Wednesday, November 01 2017
DFARS Compliance: What it Means for You
Defense Contractors Must Implement Procedures to Safeguard Covered Defense Information by Dec 31st, 2017
Why is this information important to my manufacturing business?
DoD changed the acquisition requirements regarding the safeguarding of unclassified material on government contractors’ internal networks to require contractors to meet a specific NIST standard by December 31st, 2017. To maintain current government contracts and win future ones, your company must attest to meeting the new standard.
What is changing?
In September 2017, the Under Secretary of Defense for Acquisition, Technology and Logistics released a memorandum that informed DoD leaders that the Defense Department changed the Defense Federal Acquisition Regulation Supplement (DFARS) to provide for the safeguarding of controlled unclassified information when residing on or transiting through a contractor’s internal information system or network. DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires contractors to implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. Contractors who self-attest to meeting these requirements have until December 31st, 2017 to implement NIST SP 800-171.
Future Requests for Proposal (RFPs) will require your company to be compliant.
DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires contractors to provide “adequate security” for covered defense information that is processed, stored, or transmitted on the contractor’s internal information system or network. The Department must mark, or otherwise identify in the contract, any covered defense information that is provided to the contractor, and must ensure that the contract includes the requirement for the contractor to mark covered defense information developed in performance of the contract. To provide adequate security, the contractor must, at a minimum, implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” not later than December 31, 2017.
NIST SP 800-171 provides a single, Government-wide set of performance-based security requirements that significantly reduce unnecessary specificity (e.g., as compared to prescribing detailed security controls), which enables contractors to comply in most cases by using or adapting systems and practices already in place.
Most requirements in NIST SP 800-171 are about policy, process, and configuring IT securely.
There is no single or prescribed manner in which a contractor may choose to implement the requirements of NIST SP 800-171, or to assess their own compliance with those requirements. For companies new to the requirements, a reasonable first step may be for company personnel with knowledge of their information systems security practices to read through the publication, examining each requirement to determine if it may require a change to company policy or processes, a configuration change for existing company information technology (IT), or if it requires an additional software or hardware solution. Most requirements in NIST SP 800-171 are about policy, process, and configuring IT securely. These requirements entail determining what the company policy should be (e.g., what should be the interval between required password changes) and then configuring the IT system to implement the policy. Some requirements will require security-related software (such as anti-virus) or additional hardware (e.g., firewall).
The complexity of the company IT system may determine whether additional software or tools are required. For smaller systems, the company may accomplish many requirements manually, such as configuration management or patch management, while larger and more complex systems may require automated software tools to perform the same task. Having reviewed all of the security requirements, a company may then determine which of the requirements 1) can be accomplished by its own in-house IT personnel, 2) require additional research in order to be accomplished by company personnel, and 3) require outside assistance.
At a minimum, you must have a security plan and plan of action to correct deficiencies by December 31st, 2017.
NIST SP 800-171 was revised (Revision 1) in December 2016 to enable nonfederal organizations to demonstrate implementation or planned implementation of the security requirements with a “system security plan” and associated “plans of action.”
Security requirement 3.12.4 (System Security Plan, added by NIST SP 800-171, Revision 1) requires the contractor to develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
Security requirement 3.12.2 (Plans of Action) requires the contractor to develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in its systems.
If you determine your manufacturing company requires outside assistance, Purdue MEP can help.
Through partnership, Purdue MEP can assess your current security plan against the NIST SP 800-171 standard and help your company develop a plan of action to correct any deficiencies. Additionally, the Defense Manufacturing Assistance Program (DMAP) might be able to offset some of the expense of this service if your company meets the DMAP program requirements. Essentially, the DMAP program is designed to assist small-to-medium defense companies (<1000 employees) that have encountered a decrease of 5% in sales, workforce, or production in the last 24 months, or that anticipate such a reduction.
Writer: Gene Jones, (317) 284-6873, firstname.lastname@example.org