Right on Schedule, on November 6th, 2018, DoD’s Acting Principal Director for Defense Pricing and Contracting (DPC) issued a memorandum titled, “Guidance for Assessing Compliance and Enhancing Protections Required by DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.”

This guidance was made available to the public for comment in Federal Register, Volume 83 Issue 79 (Tuesday, April 24, 2018) as described in the follow blog: Draft DoD Guidance for reviewing NIST SP 800-171 SSP and POA&M -- Do you want to compete in the Federal Market Space?

This new memorandum highlights two new guidance documents, slated for integration into DFARS PGI 204.73 in 2019. This new memorandum shows that the DoD is getting serious about enforcing the security requirements in DFARS 7012. In addition, the DoD is continuing to strengthen the requirements rapidly. One thing is very clear, every DoD contractor needs to establish:

• A System Security Plan (SSP) that outlines the contractor’s current state of compliance,
• A Plan of Actions and Milestones (POA&M) to document your compliance gaps, and
• A Subcontract CyberSecurity Management program.

This new guidance is slated for integration into DFARS PGI 204.73 in 2019.

DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented,” provides guidance for:

• Consistent review of System Security Plans and Plans of Action.
• Address the impact of 'not yet implemented' security requirements on a contractor's unclassified internal information system.
• Provide clarification on implementing NIST SP 800-171 security requirements.

The guidance is designed to help the program office/requiring activity determine the impact of NIST SP 800-171 security requirements not yet met, and in certain cases, to identify when a contractor may have misinterpreted a requirement (which they actually may meet). The guidance is not to be used to assess implemented security requirements, nor to compare or score a company’s approach to implementing a security requirement.

“Guidance for Assessing Compliance of and Enhancing Protections for a Contractor's Internal Unclassified Information System"

Provides a framework of actions that can be tailored by a program office/requiring activity, commensurate with program risk, to assess the contractor's approach to providing adequate security to protect the Department's controlled unclassified information. Tailorable actions include:

• Requiring delivery of the contractor's system security plan and plan of actions
• Requiring the contractor to identify known Tier 1 Level suppliers (New Requirement)
• Requesting the contractor's plan to track flow down of covered defense information and to assess DFARS clause 252.204-7012 compliance of known Tier 1 Level suppliers. (New Requirement)

The DoD’s approach is really the start of broader changes in Federal acquisition efforts.

This DoD’s guidance is part of a larger narrative that is being playing out across the Federal acquisition community involving contractor’s cybersecurity posture. The Federal Government has made it very clear to the entire contracting community—not just DoD contractors, you need to focus on improving your cybersecurity posture. They want government contractors, to not only have an eye on compliance, but focus on the Government’s mission risk, as well. So, what is the real impact of this next set of guidance from the DoD on the DoD contractor community

• If you want to compete in this market you need to implement the required Security Controls as outlined in NIST SP 800-171;
• Your status on NIST SP 800-171 security controls implementations, may control your destiny in the DoD Market, for new contract awards, and continued contract performance;
• Honest self-assessment of your NIST SP 800-171 controls are required
• With every passing day the requirements are getting stricter

So what do you need to do?

Contractors who own or operate information systems that process, store, or transmit Covered Defense Information, need to do the following:

• Review the security controls outlined in NIST SP 800-171 to ensure their security implementation provides sufficient protection against a range of cyberattacks.
• Conduct a gap assessment to understand what requirements they do not meet.
• Develop a SSP and POA&M to remediate identified gaps.
• Develop a plan to track flow down requirements for CDI
• Develop a plan to assess the compliance of your suppliers

Implementing these security controls is a first step to becoming compliant and can be quite a big undertaking for any business. Luckily, InfusionPoints cybersecurity practice can ease this burden. Our proven DFARS/NIST Cyber Security Framework can aid you in meeting requirements and ensuring the cybersecurity postures of your information systems. For more information on protecting CDI, or to learn how InfusionPoints’ consultants can help you and your team, please contact our team.

References:

• InfusionPoints Blog on the Draft DoD Guidance for reviewing NIST SP 800-171 SSP and POA -- Do you want to compete in the Federal Market Space?
• InfusionPoints White Paper - Meeting DFARS/NIST SP 800-171 Requirements
• Guidance for Assessing Compliance and Enhancing Protections Required by DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
• DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented,
• Guidance for Assessing Compliance of and Enhancing Protections for a Contractor's Internal Unclassified Information System,
• Contractor’s Systems Security Plan And Associated Plans Of Action to Implement NIST SP 800-171 on a Contractor's Internal Unclassified Information System

Note: This is not a legal or contract opinion, if you have contract or legal questions please reach out to your contracting officer or legal counsel for further clarification.