rule that extends the compliance deadline to Dec. 31, 2017, and opens the new rules for public comment.
The extension gives contractors time to make an orderly move to a more streamlined set of standards, and gives DoD time to ensure that the DFARS requirements are aligned with the civilian Federal Acquisition Regulation (FARs) rules now being developed by the Office of Management and Budget (OMB). Both will incorporate SP 800-171.
The new requirements clarify rules now in place that draw on SP 800-53. That larger catalog is also the basis for the Federal Risk and Authorization Management Program (FedRAMP), which defines security requirements for vendors providing commercial cloud services to government agencies.
Ron Ross, a NIST Fellow and computer scientist who helped create both documents, said the new guidelines address only one leg of the cybersecurity tripod – information confidentiality. Unlike the broader SP 800-53, the SP 800-171 requirements do not deal with information integrity or availability.
“It looks a lot different from SP 800-53,” Ross said. “It’s a lot lighter.”
Although industry asked for more time to make the transition, compliance should not be difficult, Ross said. “This is not a stretch. This is pretty much best practices.”
The new guidelines aim to clarify which rules apply to contractors who use or store sensitive government information on their own systems and for their own purposes. The Federal Information Security Management Act (FISMA) – now the Federal Information Security Modernization Act – applies to government data on contractor-furnished systems that are operated on the government’s behalf, not to CUI a contractor holds on its own systems in the course of doing its work.
“OMB has been struggling with this for a long time,” Ross said.
OMB initially ruled in 2014 that FISMA applies to all federal information, Ross said. “But that’s never been tested.”
Then in October, OMB Director Shaun Donovan revised that position with new guidance on federal information security and privacy management requirements, acknowledging that there had been multiple “incidents impacting government information that resides on or is connected to contractor systems” and that the government needed “to improve cybersecurity protections in Federal acquisitions.”
According to Ross, “That was the driver for SP 800-171.”
The National Archives and Records Administration (NARA) developed a standard defining CUI, which was to be protected at no less than the “moderate” impact level (the impact levels are defined in Federal Information Processing Standards (FIPS) publication 199; FIPS 200 and the corresponding SP 800-53 moderate baseline set the minimum requirements at that level). NIST tailored those requirements for contractor systems and published them as SP 800-171 in June 2015.
NARA will follow with final FARs rules for protecting CUI on contractor-owned systems later this year, after approval by OMB. But to date there has been no coordination in the development of the FARs and DFARS rules, PSC’s Wennergren said.
“This is really good stuff. Moving to a common set of security controls is really powerful and helpful,” he said. But contractors want a common set of expectations for compliance, not one-off requirements for different agencies or government branches. “We need to raise the bar, and we need to raise it together.”
Government contractors are hoping that the civilian FARs and the DoD DFARS will comprise a single, coherent set of requirements for them to deal with.
Both government and industry officials believe two years will be adequate for contractors to bring their cybersecurity up to the new requirements. For most, the change will not be drastic, Wennergren said. Many large organizations are already in compliance, and many smaller subcontractors will not fall under the new requirements at all because they do not hold government CUI on their systems.
Smaller subcontractors that find they do need help will be able to turn to their larger prime contractors for mentoring and advice. Many large security vendors also provide professional services to help their clients ensure regulatory compliance, and as new FARs and DFARS language emerges it will be folded into those compliance service portfolios.
Although DoD has no formal program to provide guidance, there are other government options. The NIST Cybersecurity Framework, a set of voluntary guidelines for protecting private sector critical infrastructure, provides valuable guidance, Wennergren said.
“They can also get in touch with us,” Ross said. “We are a resource for the entire nation.”
Ross said the agency takes its responsibility to provide cybersecurity guidance seriously. “We really care that it is implementable.”