This article by Ryan Heidorn was originally published in Washington Technology.
The times are changing for companies that do business with the federal government. Cybersecurity, which has long been a priority for the Government, has only grown in importance as cyber espionage and nation state sponsored hacks remain persistent threats. Ron Ross, a Fellow at the National Institute of Standards and Technology (NIST), described the situation bluntly: “We literally are hemorrhaging critical information about key programs.”
Contractors working with the Department of Defense (DoD) and other agencies are likely familiar with the term controlled unclassified information(CUI), which is a broad categorization for sensitive information that is not classified but requires security and/or distribution controls.
If your company does business with the DoD, it’s likely that your contracts mandate compliance with DFARS 252.204-7012 (referenced here as simply “DFARS”), which requires contractors to protect the confidentiality of CUI on their network by implementing the security controls in NIST SP 800-171—a framework that, as of Revision 1, contains 110 security controls.
This requirement is not new. Companies, both large and small, that work with the DoD—contractors, subcontractors, and suppliers—faced a deadline of December 31, 2017 to become compliant with DFARS or risk a failure to win new contracts, contract termination, or (in the case of companies handling export-controlled CUI under ITAR) even criminal liability.
Audits have begun and changes are coming
With regard to Ross’ statement about hemorrhaging critical information, the DoD has indicated that they view the threat as a supply chain issue. Dana Deasy, the DoD CIO, in testimony before the Senate Armed Services Committee, stated that the problem “is not necessarily a tier-one supply level… it’s down when you get to the tier-three and the tier-four [subcontractors].”
The DoD has been exploring options for validating and certifying cybersecurity compliance. At a May 2019 event, Katie Arrington, special assistant to the Assistant Secretary of Defense for Acquisition for Cyber, announced the DoD is developing a new certification standard called the “Cybersecurity Maturity Model Certification” (CMMC). This represents a fundamental shift for defense contractors. It’s no longer acceptable to say your company is compliant; soon, you will have to prove it.
While yet unpublished, the CMMC is expected to serve as the enforcement mechanism for the DFARS rule, with an anticipated five levels of certification. DoD contracts will require a specific level of certification, and award decisions (“go/no-go”) will be tied to the contractor’s certification status. The DoD indicated it plans to begin accrediting third-party certifiers by mid2020. Contractors who have neglected to fully address their cybersecurity obligations under DFARS now face an existential crisis: become compliant or get forced off the DoD supply chain.
It can be a lot of work to achieve DFARS compliance, especially as the NIST 800-171 framework evolves (at the time of writing this article, the release of Revision 2 is expected any day). For companies with limited IT or information security resources, navigating DFARS compliance can seem daunting, confusing, and expensive.
How does a company begin the process of achieving DFARS compliance? If you don’t have in-house security expertise or have neglected investing in IT infrastructure, how can you find the right partner to keep up with the changing compliance landscape? We’ve put together a few guidelines to point you in the right direction.
1. Find a partner with the right experience.
Seek out a specialist with proven experience helping contractors successfully navigate DFARS compliance. Many IT service providers and consulting firms advertise compliance services, but in practice have limited hands-on experience assessing and implementing compliant solutions. The right partner should be able to provide references to other organizations they have guided through the full process of assessment, remediation, and policy development.
For example, an inexperienced vendor might assess your existing information systems, determine that your corporate network is missing many of the required NIST controls, and recommend that you implement them across your entire infrastructure—which might mean ripping out or substantially upgrading your network and starting from scratch. This advice might demonstrate a lack of insight or expertise. For many reasons, it may not make sense (or be required) to deploy the NIST controls across the entire organization.
You are better off working with a partner that understands the laws, guidance, and technology landscape enough to determine whether you could leverage or modify your existing technology or business practices, or to create a secure enclave within your information systems for handling CUI in a compliant way.
Another important differentiator in selecting a partner is their level of in-house technical expertise. Some consultants may be able to assess your environment and provide recommendations but lack the resources necessary to guide you through the whole process of correcting deficiencies or implementing compliant solutions.
Here are some skills to look for when assessing potential partners. Look for partners that have:
- The ability to assess the current environment;
- Enough expertise in IT operations to understand your business and help select, configure, and deploy cost-effective, compliant technical solutions;
- Experience with policy development, as many NIST requirements are tightly linked to policy, procedure, and documentation;
- Strong relationships with other industry professionals (technology vendors, lawyers, audit and assurance professionals, and other advisors or specialists) that they can leverage to connect you with the resources you might need in the course of becoming (and staying) compliant.
