DoD cyber security: safeguarding unclassified covered defense information

May 03, 2016

Government Contracts Alert

Author(s): Vincent J. Napoleon, Harini N. Kidambi

Data breaches and related events, now commonplace in this era of heightened cyber activity, significantly affect government and defense-related operations. As a result, government information in the hands of contractors faces a substantial risk of exposure and cyberattack. Recognizing the need to protect information provided to a contractor by or on behalf of the Department of Defense (DoD) in connection with the performance of a contract, and to minimize vulnerabilities and the impact of cyberattacks against defense contractors, the DoD issued an interim rule on August 26, 2015, and revised and updated it on December 30, 2015. At issue for many contractors is the level of effort required to comply with these interim rules, which govern the safeguarding of certain government information and the reporting of incidents involving attacks on contractor information systems where that government information resides.

August 2015 interim rule

In August 2015, the DoD issued an interim rule that imposes certain obligations on defense contractors and subcontractors regarding the protection of unclassified covered defense information[1] and the reporting of cyber incidents on any information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits unclassified covered defense information. More specifically, the regulations at DFARS 204.7302 and the clause at DFARS 252.204-7012 require contractors to “. . . provide adequate security to safeguard covered defense information on their unclassified information systems [that support the performance of work under a contract] from unauthorized access and disclosure.” Adequate security must, at a minimum, include “the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, ‘Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.’” The regulations also require contractors to report cyber incidents affecting a covered contractor information system or the covered defense information residing on it.

December 2015 revisions

In December 2015, the DoD published a second interim rule revising the August 2015 interim rule. Among other things, the revisions give contractors an extended timeline in which to comply with the requirements of NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (the “NIST Requirements”).[2] For contractors to employ “adequate security,” they must implement the security controls in the NIST publication, and do so by December 31, 2017. Additionally, the regulations require contractors to notify the DoD Chief Information Officer (CIO), within 30 days of contract award, of any NIST Requirements not implemented at the time of award. Where a contractor requests a variance from the NIST Requirements, the DoD CIO adjudicates the request, and any approved variance should be incorporated in the resultant contract. The updated rule also requires contractors to report cyber incidents within 72 hours of discovery; the reporting clock runs from discovery of the incident, not from its occurrence. Finally, the December 2015 revisions require that the safeguarding provisions of DFARS 252.204-7012 be flowed down to subcontractors without modification.

NIST 800-171

The NIST Requirements set out guidelines to protect controlled unclassified information that resides on contractor information systems. To comply with NIST SP 800-171, contractors must meet fourteen families of security requirements for safeguarding unclassified covered defense information. These families of requirements derive from the standards in Federal Information Processing Standards (FIPS) Publication 200 and NIST SP 800-53. Together these standards represent the basic requirements for safeguarding controlled unclassified information residing on contractor information systems. The fourteen families are the following:

  1. Access Control—Limiting information system access to authorized users and devices, and limiting the types of transactions and functions those authorized users are permitted to execute.
  2. Awareness and Training—Making sure managers, system administrators and users are aware of the security risks associated with their activities; training them on applicable policies, standards and procedures; and making sure they are trained appropriately to carry out their duties.
  3. Audit and Accountability—Creating, protecting and retaining information system audit records to enable the monitoring, analysis, investigation and reporting of unlawful, unauthorized or inappropriate information system activity.
  4. Configuration Management—Establishing, maintaining and enforcing security configurations and inventories of organizational information systems (i.e., hardware, software, firmware and documentation) throughout the respective system development life cycles.
  5. Identification and Authentication—Identifying and authenticating information system users and devices.
  6. Incident Response—Establishing an incident response plan for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery and user response activities to track, document and report incidents to appropriate officials and authorities internal and external to the organization.
  7. Maintenance—Performing timely maintenance on organizational information systems.
  8. Media Protection—Protecting (i.e., physically controlling and securely storing) information system media, including limiting access to authorized users and sanitizing or destroying such media before disposal.
  9. Personnel Security—Screening individuals prior to authorizing their access to information systems and ensuring such systems remain secure upon the termination or transfer of individuals.
  10. Physical Protection—Limiting physical access to, and protecting and monitoring, the physical facility and support infrastructure for the information systems.
  11. Risk Assessment—Periodically assessing the risk to organizational operations (including mission, function, image or reputation), organizational assets and individuals resulting from the operation of organizational information systems and the associated processing, storage and transmission of controlled unclassified information.
  12. Security Assessment—Periodically assessing and monitoring security controls, correcting deficiencies, and reducing or eliminating vulnerabilities in organizational information systems.
  13. System and Communications Protection—Monitoring, controlling and protecting organizational communications at the external and internal boundaries of the information system, and employing architectural designs, software development techniques and system engineering principles that promote effective information security.
  14. System and Information Integrity—Identifying, reporting and correcting information and information system flaws in a timely manner, protecting the information system from malicious code at appropriate locations, and monitoring information security alerts and advisories and taking appropriate actions. (See NIST SP 800-171, pages 9–14.)

