The clock is ticking! By Dec. 31, 2017, Department of Defense contractors with information systems that contain or that transmit certain types of DoD information must have in place adequate security controls in accordance with Department of Defense Federal Acquisition Regulation (DFARS) clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (October 2016).
This deadline has not changed since Dec. 30, 2015. Nonetheless, there inevitably are contractors and subcontractors still wrestling with precisely how best to achieve compliance with the clause. And, while these contractors and subcontractors may now feel like they’re cramming for the final exam, this article addresses some recent information learned at a DoD industry information day that should provide some much needed respite.
Summary of the CDI Clause and its Core Requirements
The CDI clause imposes three key obligations upon DOD contractors with CDI on their own non-federal, contractor information systems: (1) providing adequate security to all covered information systems; (2) reporting cyber incidents affecting covered contractor information systems; and (3) including the substance of the clause in all subcontracts for operationally critical support or for subcontracts that will involve CDI.
First, under the CDI clause contractors must provide “adequate security” on all contractor information systems. The CDI clause specifies that for contractor information systems that are not part of an IT service or system operated on behalf of the government, contractors must implement the security requirements specified in National Institute of Standards and Technology (NIST) Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations in effect at the time the solicitation is issued or as authorized by the contracting officer. NIST SP 800-171, Rev. 1 contains approximately 110 security controls categorized across fourteen control families.
Second, the CDI clause requires contractors to rapidly report — within 72 hours of becoming aware — any “cyber incident,” defined as actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein. The definition of “cyber incident” is quite broad, and contractors must obtain a DoD-approved medium assurance certificate to be able to report such incidents. Contractors also have a range of data preservation and assessment obligations upon making such a report.
Finally, the CDI clause requires contractors to flow the clause down in its entirety, without alteration, in all subcontracts for operationally critical support, as well as all subcontracts that will involve subcontractor access to CDI. There is no exception for commercial item subcontracts. Prime contractors are to work with their contracting officers in determining whether a particular subcontract will involve CDI.
The DOD Chief Information Officer Industry Day: Five Key Tips for Compliance
In response to concern and feedback provided by a range of industry groups, DoD hosted an industry information day in June 2017 to address the high volume of questions raised after publication of the final CDI clause. DoD confirmed that it has no intention of delaying the Dec. 31, 2017 implementation deadline for the security controls required under the CDI clause. Yet, DoD provided, among other things, fivekey tips about the CDI clause that should prove useful to contractors trying to get up the curve quickly.
Tip One:DoD is responsible for identifying Controlled Unclassified Information (CUI). DoD confirmed that it is the requiring activity’s responsibility to designate or explain to contractors what information is being provided that DoD considers to be CUI. DoD’s comments in this area highlighted the continued need for further education and coordination between contracting activities and requiring activities (i.e., DoD end users). The questions from the audience confirmed that there is still substantial room for improvement in this dialogue.
Tip Two: A Contractor’s System Security Plan (SSP) features prominently in compliance. During the event, DoD highlighted the role a contractor’s SSP (a new requirement in the SP 800-171, Rev. 1) can play in demonstrating compliance. The SSP enables contractors to highlight moderate deficiencies in their implementation of the required controls and create plans/timelines for any updates that may be necessary. Importantly, the DoD representatives suggested that having such a plan in place (and performing against that plan) may be sufficient to demonstrate compliance with the clause. Of course, only time will tell whether these indications from DoD will hold up in the context of a cyber incident, and with hindsight. Nonetheless, DoD’s confirmation that contractors may be able to develop and use an SSP in this manner is helpful and DoD also highlighted a number of publicly available implementation tools, including DHS’s evaluation tool (discussed further below), the output of which is, in fact, a draft SSP.
Tip Three: DoD will NOT be separately auditing SP 800-171 compliance. DoD confirmed that it currently does not envision having a separate audit or compliance program in place for monitoring SP 800-171 compliance. However, the DoD representatives present did note that the Defense Contract Management Agency (DCMA) may elect to check whether a contractor has an SSP as part of its compliance review and that DoD may review SSPs as part of the source selection process.
Tip Four: Consult the DOD resources available. DoD confirmed its intention of issuing an updated set of frequently asked questions upon completion of the administrative review of those questions. This updated FAQ will provide more detail on much of the substantive discussion contained in the industry day presentation itself and provide it in a fairly digestible form. In the interim, a full recording of the industry day video can be found here and a copy of the slides presented during that session can be found here. These resources are a great first step for contractors familiarizing themselves with the CDI clause.
Tip Five: Use DoD as a resource. DoD also addressed certain questions raised by prime contractors standing in the shoes of the contracting officer and trying to provide guidance on what information is considered CDI/CUI. As a matter of last resort, DoD suggested contractors reach out to the point of contact in the DFARS case itself for purposes of addressing such tensions between primes and subcontractors.
Tricks to Slow Time: Steps contractors can take to mitigate the effect of the December 2017 implementation deadline
Contractors just beginning to confront the daunting task of implementing NIST SP 800-171’s 110 controls can take solace in two primary tips from DoD’s industry day to temper the brunt of the fast-approaching implementation deadline.
First, contractors should develop their SSPs as a means of addressing and charting a course towards resolving moderate deficiencies and shortcomings in the company’s implementation. The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team has issued an assessment tool for evaluating an organization’s security posture and enables users to select NIST SP 800-171 compliance and generate assessment results, including a draft SSP based on those findings. The ICS-CERT evaluation tool can be found here. (https://ics-cert.us-cert.gov/Downloading-and-Installing-CSET) By creating an SSP, regardless of the deficiencies that may be noted, a contractor can take measurable steps towards implementing the NIST SP 800-171 safeguards required by the CDI clause.
Second, contractors with known deficiencies should draft a plan of action and milestones (POAMs) to address the timeline for closing those deficiencies. NIST SP 800-171, Rev. 1 notes that such SSPs should be created to document the security requirements in place or planned for the systems, and specifically notes that SSPs and POAMS can be used “as critical inputs to risk management decisions.” Contractors that know that they may not be able to implement the full scope of controls by Dec. 31, 2017, should begin drafting SSPs and POAMs now that reflect the timeline for closing those gaps, even if that timeline extends beyond the end of this year.
Although the measures described herein are no substitute for the eventual implementation of the full slate of NIST SP 800-171 controls (or alternate but equally effective controls), the SSP and POAM process can give overwhelmed contractors some much needed breathing room in the sprint toward full compliance.
Erin B. Sheppard is a partner at Dentons, where she helps government contractors address and solve a broad array of contracting problems including: pursuing bid protests, resolving performance disputes, and litigating contractor claims and terminations. She also helps clients navigate the constantly changing landscape of cybersecurity regulations and counsels government contractors that have been victims of cyber incidents in their breach investigation and response.
Phillip R. Seckman is a partner at Dentons, where he represents clients concerning government and commercial contract matters, including federal procurement law, state and local procurement law, and complex federal regulatory issues. He concentrates his practice in the areas of commercial item acquisitions, GSA schedule contracting, compliance and internal investigations, and bid protests.