2. A creative approach.
There are currently 110 security controls you must comply with, but none of the controls are prescriptive in the way of saying, “buy this hardware or software product.” NIST SP 800-171 provides a set of capabilities and best practices that avoid unnecessary specificity, enabling contactors to comply in many cases by using or adapting systems and practices that are already in place.
For example, the NIST controls related to Audit and Accountability require that you monitor all systems processing CUI, collect and retain system logs, and alert on suspicious or anomalous activity. You might logically determine that you need a security information and event management (SIEM) product, which is often an expensive and unwieldy solution that requires niche expertise to operate, especially for small businesses. But a creative partner might determine that you don’t need to go the most expensive route—you may be able to use the technology you already have to accomplish the same goals.
And if you do need to purchase a new software or hardware, a creative partner will find ways to address multiple requirements with the fewest number of products and services. Seek out a partner that has a track record of solving problems with ideas and processes, not just IT spending.
3. Well-documented capabilities.
Current DoD guidance includes some leeway for companies that need to attest to DFARS compliance while still working towards implementing the full scope of NIST controls. This involves creating a thorough System Security Plan (SSP) and documenting associated plans of action and milestones (POAMs), timelines, and mitigation methods to describe how you are working toward correcting any deficiencies.
While neither NIST nor the DoD currently prescribe or require a specific format for the SSP, it is important to select a partner that knows how to write these plans in a way that is recognizable, clear, and formatted in a way that will stand up to CMMC audits. If the vendor isn’t talking about how their work will help you achieve future CMMC certification, look for a partner who is more knowledgeable about the forces shaping DFARS compliance.
In addition to the SSP, remember that many NIST controls are intended to be addressed by internal policies and procedures. For example, your path to DFARS compliance likely includes the development of an Access Control Policy, Mobile Device Policy, and Incident Response Plan, among several others. Seek out a partner that can help craft enforceable policies that address specific DFARS requirements in the broader context of how your business operates and other regulatory requirements (such as state privacy laws) that may also affect your business.
Compliance is an ongoing process, and the appropriate planning, documentation, and policy work can make all the difference in smoothly operationalizing security and demonstrating your compliance.
4. Define the relationship.
Unless your company has a large, dedicated IT staff, and you prefer to handle even the most complex IT projects in-house, you probably don’t want a partner that performs an assessment and then disappears.
When you are interviewing potential IT compliance partners, try to get a sense of what an ongoing relationship would look like. Will the partner help you manage and maintain your compliance obligations on an ongoing basis? If you need ongoing support, can they provide services to make sure that technology solutions are deployed, maintained, and monitored appropriately? Is the partner able to train your management and/or IT staff?
5. Price out your options.
Depending on the size of your company, its operational maturity, and the scope of technical implementation, the cost of a DFARS compliance project from beginning to end can vary a great deal. But there are cost-related questions you can and should ask up front.
First, if you’re not sure where to start, the prospective partner may propose an initial assessment of your technical environment and business processes. That may be a good place to start, but you can also inquire about other aspects of the compliance project that are likely to be required, such as the development of internal policies and the SSP/POAM. If the vendor cannot provide a fixed bid up front, provide some basic information on your existing infrastructure and ask for an estimated range of costs (low/mid/high).
Ask the vendor about projects they have completed for similarly sized companies in your industry. What were the project milestones? How long did the engagement take? Does the vendor see any similarities between your company and previous engagements they’ve worked on? If so, press the vendor for a ballpark estimate on what to expect in terms of total cost. Insist that the vendor provide client references and be sure to follow up; this is your best opportunity to understand how the prospective partner operates before committing to an engagement.
When evaluating a proposal, be sure to determine whether the vendor can perform any required technical remediation themselves, or whether they will need to bring in a contractor or recommend a third party. Determine not only the fixed bid for each phase of the project, but also an hourly rate in case the vendor claims a task is out of scope. Lastly, find out if the vendor will provide consultative and support services, including training, on an ongoing basis, and what that might look like.
One thing is for sure: the cost of not complying with DFARS can be high. But the advantages to handling DFARS compliance correctly are substantial and can lead to successful bids and lucrative contracts. Just as with a lot of successful business initiatives, the best defense against failure is to identify partners with the right expertise. Asking questions up front about the vendor’s compliance experience, creative approach, policy development skills, ongoing service capabilities, and costs can go a long way to reducing your compliance headaches and providing just what the DoD ordered.