While the DoD has directed contractors to implement the NIST Requirements as soon as practical but not later than December 31, 2017, it has not established guidelines for contractor implementation. Similarly, NIST neither mandates any particular technological solution, nor requires contractors to purchase (or refrain from purchasing) any particular hardware or software, nor requires them to overhaul their existing systems in order to implement the NIST Requirements. NIST does, however, within the context of its 800-171 requirements, guide contractors to protect information “using the systems they already have in place, rather than trying to use government-specific approaches.” (See NIST SP 800-171, page vi.) In short, the NIST guidelines are designed to align with contractors’ existing security processes and to give contractors flexibility to implement alternative but equally effective security measures to satisfy a given requirement.

Large contractors likely have robust security programs already in place and therefore are unlikely to need drastic changes, since their existing controls will already be close to the NIST Requirements. Smaller contractors, however, are more likely to need significant changes to their existing systems to become compliant. To comply with the NIST Requirements, all contractors—regardless of size—must read through the guidelines carefully, document what their existing systems actually do, and measure them against the requirements in NIST SP 800-171. As contractors implement the NIST Requirements to eliminate or minimize the risk of unauthorized access, use, disclosure, disruption, modification or destruction of information they maintain on behalf of the government, NIST strongly advises that they review the listing of security controls in Appendix E of NIST SP 800-171, titled “Tailoring Criteria, Listing of Moderate Security Control Baseline and Tailoring Actions,” to ensure their security implementation provides sufficient protection against a range of cyberattacks. (See the NIST SP 800-171 Cautionary Note, page v.)

The way forward

The regulations indicate a shift in the DoD’s priorities toward greater attention to the protections necessary to safeguard against cyberattack. As part of their assessment, contractors should determine whether their security programs measure up to the NIST Requirements and adjust accordingly so as to become compliant over the next year and a half, before the December 31, 2017, final deadline. Notwithstanding the extension of time allotted by the December interim rule, contractors should, as one commentator put it, “be wary of slowing down NIST 800-171 implementation.” While there is minimal guidance on implementing the NIST standards, contractors should, as a practical matter, assess the adequacy of their programs for safeguarding their information systems now. Discussion continues among industry and government stakeholders about implementation of the NIST Requirements. For example, the Aerospace Industries Association (AIA) is currently engaged with the National Archives and Records Administration (NARA), NIST and the Defense Procurement and Acquisition Policy (DPAP) office to develop suggested approaches that may assist contractors in becoming compliant with the NIST Requirements. Given the current state of cyber activity, the protection of sensitive federal information while it resides on contractor information systems is of paramount importance to national security.

  1. Covered defense information is unclassified information that is provided to the contractor by or on behalf of the DoD in connection with the performance of the contract or collected, developed, received, transmitted, used or stored by or on behalf of the contractor in support of the performance of the contract and is controlled technical information, critical information, export control or any other information marked or identified in the contract that requires safeguarding or dissemination controls consistent with law, regulations and government-wide policies. See DFARS 204.7301.
  2. 48 C.F.R. 252 (December 30, 2015).

The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.
